Resycled/boot.com (virus)

  • Thread starter Thread starter GoldHawk
  • Start date Start date
G

GoldHawk

I don’t know if this is strictly a hardware problem, but if I am in the wrong
newsgroup, perhaps someone will re-direct me.

I am running a desktop machine with Win XP Pro SP3. I have dual, but
separate and fitted hard drives, C:\ which contains the OP, and D:\ for “My
Documentsâ€. I also have an external hard drive partitioned into 3, E:\, F:\ &
G:\. Removable storage includes an MMC Card (I:\) in a card reader, and
memory stick (J:\).

Recently when clicking on any of these drives (except C:\) from My Computer,
produced the message “resycled/boot.com is not a valid Win 32 applicationâ€.
None of the affected drives was accessible except through Explorer.

I discovered this was a virus – boot.com. I have run (updated) AVG
Anti-Virus, Malwarebytes, Ad-Aware, Spybot Search & Destroy &
SuperAntiSpyware. All failed to detect the virus, let alone eliminate it.

I therefore resorted to a manual removal, following the instructions below:

"Here’s the REAL way to clean this off your system. You should do these
steps after a fresh reboot or in safe mode.
1) Navigate to the problem drive(s) via the Explore option.
2) Click on TOOLS -> FOLDER OPTIONS
3) Click the button which says ‘Show hidden files and folders.
4) UNCHECK the following boxes:
Hide extensions for known file types
Hide protected operating system files
5) Find and delete the autorun.ini file and the resycled folder on the root
directory of all affected drives.
6) Check “c:\windows\system32\dllcache†for boot.com file and delete it if
present.
7) Check “c:\windows\prefetch†for boot.com file and delete if present.
8) Delete all files from c:\windows\temp
(Some files may not delete, that’s ok, they’re in use by the system and not
virus files.)
9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local
Settings\Temp
(Again, a couple files may not delete, don’t worry.)
10) Run Regedit
11) Make sure you are at the very first entry of the registry hive. (y
Computer should be highlighted) then click EDIT -> FIND
12) Search for “boot.comâ€. If it finds an entry, delete it. Keep hitting F3
until you’ve deleted all instances of boot.com in the entire registry.
13) Scroll the left column back up to the top and highlight the My Computer
again at the top of the registry hive.
14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step
13, deleting the entries as it finds them. (I found 2 of each)
15) Close registry editor and try opening the infected drives. They should
work now.
Worked for me at least. I ran NAV2008 2 times on it and it was able to find
the files but unable to remove them for some reason. Doing this, seems to
have completely resolved the issue for me."


I found a number of infections on the various drives (including C:\) and in
the registry, which I deleted (not the registry – just the virus files !).

Following this, I re-formatted C:\ drive and reinstalled the OP, which I was
planning to do in any event. I also re-formatted D:\ drive, again which I was
planning anyway.

I had assumed that the problem virus had been successfully removed - which
it probably has - after making a further check for the offending files.
However, I now find on trying again to open the partitioned external HHDs,
E:\, F:\ & G:\, I get the message “Windows cannot find ‘resycled\boot.com’.
Make sure you have typed the name correctly and then try again. To search for
the file click the start button and then click searchâ€. I still can’t access
these drives except through Explorer.

Strangely, I am able to access the re-formatted D:\ drive and the removable
storage, the MMC card and flash drive.

Is the only way to resolve this, to move all data from the affected drives
and then delete, re-partition and reformat ?

Any assistance would be much appreciated.

Mike
 
Recently when clicking on any of these drives (except C:\) from My Computer,
produced the message “resycled/boot.com is not a valid Win 32 application”.
None of the affected drives was accessible except through Explorer.
[...]

Here is a way that I got rid of my infections, using cmd line.

For every drive (including USB stick), do:

[drive_letter]: <-- go to each drive by specifying the drive
letter
attrib -h -r -s Autorun.inf <-- unhide the virus (it may or may
not be there)
del Autorun.inf <-- delete it once you un-hide the virus

Hope this helps.
 
http://www.spywaredoctorhelp.com/remove-resycledbootcom/

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

GoldHawk said:
I don’t know if this is strictly a hardware problem, but if I am in the wrong
newsgroup, perhaps someone will re-direct me.

I am running a desktop machine with Win XP Pro SP3. I have dual, but
separate and fitted hard drives, C:\ which contains the OP, and D:\ for “My
Documentsâ€. I also have an external hard drive partitioned into 3, E:\, F:\ &
G:\. Removable storage includes an MMC Card (I:\) in a card reader, and
memory stick (J:\).

Recently when clicking on any of these drives (except C:\) from My Computer,
produced the message “resycled/boot.com is not a valid Win 32 applicationâ€.
None of the affected drives was accessible except through Explorer.

I discovered this was a virus – boot.com. I have run (updated) AVG
Anti-Virus, Malwarebytes, Ad-Aware, Spybot Search & Destroy &
SuperAntiSpyware. All failed to detect the virus, let alone eliminate it.

I therefore resorted to a manual removal, following the instructions below:

"Here’s the REAL way to clean this off your system. You should do these
steps after a fresh reboot or in safe mode.
1) Navigate to the problem drive(s) via the Explore option.
2) Click on TOOLS -> FOLDER OPTIONS
3) Click the button which says ‘Show hidden files and folders.
4) UNCHECK the following boxes:
Hide extensions for known file types
Hide protected operating system files
5) Find and delete the autorun.ini file and the resycled folder on the root
directory of all affected drives.
6) Check “c:\windows\system32\dllcache†for boot.com file and delete it if
present.
7) Check “c:\windows\prefetch†for boot.com file and delete if present.
8) Delete all files from c:\windows\temp
(Some files may not delete, that’s ok, they’re in use by the system and not
virus files.)
9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local
Settings\Temp
(Again, a couple files may not delete, don’t worry.)
10) Run Regedit
11) Make sure you are at the very first entry of the registry hive. (y
Computer should be highlighted) then click EDIT -> FIND
12) Search for “boot.comâ€. If it finds an entry, delete it. Keep hitting F3
until you’ve deleted all instances of boot.com in the entire registry.
13) Scroll the left column back up to the top and highlight the My Computer
again at the top of the registry hive.
14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step
13, deleting the entries as it finds them. (I found 2 of each)
15) Close registry editor and try opening the infected drives. They should
work now.
Worked for me at least. I ran NAV2008 2 times on it and it was able to find
the files but unable to remove them for some reason. Doing this, seems to
have completely resolved the issue for me."


I found a number of infections on the various drives (including C:\) and in
the registry, which I deleted (not the registry – just the virus files !).

Following this, I re-formatted C:\ drive and reinstalled the OP, which I was
planning to do in any event. I also re-formatted D:\ drive, again which I was
planning anyway.

I had assumed that the problem virus had been successfully removed - which
it probably has - after making a further check for the offending files.
However, I now find on trying again to open the partitioned external HHDs,
E:\, F:\ & G:\, I get the message “Windows cannot find ‘resycled\boot.com’.
Make sure you have typed the name correctly and then try again. To search for
the file click the start button and then click searchâ€. I still can’t access
these drives except through Explorer.

Strangely, I am able to access the re-formatted D:\ drive and the removable
storage, the MMC card and flash drive.

Is the only way to resolve this, to move all data from the affected drives
and then delete, re-partition and reformat ?

Any assistance would be much appreciated.

Mike
 
Many thanks for these replies.

I wish I had known about the Spywaredoctor removal tool before ! However, as
mentioned, I have already used the instructions I found on a technical forum
to manually remove the virus files. I'm sure all the offending files are gone
(unless autorun.inf is also part of the virus).

My problem now is that on trying to open the partitioned external hard
drive(s) Windows seems to be searching for the file boot.com, which I
manually deleted, and as a consequence, won't allow access to those
(affected) drives from "My Computer".

I get the message “Windows cannot find ‘resycled\boot.com’.

What I can't quite understand is why I can now access the removable storage
drives (MMC card & flash drive) despite being similarly affected and after
manually removing the boot.com files from those drives as well.

The external HHDs do have a file autorun.inf which I deleted as suggested
but I got the same message as above, that Windows was looking for the (now
deleted) boot.com file. I have reinstated the autorun.inf file(s).

I'm looking for some advice on how I get around the problem of Windows
looking for this old (and deleted) virus file so I can access the external
HHD from "My Computer".

Mike
 
My problem now is that on trying to open the partitioned external hard
drive(s) Windows seems to be searching for the file boot.com, which I
manually deleted, and as a consequence, won't allow access to those
(affected) drives from "My Computer".

I get the message “Windows cannot find ‘resycled\boot.com’.

What I can't quite understand is why I can now access the removable storage
drives (MMC card & flash drive) despite being similarly affected and after
manually removing the boot.com files from those drives as well.

The external HHDs do have a file autorun.inf which I deleted as suggested
but I got the same message as above, that Windows was looking for the (now
deleted) boot.com file. I have reinstated the autorun.inf file(s).

I'm looking for some advice on how I get around the problem of Windows
looking for this old (and deleted) virus file so I can access the external
HHD from "My Computer".

The fact that your Windows is still barking implied that your Windows
is still not disinfected.

If I were you, I would restore the Windows with a backup 2-3 weeks
ago.
You have a backup, don't you?

N.B. Re-instated the autorun.inf won't help, because it is part of the
viral
propagation mechanism.

Good luck.
 
GoldHawk said:
Many thanks for these replies.

I wish I had known about the Spywaredoctor removal tool before ! However, as
mentioned, I have already used the instructions I found on a technical forum
to manually remove the virus files. I'm sure all the offending files are gone
(unless autorun.inf is also part of the virus).

It is. When you open a drive, Windows searches the root of the drive
an autorun.inf file. If one exists the instruction within the file are executed.
In your case the autorun.inf file is attempting to load and run boot.com
from a (presumably now missing) \resycled folder.

You need to remove them all at once before opening any drives.
Opening a drive that has one of these \autorun.inf files will just
propagate the file back onto the drive you previously removed the
file from.

As was already suggested.

Open a cmd prompt. Start > Run... [type in] cmd > Ok
At the prompt, enter the following commands:

attrib -h -r -s C:\Autorun.inf

del C:\Autorun.inf

attrib -h -r -s D:\Autorun.inf

del D:\Autorun.inf

attrib -h -r -s E:\Autorun.inf

del E:\Autorun.inf

etc.
(do this for every drive letter (C: D: E: etc) and do NOT open any drives with
Explorer until you're completed)
 
Brilliant Bill, this looks to have sorted it. Thank you.

As I am not very familiar with Command Prompt, I wasn't too sure if I was
doing it correctly. After typing the (first) command line, some drives said
no file was found, in which case I moved on, using the command line for the
next drive. When there was no message that a file couldn't be found, I
assumed that there was a file and followed with your suggested (delete)
second command. Again. no confirmation or otherwise whether the file had been
deleted, or not.

In any event, I assume I was doing it right as, on re-boot, all drives now
opening on click from My Computer.

With many thanks again, and to Harry.

Regards.

Mike

Bill Blanton said:
GoldHawk said:
Many thanks for these replies.

I wish I had known about the Spywaredoctor removal tool before ! However, as
mentioned, I have already used the instructions I found on a technical forum
to manually remove the virus files. I'm sure all the offending files are gone
(unless autorun.inf is also part of the virus).

It is. When you open a drive, Windows searches the root of the drive
an autorun.inf file. If one exists the instruction within the file are executed.
In your case the autorun.inf file is attempting to load and run boot.com
from a (presumably now missing) \resycled folder.

You need to remove them all at once before opening any drives.
Opening a drive that has one of these \autorun.inf files will just
propagate the file back onto the drive you previously removed the
file from.

As was already suggested.

Open a cmd prompt. Start > Run... [type in] cmd > Ok
At the prompt, enter the following commands:

attrib -h -r -s C:\Autorun.inf

del C:\Autorun.inf

attrib -h -r -s D:\Autorun.inf

del D:\Autorun.inf

attrib -h -r -s E:\Autorun.inf

del E:\Autorun.inf

etc.
(do this for every drive letter (C: D: E: etc) and do NOT open any drives with
Explorer until you're completed)



My problem now is that on trying to open the partitioned external hard
drive(s) Windows seems to be searching for the file boot.com, which I
manually deleted, and as a consequence, won't allow access to those
(affected) drives from "My Computer".

I get the message "Windows cannot find 'resycled\boot.com'.

What I can't quite understand is why I can now access the removable storage
drives (MMC card & flash drive) despite being similarly affected and after
manually removing the boot.com files from those drives as well.

The external HHDs do have a file autorun.inf which I deleted as suggested
but I got the same message as above, that Windows was looking for the (now
deleted) boot.com file. I have reinstated the autorun.inf file(s).

I'm looking for some advice on how I get around the problem of Windows
looking for this old (and deleted) virus file so I can access the external
HHD from "My Computer".

Mike
 
You're welcome. Yes, assuming the command had no typos, and
if "file not found", then it did not exist for that drive. Correct, the attrib
and del commands give no confirmation when successful.

You would probably be wise to make sure you have no more traces
of the infection. Or anything else for that matter.



GoldHawk said:
Brilliant Bill, this looks to have sorted it. Thank you.

As I am not very familiar with Command Prompt, I wasn't too sure if I was
doing it correctly. After typing the (first) command line, some drives said
no file was found, in which case I moved on, using the command line for the
next drive. When there was no message that a file couldn't be found, I
assumed that there was a file and followed with your suggested (delete)
second command. Again. no confirmation or otherwise whether the file had been
deleted, or not.

In any event, I assume I was doing it right as, on re-boot, all drives now
opening on click from My Computer.

With many thanks again, and to Harry.

Regards.

Mike

Bill Blanton said:
GoldHawk said:
Many thanks for these replies.

I wish I had known about the Spywaredoctor removal tool before ! However, as
mentioned, I have already used the instructions I found on a technical forum
to manually remove the virus files. I'm sure all the offending files are gone
(unless autorun.inf is also part of the virus).

