It forwards to here:
This leads to a "STOP! Your computer is infected"-type message pop-up which you can x out of or press "OK". [see screen grab]
Which then leads to a phony scan with another (flash? couldn't view source) pop-up window. [see screen grab 2]
Now clicking on that window, closing it out or otherwise (because it's not actually a window) downloads an .exe file called freesystemscan.exe.
Running that will (and in her case, did) lead to a full-blown take-over.
Here's where I come in. Usually I would run malwarebytes in smart mode or one of the rkills. But as it turns out, this time none of them worked. Finally, I copied one of the rkill.exe files to the desktop, changed that file's name to explorer.exe and then it ran.
The thing about this particular take-over's template on the fake interface is that it looked new.
It is unusual for the rkill files not to launch either copied to the hd or from a thumbdrive.
Is there someone I submit this link to? If you are into such things—and I am only peripherally as the guy people call when this happens—I was wondering how such a file gets downloaded and then disassembled to see how it knew the rkills.
Is there somewhere I forward the file to for review and decompiling?
Edited by Budapest, 29 March 2011 - 06:12 PM.
Moved from XP ~BP