Resurgence of "Win 7 XXX 2011" Fakeware

Over the past three days there has been a huge upswing in the number of my users infected by variants of "Win 7 Total Security / Antispyware / etc. 2011." Yesterday alone I dealt with approximately 70.

The vector appears to have been an injected web advertisement, and unfortunately ESET does not appear to be detecting it presently (not just failing to prevent its install, but when I right-click the malicious .exe and choose to scan it is returned as clean) These are fully up to date Windows 7 Ultimate machines running ESET Nod32 4.2.58.3 and definitions 6045. I was hoping someone could speak to this particular malware, and as to whether an updated def pack will be addressing it. I have submitted multiple samples over the past few days.

Behavior appears as follows:

3 alpha character name.exe (e.g. smc.exe) stored in %\AppData\Local
10 numeric character system file stored in %\AppData\Local

Processes attaches itself via registry keys so that launching any .exe file on the host machine calls the .exe file stored in %\AppData\Local.

Runs in Safe Mode, preventing easy cleaning.

 

Have you submitted the file in question to ESET as per the instructions here? You can also submit it to Virus Total to see which AVs detect it by the on-demand scanner.

 

Marcos, according to VirusTotal, 7/42 are currently detecting this .exe (Kaspersky, BitDefender, and SuperAntiSpyware of note). For on-demand scanners, I can attest that Malwarebytes detects it, albeit classified as a GEN.trojan.

~Virus Total link removed per Policy.~

Samples submitted again per your provided instructions -- I had previously been submitting them via the ESET context menus in Windows.

 

Please see this thread regarding the new engine update several days ago.

Rogue AV's like these appears under different guises every day, no one is impervious to them. As Marcos said there is the option of the online scanner and the free stand-alone removal tools and free removal utilities that are rogue | pest specific.