It is. When you open a drive, Windows searches the root of the drive
an autorun.inf file. If one exists the instruction within the file are executed.
In your case the autorun.inf file is attempting to load and run boot.com
from a (presumably now missing) \resycled folder.

You need to remove them all at once before opening any drives.
Opening a drive that has one of these \autorun.inf files will just
propagate the file back onto the drive you previously removed the
file from.

As was already suggested.

Open a cmd prompt. Start > Run... [type in] cmd > Ok
At the prompt, enter the following commands:

attrib -h -r -s C:\Autorun.inf

del C:\Autorun.inf

attrib -h -r -s D:\Autorun.inf

del D:\Autorun.inf

attrib -h -r -s E:\Autorun.inf

del E:\Autorun.inf

etc.
(do this for every drive letter (C: D: E: etc) and do NOT open any drives with
Explorer until you're completed)



My problem now is that on trying to open the partitioned external hard
drive(s) Windows seems to be searching for the file boot.com, which I
manually deleted, and as a consequence, won't allow access to those
(affected) drives from "My Computer".

I get the message "Windows cannot find 'resycled\boot.com'.

What I can't quite understand is why I can now access the removable storage
drives (MMC card & flash drive) despite being similarly affected and after
manually removing the boot.com files from those drives as well.

The external HHDs do have a file autorun.inf which I deleted as suggested
but I got the same message as above, that Windows was looking for the (now
deleted) boot.com file. I have reinstated the autorun.inf file(s).

I'm looking for some advice on how I get around the problem of Windows
looking for this old (and deleted) virus file so I can access the external
HHD from "My Computer".

Mike
 
Guys, I appreciate this information. I resolve the problem with this
"resycled" with your help; but now appear another problem:

I can't connetc to internet. The message is "no iternet connection"; please
could you provide information about this topic? I already try everything, but
the problem remain.

I'll really appreciate it! Thanks in advance.




Bill Blanton said:
You're welcome. Yes, assuming the command had no typos, and
if "file not found", then it did not exist for that drive. Correct, the attrib
and del commands give no confirmation when successful.

You would probably be wise to make sure you have no more traces
of the infection. Or anything else for that matter.



GoldHawk said:
Brilliant Bill, this looks to have sorted it. Thank you.

As I am not very familiar with Command Prompt, I wasn't too sure if I was
doing it correctly. After typing the (first) command line, some drives said
no file was found, in which case I moved on, using the command line for the
next drive. When there was no message that a file couldn't be found, I
assumed that there was a file and followed with your suggested (delete)
second command. Again. no confirmation or otherwise whether the file had been
deleted, or not.

In any event, I assume I was doing it right as, on re-boot, all drives now
opening on click from My Computer.

With many thanks again, and to Harry.

Regards.

Mike

Bill Blanton said:
Many thanks for these replies.

I wish I had known about the Spywaredoctor removal tool before ! However, as
mentioned, I have already used the instructions I found on a technical forum
to manually remove the virus files. I'm sure all the offending files are gone
(unless autorun.inf is also part of the virus).

It is. When you open a drive, Windows searches the root of the drive
an autorun.inf file. If one exists the instruction within the file are executed.
In your case the autorun.inf file is attempting to load and run boot.com
from a (presumably now missing) \resycled folder.

You need to remove them all at once before opening any drives.
Opening a drive that has one of these \autorun.inf files will just
propagate the file back onto the drive you previously removed the
file from.

As was already suggested.

Open a cmd prompt. Start > Run... [type in] cmd > Ok
At the prompt, enter the following commands:

attrib -h -r -s C:\Autorun.inf

del C:\Autorun.inf

attrib -h -r -s D:\Autorun.inf

del D:\Autorun.inf

attrib -h -r -s E:\Autorun.inf

del E:\Autorun.inf

etc.
(do this for every drive letter (C: D: E: etc) and do NOT open any drives with
Explorer until you're completed)





My problem now is that on trying to open the partitioned external hard
drive(s) Windows seems to be searching for the file boot.com, which I
manually deleted, and as a consequence, won't allow access to those
(affected) drives from "My Computer".

I get the message "Windows cannot find 'resycled\boot.com'.

What I can't quite understand is why I can now access the removable storage
drives (MMC card & flash drive) despite being similarly affected and after
manually removing the boot.com files from those drives as well.

The external HHDs do have a file autorun.inf which I deleted as suggested
but I got the same message as above, that Windows was looking for the (now
deleted) boot.com file. I have reinstated the autorun.inf file(s).

I'm looking for some advice on how I get around the problem of Windows
looking for this old (and deleted) virus file so I can access the external
HHD from "My Computer".

Mike
 
Back
Top