DNS Changer Trojan – Can’t find C:\resycled\boot.com

by on January 5th, 2009

Recently I had to scan some documents. I had a USB drive with me (ill fate), so I came back with the scanned documents and trojans on the USB drive. After I plugged it into my PC, all my drives stopped opening.
The error message was:

“resycled/boot.com is not a valid Win32 application”.


However, I could still open my drives through right click – Explore. This infection might also try to hide the files on your drives. Do not panic. It is not lethal for data.

I searched for the files and realized that all my drives had got:
1) A hidden folder named resycled that contained a file boot.com
2) An autorun.inf file containing the following code:

[autorun]
;rtoybpvbgpulwmzxgqwfdzknaaydctawwvwsbtejqrvxjhqkctfcdoproiqrjfzediwuwzprsibubjszbeqoopwvreisu
shellexecute="resycled\boot.com f:"
;rudcghbzuxdaqaxmdaaqscbbvhrsyyvindzzwryfprhtiqcyketwzwhaomtjmtfunuupiwelisnbxvjwwszg
shell\Open\command="resy

I removed all resycled folders and autorun.inf files.
Then the error message changed to:

Can’t find C:\resycled\boot.com

I searched a bit more and found out that most people were using Malwarebytes’ Anti-Malware to clean such infections. I downloaded Malwarebytes’ Anti-Malware 1.31 and scanned my PC.


The following infections were found and removed.

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
 
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
 
Files Infected:
C:\WINDOWS\system32\msqpdxoyegwicu.dll (Trojan.TDSS) -> Delete on reboot.
D:\backup restored 12 dec 2008\usb latest\Adobe Dreamweaver CS3\Crack MKDEV\CS3_Keygen\CS3 Keygen\adw3kg.exe (Trojan.Crax) -> Quarantined and deleted successfully.
D:\softwares\adobe\Adobe Dreamweaver CS3\Crack MKDEV\CS3_Keygen\CS3 Keygen\adw3kg.exe (Trojan.Crax) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxpqmoijnb.sys (Trojan.Agent) -> Quarantined and deleted successfully.

About resycled/boot.com

resycled/boot.com is a worm/Trojan.DNSChanger that propagates across local fixed drives and removable USB drives. It infects a drive by creating an autorun.inf file that runs a command each time the drive is accessed. The malicious files are copied to any drive attached to an infected computer.
Use Malwarebytes’ Anti-Malware 1.31. It works perfectly. The error message was gone and the drives were back to normal behavior. I also used Spyware Doctor and AMUST Registry Cleaner after that.
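
As an added example (not from the original post), here is a small Python check that parses an autorun.inf like the one shown above and reports the entries that make Explorer launch a program from the drive, plus the filler comment lines. The function names, the extension list and the 40-character threshold are assumptions chosen for illustration; the sample is constructed from the fragment in the post.

```python
import re

# [autorun] keys that make Explorer start a program when the drive is opened.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = (".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs")  # assumed list

def parse_autorun(text):
    """Return (entries, comments) found in the [autorun] section."""
    entries, comments, in_section = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:])
        elif line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip().strip('"')))
    return entries, comments

def findings(text):
    """List the reasons this autorun.inf deserves a closer look."""
    entries, comments = parse_autorun(text)
    out = []
    for key, value in entries:
        if not EXEC_KEYS.match(key):
            continue
        # Simplification: the target is taken up to the first space.
        target = value.split()[0] if value else ""
        if target.lower().endswith(EXEC_EXT):
            out.append(f"{key} launches {target}")
    # Long all-letter comment lines, like the filler in the post's file.
    junk = [c for c in comments if len(c) > 40 and c.isalpha()]
    if junk:
        out.append(f"{len(junk)} junk comment line(s)")
    return out

# Constructed sample: the fragment from the post, truncated last line included.
SAMPLE = r"""[autorun]
;rtoybpvbgpulwmzxgqwfdzknaaydctawwvwsbtejqrvxjhqkctfcdoproiqrjfzediwuwzprsibubjszbeqoopwvreisu
shellexecute="resycled\boot.com f:"
;rudcghbzuxdaqaxmdaaqscbbvhrsyyvindzzwryfprhtiqcyketwzwhaomtjmtfunuupiwelisnbxvjwwszg
shell\Open\command="resy
"""

if __name__ == "__main__":
    for reason in findings(SAMPLE):
        print(reason)
```

The truncated `shell\Open\command` line is parsed but not reported, because its target is cut off before any file extension.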

I was using Rising Antivirus, which did not help. I removed it and installed Kaspersky Internet Security, which also did not help in this situation. But Anti-Malware 1.31 works fine for this. I would recommend having a malware/adware removal tool and a registry checker tool along with antivirus software for PC protection.

Antivirus protection for any PC has been a growing need. Some people recommend cheap antivirus software, and some suggest free virus protection or virus removal software. Internet security software is different from antivirus software, and alongside standard scanning software you sometimes also need anti-spam software. Explore TechMynd Recommendations for your PC security needs.


5 Reviews

  1. hadiar says:

    I use Eset smart security which can detect some of these kinds of Trojan .. also a better solution is to use USB disk security.. a very small and lite software which helps in preventing these infections as it automatically detects and blocks any autorun on any device connected..most of the time USB Disk security detects it before my antivirus.. also to prevent the propagation of the autorun Trojan/virus I run flash disinfector

  2. robinsmth86 says:

    How to remove resycled/boot.com

    http://www.tips29.com/2009/01/.....otcom.html

  3. Raza says:

    @Khalid: Try AVG antivirus.

  4. Khalid says:

    Yeah! Malwarebytes’ Anti-Malware is a good solution for malware. What program do you use for viruses?

  5. Excellent content here and a nice writing style too – keep up the great work!