How To Eradicate Boot.com Trojan

November 2, 2008 (42 Responses)

I GOT INFECTED a few days ago with the “boot.com” trojan and it’s taken me until now to finally kill it, so if you’re similarly afflicted then read on.

This little bugger is a self-replicating trojan that isn’t exactly dangerous, but it is certainly annoying as hell. This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is an HTML page which contains Visual Basic Script and JavaScript code. It is 6881 bytes in size and the ultimate payload is that it alters your explorer.exe to prevent you from accessing any of the hard drives on your system via a standard double-click.

It manages to infect every hard drive on your system, creating an “autorun.inf” file in each root folder and also creating a “resycled” folder that contains the nasty “boot.com” itself. These files are of course hidden by default so you can’t see them. Every time you boot your system it tries to get to the Internet and download itself again, spreading further and further around your system.

I won’t bore you with the endless list of fixes I’ve tried to get rid of this bastard but I will tell you what worked as follows:-

Firstly – Download MalwareBytes – it’s free – (from http://www.malwarebytes.org) and install/run it on your system. This will find the little bugger and quarantine/remove it, but not permanently. However, the fact that this anti-malware program can even recognise the boot.com trojan gives it a leg up on others because even though I’ve plenty of anti-malware, anti-spyware, anti-virus and even firewall systems on my PC, the trojan still got through somehow because they didn’t recognise it.

Now – once you have managed to get a clean sweep using the program above, you need to manually edit your registry to remove every reference to the little bugger as follows:

  • Click on START, RUN and type in “Regedit” and then click OK.
  • Once in the registry select the EDIT dropdown option and use the FIND button to search for every occurrence of “boot.com” and “resycled”. Delete every single occurrence.

Now that you have the registry clean it’s time to hunt down the bugger on your hard drives. Open Windows Explorer and go to TOOLS, FOLDER OPTIONS and then the VIEW tab. Now make sure the option to “Show hidden files and folders” is selected and click OK. Then do a search through all your hard drives / partitions and delete every occurrence of the “resycled” folder or “boot.com” or even “autorun.inf” in your root folders if you can find them.

The final task is now to hunt out the (usually hidden) “autorun.inf” file and the only way to be sure is to use the following approach.

  • Click on START, RUN and type in CMD in the text box and then click OK.
  • Now you should be in an MS-DOS window with a prompt. Now you need to move to the root folder of each drive/partition you have. In other words you will type in “C:” to get to your system drive, or “D:” to get to your next drive, and so on. You need to use the “CD \” command to ensure you are in the root folder of each drive before executing the commands below (remember, do the commands below for each drive).
  • At the root folder of each drive type in “attrib -s -h -r autorun.inf” (this clears the system, hidden and read-only attributes so the file can be deleted).
  • At the root folder of each drive type in “del autorun.inf”.

If you do all of the above I then suggest you reboot, and repeat the MalwareBytes scan and the Registry edit “Find” to make sure there are no references left to this nasty little bastard of a trojan.
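A check for the leftovers described above, as an added example that is not part of the original post: it reads the autorun.inf in a drive root, lists the commands Explorer would run when the drive is opened, and flags any that point at the “resycled” folder or “boot.com”. The sample file contents and all function names are constructed for illustration; the post does not show the real autorun.inf.

```python
import re
import tempfile
from pathlib import Path

# autorun.inf keys that make Explorer run a program when a drive is opened.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
INDICATORS = ("resycled", "boot.com")  # names the post ties to this infection

def launch_commands(text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comments
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEYS.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def scan_root(root):
    """Inspect one drive root: launch commands, indicator matches, leftover files."""
    report = {"root": str(root), "commands": [], "suspicious": [], "leftovers": []}
    for p in Path(root).iterdir():
        name = p.name.lower()
        if name == "autorun.inf" and p.is_file():
            text = p.read_text(encoding="latin-1")
            report["commands"] = launch_commands(text)
        elif name == "resycled" and p.is_dir():
            report["leftovers"] = sorted(f.name for f in p.iterdir())
    report["suspicious"] = [c for c in report["commands"]
                            if any(i in c[1].lower() for i in INDICATORS)]
    return report

def build_sample_root():
    """Constructed sample: a temp directory laid out like an infected drive root."""
    root = Path(tempfile.mkdtemp())
    (root / "resycled").mkdir()
    (root / "resycled" / "boot.com").write_bytes(b"placeholder, not malware")
    (root / "autorun.inf").write_text(
        "[AutoRun]\nopen=resycled\\boot.com\n"
        "shell\\open\\command=resycled\\boot.com\nicon=setup.ico\n")
    return root

if __name__ == "__main__":
    print(scan_root(build_sample_root()))
```

To check real drives, call `scan_root` on each root (for example `"C:\\"`) after the reboot; an empty `suspicious` list and no `leftovers` means that root is clean of the names above.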

And the ultimate proof? If you’ve done it right your Windows explorer should now be working again perfectly. Good hunting. If you have any questions let me know and I’ll do my best to help you out.

Comments

42 Responses to “How To Eradicate Boot.com Trojan”

  1. SEO - iSTYLE » Blog Archive » How To Eradicate Boot.com Trojan on November 2nd, 2008 11:43 pm


    [...] View original here: How To Eradicate Boot.com Trojan [...]

  2. Gwen Durrenberger on November 4th, 2008 2:38 am


    This google desktop is awful…..tell me right now how to delete it!

  3. Perry on December 16th, 2008 1:36 pm


    it doesn’t edit your explorer.exe file, it simply creates an autorun.inf file so that it tries to execute that file rather than opening the drive, learn something about computers for goodness sake!

  4. Coyote on December 16th, 2008 2:13 pm


    Jaysus – why are you being so pissy. Get out of the wrong side of the bed today did we?

  5. Tweyelite on December 17th, 2008 11:41 pm


    Thanks for the info buddy. I followed the steps and I hope all is well at this point. Re-scanning with Malwarebytes right now.

    I’ll never be able to understand why some ppl aren’t satisfied with being assholes during their regular daily lives and seem to want to be assholes on a universal scale by creating viruses that have no use other than to annoy the piss out of all the unsuspecting people that contract it.

  6. Juan Exposito on December 19th, 2008 10:15 pm


    THANKS, THANKS !!!
    It worked.
    Just one thing:
    The provided link to the program “MalwareBytes” didn´t work. So download the program from another source.

    Thanks a lot. !!

  7. Coyote on December 19th, 2008 11:39 pm


    I’m glad the fix worked for you. I’m not sure what you mean about the broken link though. I’ve just clicked on it and it works fine???

  8. Juan Exposito on December 20th, 2008 12:19 am


    You are right about the link.
    It seems that it didn´t work when I first hit it.
    * * * * * * * *
    Coyote, this MEDICAL – TUTORIAL is an excellent and very kind informative work.

    Again, thanks a lot.

    Juan, from Spain.
    .

  9. Hevghirl on January 6th, 2009 12:35 pm


    Thank you for helping me solve this problem. I hunted the net trying to find a solution and there wasn’t much on boot.com. Someone on a forum posted a link to this page, for which I am truly grateful.

    Apart from not being able to access any of my drives directly, I was also unable to do a system restore after this thing infected my system. I got a hold of malwarebytes, though had real trouble getting it as well, but got there in the end, and it seemed to do the trick for me. So far, my system seems to be running smoothly. Huge huge thanks for this article :D

  10. c0y0te on January 6th, 2009 4:34 pm


    Hevghirl – you’re very welcome and I’m delighted my article was able to help resolve your issue. It’s the very reason I bothered to record the steps in the first place, because I didn’t want anyone else having to go through the crap I did if it could be avoided. Please feel free to spread the word and link back to the article if you think it can help anyone else.

  11. Lorena on January 9th, 2009 10:14 pm


    I’ve tried this fix about 5 times, and it doesn’t work. I can see the resycled and autorun.inf files on my 2 partitions and external hard drive. I run antivirus and malware scans and they all come up clean. I’ve deleted them from the registry close to 10 times by now, and still it’s there.

    It’s driving me mad. Does anyone else have any other ideas/methods to get rid of it?

  12. Coyote on January 10th, 2009 12:55 am


    I don’t mean this to sound like a stupid question, but….

    Did you follow the instructions in the sequence outlined above? Because if you do it in any other sequence the little bugger gets a chance to reinfect your system. It’s really important that you clean out the registry before running the MS-DOS commands to display and then delete the files on the root folders of your disks.

    I know when I was doing it I had to run through the registry a few times before it came up clean. That includes searching for all variants of boot.com, resycled.com etc.

    Hope this helps.

  13. steve sarazin on January 11th, 2009 4:38 pm


    while looking for boot.com files in registry i found boot.coom is this a variation of the same virus..????this was in the search assistant folder also in this folder is a autorun.inf file that was missed during previous reg scan….???what should i do with this file .also i haven’t checked to see if there are any more boot.coom in the registry i stopped there till i find out if this is supposed to be there… thanks for any help in advance… steve

  14. Coyote on January 11th, 2009 7:57 pm


    To be honest I’m not sure. I didn’t come across that when I was getting rid of this trojan, but a quick internet search resulted in less than 10 references to “boot.coom” globally, and most of them were in Russian so I’m none the wiser.

    If I were you I’d get rid of that as well, just to be on the safe side. If you can’t recognise it and you don’t have any installed software that rings a bell with that registry key – then zap it.

    Just my 2c worth :)

  15. Lestere on January 17th, 2009 3:22 am


    I wonder if I might add my two cents worth here after having this trojan twice. the first thing to do is download Malwarebytes, the next thing to do to stop it replicating is to work in safe mode, F8 at reboot in XP then look at all your drives and partitions for the RESYCLED folder and the autorun.inf files and delete them, and any USB storage too. Then check C:\windows\system32\dlcache for boot.com and delete it if it’s there.
    Next check C:\windows\prefetch for boot.com and if it’s there delete it.
    Next delete all files in C:\windows\temp some files may not delete they are being used so don’t sweat it too much.
    Next delete all files from C:\documents and settings\your profile\local settings\Temp again don’t sweat the ones being used.
    Now run regedit, for you nervous about touching regedit I’ll make it as simple as possible to do for you.
    OK here goes, click Start, Run, and type regedit then highlight “my computer” right at the very top of the panel on the left side. Then click EDIT and scroll down to find and click it, then in the find box type boot.com and click find next. when it finds boot.com press delete and send it to the recycle bin, and press F3 to continue to find the next one and delete it until you find them all and regedit says no more entries or something like that. Then go to the top of the left panel again and highlight my computer once more and click EDIT again and the find button again and this time write RESYCLED and click find next, repeat deleting and clicking F3 until you have found them all.
    Close regedit and check your drives again to see if they are clean of the resycled folder and the autorun.inf file.
    You should be able to reboot after this to find your computer is clean again, if not you may have to do this again only this time you may have to turn off your system restore in control panel\ system folder until your computer is completely free of this bastard Trojan.
    Hope this helps someone,
    Lestere.

  16. craps gambling on March 20th, 2009 7:59 am


    If you want to remove this virus, you have to be very careful and use your common sense, for you to find it. So you have to try and identify one name that the virus uses, then use that name to get every other name that it may also be using to run. Get Avast download and install; at the end of the installation, you’ll be asked if you want to do a boot-scan. Select Yes. This will restart your PC, and Avast will scan your system *before* Windows loads, thus being able to delete files that are started as services.

  17. James Trader on May 29th, 2010 6:20 pm


    I would advise you not to simply download some unknown application but simply install Kaspersky antivirus; it is the most powerful one.

  18. Ed-ward on July 4th, 2010 8:27 am


    Thanks! You saved me a lot of time and maybe money…I was infected and was about to pay a techie guy to remove Boot.com Trojan

  19. monalisa222 on October 18th, 2010 11:56 am
  20. custom banner design on March 31st, 2011 12:18 pm


    Nice Blog here . I really like it . always a pleasure to read

  21. article demon review on July 19th, 2011 8:53 am


    Thanks for taking the time to make this article. I really enjoyed the read.

    Thanks a lot

  22. short term rental london on September 16th, 2011 12:47 pm


    Trojans are basically the easiest way someone to download something important from your computer. So in case you are keeping some important information like user names and passwords make sure that your computer is not infected.

  23. Peter on October 5th, 2011 1:15 pm


    Guys, girls are making such a beautiful custom research paper and it’s cool.

  24. seo consultancy on October 10th, 2011 5:08 am


    Really very informative tips definitely help me a lot.

  25. Plumber Dunstable on October 21st, 2011 6:42 am


    I am glad to see this great post.I got a lot of information from this post.

  26. Plumber Dunstable on October 21st, 2011 6:43 am


    I am glad to see this great post.I got a lot of information from this post.Plumber Dunstable

  27. asbestos survey on November 1st, 2011 6:01 am


    So helpful instructions to eliminate the “boot.com” trojan.I bookmark this post for future reference.

  28. wholesale beads on November 14th, 2011 10:42 am


    You post is interesting, however, I was a little confused, so I decide to read it again.

  29. chopard replica watches on December 24th, 2011 10:32 am


    Hi. I actually liked reading your present writing! Best good quality material.

  30. links of london replica on December 27th, 2011 5:34 am


    This is what I have been searching in many websites and I finally found it here.

  31. izreke on February 13th, 2012 3:59 pm


    Very good website, hope you keep updating it more often. Thanks. Shoulder exercises,
    weight-loss diets, summoning spirits

  32. tag heuer replica on March 15th, 2012 6:28 am


    Your articles tell us lots of philosophy but you need to put your contents in more logical ways.

  33. popusti on March 29th, 2012 1:13 pm


    Very interesting article.

  34. make an iphone app on March 30th, 2012 8:00 am


    BTW, my antivirus (NOD32) locks some trojan virus from your site all the time.

  35. horoskop on May 17th, 2012 10:53 am


    Interesting.

  36. grupna kupovina on May 18th, 2012 1:13 pm


    Great article!

  37. pvc stolarija on May 28th, 2012 12:21 pm


    Very informative blog. Thank you!

  38. selidbe on May 28th, 2012 1:22 pm


    Very helpful article?!

  39. tepisi on August 9th, 2012 2:29 pm


    Great article, it helps a lot.

  40. baloni za mali fudbal on August 10th, 2012 10:48 am


    Great website, many interesting subjects…

  41. iphone app development on February 4th, 2013 7:37 am


    Great information regarding the boot.com trojan. It something great information about the resolve these problem.

    I would like to try some other antivirus software.

  42. Security Services London on March 9th, 2013 12:41 pm


    Thanks for making the effort to talk about this, I experience highly about it and really like studying more on this subject. If possible, as you obtain skills, would you thoughts upgrading your website with more information
