Hey guys. I am not looking for any assistance with the removal, and was unsure of where to post for this particular issue, but I was working on a customer's machine earlier today, and they had a fake antivirus masquerading as BitNefender. Weirdest thing is though... unlike most fake AVs it didn't pop anything up on the screen and lock you down. I was unable to snag samples of this infection, but I did manage to clean the computer.

This thing dumped like 16 different malicious .exe files into the syswow64 directory, and on top of that it seems to continuously reproduce itself in the %appdata% directory. By the time I got to the machine there were already 40+ directories with random names, and each directory had a randomly named .exe inside it. Multiple .exe files in some cases. Apparently it came with some bootkit too, but by the time I got to the case a previous tech had already pulled the bootkit, so I was unable to ID whether it was something tied directly to its processes or if it was just something separate. In this particular situation, there was also a bad install.exe in the root of C:\, but I don't think that was related to the infection; that was likely from something else on top of it.

There were run keys in the typical locations:
HKLM > Software > Microsoft > Windows > CurrentVersion > Run
HKLM > Software > Microsoft > Windows NT > CurrentVersion > Winlogon
HKCU > Software > Microsoft > Windows > CurrentVersion > Run
After pulling all of the registry keys and rebooting the machine I was able to remove the infection completely, as it no longer had any processes running. I don't really know how to reverse engineer and I suck at grabbing droppers, but I have a pretty good grasp on removing malware. Has anyone else seen this thing? My regular sites don't have a thing, and all Google brings up is BitDefender & their forums. Let me know if I posted in the wrong section, guys, but I would appreciate some feedback.
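A read-only triage script for the three autorun locations named in the post, added here as an example and not part of the original post. It lists every entry and flags commands that launch from %AppData% or SysWOW64 (the two drop locations described above) plus any extra comma-separated entries tacked onto the Winlogon Shell/Userinit values; the heuristics are an assumption based on the description, so treat hits as leads to inspect, not verdicts.

```powershell
# Added example: enumerate the autorun keys from the post and flag entries that
# execute from %AppData% or SysWOW64. Changes nothing on the machine.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$appData  = [Environment]::GetFolderPath('ApplicationData')   # e.g. C:\Users\<u>\AppData\Roaming
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'

function Test-SuspiciousCommand {
    param([string]$Command)
    # Legitimate software also autoruns from AppData, so this is a lead, not a verdict.
    # An autorun target inside SysWOW64 is unusual and worth a look.
    return ($Command -like "*$appData*") -or ($Command -like "*$sysWow64*")
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = Test-SuspiciousCommand $cmd
        }
    }
}

# Winlogon: Shell is normally just explorer.exe and Userinit is normally
# "...\userinit.exe," with nothing after the comma. Anything appended after a
# comma is an extra program started at logon.
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    $value = [string]$wl.$name
    $findings += [pscustomobject]@{
        Location   = $winlogon
        Name       = $name
        Command    = $value
        Suspicious = (Test-SuspiciousCommand $value) -or ($value -match ',\s*\S')
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the infected machine before removing anything, so you have a record of the exact image paths to collect as samples.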