I just ran into another variant of Trojan.FakeAV today (before rapid release coverage). During the infection (SEP used latest AV, Proactive, and IPS definitions with maximum bloohound and 100 level Proactive sensitivity), any attempt to goto a security website, run task manager, cmd.exe, regedit, or explorer were terminated by the application showing as Antivirus Soft Demo. Usually with this type of malware, there is a shortcut on the desktop for it so you can determine it's home directory. In this case it was not. Failed attempts at removing the malware included downloading and running Malwarebytes. The malware responded by populating Internet Explorer with a bunch of porn and clamed that coh.exe (Symantec software) was the root cause of the porn and asked to terminate it.
Only way to resolve was to run IE as a different user than what was logged in to download Sysinternal's process explorer to identify the process, reboot into safe mode and to delete it manually. This was a fully patched Windows XP box with a user running as a non administrator. The process is now detected by Rapid Release v22 (today's date).
Just thought I'd share the methodology as it looks like FakeAV infections are ramping up this week with little or no mitgation help from security removal products.