Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.

Yes it is, there is NO entry at all in hosts.txt
Weird hm?

For example, if I try www.eset.com, Firefox reports “Although the server seems to exist, Firefox failed to connect to it.”

Something is in that system. And it must come out. “It’s software Jim, but not as we know it.” :slight_smile:

Edit: Kaspersky Rescue CD running as we speak. Bitdefender Rescue CD booted, but failed during initialisation (“Can’t autoconfigure environment” - whatever that means)

Add
127.0.0.1 localhost

The non-booting Kaspersky is weird also…
Let us not lose the battle against this nasty one…

Well I believe getting rid of the msq*.* file in system32 and system32/drivers could well have killed a rootkit and that may well have been hiding more stuff.

So I know it is repeating things, but it would be worth a) running an avast boot-time scan (I don’t know if you have done that before), b) running both SAS and MBAM again and reporting any findings.

Line 5 of Tech’s cleaning instructions: HiJackThis is an analysis tool which may help us. Before using it and posting the results, change hijackthis.exe to, say, FurstWan-HJT.exe, as some malware hides from hijackthis.exe.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste) into this topic; you may need to split it over two or more posts depending on how large it is. Or attach the log file.

Will do.

Let us not lose the battle against this nasty one...

I wasn’t planning to lose! Ha! This virus won’t know what hit it! :slight_smile:

Avast boot-time scan is running now. SAS and MBAM will follow. If that’s all completed, I’ll run the Hijackthis and report back here. :slight_smile: Thanks guys.

You’re welcome, until then.

Resycled is targeted by ComboFix along with the trigger files; I would recommend running that. Sorry to be so late in coming to this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Better late than never; thanks for the feedback on resycled and ComboFix.

Well this nasty little bugger has got on to my computer, but it appears to be worse, and I was wondering if it’s something else that someone might recognise.
* Blue screen shut downs in normal mode for no reason
* Windows now telling me unauthorized changes were made and they believe that my Windows is a fake. I believe they said I might be a victim of program counterfeiting (sorry my spelling is rather bad)
* I now can’t even log in; it just sits on welcome for god knows how long, but I get impatient (and worried) and force a shut down.

I haven’t even checked whether it’s blocking anti-virus websites as I disconnected as soon as I got the alert. All I know is avast has deleted countless nasties from my computer in the past few days, including farsec (supposedly), but every scan only finds two or three things at a time and my computer continues to be up shit creek without a paddle.

I could take it to a tech, but I’m in France at the moment, and whilst I speak and understand a fair amount I don’t particularly feel like trying to explain to a French technician what’s wrong because he won’t speak English and I won’t know how to say it in French. Also the people I’m staying with don’t understand the problem past the fact it’s a virus and it’s bad.

I will not let the virus beat me!!!

(replying to FurstWan)

Yeah…not if I get there first

Hi posters in this thread,

For the cleansing of this nastiness, also consider performing the following:
The Task Manager has most probably been disabled (Check with Ctrl+Alt+Del). To enable it, go to Start - Run and paste the following command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Hit Enter.

My guess is that editing the registry has also been disabled. To enable the registry, go to Start - Run and paste the following command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Hit Enter.

Disabling Autorun on all disks could at least keep the nasty from starting up again.
The easiest way to do that is to download TweakUI from here:
http://www.annoyances.org/exec/show/tweakui
Install and start (you will find it under Powertools for Windows - TweakUI).

  • Expand the ‘My Computer’ branch, then the ‘AutoPlay’ branch, and then select ‘Drives’.
  • Turn off the check box next to ALL drive letters (AutoPlay will be disabled now).
    Reboot your computer. Then go further with the proposed solutions as given by Essexboy.

polonus

“And FurstWan - stay calm and keep at it; we have always managed to beat malware, you are not at the point of reinstalling yet”

pol
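The two REG commands above and the TweakUI AutoPlay checkboxes each touch one well-known policy value. The PowerShell script below is an added example (it is not from this thread, polonus, or any of the tools named here) that audits those values and, only when run with -Fix, puts them back to their clean state. The registry paths and value names are the standard Windows ones; the script name and the -Fix switch are my own. One caveat from a practitioner's side: on Windows XP, NoDriveTypeAutoRun is only fully honoured once the AutoRun update from Microsoft (KB967715) is installed, so a clean value here does not on its own prove AutoRun is off.

```powershell
# Added example, not part of the forum thread: audit and optionally restore
# the policy values the posts above reset, and the AutoRun policy that
# TweakUI's AutoPlay "Drives" checkboxes drive. Run as the affected user.
param([switch]$Fix)

$systemKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Values malware commonly flips to lock the user out of diagnostic tools.
$lockouts = @(
    @{ Key = $systemKey; Name = 'DisableTaskMgr';       Clean = 0 }
    @{ Key = $systemKey; Name = 'DisableRegistryTools'; Clean = 0 }
)

function Get-RegValueOrNull([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($l in $lockouts) {
    $current = Get-RegValueOrNull $l.Key $l.Name
    if ($null -eq $current -or $current -eq $l.Clean) {
        Write-Host ("[ok]   {0} = {1}" -f $l.Name, $current)
        continue
    }
    Write-Host ("[WARN] {0} = {1} (tool disabled by policy)" -f $l.Name, $current)
    if ($Fix) {
        if (-not (Test-Path $l.Key)) { New-Item -Path $l.Key -Force | Out-Null }
        Set-ItemProperty -Path $l.Key -Name $l.Name -Value $l.Clean -Type DWord
        Write-Host ("       reset {0} to {1}" -f $l.Name, $l.Clean)
    }
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# suppressed; 0xFF (255) covers every drive type, which is the effect of
# unticking every drive letter in TweakUI.
$autorun = Get-RegValueOrNull $explorerKey 'NoDriveTypeAutoRun'
if ($autorun -eq 255) {
    Write-Host "[ok]   NoDriveTypeAutoRun = 0xFF (AutoRun off for all drive types)"
} else {
    Write-Host ("[WARN] NoDriveTypeAutoRun = {0} (AutoRun still allowed on some drives)" -f $autorun)
    if ($Fix) {
        if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
        Set-ItemProperty -Path $explorerKey -Name 'NoDriveTypeAutoRun' -Value 255 -Type DWord
        Write-Host "       set NoDriveTypeAutoRun to 0xFF; log off and on again for it to apply"
    }
}
```

Run it once without -Fix to see what the infection changed, then with -Fix after the cleaning tools have run; if the values flip back to 1 on their own, something is still active and re-applying the lockout.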

Hi guys
I noticed your problem
I’ve developed a method of attack for this particular virus.

From what I’ve learned, the virus uses Windows’ built-in super hidden file setting,
making the folder and the files autorun.inf and resycled/boot.com untraceable to the naked eye.

Deletion is virtually impossible.
This file boot.com does the following:
1. replicates and infects each usable drive
2. inserts an infinitely running autorun.inf in the root folder of each drive
3. causes registry errors that prevent access to drives from the My Computer folder

Method of removal for boot.com:
Read this article on how to unlock super hidden files in Windows:
http://www.extremetech.com/article2/0,2845,1838913,00.asp
There is a step missing from this:
when you apply the 1 to the data entry for the registry key they tell you,
look above and locate “show super hidden files”, edit the entry inside and give it a 1 as well. This will
show you the hidden files.
After you have made your super hidden files noticeable,
go back to the registry and search for boot.com.
You will be taken to a key called MountPoints2.

For each drive that is infected there is a folder with the sub-folders
shell
autorun
open
If you open one of those that has any of those folders in it,
erase them promptly,

all of them that have those folders.
You have now cut off the autorun.inf’s main method of replicating the boot.com.

Now, using a program that has a deletion tool
(Spybot’s Secure Shredder works perfectly for this),

bring each resycled folder to it and it will automatically load boot.com to the shredder.

Run a 35 pass on all of them.
The boot.com file has now been destroyed and will not come back.

However, there remains the Fasec rootkit virus
and the autorun.inf’s.
They still replicate,
but they no longer reference the boot.com, so they just remake the registry keys you erased.
That will still cause the annoying “cannot find boot.com” and all that, but boot.com is gone.

The Fasec virus infects
via a DLL, a .tmp and a VBScript,

so I advise some sort of boot scanner.

I hope this helps
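The post above leans on three things a cleaner has to find by hand: whether the hidden-file display has been tampered with, which MountPoints2 entries carry an AutoRun or open command, and which drive roots hold an autorun.inf. The PowerShell script below is an added example, not from this thread or any tool it names, that reads all three out in one pass and deletes nothing, so it can be run before and after cleaning to confirm the entries are gone. The registry paths are the standard Windows ones (the HKLM SHOWALL\CheckedValue key is the one the linked article has the reader repair); the function name is my own.

```powershell
# Added example, not part of the forum thread: read-only audit of the
# hidden-file settings, MountPoints2 AutoRun/open commands, and root-level
# autorun.inf files described in the post above. Nothing is modified.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$mounts   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

Write-Host '== Hidden-file display settings =='
# Hidden=1 shows hidden files; ShowSuperHidden=1 shows protected OS files.
foreach ($name in 'Hidden', 'ShowSuperHidden') {
    $v = Get-RegValue $advanced $name
    $state = if ($v -eq 1) { 'showing' } else { 'hiding' }
    Write-Host ("  {0,-16} = {1} ({2})" -f $name, $v, $state)
}
# Malware often sets SHOWALL\CheckedValue to 0 so that ticking "Show hidden
# files" in Folder Options silently has no effect. The stock value is 1.
$checked = Get-RegValue $showAll 'CheckedValue'
if ($checked -ne 1) {
    Write-Host ("  [WARN] SHOWALL\CheckedValue = {0}; Folder Options cannot show hidden files until this is 1" -f $checked)
}

function Get-MountPointCommands {
    # One object per MountPoints2 subkey that carries a Shell\AutoRun\command
    # or Shell\open\command default value (what an autorun.inf "open=" line
    # leaves behind once Explorer has seen the drive).
    if (-not (Test-Path $mounts)) { return @() }
    $results = @()
    foreach ($mp in Get-ChildItem -Path $mounts) {
        foreach ($verb in 'AutoRun', 'open') {
            $cmdKey = $mp.PSPath + "\Shell\$verb\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
                $results += [pscustomobject]@{ MountPoint = $mp.PSChildName; Verb = $verb; Command = $cmd }
            }
        }
    }
    return $results
}

Write-Host '== MountPoints2 entries with AutoRun/open commands =='
$found = @(Get-MountPointCommands)
if ($found.Count -eq 0) {
    Write-Host '  none'
} else {
    foreach ($f in $found) {
        Write-Host ("  {0}  Shell\{1}\command = {2}" -f $f.MountPoint, $f.Verb, $f.Command)
    }
}

Write-Host '== autorun.inf at drive roots =='
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # -Force is needed because the worm marks the file hidden+system.
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
        Write-Host ("  {0}  attributes: {1}" -f $inf, $attrs)
        # The [autorun] section's open=/shellexecute= lines name the payload.
        Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
            ForEach-Object { Write-Host ('      ' + $_.Trim()) }
    }
}
```

A MountPoints2 entry that points at a file inside a root-level folder such as resycled, paired with a hidden autorun.inf naming the same file, is the pattern the post describes; if the entries reappear after being removed, the dropper that rewrites them is still running and needs the boot-time scan the poster recommends.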

I wanted to say THANK YOU to everyone who helped out in this thread.

I had exactly the same problems (msqpdxwqsctmei.dll), same Trojan, and MBAM completely took care of the problem, after I followed the instructions in the post right above.

Now I can actually update my programs, and access all the anti-virus/spyware sites once more. Again, it’s very much appreciated! ;D

Welcome to avast forums HeroOfTheDay :wink: