Infection occurs through MSN Messenger. The user receives a message from a friend in their list. The message has a link. The partial URL is http://www.imfriendz.net (not the complete URL). The user clicks on it and it downloads a file that causes the infection. It spreads itself through MSN.
Link to saved HijackThis log
Items listed as "potentially nasty" are not nasty. It is our domain.
Spybot partially detects it and calls it FakeMSN8Beta, but is unable to completely remove it. Spybot does fix the hosts file, which the infection fills with various security websites and points them all to 127.0.0.1. The infection also disables the ability to view hidden files.
Ewido finds nothing.
Ran a scan with Symantec Corporate AV 10.0 with updated definitions. It detected nothing. Called Symantec and they have not heard of it. Sent them data and info for them to research.
Spybot IDs the following
and a registry entry in local_machine\software\mic
I have checked a non-infected computer and system32\csrss is a valid file, as are netstat and taskkill. The registry entry is not valid.
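
The hosts-file tampering described in the post above (security sites pointed at 127.0.0.1) can be checked for mechanically. The following is an added example, not part of the original post: the function name `find_sinkholed_hosts` is hypothetical, and the sample hosts content and its domains are constructed placeholders.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def find_sinkholed_hosts(hosts_text):
    """Return the sorted hostnames that a hosts file redirects to a loopback or
    unspecified address (127.0.0.0/8, ::1, 0.0.0.0, ::), excluding localhost names."""
    flagged = set()
    for raw in hosts_text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM
        line = raw.split("#", 1)[0].strip()               # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                                      # blank, or address with no names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                      # malformed line, not a mapping
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:                           # one line may carry several names
            name = name.lower().rstrip(".")
            if name not in BENIGN_NAMES:
                flagged.add(name)
    return sorted(flagged)


# Constructed sample; the domains are placeholders, not taken from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       av-vendor.example www.av-vendor.example
127.0.0.1\tupdates.scanner.example   # appended entry
0.0.0.0         Forum.Security.Example.
192.0.2.10      intranet.example
not-an-ip       junk.example
"""

if __name__ == "__main__":
    for host in find_sinkholed_hosts(SAMPLE_HOSTS):
        print("redirected to loopback:", host)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`. A flagged name is not proof of infection, since some ad-blocking setups add such entries on purpose, so review the list against what the machine's owner installed.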