"lmageshack.cn" MSN virus thingamabob

Echo

So a friend of mine suddenly started sending strange links to images at lmageshack.cn (with an L at the start). Bells instantly went off due to the obvious imageshack.us scam attempt.

I'm on a mac, so I clicked anyway. :P

Links redirect to a PIF file that I assume infects new people. Googled a bit, but I can't find anything on how to help him remove it. Anyone got some pointers? He's running ye olde ad-ware, malwarebytes etc now.

Barrakketh

I actually have all .cn domains blocked at my router. They're overwhelmingly used for nefarious purposes when seen in an English-speaking community and it's unlikely that a legitimate site that is in your native tongue would be hosted there. Most companies based there would be more likely to have a .tw or .com domain.

That said, most of my recommended tricks would generally require someone who knows what they are doing. HiJackThis is a good start and you can tell him what to remove after the automated tools are done, after that I would use Process Monitor (from Sysinternals/Microsoft) to check the threads in each Windows process (especially Explorer) for suspicious applications that decided to hide in them.

After that, I'd use either Root Repeal or GMER. They're invaluable for detecting hidden processes/files/services.