FakeAV + Ransomware = Windows Expert Console

Over the last few months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However, that doesn’t mean that our good “old friends” known as FakeAV aren’t around. Fake antivirus programs have been infecting users for years and they have not disappeared, although it is true they are not as prevalent as they were in the past. This week we have seen a rise in FakeAV attacks using a new aggressive ransom-like approach.

The malicious file uses the following icon:

[Image: Windows Expert Console icon]

It usually arrives on the computer under the name “cleaner.exe”, although we have seen it using different names. As soon as it is executed, a screen appears showing the installation of a program called “Windows Expert Console”:

[Image: Windows Expert Console installation screen]

It only takes a few seconds, and before the user is able to react it restarts the computer. Once restarted, the following screen shows up and we can’t do anything:

[Image: Windows Expert Console screen shown after the restart (English)]

If you try to get back to the desktop or run any application, you won’t be allowed to. The only thing you can do is click on the “Remove All” button, which takes you to a different window where you can buy a license for this FakeAV. It costs $99.

At the same time we found this malware, we detected another variant. This one is less aggressive (it does not block your computer), although the two share the same interface; the only difference is the name. The new one is called VirusBuster, the same as the historical antivirus company that closed last year. In this case the user gets this kind of warning, meant to make them pay the license fee:


As we mentioned, both programs share the same interface, and they come in 4 different languages (English, Spanish, German and French). In the following animated GIF you can see what they look like:

[Animated GIF: VirusBuster and Windows Expert Console interfaces]

If you have been infected with either of these, you can use our free malware removal tool, Panda Cloud Cleaner.


5 Responses

  1. Chris
    Dec 02, 2013 - 09:58 PM

    That’s all very well but this virus won’t let you open the installer…

  2. The Next Idea
    Dec 05, 2013 - 01:15 PM

    You are saying that once it enters the PC, users don’t find any time to react and the PC gets rebooted. And after the reboot a particular screen appears, which allows the user to do nothing except click on a button. So, if the malware does not allow the user to launch any application, then how could he launch Panda Cloud Cleaner?

    • Luis Corrons
      Dec 10, 2013 - 09:47 AM

      There are different flavours of that tool. In case you cannot access your computer, you only need to use the Panda Rescue USB. From the page linked in the article, if you choose that option you will be taken to this page:


      Where you have all the instructions.


