DNS Changer Trojan – Can’t find C:\resycled\boot.com
Recently I had to scan some documents. I had brought a USB drive (ill fate), so I got the scanned documents and trojans along with me on the USB drive. After I plugged it into my PC, all my drives stopped opening.
The error message was:
“resycled/boot.com is not a valid Win32 application”.
I could still right-click – Explore my drives all right, though. This infection might also try to hide your files within your drives. Do not panic. It’s not lethal for data.
I searched for the files and realized that all my drives had got:
1) A hidden folder named resycled that contained a file boot.com
2) An autorun.inf file containing the following code:
[autorun]
;rtoybpvbgpulwmzxgqwfdzknaaydctawwvwsbtejqrvxjhqkctfcdoproiqrjfzediwuwzprsibubjszbeqoopwvreisu
shellexecute="resycled\boot.com f:"
;rudcghbzuxdaqaxmdaaqscbbvhrsyyvindzzwryfprhtiqcyketwzwhaomtjmtfunuupiwelisnbxvjwwszg
shell\Open\command="resy
I removed all resycled folders and autorun.inf files.
Then the error message changed to:
“Can’t find C:\resycled\boot.com”
I searched a bit more and found out that most people were using Malwarebytes’ Anti-Malware for cleaning such infections. I downloaded Malwarebytes’ Anti-Malware 1.31 and scanned my PC.
The following infections were found and removed:
Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxoyegwicu.dll (Trojan.TDSS) -> Delete on reboot.
D:\backup restored 12 dec 2008\usb latest\Adobe Dreamweaver CS3\Crack MKDEV\CS3_Keygen\CS3 Keygen\adw3kg.exe (Trojan.Crax) -> Quarantined and deleted successfully.
D:\softwares\adobe\Adobe Dreamweaver CS3\Crack MKDEV\CS3_Keygen\CS3 Keygen\adw3kg.exe (Trojan.Crax) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxpqmoijnb.sys (Trojan.Agent) -> Quarantined and deleted successfully.
resycled/boot.com is a worm/Trojan.DNSChanger that propagates through local fixed drives and removable USB drives. It may infect a drive via an autorun.inf file it creates there, which runs a command each time the drive is accessed. The malicious files are copied to any drive attached to the infected computer.
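To check other drives for the same mechanism, the sketch below (an added example, not part of the original post) parses an autorun.inf, skips the junk comment lines, and reports entries that launch an executable. The function names, the executable-extension heuristic and the sample lines marked as constructed are assumptions made for illustration.

```python
import os
import re

# Keys in the [autorun] section that make Explorer start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(com|exe|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

# Constructed sample: the shellexecute line is the one quoted in the post;
# the shortened junk comments and the last two entries are made up.
SAMPLE = r'''[autorun]
;rtoybpvbgpulwmzx
shellexecute="resycled\boot.com f:"
;rudcghbzuxdaqaxm
shell\Open\command="constructed-example.exe"
icon=drive.ico
'''

def launch_entries(text):
    """Return (key, command) pairs from [autorun] that start a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or junk comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_VERB.match(key):
            entries.append((key, value.strip('"')))
    return entries

def suspicious(entries):
    """Keep entries whose command names an executable file type (heuristic)."""
    return [(k, v) for k, v in entries if EXECUTABLE.search(v)]

def check_drive(root):
    """Inspect <root>/autorun.inf if present; return its suspicious entries."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1") as fh:
        return suspicious(launch_entries(fh.read()))
```

Installer media can legitimately carry launch entries, so a hit on a plain data drive or USB stick is the case worth reviewing.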
Use Malwarebytes’ Anti-Malware 1.31. It works perfectly. The error message was gone and the drives were back to normal behavior. I also used Spyware Doctor and AMUST Registry Cleaner after that.
I was using Rising Antivirus, which did not help. I removed that and installed Kaspersky Internet Security, which also did not help in this situation. But Anti-Malware 1.31 works fine for this. I would recommend having a malware/adware removal tool and a registry checker tool along with antivirus software for PC protection.