Sunday, June 1, 2014

Fake Virus Alert Website with Interesting artifacts

Got a call from my wife's friend today saying she was given a 1-800 "Microsoft" number to call as shown on her laptop screen.  Said the virus alert warning wouldn't go away.  Of course my response was "No, you didn't call the number, did you?" to which she responded YES!  They asked for her credit card information so they could bill her for...now get this... a total of four firewalls and two antivirus programs.  Total $199 USD.  I'm glad she didn't fall for it and hung up right away.  But she did say someone got access to her laptop and was "poking around saying uhuh...hmmm..yes you're infected alright!".

As I looked through her laptop for artifacts of the suspected compromise I came up with the site she visited where the virus alert image showed up...pretty amateur if you ask me.


I ran the page on my workstation in a sandbox to analyze it.  Noticed some references/redirects to a few other pages, one of which included an "update" for Adobe Flash which tried to install on my machine.  Another site was non-functional.  Ran a few tools and found a Trojan and other malware artifacts.  Recommended a reimage of her machine.
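Before letting a page like this run in a sandbox, it helps to pull the redirect targets and the displayed "support" number out of a saved copy statically, so you know which off-site hosts it reaches for (the fake Flash "update", the dead site) and what to block or hand to the sandbox next. The scanner below is an added example and not code from this post; it uses only the Python standard library, and the sample page, every hostname in it (`.example` domains) and the 1-800-555-0100 number are constructed placeholders, not the real artifacts from the friend's laptop.

```python
"""Static triage of a saved 'virus alert' page: list every place it points
(meta refresh, iframe/script/object sources, links, JavaScript location
changes) plus any 1-8xx phone number it displays, and flag off-site hosts.
Stdlib only.  The sample page and every host/number in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Toll-free number as it would be shown to the victim, e.g. 1-800-555-0100
PHONE_RE = re.compile(r"\b1[-.\s]?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b")
# <meta http-equiv="refresh" content="5; url=...">
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# location.href = "..."  /  window.location = "..."  /  location.replace("...")
JS_LOCATION_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]"
)


class AlertPageScanner(HTMLParser):
    """Collects redirect/resource targets and displayed phone numbers."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False  # HTMLParser hands <script> bodies to handle_data

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names are lowercased by HTMLParser
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self._add_url("meta-refresh", m.group(1))
        elif tag in ("iframe", "script", "embed") and a.get("src"):
            self._add_url(tag + "-src", a["src"])
        elif tag == "object" and a.get("data"):
            self._add_url("object-data", a["data"])
        elif tag == "a" and a.get("href"):
            self._add_url("link", a["href"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_LOCATION_RE.finditer(data):
                self._add_url("js-location", m.group(1) or m.group(2))
        else:
            for m in PHONE_RE.finditer(data):
                self.findings.append({"kind": "phone", "value": m.group(0),
                                      "host": None, "external": False})

    def _add_url(self, kind, url):
        host = urlparse(url).hostname
        host = host.lower() if host else None
        self.findings.append({"kind": kind, "value": url, "host": host,
                              "external": host is not None and host != self.page_host})


def scan_page(html, page_url):
    """Return all findings for one saved page; page_url decides what counts as off-site."""
    scanner = AlertPageScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def external_hosts(findings):
    """Distinct off-site hosts the page reaches for: the blocklist / sandbox follow-up list."""
    return sorted({f["host"] for f in findings if f["external"]})


def displayed_phone_numbers(findings):
    """Numbers the page tells the victim to call (report/ticket indicator)."""
    return [f["value"] for f in findings if f["kind"] == "phone"]


# Constructed sample resembling a fake-alert page; all hosts and the number are placeholders.
SAMPLE_URL = "http://virus-alert.example/index.html"
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://update.flash-player.example/setup.php">
<script src="http://cdn.alerts.example/popup.js"></script>
</head><body>
<h1>WARNING: Your computer is infected!</h1>
<p>Call Microsoft support now: 1-800-555-0100</p>
<iframe src="http://cdn.alerts.example/frame.html" width="0" height="0"></iframe>
<script>
  setTimeout(function(){ window.location.href = "http://support-check.example/scan"; }, 3000);
</script>
</body></html>"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_PAGE, SAMPLE_URL)
    for f in found:
        print(f"{f['kind']:<13} {f['value']}" + ("  [off-site]" if f["external"] else ""))
    print("off-site hosts:", external_hosts(found))
    print("numbers shown:", displayed_phone_numbers(found))
```

Run it against the HTML you saved from the victim's browser cache or a `wget` of the page (with the real page URL in place of `SAMPLE_URL`); the off-site host list is what you hand to the sandbox or the firewall, and the phone number is the indicator worth reporting. The script never fetches anything, so it is safe to run outside the sandbox on the static copy.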