Resycled/boot.com (virus)

>I don’t know if this is strictly a hardware problem, but if I am in the wrong
> newsgroup, perhaps someone will re-direct me.
>
> I am running a desktop machine with Win XP Pro SP3. I have dual, but
> separate and fitted hard drives, C:\ which contains the OP, and D:\ for “My
> Documents�. I also have an external hard drive partitioned into 3, E:\, F:\ &
> G:\. Removable storage includes an MMC Card (I:\) in a card reader, and
> memory stick (J:\).
>
> Recently when clicking on any of these drives (except C:\) from My Computer,
> produced the message “resycled/boot.com is not a valid Win 32 application�.
> None of the affected drives was accessible except through Explorer.
>
> I discovered this was a virus – boot.com. I have run (updated) AVG
> Anti-Virus, Malwarebytes, Ad-Aware, Spybot Search & Destroy &
> SuperAntiSpyware. All failed to detect the virus, let alone eliminate it.
>
> I therefore resorted to a manual removal, following the instructions below:
>
> "Here’s the REAL way to clean this off your system. You should do these
> steps after a fresh reboot or in safe mode.
> 1) Navigate to the problem drive(s) via the Explore option.
> 2) Click on TOOLS -> FOLDER OPTIONS
> 3) Click the button which says ‘Show hidden files and folders.
> 4) UNCHECK the following boxes:
> Hide extensions for known file types
> Hide protected operating system files
> 5) Find and delete the autorun.ini file and the resycled folder on the root
> directory of all affected drives.
> 6) Check “c:\windows\system32\dllcache� for boot.com file and delete it if
> present.
> 7) Check “c:\windows\prefetch� for boot.com file and delete if present.
> 8) Delete all files from c:\windows\temp
> (Some files may not delete, that’s ok, they’re in use by the system and not
> virus files.)
> 9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local
> Settings\Temp
> (Again, a couple files may not delete, don’t worry.)
> 10) Run Regedit
> 11) Make sure you are at the very first entry of the registry hive. (y
> Computer should be highlighted) then click EDIT -> FIND
> 12) Search for “boot.com�. If it finds an entry, delete it. Keep hitting F3
> until you’ve deleted all instances of boot.com in the entire registry.
> 13) Scroll the left column back up to the top and highlight the My Computer
> again at the top of the registry hive.
> 14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step
> 13, deleting the entries as it finds them. (I found 2 of each)
> 15) Close registry editor and try opening the infected drives. They should
> work now.
> Worked for me at least. I ran NAV2008 2 times on it and it was able to find
> the files but unable to remove them for some reason. Doing this, seems to
> have completely resolved the issue for me."
>
>
> I found a number of infections on the various drives (including C:\) and in
> the registry, which I deleted (not the registry – just the virus files !).
>
> Following this, I re-formatted C:\ drive and reinstalled the OP, which I was
> planning to do in any event. I also re-formatted D:\ drive, again which I was
> planning anyway.
>
> I had assumed that the problem virus had been successfully removed - which
> it probably has - after making a further check for the offending files.
> However, I now find on trying again to open the partitioned external HHDs,
> E:\, F:\ & G:\, I get the message “Windows cannot find ‘resycled\boot.com’.
> Make sure you have typed the name correctly and then try again. To search for
> the file click the start button and then click search�. I still can’t access
> these drives except through Explorer.
>
> Strangely, I am able to access the re-formatted D:\ drive and the removable
> storage, the MMC card and flash drive.
>
> Is the only way to resolve this, to move all data from the affected drives
> and then delete, re-partition and reformat ?
>
> Any assistance would be much appreciated.
>
> Mike
>

> My problem now is that on trying to open the partitioned external hard
> drive(s) Windows seems to be searching for the file boot.com, which I
> manually deleted, and as a consequence, won't allow access to those
> (affected) drives from "My Computer".
>
> I get the message “Windows cannot find ‘resycled\boot.com’.
>
> What I can't quite understand is why I can now access the removable storage
> drives (MMC card & flash drive) despite being similarly affected and after
> manually removing the boot.com files from those drives as well.
>
> The external HHDs do have a file autorun.inf which I deleted as suggested
> but I got the same message as above, that Windows was looking for the (now
> deleted) boot.com file. I have reinstated the autorun.inf file(s).
>
> I'm looking for some advice on how I get around the problem of Windows
> looking for this old (and deleted) virus file so I can access the external
> HHD from "My Computer".

> Many thanks for these replies.
>
> I wish I had known about the Spywaredoctor removal tool before ! However, as
> mentioned, I have already used the instructions I found on a technical forum
> to manually remove the virus files. I'm sure all the offending files are gone
> (unless autorun.inf is also part of the virus).

>
> My problem now is that on trying to open the partitioned external hard
> drive(s) Windows seems to be searching for the file boot.com, which I
> manually deleted, and as a consequence, won't allow access to those
> (affected) drives from "My Computer".
>
> I get the message "Windows cannot find 'resycled\boot.com'.
>
> What I can't quite understand is why I can now access the removable storage
> drives (MMC card & flash drive) despite being similarly affected and after
> manually removing the boot.com files from those drives as well.
>
> The external HHDs do have a file autorun.inf which I deleted as suggested
> but I got the same message as above, that Windows was looking for the (now
> deleted) boot.com file. I have reinstated the autorun.inf file(s).
>
> I'm looking for some advice on how I get around the problem of Windows
> looking for this old (and deleted) virus file so I can access the external
> HHD from "My Computer".
>
> Mike
>
>