Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


rescycled\boot.com and dns redirect/blocking worm

  • Please log in to reply
2 replies to this topic

#1 bardicverse


  • Members
  • 2 posts
  • Local time:02:41 AM

Posted 24 October 2008 - 06:22 PM

After many years of being pretty safe, a virus finally tagged my PC. Im on my macbook pro right now writing this, because bleepingcomputer.com comes up as a Page Not Found, along with several other sites.

When I click on my disk drives in the explorer window, I get the "rescycled\boot.com is not a valid Win32 application" error.

I am not partial to the data on the disk drive, so wiping it clean isn't a big deal to me. My secondary as well as my portable drives might have been affected as well though, and those are important to keep the current data.

This computer is a "clean" install (sans for the virus), and there really isn't any specific stuff installed, though popups are getting through Firefox 3.

My specs:
P4 2.4 GHZ
1 GB PC 3200 Ram
Nvidia Geforce 7600 GS
Windows XP Professional Service Pack 2
Linksys WMP300N Wireless PCI adapter

I have a few ideas, including tearing the HD boot sector apart with Active KillDisk.
Any better ideas are appreciated.

BC AdBot (Login to Remove)


#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:02:41 AM

Posted 24 October 2008 - 09:59 PM

I found this workaround by one person:

In our case, it's happened...:
(1) First, after the date I did a backup on my Sony VAIO to a backup drive, with USB connection, by Norton 360. The backup was completed successfully. Then this drive have a system file named "resycled" folder with a "boot.com" file and a "autorun.inf" in the root drive with the same date stamp. These files are only located in the backup drive only, not the notebook drive. Of cuase, I did not noticed their existing at the time.
(2) And later on, I used the same backup drive, but installed as internal drive, to do a backup on the Server 2003. I tried to do backup by cloning image of the Server 2003 system with Seagate Disc Wizard. The Disc Wizard failed the backup. However, all the partitions on the hard drive I wanted to backup are all infected by a "autorun.inf" file stored in the root of each drive.

All our systems are well installed and updated with Symantec's security software except Server 2003, which the security software could not be installed. Microsoft claims the Server is well protected by itself.

Well, so much about this, as I could not concluded it's a virus or not. It definitely could be affected by virus on the same date as I backed up Jessie's Sony VAIO notebook. But, it's amusing the Sony VAIO notebook has no such infection when I checked it later on.

I was surprised that the problem get into the Windows Server system. And found no help from all the Anti-virus software.

However, I found a way to solve it in our Windows Server 2003 Enterprise Edition. I guest it may work in the other Windows system as well.

It's quite simple to do it as I found.
1. Opened the My Computer
2. Right clicked the mouse on the drive having the infection.
3. Selected "Explorer" from the pop-up menu.
4. Went to the Menu bar and select Tools->Folder Option.
5. Select the View tap. and did:
a) selecting "Show hidden files and folders'
:thumbsup: unchecking "Hide protected operating system files (recommended)"
6. Click OK.
7. I found the file named "autorun.inf" file in the root of each infected drive.
8. And I deleted the file. And I selected the other infected drive and delete all the "autorun.inf" files one by one.
9. Over the backup drive, I also deleted the "resycled" system folder as well. I think, this is the source of the infection. Or you could name it as the virus nest.
10. I went to the Desktop and open the Recycle Bin and Executed Empty Recycle Bin. It's a very important step to prevent the infection coming back!
10. Then, I rebooted the system.
11. And everyone was backed to work. Problem was solved or virus was removed, whatever you name it.
12 Of course, don't forget to change the View functions back over the "Folder Options" if they were not the original selections.

Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 bardicverse

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:41 AM

Posted 26 October 2008 - 10:45 AM

Thanks Garmanma - that did the trick for the rescycled\boot.com issue.
I managed to fix the dns hijacking/blocking using Malwarebytes' Anti-Malware tool. Everything seems to be working back to normal. Much appreciated!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users