There's not much to screenshot. The phishing page mimics any page. If I'm on Wells Fargo's website, the phishing page shows up and looks just like the real site. The only way I can tell that it's a phishing page is by the information it asks for (account numbers, SSN, mother's maiden name, etc., way too much sensitive info) and the copyright date at the bottom of the page is 2008. The URL is masked somehow. It shows online.wellsfargo.com in the address bar, but it's definitely something else.
I looked at the source code and the only thing that looked like something that might be an indicator of anything is there are a bunch of meta tags that say name="konichiwa". Seems odd.
I ran Spybot S&D and it picked up 55 things that were removed. The problem persisted, so I scanned again and this time it detected 13 items that were then removed. The problem stopped! At least temporarily. Now it's back to it's old tricks again, so I'm running another scan.
I'm guessing based on the brief interruption that something was removed or disabled that affected the virus/spyware/malware. But somehow it's persisting.
Any other thoughts on this? Anyone ever seen anything this sneaky?