How To Eradicate Boot.com Trojan
November 2, 2008 (42 Responses)
I GOT INFECTED a few days ago with the “boot.com” trojan and it’s taken me until now to finally kill it, so if you’re similarly afflicted then read on.
This little bugger is a self-replicating trojan that isn’t exactly dangerous, but it is certainly annoying as hell. This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is an HTML page which contains Visual Basic Script and JavaScript code. It is 6881 bytes in size and the ultimate payload is that it alters your explorer.exe to prevent you from accessing any of your hard drives on your system via a standard double-click.
It manages to infect every hard drive on your system, creating an “autorun.inf” file in each root folder and also creating a ‘resycled’ folder that contains the nasty “boot.com” itself. These files are of course hidden by default so you can’t see them. Every time you boot your system it tries to get to the Internet and download itself again, spreading further and further around your system.
I won’t bore you with the endless list of fixes I’ve tried to get rid of this bastard, but I will tell you what worked, as follows:
Firstly – Download MalwareBytes – it’s free – (from http://www.malwarebytes.org) and install/run it on your system. This will find the little bugger and quarantine/remove it, but not permanently. However, the fact that this anti-malware program can even recognise the boot.com trojan gives it a leg up on others because even though I’ve plenty of anti-malware, anti-spyware, anti-virus and even firewall systems on my PC, the trojan still got through somehow because they didn’t recognise it.
Now – once you have managed to get a clean sweep using the program above, you need to manually edit your registry to remove every reference to the little bugger as follows:
- Click on START, RUN and type in “Regedit” and then click OK.
- Once in the registry select the EDIT dropdown option and use the FIND button to search for every occurrence of “boot.com” and “resycled”. Delete every single occurrence.
Now that you have the registry clean it’s time to hunt down the bugger on your hard drives. Open Windows Explorer and go to TOOLS, FOLDER OPTIONS and then the VIEW tab. Now make sure the option to “Show hidden files and folders” is selected and click OK. Then do a search through all your hard drives / partitions and delete every occurrence of the “resycled” folder or “boot.com” or even “autorun.inf” in your root folders if you can find them.
The final task is now to hunt out the (usually hidden) “autorun.inf” file and the only way to be sure is to use the following approach.
- Click on START, RUN and type in CMD in the text box and then click OK.
- Now you should be in an MS-DOS-style Command Prompt window. You need to move to the root folder of each drive/partition you have. In other words you will type in “C:” to get to your system drive, or “D:” to get to your next drive, and so on. Then use the “CD \” command to ensure you are in the root folder of each drive before executing the commands below (remember, do the commands below for each drive).
- At the root folder of each drive type in “attrib -s -h -r autorun.inf” (this clears the system, hidden and read-only attributes so the file can be deleted).
- At the root folder of each drive type in “del autorun.inf”.
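The per-drive attrib/del steps above, generalised to every drive letter as an added example (not from the original post): by default it only reports what it finds at each root, and it deletes only when run with --remove from an elevated Command Prompt after the MalwareBytes scan and registry clean-up. The script name clean_bootcom.bat and the C-Z drive-letter range are assumptions.

```batch
@echo off
REM clean_bootcom.bat (hypothetical name) - walks every drive root and looks for the
REM two artefacts described in the post: a root autorun.inf and a hidden resycled\ folder.
REM Default mode only reports; "clean_bootcom.bat --remove" performs the attrib/del steps.
setlocal
set "MODE=report"
if /i "%~1"=="--remove" set "MODE=remove"

for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\" call :checkdrive %%D
)
echo Done (mode: %MODE%).
endlocal
exit /b 0

:checkdrive
REM %1 is a single drive letter.
if exist "%~1:\autorun.inf" (
    echo [%~1:] autorun.inf present, contents:
    type "%~1:\autorun.inf"
    REM A legitimate autorun.inf exists on some CDs/installers; flag only one that
    REM hands control to the hidden resycled folder, which is the pattern of this trojan.
    findstr /i /c:"resycled" "%~1:\autorun.inf" >nul && echo [%~1:] autorun.inf references resycled - consistent with boot.com
    if "%MODE%"=="remove" (
        REM Clear system/hidden/read-only attributes, then delete, exactly as in the post.
        attrib -s -h -r "%~1:\autorun.inf"
        del /f /q "%~1:\autorun.inf"
    )
)
if exist "%~1:\resycled\" (
    echo [%~1:] hidden resycled folder present, listing (including hidden entries):
    dir /a /b "%~1:\resycled"
    if "%MODE%"=="remove" (
        REM Clear attributes on the folder and everything inside it before removing it.
        attrib -s -h -r "%~1:\resycled\*" /s /d
        attrib -s -h -r "%~1:\resycled"
        rd /s /q "%~1:\resycled"
    )
)
exit /b 0
```

Run it once without arguments first and read the autorun.inf contents it prints; only an autorun.inf that points at the resycled folder is the one this post is about.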
If you do all of the above I then suggest you reboot, and repeat the MalwareBytes scan and the Registry edit “Find” to make sure there are no references left to this nasty little bastard of a trojan.
And the ultimate proof? If you’ve done it right your Windows explorer should now be working again perfectly. Good hunting. If you have any questions let me know and I’ll do my best to help you out.