resycled/boot.com

20 September 2008

resycled/boot.com is a worm that propagates on local fixed drives and removable USB drives. It infects a drive by creating an autorun.inf file that runs a command each time the drive is accessed. The malicious files are copied to every drive attached to an infected computer.

Category: Worm

Risk Level: Medium

Aliases:

  • Trojan Horse SHeur.CODS
  • Trojan.DNSChanger

Technical Details

Characteristics:
“resycled/boot.com” is actually a computer worm. Once it infects a system, it scans for hard drives and removable devices, then drops the following files:
[Drive Letter]:\resycled\boot.com
[Drive Letter]:\autorun.inf

The attributes of these files are set to hidden, probably to conceal the worm's presence and prevent users from deleting them.

To load every time Windows starts, this worm adds the following registry entry:
HKEY_CLASSES_ROOT\videosoft

It also adds this registry entry to remove the “Help Menu” from the Start Menu:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp

Finally, it drops the following files, which apply a rootkit method and execute boot.com on the computer:
C:\WINDOWS\system32\lpkjhtyejnufhd.dll
C:\WINDOWS\system32\drivers\lpkjhnhjsythed.sys

Failure to locate the main file “boot.com” causes the worm to display a window containing this message:

C:\resycled\boot.com
C:\resycled\boot.com is not a valid Win32 application.

Distribution Method:
“resycled/boot.com” gets inside the system when a virus attached to a spam email message is executed. Other methods of propagation include illegal software downloads and malicious links from instant messaging applications.

Once inside the computer, this worm infects all fixed and removable drives. It executes itself by placing an autorun.inf file on each drive. Autorun is intended to load the worm when the infected drive is viewed or accessed.
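
The autorun.inf mechanism described above can be checked without double-clicking the drive. The following Python triage script is an added example, not part of the original write-up: it parses autorun.inf, flags launch entries that point at resycled\boot.com, and reports whether the hidden payload exists in a drive root. The function names and verdict labels are this example's own, the worm sample is constructed, and the Office sample is the legitimate file quoted in the comments on this page.

```python
import os
import re

# Indicator from the write-up above: the payload the dropped autorun.inf points at.
PAYLOAD = r"resycled\boot.com"

# autorun.inf keys that start a program (AutoPlay open, or a context-menu verb).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

# Constructed sample of an autorun.inf pointing at the payload (not a captured file).
WORM_SAMPLE = r"""[AutoRun]
;constructed sample
line without a key
open=RESYCLED\boot.com
shell\open\command=resycled/boot.com
shell\open\default=1
"""

# The legitimate Office installer autorun.inf quoted in the comments on this page.
OFFICE_SAMPLE = r"""[autorun]
OPEN=SETUP.EXE /AUTORUN
ICON=SETUP.EXE,1
shell\configure=&Configure...
shell\configure\command=SETUP.EXE
shell\install=&Install...
shell\install\command=SETUP.EXE
"""


def launch_targets(text):
    """Return (key, command) pairs for program-launching entries in [autorun]."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # tolerate junk lines instead of failing like a strict INI parser
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), value))
    return found


def references_payload(command):
    """True if the command mentions resycled\\boot.com, ignoring case and slash style."""
    return PAYLOAD in command.replace("/", "\\").lower()


def assess(text):
    """Classify autorun.inf content; verdict labels are this example's own."""
    targets = launch_targets(text)
    hits = [(key, cmd) for key, cmd in targets if references_payload(cmd)]
    if hits:
        verdict = "worm-autorun"
    elif targets:
        verdict = "launches-other-program"  # e.g. an installer or a flash-drive menu
    else:
        verdict = "no-launch-entries"
    return {"verdict": verdict, "hits": hits, "targets": targets}


def find_entry(directory, name):
    """Case-insensitive lookup; os.listdir also returns hidden and system entries."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    except OSError:
        pass
    return None


def decode_inf(data):
    """autorun.inf is usually ANSI; accept UTF-16 with a BOM as well."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def scan_root(root):
    """Report on one drive root. Read-only: nothing is deleted or executed."""
    report = {"root": root, "payload_present": False, "autorun": None}
    folder = find_entry(root, "resycled")
    if folder and os.path.isdir(folder):
        report["payload_present"] = find_entry(folder, "boot.com") is not None
    inf = find_entry(root, "autorun.inf")
    if inf and os.path.isfile(inf):
        with open(inf, "rb") as handle:
            report["autorun"] = assess(decode_inf(handle.read()))
    return report


if __name__ == "__main__":
    import sys
    for drive_root in sys.argv[1:]:
        print(scan_root(drive_root))
    if len(sys.argv) == 1:
        for label, sample in (("worm", WORM_SAMPLE), ("office", OFFICE_SAMPLE)):
            print(label, assess(sample)["verdict"])
```

Pass one or more drive roots as arguments to scan them; with no arguments the script classifies the two embedded samples.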

Recommended resycled/boot.com Removal Procedure

1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. The program will run automatically and you will be prompted to update it before starting a scan. Please proceed with the update to obtain the latest database necessary to detect and remove resycled/boot.com.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, then click on Remove Selected.

9. After removing the items associated with resycled/boot.com, the program will prompt you to restart the computer. Click Yes to complete the cleaning process.

10. When the computer starts, open Malwarebytes’ Anti-Malware. Go to the Quarantine tab and click on Delete All to fully remove all malicious items.

192 Comments »

  • 1 }
    webmaster (author) said:

    1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
    2. After downloading, double-click on mbam-setup.exe to install the application.
    3. Follow the prompts and install as “default” only
    4. Before the installation completes, check on the following prompts:
    – Update Malwarebytes’ Anti-Malware
    – Launch Malwarebytes’ Anti-Malware
    5. Click “Finish.” Program will run automatically and you will be prompted to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart your computer.

    Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

  • 2 }
    Denis said:

    I got rid of the problem by simply removing a file called autorun.inf from the root directory of my hard drive and it also worked for my USB memory stick when I removed the same file from the root of that drive.

  • 3 }
    :( said:

    Malwarebytes’ Anti-Malware didn’t work out

  • 4 }
    webmaster (author) said:

    Hi, What about Flash Disinfector?

  • 5 }
    josh said:

    lol, how the hell did i get this virus..
    My computers like a lil slut always contracting some kind of virus.
    Thankks webmaster

  • 6 }
    André said:

    Hello all,

    Since two days I have the same problem. I reinstalled Vista twice, however the virus was at the external drive. I tried several programs but none of them worked. I simply removed the autorun.inf file and the directory named resyceld (wrong spelling). It seems to be the work-around for this moment.

  • 7 }
    Antonaros said:

    Well, hi to everyone.
    I am using ESET Smart Security, and for 2 days I have had the problem that I can’t open my C: because of “resycled/boot.com”; it opens with just right click and explore. Then I searched the internet for what “resycled/boot.com” is, and I found out that it is a kind of worm, and I decided to disable my ESET from the system, and then I installed the avast anti virus. I updated the avast anti virus and then I scheduled a boot scan. Now I can open my C: with just a double click, BUT my external still has the problem. Any help PLEASE.

  • 8 }
    Aines said:

    where is autorun.inf located?? can someone post a way to it… plz

  • 9 }
    Minu said:

    This tool worked perfect. Thanks!!

  • 10 }
    CubeGuy said:

    If you can’t find the autorun file, go into your

    Tools > Folder options > View

    Check the “Display the contents of system folders” box.

    Then check the “Show hidden files and folders” bubble.

    Uncheck “Hide extensions for known file types”.

    Save the changes. You should now be able to see both the “autorun.inf” and the “resycle” folder. Delete them both and enjoy.

  • 11 }
    Smruti said:

    Hi,

    My computer is infected with smart anti virus 2009, because of which I am not able to the C and D drives of my comp. Also it has installed itself on my comp. Please tell me how to remove it. I am using ESSET Security…NOD 32..Not quite sure how good it is. Should I delete it and then install malwarebytes or can I run both simultaneously??? I am really tensed

  • 12 }
    Anonymous said:

    Malwarebytes had found it and put it in quarantine a while back. deleted file from quarantine, and scanned again. Found nothing, restarted computer. Still having symptoms.

    answers?

  • 13 }
    Anonymous said:

    nvm

    ran windows search for autorun.inf

    found a file containing:

    [autorun]
    OPEN=SETUP.EXE /AUTORUN
    ICON=SETUP.EXE,1

    shell\configure=&Configure…
    shell\configure\command=SETUP.EXE

    shell\install=&Install…
    shell\install\command=SETUP.EXE

    this the virus? found in C:\WORKSETUP\OFFICE
    ***HIDDEN FILE***

  • 14 }
    Anonymous said:

    nvm bout that too…

    turns out windows installer for office

  • 15 }
    jay said:

    CubeGuy,
    I and my fellow friends are writing this to tell you, you are the s*it!!! You saved us thousands of dollars easily. I would not know what to do if I lost my music, movies, and fine female films. lol.***Justin shouts in the back of the room to you,”you saved someone certain death for giving us this problem”.

  • 16 }
    Dr Zulfikar said:

    Malwarebytes’ Anti-Malware is a brilliant tool to overcome resycled\boot.com is not a valid win32 and its complication i.e. autoplay option in all drives…… really i could not believe that how much helpful this tool is …
    I am 100% satisfied with this software … it works totally upon our required criteria.

  • 17 }
    edwin raul said:

    I want to remove a virus called a trojan

  • 18 }
    quickeye said:

    OK CubeGuy,
    So I’ve done what you said: If you can’t find the autorun file… but now what? Where do I go to delete the files? I still can’t find them on my external drive. Please help! I need to access my pictures (it’s for our company!) You seem to be the guy that knows!

  • 19 }
    Chris said:

    I did it, but when I try to open up C:, it says something like…Windows cannot find resycle\boot.com. BlahBlahblah

  • 20 }
    frank said:

    got the same problem. if you right click on cdrive and choose explore it should let you seek your files.

  • 21 }
    Chris said:

    I removed it, along with 20 other viruses on my computer, but when I restarted it, I got a msg like “Computer cannot find C:\Windows\system32\hal.dll”.

    I fixed it by repairing my computer files with Windows XP SP2 repair installation.

    Now, when I scan it, it has 20 less viruses, but I STILL have boot.com, and autorun.inf for boot.com…

  • 22 }
    ACS said:

    I resolved this problem by,
    1) BOOT the computer in safe mode.
    2) Delete the autorun.inf file which would be present in all the drives.
    3) BOOT the pc normally now.
    4) The virus would be gone.
    5) Stay happy *__*

  • 23 }
    HIPO said:

    This thing with safe mode worked for me,thanks a lot

  • 24 }
    The Albatross said:

    Read these completely before starting.
    autorun and resycled are usually hidden so you need to enable view hidden files
    Until the problem is fixed DO NOT dbl click any drive in MY Computer, right click-’explore’ to view it instead
    then:-
    1] delete autorun.inf and the ‘resycled’ folder.
    2] Do a regedit search for ‘resycled’ then ‘boot.com’ delete what it finds.
    3] Check ‘windows\system32\dllcache’ for boot.com
    4] Check ‘windows\prefetch’ for boot.com or just clear it
    5] Clear your ‘local settings\&user&\temp’ folder
    *ATF cleaner will clear 4&5 for you.*
    6] In XP & lower put in all your suspected flash drives while pressing the shift key- wait for 15secs then release shift & open the flash drive in My Comp using method as above.
    In Vista disable autorun/autoinsert completely as the shift trick don’t work apparently (dunno how, never used Vista crap)
    7] delete resycled and autorun.inf

    ** BE AWARE – autorun.inf is used for some menu loaders on flash drives so they will stop working. Instead edit the ‘open=’ to point to the menu exe instead of resycled\boot.com **

    If none of this makes sense you should not have a PC as they are too complicated for you. Get a PC geek/nerd dude to help you

  • 25 }
    Majestyk said:

    Here’s the REAL way to clean this off your system. You should do these steps after a fresh reboot or in safe mode.

    1) Navigate to the problem drive(s) via the Explore option.

    2) Click on TOOLS -> FOLDER OPTIONS

    3) Click the button which says ‘Show hidden files and folders’.

    4) UNCHECK the following boxes:

    Hide extensions for known file types
    Hide protected operating system files

    5) Find and delete the autorun.ini file and the resycled folder on the root directory of all affected drives.

    6) Check “c:\windows\system32\dllcache” for boot.com file and delete it if present.

    7) Check “c:\windows\prefetch” for boot.com file and delete if present.

    8) Delete all files from c:\windows\temp

    (Some files may not delete, that’s ok, they’re in use by the system and not virus files.)

    9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local Settings\Temp

    (Again, a couple files may not delete, don’t worry.)

    10) Run Regedit

    11) Make sure you are at the very first entry of the registry hive. (My Computer should be highlighted) then click EDIT -> FIND

    12) Search for “boot.com”. If it finds an entry, delete it. Keep hitting F3 until you’ve deleted all instances of boot.com in the entire registry.

    13) Scroll the left column back up to the top and highlight the My Computer again at the top of the registry hive.

    14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step 13, deleting the entries as it finds them. (I found 2 of each)

    15) Close registry editor and try opening the infected drives. They should work now.

    Worked for me at least. I ran NAV2008 2 times on it and it was able to find the files but unable to remove them for some reason. Doing this, seems to have completely resolved the issue for me.

    Good luck!

    -Maj

  • 26 }
    Majestyk said:

    *NOTE*

    I had this issue on 3 hard drives on my system, not on removable drives. Check the instructions in the post previous to mine for issues you might be having on removable drives. This process works for them too but like The Albatross said, some removable drives actually use an autorun.inf file so you may have to modify it to get the drive back to its normal state.

  • 27 }
    kashif said:

    Majestyk
    October 15th, 2008 at 11:50 pm

    The Albatross
    October 15th, 2008 at 3:12 pm

    CubeGuy
    October 8th, 2008 at 4:30 pm 10

    You 3 guys are from the good guys, the procedure you wrote is true and it works. GOD bless you ALL.

  • 28 }
    Rambo said:

    Hi Guys
    My problem is solved; I deleted those files from safe mode.

  • 29 }
    Laurence said:

    GOD bless you Albatross it did work …..and thank you for all guys who spending time and writing for others…..
    GOD BLESS YOU ALLLLLLLLLLLLLLLLLLLLLLLLLLLLLL

  • 30 }
    Sadegh Rezaei said:

    Here’s the REAL way to clean this off your system. You should do these steps after a fresh reboot or in safe mode.

    1) Navigate to the problem drive(s) via the Explore option.

    2) Click on TOOLS -> FOLDER OPTIONS

    3) Click the button which says ‘Show hidden files and folders’.

    4) UNCHECK the following boxes:

    Hide extensions for known file types
    Hide protected operating system files

    5) Find and delete the autorun.ini file and the resycled folder on the root directory of all affected drives.

    6) Check “c:\windows\system32\dllcache” for boot.com file and delete it if present.

    7) Check “c:\windows\prefetch” for boot.com file and delete if present.

    8) Delete all files from c:\windows\temp

    (Some files may not delete, that’s ok, they’re in use by the system and not virus files.)

    9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local Settings\Temp

    (Again, a couple files may not delete, don’t worry.)

    10) Run Regedit

    11) Make sure you are at the very first entry of the registry hive. (My Computer should be highlighted) then click EDIT -> FIND

    12) Search for “boot.com”. If it finds an entry, delete it. Keep hitting F3 until you’ve deleted all instances of boot.com in the entire registry.

    13) Scroll the left column back up to the top and highlight the My Computer again at the top of the registry hive.

    14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step 13, deleting the entries as it finds them. (I found 2 of each)

    15) Close registry editor and try opening the infected drives. They should work now.

    Worked for me at least. I ran NAV2008 2 times on it and it was able to find the files but unable to remove them for some reason. Doing this, seems to have completely resolved the issue for me.

    Good luck!

    -Maj

    Majestyk
    October 15th, 2008 at 11:54 pm 26

    *NOTE*

    I had this issue on 3 hard drives on my system, not on removable drives. Check the instructions in the post previous to mine for issues you might be having on removable drives. This process works for them too but like The Albatross said, some removable drives actually use an autorun.inf file so you may have to modify it to get the drive back to its normal state.

  • 31 }
    mk said:

    You save me a lot of time Majestyk & The Albatross.
    Thank you.

    you seems the first to give the solution, didn’t find in other forum.

  • 32 }
    Richard said:

    Hi Majestyk
    I want to thank you for your detailed description on removing Resycled/boot.com: It worked great, thanks again.

  • 33 }
    steady eddie said:

    thnks evry 1 for help with the annoying damn boot.com wiggly virus. i’ve had problems with this little blighter for a few days, and trying get rid of. thnks again everyone

  • 34 }
    Dr Ali said:

    MR. Maj

    I follow your commands regarding boot.com and rescycled in regedit and I found such files at logical drives and I delete them. After that it works perfectly but when I restart the system or reboot the system again such files were there at same location. I apply same rules in Safe mode as well but again when the system restart such files were at their own place.
    Kindly provide suggestion. I will be thankful to you as I am doing some important work in my PC so such script make me in trouble.

    I m waiting for your reply / solution.

    Thank you

  • 35 }
    idgas said:

    I followed Mr. Majestyk’s solution but nothing happened. I repeated it via safe mode and it worked! But first I did this:

    1) Found the autorun.inf (c:\autorun.inf)
    2) Clicked right click over it
    3) I UNchecked the “read only” file (I couldn’t save it otherwise)
    4) I opened the file
    5) I erased the content (completely)
    6) I saved the -now empty- file
    7) I entered safe mode (after a restart of course)
    8) Did Mr. Majestyk’s solution. And it worked!

    I’m not exactly sure if mine procedure was a coincidence or not. Maybe a successful combination of both…?

    Good luck to everyone! Hope I helped!

  • 36 }
    dusty said:

    hi i have deleted the files but i still can click on the drive
    it keeps saying “this files do not have a program associated with it for performing his action, create an association in the folder option control panel..

    how i do it

  • 37 }
    Amir said:

    Sadegh Rezaeii, well done, brother

  • 38 }
    George said:

    The problem is this, the malware boot.com, etc mentioned above can be removed by the method shown, and THANK you guys for providing it. You have done a great public service. However what else I found out is that, at least under my circumstances the Kaspersky AVP.exe bug as shown in the taskmaster window, when trying to use Kaspersky to remove the problem (even with their free “scripting” bug removal service) causes the avp.exe file to run and run, sometimes in multiple instances, running the CPU up to 100% and stopping the machine. Answer is to use the process described above and stay away from Kaspersky for this one.

  • 39 }
    Richard said:

    i got rid of this problem by copying all the files on to my friends hard drive n i’ve formatted my 500 gb hard drive n reinstalled the XP..

  • 40 }
    champry89 said:

    i love u guys…. thk…!!!!

  • 41 }
    chetan khot said:

    plz, send me virus removal command urgently. b’coz in my pc ”New folder.exe” virus.
    i hope you send me virus command[utility].
    thank you.

  • 42 }
    chetan khot said:

    who is best anti virus software, means he detect & quickly delete or take action.
    plz,reply me.

  • 43 }
    Mr Green said:

    Also worth mentioning is that drives are REALLY accessible AFTER a reboot…

    I found out that some connections had to be restored, which eventually happened after the reboot.

  • 44 }
    yeops.. said:

    tq, this sfwr hv done a gud job!! haha…

  • 45 }
    parambir said:

    well the software given by the webmaster is of great use

    you should try this
    thanks webmaster

  • 46 }
    ToNi said:

    Good one Sadegh Rezaei

    The Registry suggestion was the only way to remove the thing. Fast easy and accurate. bye bye *resycled*

    Thanks mate

  • 47 }
    Drekcpekc said:

    It worked for me with safe mode way. It has removed it completely. Thanks guys for advices.

  • 48 }
    Ori said:

    Hi guys, just to tell you if, when you delete the virus it keeps coming back, simply delete it then restart your computer quickly. It’s what i did.

    Thx, Ori

  • 49 }
    noname said:

    you didn´t get this problem if you haven´t a computer !!!
    nice evening…..

    sincerely, noname

  • 50 }
    paupau said:

    All thanks go to The Albatross and Majestyk. Awesome

  • 51 }
    jb0t said:

    Just tried the solution today and it works…Thanks MAJESTYK!

  • 52 }
    Dark said:

    This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.

    help me …
    i deleted the boot.com
    but resycled is not found …

    then i try came this error !!

  • 53 }
    idan said:

    Hi
    thank very much Mr. Maj (comment 25)

    That was very helpful to me.. but only after restart which you didn’t mention as needed.. But thank man!

  • 54 }
    RI said:

    Thank you very much Mr. Majestyk

    It worked for me as well, but after restart.

    Thanks again.

  • 55 }
    milmool said:

    Majestyk!!

    It works.

    Thank you.

  • 56 }
    Elie said:

    Im a bit stuck, i have deleted as suggested and gone through the steps but now i cannot explore my external drive…any help would be gd thanx

  • 57 }
    Shane said:

    I Love You Majestyk!!!!!!!! it works!!!!!!

  • 58 }
    Shane said:

    Majestyk. it works

  • 59 }
    Elie said:

    please help cant get the external hardrive to run anymore, but the other drives work fine thanx for post

  • 60 }
    Jerónimo said:

    Thanks guys it works deleting de resycled folder and autorun.inf file

  • 61 }
    maj1ka said:

    be aware that these virus folders replicated on ALL my partitions, not just the root drives.

    autorun.inf/boot.com/recycler/resycle/a/system volume information

  • 62 }
    Josh Day said:

    Here is what I did: I went to My Computer, it wouldn’t let me open my main disk. I’m sort of a computer type of person, so I tried to do it myself, and I did. Right click on the drive, press explore, it should then show you your drive’s content, find a file called “autorun.inf”, delete it. Also, if you see a file called “resycled”, it should have an app in it called “boot.com”; go back and delete the file “resycled”. DO NOT RUN THE APP “BOOT.COM”!!!!!!!!!!! Another way is to press start and go to search, search for both of those two names. When deleting a file called “autorun.inf” from the search, make sure that inside it says something about running shell boot.com, then delete that “autorun.inf” file. Same thing with flash drives. I have two hard drives built in, it only fixed my main one, which is all I care about, but to get into the other, just right click and explore. But the virus is still gone.

  • 63 }
    Bas said:

    - first run Malwarebytes’ Anti-Malware
    - then run Bootfix after 1

  • 64 }
    crunchywolf said:

    Sorry to repeat, but I recently discovered that I had this problem on my laptop and my new ext HD. Now, my laptop won’t let me log into XP (I log in, and it immediately logs me back out again). I ran a diagnostics test and I get a Start DST Short Test — Fail. Error code is 100-0146. I realize that’s bad because I’ve already Googled it, but I am wondering if the DST fail is related to this worm. I can’t log into Windows (tried safe mode and previous config already) to run the utility on my C: (which seems to be done for), but unless someone says differently, I am going to run it on the external from my mom’s Mac. Or can i just delete the resycled/boot.com and autorun.inf files?
    Thanks and sorry again, my problem is unique to me even if it is very similar to others already posted.

  • 65 }
    crunchywolf said:

    Okay, read the posts better and I think I can take care of the ext HD.

    However, if my failure to log into windows is related to this problem, it would be TOTALLY GREAT if one of you knew a secret to get me into windows so i can follow the steps on post #25.

  • 66 }
    Kamrul said:

    I got rid of recycled/boot.com using Malwarebytes’ Anti-Malware and then Flash Disinfector.

    Thanks to all

    Kamrul

  • 67 }
    Kurva said:

    I am not able to see the files of rescyled, boot.com in the drives. I tried several times in safe mode, and even if I selected the option “show hidden files and folders” I am not able to see the hidden files, so please guide me, my friends, I urgently need to delete those files..

  • 68 }
    Wagner G. said:

    MAJESTIC I LOVEEEE YOU IT WORKED SO PERFECTLY I LOVE YOU!!!!
    THANK YOU VERY MUCH !!!

  • 69 }
    resycled/boot.com remove said:

    How to del this virus its easy i was also lil bit confuse but i made a solution first of all
    1)download zip file http://www.cafedejavu.com/srk/resycled.boot.com remover.zip

    2)Extract autorun.inf

    3)Then open My Computer

    3)OPEN THE DRIVES ONE BY ONE from using this method http://www.cafedejavu.com/srk/solution.JPG

    4)THEN COPY AND PASTE THE autorun.inf FILE INTO THE DRIVE IT WILL GIVE MESSAGE TO REPLACE THE FILE SELECT “YES” the virus will not remove without restarting your computer

    SAME STEPS WITH ALL DRIVES
    5)Restart Your After Making All Steps
    InshAllah Your Comp Virus Will Remove

  • 70 }
    Perexemple said:

    It works!
    Eureka!
    Thanks from Barcelona, friend Majestyk!!!! ;)

  • 71 }
    Argus said:

    Thanks Webmaster. Flash Disinfector removed the problem and got me back my drives. Now to run a virus scan and never go on the internet ever, ever again.

  • 72 }
    Darren said:

    sry guys prob here…i removed the virus alrdy but now i cant boot my drives properly… under folder options–>file types—>drive—>advance, i found out the default action is find instead of explore…thus now when i click my drives they go into search results(find option with the dog) explorer instead…i’m afraid i have deleted the boot keys along with the virus…can anybody help????

  • 73 }
    GustavusMagnus said:

    This PITA finds its way into portable MP3s (seems to have a real affinity for iPods!) Be sure to attach your portables, and removable camera media, and disinfect them. It took me a couple of rounds with it before I found the hidden autorun.inf in portable was reinfecting system.

  • 74 }
    Nas said:

    I was unable to do a safe start, tried pumpin f8 , f5, f12, f10, shift/del , shift/tab etc. Woulda pumped the neighbor if thought woulda helped.
    I followed the steps and seemed to get it out.
    had something re-occurring in the msconfig wouldnt’ go down kdrqs.exe (could be wrong on that , can’t tell you now cuz is out) … i found it in the registry as well…. and deleted all the crap that went with it. Now I don’t know if that was smart or not. I coudn’t find nuffin on the darn thing but i knew that it was a recurring pain in my butt and it wouldnt’ leave the config and the Malwarebytes’ didnt’ seem to be likin it much so i said heck w/it. I think i’m alright as far as most things go…. have to still restart the system…. right now the drives / c – d- e- g all if double click turn to search engine. After reboot i’m hoping tis better.

  • 75 }
    Nas said:

    Okay I got the virus(s) but …. now the C, E, and G, and the dvd, flop, n all, when double click go to the search as if i clicked start/search…… any clue on remedy for that shizzle ?

    Thanks in advance for helpin the dummy (me) and great info on this to help out….. great help here always, but first time i actually wasn’t lazy enough to type.

    Thanks to Maj and Alb and all the comments that gave me drive to do it
    Peace and hope someone can stop my search thing… but will use the explore for while till figure it

  • 76 }
    banjogoose said:

    Save yourself time and follow steps on #25. Easy to follow instructions, and will work. Thank you very much Majestyk!

  • 77 }
    Darren said:

    Nas i got the exact same problem as you…can anybody help us with that prob…

  • 78 }
    Dodger said:

    I too had that virus trojan agent.aiby that when it got cleaned out by Avira Antivirus, my c: drive would not open. Went to softpedia.com and downloaded Disk Heal 1.46, ran the tool clicked on fix C rebooted pc and problem was truly fixed. You don’t have to search or look for any files.

  • 79 }
    greenmoss said:

    Thank you Majestyk. I tried everything. How come PCGuard and other virus removers cannot take it out?

    Many thanks once again
    greenmoss

  • 80 }
    The Good Ol Pal said:

    Okay, I have tried Majestic’s steps, it succeeded! Thanks! But…I got 2 drives, C and E; the C’s Resycle folder and autorun.inf are gone, but at the E:\ drive, it’s still there. Though I have deleted everything at the registry, the resycled folder still exists at the E: drive, but it’s 0 (zero) KB (I think because I deleted a lot at the Registry), but now I got this notification ”The File does not have a program associated with it performing this action, create an association”. Can someone help me please :D …

  • 81 }
    The Good Ol Pal said:

    And if i may know, Do these Boot.coms are dangerous? Harmful? does it really makes us crazy? , is it okay and just stay like that if we do nothing to delete it? really wanted to know! ^o^y Thanks

  • 82 }
    The Good Ol Pal said:

    sorry, i meant, is it okay to left the virus there for awhile and we do nothin? will it do something to our computer that would drive us crazy?

  • 83 }
    JJ said:

    I followed all the steps from msg #25m and it worked. However, somehow, after reboot, the default action for double clicking a drive was set to ‘find’ instead of ‘open’.

    (Before reboot I had the error that no program was associated with the action or something like that)

    I fixed this by doing the following:

    Folder options -> tab ‘File types’ -> select ‘Drives’ -> click button ‘advanced’ -> click ‘new’, in the box, type ‘open’; in the box ‘application used for action’ browse to explorer.exe in the windows folder. Click OK, then again OK, then Apply and OK.

  • 84 }
    Michael said:

    Listen, guys.. this is simple.
    Go into your registry editor (windows key+r) type “regedit” without quotes, do a search for ‘resycled’ without the single quotes, you’ll find it in an obscure folder which is actually a part of windows’ root core, and it’s telling windows when you try to browse a hard drive then look for the c:\resycled\boot.com – delete this entire subroutine (after backing UP!!!) for each hard drive you have (just hit ctrl+f again if you’re too stupid to find it on your own) and voilà, don’t even have to restart!

  • 85 }
    damkick said:

    Use Kaspersky free online virus scanning..it will work 100%. I am real happy for at last it worked for me…..it is the best solution, it will remove the resycled/boot.com forever from your system…I have been waiting for a month and a half to remove this shit from system….finally it worked for me….try this one my friends….it will work….but be patient when the scanning is going on, it will scan each and every file in your system.. so it will take a long time of scanning, depending on your Internet connection speed…….

  • 86 }
    Ana said:

    I have this problem too and I’ve tried Majestic’s way but I can’t find any of these files, no boot.com, no resycled, and the only autorun.inf is in my nero ……

  • 87 }
    Zaiba91 said:

    Here’s the full way to get rid of this virus:

    1) Navigate to the problem drive(s) via the Explore option.

    2) Click on TOOLS -> FOLDER OPTIONS

    3) Click the button which says ‘Show hidden files and folders’.

    4) UNCHECK the following boxes:

    Hide extensions for known file types
    Hide protected operating system files

    5) Find and delete the autorun.ini file and the resycled folder on the root directory of all affected drives.

    6) Check “c:\windows\system32\dllcache” for boot.com file and delete it if present.

    7) Check “c:\windows\prefetch” for boot.com file and delete if present.

    8) Delete all files from c:\windows\temp

    (Some files may not delete, that’s ok, they’re in use by the system and not virus files.)

    9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local Settings\Temp

    (Again, a couple files may not delete, don’t worry.)

    10) Go to Start -> Run -> Regedit

    11) Make sure you are at the very first entry of the registry hive. (My Computer should be highlighted) then click EDIT -> FIND

    12) Search for “boot.com”. If it finds an entry, delete it. Keep hitting F3 until you’ve deleted all instances of boot.com in the entire registry.

    13) Scroll the left column back up to the top and highlight the My Computer again at the top of the registry hive.

    14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step 13, deleting the entries as it finds them. (I found 2 of each)

    15) Close registry editor and try opening the infected drives. They should work now.

    If when you go to open the problem drive(s) but get the message ” has no file extension associated with it”, Follow These Steps:

    1) Go to Tools -> Folder Options -> File Types
    2) Left click ONCE on the Drive option and go to Advanced
    3) If you only see ‘find’ in the editbox, click on New. For the action, type in Open. For the application, navigate to C:\WINDOWS\Explorer.exe. Then click Ok to create the option, highlight the Open option in the editbox and click on the Set Default button. Then click Ok, Ok, then double-click on the problem drive(s) and they *should* open upon being double-clicked.

  • 88 }
    Darren said:

    thx JJ and Zaiba91 for helping solve the “find” problem..it worked for me too…THX lots again

  • 89 }
    Rob said:

    Had the same problem 20 mins ago. Here’s what I did…

    System Restore to a date before infection.
    Turn off system before it reboots.
    Booted from “Ultimate Boot CD”, deleted autorun.inf resycled folder from drives/partitions where I had system restore disabled.
    Deleted all of Temp folder.
    Rebooted.
    Waited 10 mins to see if it appeared on any of my drives.

    …Seems to have worked. Bit weird it’s been two months and still antivirus programs don’t seem to pick up on it though. It’s not even like it’s hard to remove it or notice it? A resycled folder appearing in the root of any drive should send alarm bells ringing to every antiviral program out there IMHO.

  • 90 }
    Romeo said:

    Hi, I normally don’t post but I found this to be very helpful. Booting in safe mode worked perfectly for me.

    All you need to do is boot in safe mode, right click on each drive and hit explore. You should be able to see the hidden files with extension “autorun.inf” and just delete it. I hope this helps

  • 91 }
    Munja said:

    Zaiba91’s solution works great! Thanks…

  • 92 }
    MrNoHelp said:

    I have resolved the resycled/boot.com problem. My hard drive D: encountered this problem.
    I searched in regedit for files resycled and boot.com. I have deleted all related registry keys…Please note that if you have HDD (drive C: for example) problems:

    The first boot.com registry value is under some series of numbers like this

    (98xas1324987) – Shell

    The second boot.com value is found under subfolder for drive C:

    C: – Shell

    You must delete the Shell folder, because this worm made your C: drive an autorun and thus showing the error message: C:\ is not valid Windows 32 application
    When you delete the Shell subfolder of C: IN THE REGISTRY, the problem is partially eliminated. After you delete the Shell folder…You will find another Boot.com further in the registry…Once you delete the final file…The problem is fixed.

    One thing that bothers me is that although I know how to fix that problem, I am still having problems deleting the virus/worm permanently. For some reason it keeps appearing over and over again.

    I tried three programs for spyware/adware/worm detection, but none of them managed to find the infected files.
    I used Spyware Doctor, SUPERAntiSpyware, and Malwarebytes’ Anti-Malware…
    Can you recommend me a program that can potentially find the infected file and remove it?

  • 93 }
    Khozema said:

    I used Malwarebytes’ Anti-Malware and it helped. It removed all the viruses but there’s a problem I’m facing in spite of clearing all the viruses. When I open the drives C, D, E and F, they always open in a new window whereas folders on these drives work fine and open in the same window. Why is that? And is there a way to make the drives open in the same folder?

  • 94 }
    Charanjit Singh said:

    Hello Folks,

    I should tell you this: what my antivirus couldn’t do, your blog has done.

    My computer was infected, and the virus is gone after deleting the recycled file from registry.

    Thanks

  • 95 }
    Ujjwal said:

    Thanks a lot! It worked. THIS IS WHAT I DID..!

    1.Open windows explorer
    2.Tools>>Folder Options do the following
    a.Under view tab,
    b.Select show hidden files and folders
    c.Uncheck hide extension for known files
    d.Uncheck hide protected operating system files.
    3. following contents will be displayed.
    autorun.ini & resycled
    content of autorun.ini
    [autorun]
    ;fcxqliqxfgruqnvpxktnjeachtuiaabimynygj…
    shellexecute=”resycled\boot.com k:”
    ;mewuufagzvgghobxeijslondejidwkupwcs…
    shell\Open\command=”resycled\boot.

    KILL DELETE SECURELY THESE TWO THINGS
    1.AUTORUN.INI FILE 2. RESYCLED FOLDER

    4.Close windows explorer and reopen.
    5.You can access your drive on double click.
    6.I use McAfee Total Protection. I DON’T KNOW WHAT TYPE OF ANTIVIRUS THIS IS WHICH COULDN’T BLOCK OR DO ANYTHING. IT REALLY SUCKS….!
    7.THANX A LOT FOR THIS CONTENT ON THIS BLOG.

    ~Uj
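
The autorun.inf lines quoted in the comment above can be checked mechanically. The following is an added example, not code from the thread: a small Python parser that skips the `;` padding lines and lists every directive that makes Explorer launch a program. The sample files, function names and the extension list are assumptions made for illustration.

```python
import ntpath
import re

# [autorun] keys that make Explorer start a program when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXT = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs"}
QUOTES = "\"'\u201c\u201d"  # straight and typographic quotes (web copy-paste)

# Constructed sample modelled on the lines quoted in the comment above.
INFECTED_SAMPLE = r'''[autorun]
;qxvlpzkjwhtrnbmc constructed padding line
shellexecute="resycled\boot.com k:"
;ywdmsoafgeiunhqt constructed padding line
shell\Open\command="resycled\boot.com k:"
'''

# Constructed sample of a harmless autorun.inf that only sets icon and label.
BENIGN_SAMPLE = r'''[autorun]
icon=drive.ico
label=Backup
'''


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping ';' comments."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip().strip(QUOTES).strip()
    return entries


def assess(text):
    """Summarise what an autorun.inf would launch when the drive is opened."""
    directives = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            # First token is the program, the rest are its arguments.
            # Simplification: assumes the program path contains no spaces.
            tokens = value.split()
            directives.append((key, tokens[0] if tokens else ""))
    exe_targets = sorted({target for _, target in directives
                          if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXT})
    padding = sum(1 for l in text.splitlines() if l.strip().startswith(";"))
    return {
        "launch_directives": directives,
        "executable_targets": exe_targets,
        "comment_lines": padding,
        # On a data or USB drive, any launch directive deserves a manual look.
        "needs_review": bool(exe_targets),
    }


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess(sample))
```

A legitimate installer CD also uses `open=`, so `needs_review` marks a file to inspect by hand, not a verdict.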

  • 96 }
    alhosam sa said:

    I have the same trouble

    Thanks everybody, and special thanks to those who had the solution

  • 97 }
    I tried it and worked! said:

    I tried this one and worked perfectly:

    tools>folders options>view>
    check>show hidden files
    uncheck>hide protected operating system file

    after that delete:
    Resycled + Autorun.inf

    everything goes well and have a nice time!

    note: I’m using NORTON INTERNET SECURITY and it failed to even detect it…

  • 98 }
    AR – Thank you said:

    This solution is fantastic. Thank you for your help. Just would add (after following instructions – reboot). I need another solution along the same instructions to another problem. I have added another thread and hope you can help.

  • 99 }
    Hato said:

    Hi, I do not know why these people create this monster, this god-knows-mentally-ill-retarded-people-with-trojan-infested-ideas-for-fun. Thanks to your advice, I managed to clean all the trojans autorun.inf +resycled folder (which it infected after I formatted and installed my new WinXP, sigh). I wanted to share from my experience just now.

    If you have more than 2 hd, REMEMBER! make sure you check ALL of the harddisks and partitions (I have 2 hd with 5 partitions). It really made me go crazy today, thinking what’s the problem even though I just formatted my hd and installed fresh Win. Check thoroughly and forget about McAfee, Norton, ESET or whatsoever AV you have installed, they won’t help you out.

    Except use your head and your eyes, and read the post here. Read everything. If you can’t find the hidden files, make sure you check under Tools|Folder Options|View select “show hidden files” and uncheck “hide protected operating system files” which eventually you may find the trojans hidden in ALL your physical hd. And also check inside your registry, find and delete this trojan. I noticed that my registry is unusually big after the trojan attack, but once I deleted all the boot.com, autorun.inf and resycled, eventually my system was back to normal.

    My infected registry backup size is 29,045MB! and I understand something is wrong but with a little patience, I managed to restore that to only 39KB, the actual size for any fresh installed Winxp. But I feel I still need to reformat again once I backup my huge files, (over 200GB of personal work).

    Thanks to ACS, Majestyk & The Albatross and Sadegh Rezaei.

    Thanks again!

  • 100 }
    aX said:

    All – Sorry to be the bearer of bad news, but you may very well not be fixed. If it’s anything like the one I’m in the middle of investigating, it’s a lot harder to clean than just deleting a few files.

    I have a sample which looks similar to what’s being reported, but boot.com is just the infector. When it’s executed, it installs itself as a service, and hides its main files and registry entries from the Windows API.

    An easy way to check to see if you’re still infected:

    Start –> Run, then type: cmd

    From a DOS prompt, type:

    dir c:\windows\system32\msqpdx* /s

    If you see any entries at all, you may still be infected. A lot of the AV vendors are just getting these samples now, so hopefully they’ll be detecting and cleaning this infection, shortly.

    Best Regards,

    aX

  • 101 }
    Katron said:

    Special thanks to Majestyk. This step by step removal of boot.com / resycled saved me a lot of payne. I owe you big time… :-)

  • 102 }
    ALI SHAN said:

    A Bunddddddle of THANKSSSSSSSSSS!!!!!!!

    To share a goooooooooood thing like that!!!!!!!!!

  • 103 }
    K0M3T said:

    thank u guys

    thanks to all your explanations I removed the worm and now I can have access to c: and d: ;-D

  • 104 }
    Baha said:

    Thank you !!!!!!!!!!!!!!!!!!!

  • 105 }
    Apoc said:

    Thx a lot for the information, spent a long time trying different removal tools to no avail… alas I came across this helpful thread and voila…!!! I have access. Like Ax stated above however… I suspect this is part of a problem now on the computer… Anyone have any ideas how these files arrived: email or websites or what not???

    Peace

  • 106 }
    Tidotistism said:

    Hi!
    My name is Jessika!

  • 107 }
    Saitek79 said:

    Hey, listen, this is what I found out. Follow what UJJWAL SAYS. Do instructions 1-3 about showing the hidden files. Once the files are shown, you do not have to delete the Autorun.inf file. What you do is delete the resycled folders (on all your drives). Now for the Autorun.inf files (this has to be done on all drives): right click the autorun.inf, hit properties, uncheck the read only, and it will restore the autorun.inf.

  • 108 }
    Trajko said:

    I did it step by step following Majestyk’s guide, but now when I open a drive it opens search instead of the drive

  • 109 }
    Ali said:

    Hey all... Just download Malwarebytes’ Anti-Malware, update it and scan your system. It will restart automatically and you can open your drives. Thanks to whoever gave us this antivirus ~ Malwarebytes’ Anti-Malware ~

    It worked awesome.

    Once again thanks everyone :)

    enjoy

  • 110 }
    Govin said:

    Use 7-Zip. Yes, open it. Open the infected drive and locate rescycled\boot.com and delete it. If autorun.inf doesn’t cause a problem don’t delete it. Once I deleted it and Windows didn’t boot. I had to reinstall Windows!

  • 111 }
    Prasad–Kerala said:

    I had downloaded “Malwarebytes’ Anti-Malware”, but it was of no use and just wasted our time & effort…
    I got a tiny piece of software which destroys all types of malware, adware & other severe threats… the application is an
    “Antirootkit”, which does not need any installation..
    The process is very simple: we only need to run the application ……….
    Thus I eliminated all the threats & problems caused by the presence of autorun.inf in the root directory

    AND MY LOCAL DRIVES NEVER SHOWED THE MESSAGE “resycled/boot.com is not a valid Win32 application” and my drives open with just a double click!!

    *** Mail me those threats from “resycled/boot.com”***
    *** My ID is “cinnabar143@yahoo.com ” *****

    I’ll mail you the prescribed application……….

  • 112 }
    lyncalvin6969 said:

    I followed the advice given by “MAJESTYK” on the removal of the resycled trojan. It worked. Now I seem to have another problem. I can’t get my ISO software to run. It will mount on the virtual drive, however it will not install when I click the install button. I have totally reformatted every drive in my machine. I have also reinstalled the XP Professional OS. I mount the ISO image using Daemon tools or Alcohol, the image mounts, I press install and nothing happens. HELP!!!!!!

  • 113 }
    nick said:

    thanks Majestyk great simple easy answer seems to have solved the rescyled bug

  • 114 }
    Iustin said:

    THANX 2 ALL.Really helped.

  • 115 }
    Ralph said:

    Thanks a lot!!!

  • 116 }
    tuckstar said:

    PROBLEM WOULDN’T GO AWAY, UNTIL…
    I did everything that maj suggested and I still had the problem come back again and again.

    Then I found this solution from Bill Blanton
    ——————————
    Open a cmd prompt. Start > Run… [type in] cmd > Ok
    At the prompt, enter the following commands:

    attrib -h -r -s C:\Autorun.inf

    del C:\Autorun.inf

    attrib -h -r -s D:\Autorun.inf

    del D:\Autorun.inf

    etc.

    (do this for every drive letter (C: D: E: etc) and do NOT open any drives with
    Explorer until you’re completed)
    ————————————-

    that solved my problem

  • 117 }
    Reza said:

    I agree with Tuckstar. That’s done !!!

    I restarted first, and tried to boot in safe mode, but the system hung. I didn’t understand why???

    When I restarted again in normal mode, followed Tuckstar’s instructions, and restarted again, it was solved.

  • 118 }
    Soup said:

    A word of warning about this. The suggestions of Majestyk to remove this minor annoyance will work. However the problem may at that point really begin. It’s a minor nuisance and apart from that it all seems normal. When it’s gone all seems normal and one gets on with whatever, thinking that it was the work of some “scriptkiddie” with little else to do. This may not be the case. What else came with this simple problem, what else is happening now that you are not on high alert? Mine came with a DNS changer and a few other things I don’t know the purpose of. I arrived at this page looking for answers beyond what this discussion is focusing on because I had “fixed” my machine then carelessly put it into a new XP install we had set up for a Linux user. When I came home I ran Malwarebytes and found more. Ran DrWeb and found more. Still don’t know if I’ve got it but I do know that the machine set up for the Linux person still has whatever it was/is. Good luck people and browse safe (no pun intended if yer using IE)

  • 119 }
    David said:

    boot.virus affects Explorer through the registry. It adds mount points to all of your fixed and removable drives. To remove these registry entries first plug in all usb drives you have. Go to START menu, RUN, type: regedit then OK. HKEY_CURRENT_USER –> Software –> Microsoft –> Windows –> CurrentVersion –> Explorer –> MountPoints2. In this section you will find all your drives and how they run when inserted or double clicked. Go through each one of them and clean them out by deleting all the values that include “rescyled/boot.com”.
    When this is done go to your usb drives, right click – explore. On top menu tools – folder options – view – show hidden files and deselect Hide protected operating system files. Explorer will alert you about this change, click ok. On each of your drives, including fixed (“C:/”) and external, delete the rescyled folder and Autorun.inf.
    Basically we have stopped the virus from launching by this time but it is still there. Now go back to regedit. CTRL + F, type “boot.com”. Delete any values that include this value. After the first you can press F3 to find the rest of them. When there are no more do the same thing for “recyled”. You should be fine.

  • 120 }
    Herm said:

    Many thanks to everyone who posted.
    I followed CUBEGUY’s directions with one extra step. Untick “Hide protected operating system files” and both resycled and autorun folder and files came up. I deleted them and rebooted the computer. All good

    Happy computing :-) :-)

  • 121 }
    me said:

    thx Majestyk
    I resolved the problem with these steps

    Here’s the REAL way to clean this off your system. You should do these steps after a fresh reboot or in safe mode.

    1) Navigate to the problem drive(s) via the Explore option.

    2) Click on TOOLS -> FOLDER OPTIONS

    3) Click the button which says ‘Show hidden files and folders’.

    4) UNCHECK the following boxes:

    Hide extensions for known file types
    Hide protected operating system files

    5) Find and delete the autorun.ini file and the resycled folder on the root directory of all affected drives.

  • 122 }
    Sean said:

    After following the instructions above, from Maj, my only problem now is that I cannot go to my computer and open the c: or d: unless I use the explore option. I get a message that says “Windows cannot find ‘resycled\boot.com’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.” What do I need to do to get rid of that message and be able to open the C: and d: drives normally?

    Thanks for your help

  • 123 }
    Anders said:

    Hi. I had this problem with all my internal and external hdd’s. I tried all sorts of advanced programs, but the easiest thing was the best! Do as “CubeGuy” wrote @ post# 10. and restart. All your problems will be solved.
    NOTE!: only delete the folder named “resycled” and NOT “RECYSLED”.
    also delete the file Autorun.inf .

  • 124 }
    Sean said:

    I do not have that folder or the Autorun.inf on the system. I followed the instructions to have them show, but they were not there.

  • 125 }
    BtX NEO said:

    Posts number 1 and 25 really help in deleting this malware.

  • 126 }
    boot.com said:

    I found this virus on my brother-in-law’s computer and decided to remove it… It kept coming back. So I ran to this site and the instruction from Majestik #25 worked like a charm. Thanks

  • 127 }
    Majorgeek said:

    For those who still didn’t get rid of it…

    **Bit risky==registry**
    do exactly what Majestyk has mentioned[#post25]
    and open regedit & navigate to this key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{457b7874-cce3-11dd-84b4-806d6172696f}\Shell\AutoRun\command
    if u get confused/do not find the key ..it is the 5th/7th[for me] key in MountPoints2

    OR just nav to MountPoints2 & search for autorun key WHICH HAS another key named “command” as its subkey.

    ok first backup MountPoints2 key–right-click MountPoints2 & export –to a file (anyname) in desktop preferably.[so that if anything goes wrong u can always just double click the key in the desktop for backup]

    delete the key named “autorun”…& go to my computer & double click the affected drive… :-) :-) :-) :-) :-)

    {u may have to delete more keys if u have more drives–i deleted “autorun” twice}
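
The MountPoints2 export that the comment above takes as a backup can also be used to list every drive whose shell verbs point at a command, before anything is deleted. The following is an added example, not code from the thread: it parses the text of a regedit export and reports each `...\Shell\<verb>\command` default value under MountPoints2. The sample export, its placeholder GUIDs and values, and the function names are constructed for illustration.

```python
import re

MOUNTPOINTS2 = r"software\microsoft\windows\currentversion\explorer\mountpoints2"
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(
    r'^(?P<name>@|"(?:[^"\\]|\\.)*")="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed export; GUIDs and command values are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="resycled\\boot.com c:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\Open\command]
@="resycled\\boot.com k:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@="D:\\setup.exe"
'''


def read_export(path):
    """Read a .reg file; regedit writes UTF-16LE with a BOM by default."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16" if raw[:2] == b"\xff\xfe" else "latin-1")


def unescape(s):
    """Undo .reg string escaping: two backslashes -> one, backslash-quote -> quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key_path, value_name, string_data) for string values."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name = m.group("name")
            name = "" if name == "@" else unescape(name[1:-1])
            yield key, name, unescape(m.group("data"))


def autorun_commands(text, markers=("resycled", "boot.com")):
    """List default command values under MountPoints2\\<mount>\\Shell\\...\\command."""
    findings = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        idx = low.find(MOUNTPOINTS2 + "\\")
        if name != "" or idx < 0 or not low.endswith("\\command"):
            continue
        prefix_end = idx + len(MOUNTPOINTS2) + 1
        rel = key[prefix_end:].split("\\")  # [mount, 'Shell', verb..., 'command']
        if len(rel) < 4 or rel[1].lower() != "shell":
            continue
        findings.append({
            "mount_point": rel[0],
            "verb": "\\".join(rel[2:-1]),
            "command": data,
            "shell_key": key[:prefix_end] + rel[0] + "\\" + rel[1],
            "matches_marker": any(m in data.lower() for m in markers),
        })
    return findings


if __name__ == "__main__":
    for f in autorun_commands(SAMPLE_EXPORT):
        flag = "REVIEW" if f["matches_marker"] else "ok"
        print(f"{flag:6} {f['mount_point']} [{f['verb']}] -> {f['command']}")
```

The `markers` default uses the two strings the thread searches the registry for; entries that do not match are still listed so unfamiliar commands are not overlooked.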

  • 128 }
    susjoy said:

    maleware removal has removed / solved the problem.
    Thanks a lot sir, you are super. Keep up the good work.

  • 129 }
    oldkinger said:

    Thanks ever so much Majestyk. Your precise and easy instructions saved the day. Thought I was going to have to reformat and with my computer skills that could have been a disaster.

  • 130 }
    toxicboyz said:

    Majestyk,
    your step by step instruction really is easy to follow and solves the problem. But I am wondering how did I get this virus or malware in the first place? If someone could explain that will be great
    thanks a lot mate. happy holiday guys

  • 131 }
    Rich said:

    Hi all,
    Done all the rest but is anyone else having trouble mounting drives with Daemon, Magic Iso etc?

  • 132 }
    kainer said:

    hi i have been reading ur posts just recently as i had the same problem ‘resycled’ ‘boot.com’ etc i went through the whole process as advised but i stuffed it up, although i have gotten rid of the worm, in the process i managed to change the ‘file type’ in the folder options for the drive associated with it, so now when i click on my c drive i get a windows search engine, and each time i try to change it to c:\ i just make it worse, how do i reset this? any answers? thanks in advance
    kainer

  • 133 }
    kainer said:

    ps merry xmas! :)

  • 134 }
    Zukai said:

    Hey, I did what you said and when I untick the hidden folders and stuff nothing shows up like “autorun” or “rescycled”.

    Please Help

  • 135 }
    Zukai said:

    one more problem: I deleted the recycled thing and when I click on my C: or D: it says we can’t find boot.com

  • 136 }
    denza said:

    MAJESTYK king!!!! big thx!!!
    I had boot.com on my external disk and I solved the problem
    (I had to turn off and turn on my external disk for it to work properly)

    Guys look post 25 and all will work O.K.

  • 137 }
    go_ghost69 said:

    ha..2x
    that was easy to completely remove this…
    just download This “SafeUsb” and use it.
    you can search in google.com.tw
    this really help..
    it will delete autorun.inf
    after that you just delete resycled folder. =)

  • 138 }
    go_ghost69 said:

    to be certain that the “autorun” is deleted
    select option tool -> folder option -> view->Show hidden folder-> unmark hide extensions for known file types and unmark hide protected operation system.

  • 139 }
    zxdan said:

    What aX said in post 100 is correct. The big problem is that the Trojan runs as a hidden windows service & using a rootkit detector is the way to go. I used a free program called gmer.

    Just in starting the program up it found the hidden windows service & marked it in red. Right click on the entry & select delete the service. If it won’t delete, right click & select stop service then try to delete it. Then I ran Malwarebytes’ Anti-Malware to mop up anything else (originally I found that Malwarebytes could not totally remove the Trojan & reinfection kept happening).
    Finally, I then went through all my hard drive partitions & any usb attached devices (mp3 player, TOMTOM gps yes it got infected as well) & removed the resycled folder & the inf file if it still existed.

    I did do a search for boot.com in the registry but there were no entries, so the above procedure must have cleared everything out.
    Hope that this simplifies things.

  • 140 }
    Akhil said:

    Thanks Zaiba
    It really worked.

  • 141 }
    Pankaj said:

    ////////////////////////////////////////////////////////////////////
    /guys just try flash-disinfector I am sure it will work.
    //////////////////////////////////////////////////////////////

    Pankaj
    786

  • 142 }
    KC said:

    None of these methods work on my system.

  • 143 }
    Carnage said:

    Safe Mode
    Go to folder options
    show hidden files
    show protected file system files

    c:\resycled DELETE
    c:\autorun.inf DELETE (right click open w/notepad to check if its the virus)

    do the same to any usb drives, memory cards you have previously installed.

    go to registry:
    ctrl+f boot.com
    every entry that it finds hit delete then f3

    then restart machine
    once machine restarts
    start menu/run/cmd
    regsvr32 /i shell32.dll

    any questions email me. I deal with viruses at work. I’ve dealt with the Vundo, resycled, sality virus, etc… IEdefender

  • 144 }
    thing said:

    Malwarebytes’ Anti-Malware did work for me BUT you should run
    its Scan in FULL SCAN not just the QUICK SCAN .
    Remember to update it.
    It found other bits of this virus in folder ‘System Volume Information’ .
    I also went through my 3 Hard Drive partitions & manually deleted all the resycled folders & Autorun.inf & boot.com
    instances. @@@luv Thing@@@

  • 145 }
    James said:

    I have a dual boot system, I couldn’t access my C or D drive. Also could not access my External K drive. I was getting the ‘resycled\boot.com’ error. Only way I could access those drives was to right click and explore. Flash Disinfector was mentioned in post # 4, download it & run, solved my problems on all 3 drives.

    Thanks to webmaster for posting it.

  • 146 }
    The Nut said:

    I’d just like to thank everyone for posting here and to those that scroll to the bottom to find the answer first I’ll say post 24 was the one that defaced the virus for me. Again thanks to all computer users that like to share!!!!!

    P.S. if u don’t know regedit learn it, it’s uber useful and uber dangerous.

  • 147 }
    Crash14 said:

    Thanks to Majestyk and MrNoHelp on this board.

    After 5.5 hours on New Year’s Day trying to clear up this issue (along with the iamfamous.dll trojan) I was able to clear the resycled and autorun via Safe Mode then ran regedit and deleted everything related to boot.com and resycled. Also found it on my flash/mp3 player, the autorun and resycled folder hiding, and deleted this (in Safe Mode). Thankfully my external hard drive wasn’t hit.

    Ended up changing all my secured online passwords after everything was fixed just in case.

    The only issue I still have is now my LavaSoft AdAware hasn’t been able to connect for updates, it keeps saying no connection found even though I’m able to access all sites and update Spybot and AVG without problems and I did not change firewall at all, it was working fine until the Virus hit, any suggestions?

  • 148 }
    jed ov torquay said:

    enter your drive that gives you the resycled problem by right clicking on it and press browse

    at top click on tools then folder options,
    under the view tab put a tick in

    “display contents of system folders”
    “show hidden files and folders”

    then untick

    “hide extensions for known file types”
    “hide protected operating system files”

    once this is done you should see a folder called “resycled” Delete it
    also a file called “autorun.inf” Delete it

    now close page and empty your recycle bin

    once you click on the drive now you may get “resycled/boot.com could not be found”

    right click the drive you just cleaned and press properties then lets say for instance this is your c drive
    in the box next to the pic of a drive type c and press apply and ok

    your c drive will now be called “c(c)” instead of “local disk (c)”

    now if you click on the drive it will open, check the resycled folder and autorun.inf are still not there then close page

    now you can right click the drive again and properties, now delete the letter c you called the drive and leave the box empty, press apply, now ok and now your drive will have its original name “local disk (c)” and it will open fine…….

    do this with each drive including removable ones, memory cards etc, it affects anything you plug into pc….

    this is the way of getting it removed and drives opening ok without the use of any removal tool…….
    #
    hope it helps some of you out…….jed

  • 149 }
    MrB said:

    hi there i had same problem got eset security. the best way to do it is disable auto run on every drive i used software 2 do it with xcopy . next empty recycle bin then right click each of your drives (incase autorun is still enabled ) and click open then delete autorun.inf then then the recyle folder or wat eva it is its spelt wrong and also delete all files from your RECYCLE folder as it gets in there 2. continue 2 do this on every drive then run your anti virus which should take care of any other viral files in your C: and system directory which may be created depending on wat version u have. this is the second time its popped on my system with 2 different OS’s i am still unsure on the origin but if you follow these steps it should get rid of the main files have not looked in the registry yet as im almost certain it has done something 2 my IE keys so check that yourself. hope this helps if the other methods dont work (im just passin thru checkin see if theres any thing ive missed that any 1 knows about ) peace !! any1 knows any1 who makes viruses send me there email or ip save gettin it thru email so i can send them 1 i dont av time 4 this crap thank you . Jamie

  • 150 }
    MrB said:

    and also go to start run and type msconfig then disable every unneeded startup entry just 2 be safe

  • 151 }
    ansari said:

    To solve this problem, download regseek (small but effective). It doesn’t require any installation, it checks your registry. First tick every registry criterion in the program and type in “autorun.inf” and press enter, remove all search results by selecting “select all” and then right click on any result and select remove checked entries. Do the same for “resycled” and “boot.com”. After this tick search files and select the drive and look for the two files and the resycled folder and remove as above, then reboot your pc and see if you can open your drive(s) normally. If not then check again and also clear the prefetch folder and reboot. If ok then disable system restore and then re-enable it. It worked for me. The regseek program is good enough as it backs up the removed results so you can retrieve them if the problem gets worse, while normal regedit doesn’t. Hope it is clear, thanks.

  • 152 }
    D.J said:

    100% EASY SOLUTION.

    FOR RESYCLED/BOOT.COM.
    JUST DON’T WORRY BECAUSE BOOT.COM HAS NOT DAMAGED UR WINDOWS OR ANY FILE, BUT ITS WORKING IS QUITE BORING.
    JUST DO THE FOLLOWING TO REMOVE IT.

    (1). DOWNLOAD “Malwarebytes’ Anti-Malware” FROM THE INTERNET, INSTALL & UPDATE IT. DON’T WORRY ABOUT REGISTRATION.

    (2). FULL SCAN UR SYSTEM WITH “Malwarebytes’ Anti-Malware”.
    :- GO TO MY COMPUTER AND “SELECT” ALL DRIVES, RIGHT CLICK ON ANY DRIVE AND SCAN WITH “Malwarebytes’ Anti-Malware”

    (3) AFTER THE SCAN GO TO “VIEW REPORT” AND “REMOVE” ALL FOUND THREATS.

    (4) NOW BOOT.COM IS REMOVED FROM UR COMPUTER.
    :- BUT U STILL CAN NOT OPEN UR DRIVE WITH DOUBLE CLICK. DON’T WORRY.

    (5) NOW GO TO SYSTEM FILES AND DELETE THE “resycled” FOLDER AND “autorun.ini” FILES IN UR PARTITIONS.

    (6) U CAN NOT SEE THIS FILE & FOLDER EASILY.
    DO THIS TO FIND IT.

    :- GO TO “TOOLS MENU, FOLDER OPTIONS, VIEW TAB.”
    FIND THE FOLLOWING.

    :- SHOW HIDDEN FILE.(DISABLED IT)

    :- Display content of the system folder.(DISABLED IT)

    :- Hide protected operating system files.(ENABLED IT)

    (7) NOW GO TO ANY DRIVE BY EXPLORER. AND
    :- DELETE ONLY “autorun.ini FILE & recycled FOLDER”
    just RESTART ur computer.
    NOTE : Until u do the following, do not “DOUBLE CLICK ON ANY DRIVE”.

    ***NEED MORE HELP JUST LEAVE UR QUESTION HERE…

    From :- D.J
    Date :- 03-01-2009.

  • 153 }
    Vasilis said:

    I have the solution….. Download the program Disk Heal. It’s freeware and it fixed my problem with resycled’boot.com! First of all clean your computer with malwarebytes and then run the Disk Heal!!!!

  • 154 }
    Sean said:

    Everyone, download the program ComboFix. It instant worked for me and destroyed that beast hardware style.

    hxxp://download.bleepingcomputer.com/sUBs/ComboFix.exe

    You can’t have AVG on while running it. It also isn’t a typical virus protection program. It goes down to the raw software and rips the virus out of the files.

    Is what I meant to say, anyway, you can’t go in and manually delete it. I tried over 9000 times and it would just copy itself again when I rebooted. This program takes every single file and inch of your computer it’s laid eggs at or corrupted and rips them out with fierce vengeance.

  • 155 }
    Aaron said:

    go get flash disinfector…..use it and it takes about 10 secs and works great. Tried everything else and this has been the only thing that has worked. 100 percent satisfied

  • 156 }
    ZeroCool said:

    Majestyk thank you very much! Just do as Majestyk said and restart your system, all problems should be gone…

    Regards!

  • 157 }
    Ravi said:

    I have something different affected in my machine. All the folders are showing a size of 71KB and when we do a right click there is no option for “open”; instead I am able to see something called “Test”, “Configure”, “Install”, “Run”… etc. I am not able to copy the folder or to open the folder either. Can anybody help me overcome this virus????

  • 158 }
    Ashley said:

    Guys, I have had this problem before, and Sadegh Rezaei’s – Post # 30 removes the infected files 100%. However this doesn’t always fix the problem of being able to open the drives again. All you do next is:

    Right click on My Computer
    Click Manage
    Click on Disk Management
    Right Click on drive letter that won’t open (gets error)
    click change drive letter
    change drive letter to next available letter
    then change back to the same letter
    done!

    Simple, as everyone has suggested, go buy yourself a decent antivirus and spyware. Don’t download any free scanners etc, save yourself the trouble and buy one. Happy Fixing. Ashley!

  • 159 }
    Oskar said:

    Thank you so much Sadegh Rezaei!!

  • 160 }
    hitMeWithIt said:

    Ok people. I have read through this incredibly long thread and then I decided, after trying a few of the ‘solutions’ posted here, to investigate this virus a bit further.
    First of all:
    IT HAS A ROOTKIT INFECTION which means that just simply deleting folders will NOT REMOVE the whole thing.
    I tried the recommended Flash Disinfector and it removes the autorun file but upon a reboot or browse through explorer the files return as they did so FAIL.
    The registry method whilst being the most likely to work, is STILL NOT a full removal method.

    so let me tell you of two programs I know of that are total FREEWARE and safe, that remove this thing as easy as pie.
    Please note: Just for your interest – Get hold of a rootkit finding program called Gmer and run it. you will see it finds that there are hidden processes coming from this virus. You would not have known they were there and you would not be removing them AT ALL if you followed any of the advice given above about simply deleting the files and folders created. You need to remove the hidden processes and some hidden files in the windows/system32 folder which are impossible to see, find or delete!
    The program I used last week to remove this from a friend’s PC was a great utility for many, MANY malware infections.
    Combofix.
    Google it and then just run it from the desktop. Close other programs first as the combofix MUST reboot your PC during its process to rid the machine of the hidden stuff. It creates a logfile for you to see exactly what it found and removed.
    You can download it here:
    hxxp://download.bleepingcomputer.com/sUBs/ComboFix.exe but you may have trouble with certain viruses or malware blocking you downloading it. Anyway I got myself infected with this yesterday and had forgotten where to download combofix and for some reason could not get the download links to work so I tried a rootkit utility I had on the hard drive… just a little EXE file and it removed the whole lot: FOLDERS named resycled and the contents of them (boot.com) and also the autorun.inf files PLUS, most important of all: It detected the hidden process which was somehow attaching itself to the printspooler service and also three hidden files in windows/system32 and windows/system32/drivers. these were all .DLL files with long and random names.
    It then asked me to reboot to remove the files.
    After that all was completely back to normal.

    Grab it and fix your PC WITHOUT getting into the registry OR wasting your time deleting files and folders because you will still have a serious rootkit virus running even if you stop the folder creation!
    hxxp://www.trendmicro.com/download/rbuster.asp
    You can trust trendmicro so don’t be worrying about using the utility – it really does get rid of this – and many other malwares FAST and EASY!!!

  • 161 }
    Musthaq said:

    I too had same problem of rescycled\boot.com.. the right solution for this.. u can download the disk heal 1.46 from the net searching and install.. u could easily fix the problem.. the problem will be solved in a moment.. try this its fast and easy.

  • 162 }
    Mats said:

    Phew! After doing as described in #25 and #83 I still had the problem of AutoPlay as the default, non-removable, choice when trying to open the previously infected disk… The virus was gone so no virus scanner could help me further… What I finally did was instead to insert another command with a unique name, let’s say “xyz” and just assign whatever to it, for example the explorer…

    Then run Regedit and search for “xyz” and you’ll find your just added command below AutoPlay under “Drive”… Delete the AutoPlay entry completely and also your just added xyz and restart the computer… Voila… finally works… Seems so simple in hindsight, but it took me a day to find out… The phrase AutoPlay occurs so many other times for other programs that it’s hard to find out which one to delete..

    No further needs to run anything at all…

  • 163 }
    Keshav said:

    Combofix was the fast and 100% solution for me.

  • 164 }
    Pollio said:

    I did it my way:
    go to my computer
    select C:
    rightclick –> explore
    on top –> tools –> folder options
    View: select : display contents of system folders
    and below : show hidden files and folders

    go to C: and delete autorun.inf and resycled (if you can see them)

    then go to start –> command –> type regedit –> OK
    on top: edit –> Find
    type resycled –> find, delete the found one,
    go to Edit –> find next, delete, find next…. until they are all gone
    do the same to find and delete boot.com
    then restart your computer and push F8 while he is doing this, restart in safe mode
    then restart in normal mode
    –> problem solved

  • 165 }
    Bully said:

    OK!
    I have read this ENTIRE thread. I have tried everything that has been suggested.
    To clarify, I was infected with the \resycled \boot.com virus. This virus didn’t allow me to access my drives with a simple double click. it also screwed-up my DNS settings for my wireless connection (you may need to restart your DNS through PROGRAMS, ADMINISTRATIVE TOOLS, SERVICES, then make the DNS go to AUTOMATIC), it also didn’t allow Microsoft to update, it also didn’t allow Kaspersky Anti-Virus to update, it also didn’t allow PeerGuardian to update and it clogged it up with a malware intrusion every second, It also didn’t allow me to Defrag my drives, AND it didn’t allow me to visit Google or Microsoft update sites. It redirects you to ad sites AND it creates 2 pop-ups wherever you go. Finally and most importantly, it would freeze my pc sometimes at start-up, sometimes shortly after.

    This is how I fixed it. I first downloaded all four programs listed above in different posts.

    1. Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    2. Malwarebytes:
    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm

    3. Flash Disinfector:
    http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

    4. GMER RootKit:
    http://www.majorgeeks.com/download.php?det=5198

    I also used Hijack This:
    http://majorgeeks.com/download3155.html

    I saved all 5 programs somewhere, but didn’t open them yet.
    At this time Kaspersky has found Resycled folder, but was unable to really take it out, (neither could CCleaner, RegCure or CleanMyPC). I did all the Regedit Root work suggested in post 25 and all the CMD prompt stuff suggested after that, and though the files seemed to not exist anymore, the effects were still very apparent.
    After Physically erasing all the files I could find in explorer AND in DOS, I installed and ran all 5 programs ending with ComboFix. There is a real danger that you accidentally delete something that you shouldn’t so be conservative. Check to see if they pick-up some of the same problems, chances are they shouldn’t be there. In my case, the resycled virus installed a couple of root dll’s that ended in msqpds…..etc.

    To fix Kaspersky after all this, I went to START, PROGRAMS, KASPERSKY, REPAIR. After that I was able to update it and use it again.

    To be clear, I eradicated ALL autorun.ini and autorun.inf files, all boot.com files and all resycled files. The dll’s that were in GMER, hijack this AND Combo Fix are the ones I targeted and erased.

    Finally, this took me one whole day, but now everything is working fine again. The virus seemed to get worse as it went along, so don’t waste time. Good Luck.

  • 166 }
    Pari said:

    thanks a lot guys

  • 167 }
    john said:

    flash disinfector works for me.

  • 168 }
    azrina marzawatie said:

    thx majestyk..
    thx malaware also…

    i tried both..and after deleting the virus, i restarted my computer and finally my C n D can be opened by a double click.. =)

    thx 4 this blog~

  • 169 }
    S. M. said:

    The Best Solution….
    Flash Disinfector:
    http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

  • 170 }
    jeff said:

    Did exactly as instructed, scan took 1 1/2 hrs, restarted and the problem is gone. Found 15 infections. Thank you, it’s a great product!

  • 171 }
    Aswini said:

    hi guys, I’m also getting the same problem with all the internal drives and I tried to remove the file autorun.inf from all the drives. I could find the file but I couldn’t delete the file in even a single drive. pls help me in this regard.

  • 172 }
    Rhys said:

    When I got the error message of ‘C:\resycled\boot.com is not a valid Win32’
    I did the run cmd & deleted the autorun.inf’s and it worked.
    Then it happened again a week or so later (just my luck aye), so I did it again but it still showed the same error message.
    So I did then a boot.com check in the regedit app and found all of them even on my portable.
    I did an anti-spyware scan after that and found the trojan/worm that was affecting all this and it was deleted. YES I thought BUT when I double click on my hard drive an error message comes up saying that it can’t find C:\resycled\boot.com.

    I thought that’s what the problem was but now I’m lost

  • 173 }
    Rhys said:

    HA LOL I used the Flash Disinfector and it sorted it out straight away
    cheers

  • 174 }
    M. Shafi said:

    Hi everyone
    I want to thank web master for his helpful guidance. I do his guidance one by one and get rid of “resycled\boot.com” virus. thanks

  • 175 }
    Surya said:

    Guys…….
    If u Deleted Autorun.inf and resycled folder……
    then setting up the paths of the drives follows….
    Just Rightclick on the particular drive –> Properties –> Tools —> Check Now….
    then Check the tick mark for ‘ Automatically fix the System Errors ‘ —> Start.

    Every thing works Fine….

  • 176 }
    Troop3r said:

    Hi guys.. I just had the same problem, i couldn’t open C or D drives cuz it said “cannot find resycled/boot.com”. I tried Malaware and it didn’t work.. Then i tried Flash Disinfector and i didn’t even insert any sticks or flash drives when it asked me.. Somehow it got solved.. And now i can enter C and D again.. Hope it stays that way..

  • 177 }
    bahman said:

    hello every body
    thank you for “Flash_Disinfector”

  • 178 }
    WRZLBRNFT said:

    ATTENTION:

    Up to here no one mentioned that this virus also inscribes some information into the registry … scan your registry for “resycled” and for “MountPoints2” and remove all related items !!!

    Best regards …

    PS. Otherwise the removing of the resycled directory may require to show system files when you explore your drives …

  • 179 }
    homer2003 said:

    Hey guys

    Let me explain what exactly happens when you get this virus.
    this virus basically duplicated itself in each drive you have, and that includes the partitions.

    so if you run malware’s scanner or any other scanner, even if you find the infected files, once you reboot, it will still replicate itself.
    why? because of the three files mentioned.
    these files are 1. AUTORUN.INI FILE 2. RESYCLED FOLDER 3. RESYCLED FOLDER\BOOT.COM

    ok once you remove these mentioned files & directories, you will be still getting the trojan. IF the virus has replicated itself deep. it is smart enough to know if these files exist or not.

    i was lucky since this issue happened on a fresh windows installation. what i realized was that even removing the files & removing the reference to boot.com & resycled in registry & running the scanner melware’s, the problem still persist as i was having all porn ads on my IE.

    therefore i just reinstall windows since it was a fresh copy and virus was gone altogether.
    a word of warning:
    if you reinstall windows and the three files & directories are still there, you will get the virus.
    therefore removing them then installing the windows did the trick.

    fortunately this virus unlike others did infected any of my music or zip or rar files.

    so removing the three files should do the trick if you reinstall the windows.

    again reinstalling for many of you should be the last resort but then i figured since it is gonna take me as long to get all the programs reinstall as if i was to remove the virus completely and waste my time looking for it and see that it is still there

  • 180 }
    Dave said:

    This virus also has a rootkit attached to it!

  • 181 }
    michael tang said:

    I just deleted the recycled/boot.com through peazip because i couldn’t see it any other way XD

    then removed autorun.inf through avg

  • 182 }
    Macworld Man said:

    Cool, this worked perfectly (malwarebyte, that is) it’s weird because my virus file was ntldr.com, not boot.com, but anyways, cool ^_^

  • 183 }
    simoher said:

    i had it one time before and it was terrible and hard to get off my computer. but now i got it again just called S-3-0-90-100001958-100026864-100032715-7157.com :’( but i don’t know how i get it, is there anybody who knows how i get it. so I can avoid getting it again:) it would be nice ;)

  • 184 }
    Steve Trumbull said:

    hi i am having this same virus problem but i tried deleting the files and rebooting my computer and now my computer will not start using windows but will start running linux. also it wont start in safe mode either thanks

  • 185 }
    Dave said:

    I have this virus and have tried the above aforementioned steps and no luck.

    It is only affecting my external hard drive.

    I have Kaspersky 2009 and it has detected this and says it has been disinfected.

    However, I still get the error when I double click on the external drive?

    Any ideas?

  • 186 }
    jesse said:

    I found it and deleted it the auto run file and the resycled folder go to tools> folder Option> view > uncheck “hide protected operating system files” there you will find it. delete them both i haven’t tried it yet though.

  • 187 }
    Dave said:

    I did find the boot.com using the regedit function. I deleted it, but still no luck.

    I did not find any autorun’s or resycled folders though.

    Should I replace from My kaspersky file and try that way?

  • 188 }
    scott said:

    i found a folder called ($AVG8.VAULT$) i found when i deleted this folder that it sorted my problem out

  • 189 }
    Gaurab said:

    Here is what i did to delete the boot.com malware from my system

    1) Opened NERO Burning ROM > Start Multisession Disk > In the Left we get a file browser. I will be using this file browser to delete the files and folders.
    2) Now delete autorun.inf (all infected drives).
    3) Delete X:\resycled folder from all your drives (fixed or removable, X is your drive letter/s)
    4) Check “c:\windows\system32\dllcache” for boot.com file and delete it if present.
    5) Check “c:\windows\prefetch” for boot.com file and delete if present.
    6) Delete all files from c:\windows\temp
    (Some files may not delete, that’s ok, they’re in use by the system and not virus files.)
    7) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local Settings\Temp
    (Again, a couple files may not delete, don’t worry.)
    8) Run Regedit
    9) Make sure you are at the very first entry of the registry hive. (My Computer should be highlighted) then click EDIT -> FIND
    10) Search for “boot.com”. If it finds an entry, delete it. Keep hitting F3 until you’ve deleted all instances of boot.com in the entire registry.
    11) Scroll the left column back up to the top and highlight the My Computer again at the top of the registry hive.
    12) Click Edit -> Find again and search for ‘resycled’ and repeat as in step 13, deleting the entries as it finds them. (I found 2 of each)
    13) Close registry editor and try opening the infected drives. They should work now.

    Restart the system and check whether the folders have reappeared or not. It didn’t come back for me. But still if it comes, repeat the process.

    Hope this helps….
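
The file checks that recur in the comments above (an autorun.inf and a resycled folder on each drive root), written as a read-only audit script. This is an added example, not part of any comment or of the original page; the function names and the autorun.inf contents used in the constructed sample are assumptions, since the page never shows the worm's actual autorun.inf.

```python
"""Read-only audit of a drive root for the autorun.inf launcher discussed in this thread."""
import os
import re
import sys
import tempfile

# Keys in the [autorun] section that make Explorer start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def launch_entries(text):
    """Return [(key, command)] for each launch key in the [autorun] section."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries


def find_ci(directory, name):
    """Case-insensitive lookup; os.listdir also returns hidden and system entries."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def audit_root(root):
    """Report autorun.inf launch commands and the resycled folder under root."""
    report = {"root": root, "autorun": None, "commands": [], "resycled": []}
    inf = find_ci(root, "autorun.inf")
    if inf and os.path.isfile(inf):
        report["autorun"] = inf
        with open(inf, "rb") as fh:
            # latin-1 never fails to decode, so junk-padded files still parse
            report["commands"] = launch_entries(fh.read().decode("latin-1"))
    folder = find_ci(root, "resycled")
    if folder and os.path.isdir(folder):
        report["resycled"] = sorted(os.listdir(folder))
    report["suspicious"] = bool(report["resycled"]) or any(
        "resycled" in cmd.lower() for _, cmd in report["commands"])
    return report


def build_sample(root):
    """Constructed sample: a fake drive root; the autorun.inf content is assumed."""
    os.mkdir(os.path.join(root, "resycled"))
    with open(os.path.join(root, "resycled", "boot.com"), "wb") as fh:
        fh.write(b"placeholder, not a real binary")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("; junk\n[AutoRun]\nopen=resycled\\boot.com\n"
                 "shell\\open\\command=resycled\\boot.com\nicon=x.ico\n")


if __name__ == "__main__":
    roots = sys.argv[1:] or [tempfile.mkdtemp()]
    if not sys.argv[1:]:  # no drive given: audit the constructed sample instead
        build_sample(roots[0])
    for r in roots:
        print(audit_root(r))
```

Pass one or more drive roots as arguments to audit real drives; the script only lists and reads, so it does not change Folder Options settings or delete anything.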

  • 190 }
    Chris-Eagle said:

    Hello,

    As I found this forum nice, I want to share one way with all who have VISTA.

    If you get this virus and can’t open your USB drives, do a restoration of the system one or two days (or even one week) before you got these viruses…

    (There are a lot of viruses coming from cracks which make this problem “resycled/boot.com is not a valid Win32 application”). After restoration, you will be able again to open your drives. Reinstall the programs you lost during restoration (you will not lose your documents), but never reinstall programs with cracks because these viruses came in 99.9 % from cracks !

    enjoy !

    Chris-Eagle

  • 191 }
    timmay said:

    For those currently seeking: as far as XP goes-

    Yes -MalwareBytes will get rid of evil AntiVirus2007,8 etc.

    for resycled problem – deleting autorun.inf should work

  • 192 }
    rickster723 said:

    Spyware Terminator eliminates it
