# