Thursday, August 19, 2010

Fake AV infections

Found and cleaned 3 fake antivirus malware infections off Windows machines in the last week. On the last one I finally checked out what it was named: Rogue Security Suite. I was able to boot off a Linux CD to access the boot disk and remove the malware. It drops itself in `Docs & Settings\username\Local Settings\Application Data\"something strange"`. The "something strange" is 8 to 10 characters that are meaningless. On one of the machines the hosts file was messed up; not sure if the malware did that, but I've been checking that on every machine (`windows\system32\drivers\etc\hosts`).

After doing a Google search, apparently it also sets up a proxy connection for IE; I need to go back and check that on the machines I cleaned.
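The two filesystem checks described above (a tampered hosts file, and a random-named dropper folder under Local Settings\Application Data) are easy to script once the Windows disk is mounted from a live CD. The following is an added triage helper written for this post, not code from the post itself. It assumes the XP-style profile layout the post describes, an 8-to-10-character alphanumeric folder name, and a stock hosts file that contains only the loopback entry; the sample hosts text and demo profile are constructed here for illustration. The IE proxy setting the post mentions lives in the user's registry hive (NTUSER.DAT), not on the filesystem, so it is not covered.

```python
"""Triage helper for the fake-AV cleanup described in the post (added example, not the
author's code). Run it from a Linux live CD with the Windows disk mounted, or on the box
itself. Assumptions: XP-style profile paths and an 8-10 character random dropper folder."""
import tempfile
from pathlib import Path

# Entries a stock XP hosts file legitimately contains.
LOOPBACK_IPS = {"127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Folders that normally sit under Local Settings\Application Data; never flagged.
KNOWN_APPDATA_DIRS = {"microsoft", "identities", "temp", "mozilla", "google", "adobe"}

# Constructed sample: a stock hosts file plus two lines of the kind fake AV adds,
# sinkholing a vendor site to loopback and redirecting an update site elsewhere.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.some-av-vendor.example   # constructed: vendor site sinkholed
203.0.113.5     www.windowsupdate.example    # constructed: update site redirected
"""


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, line) for every hosts entry that is not the stock loopback
    mapping. On a mounted disk, read it from <mount>/WINDOWS/system32/drivers/etc/hosts."""
    flagged = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip in LOOPBACK_IPS and names and all(h.lower() in LOOPBACK_NAMES for h in names):
            continue
        flagged.append((n, raw.rstrip()))
    return flagged


def looks_random(name):
    """Heuristic for the post's 'something strange' folder: 8-10 alphanumeric characters
    that do not read like a word (letters mixed with digits, or very few vowels).
    It is a triage hint, so anything flagged still deserves a human look."""
    if not (8 <= len(name) <= 10) or not name.isalnum():
        return False
    if name.lower() in KNOWN_APPDATA_DIRS:
        return False
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if letters and digits:
        return True
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(name) < 0.25


def scan_profile_appdata(profile_dir):
    """List random-looking subfolders of <profile>\\Local Settings\\Application Data.
    profile_dir is e.g. /mnt/win/Documents and Settings/<user> on a live CD."""
    appdata = Path(profile_dir) / "Local Settings" / "Application Data"
    if not appdata.is_dir():
        return []
    return sorted(p.name for p in appdata.iterdir() if p.is_dir() and looks_random(p.name))


def build_demo_profile():
    """Create a throwaway XP-style profile (constructed for the example) holding two
    normal folders and one random-named folder, and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fakeav-demo-"))
    appdata = root / "Local Settings" / "Application Data"
    for name in ("Microsoft", "Identities", "qfxzrtwpl"):
        (appdata / name).mkdir(parents=True)
    return root


if __name__ == "__main__":
    for n, line in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {n}: {line}")
    for name in scan_profile_appdata(build_demo_profile()):
        print(f"random-looking folder: {name}")
```

On a real disk, point `scan_profile_appdata` at each profile under Documents and Settings and feed the hosts file contents to `suspicious_hosts_entries`; the loopback-only rule means any vendor or update domain added by the malware shows up, whether it was sinkholed to 127.0.0.1 or redirected to another address.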