Posted 07 May 2009 - 05:32 PM
I'm also dealing with a system infected with a NEW variant of this. Nag screens declare it's 'WinPC Antivirus'; there are also overlapping nag screens about firewall traffic that DON'T have anything to do with the firewall.
The bad news: this is on a machine with fully updated Symantec Endpoint Protection. So this looks like a zero-day problem to me, because SEP is oblivious to it. All the manual removal info I've found so far has listed processes, files and reg keys that aren't on this system; so it's apparently a new profile. It interferes with SEP to the degree that the main status screen doesn't even list 'Antivirus and Antispyware Protection'; and Windows Security Center is hacked, showing an alert for "No Antivirus Installed", with a link to the fake WinPC junk offered as a solution, right in the XP window.
The only interesting/"good" news with this is that it appears to be confined to the one user profile - the local Admin account doesn't have symptoms.
I'm going back to the client to attack this thing again; SEP has new sigs & updates for the Proactive component. Hopefully this will detect it.
I'd be very happy to hear from anyone who's seen this variant and has a solution to killing it!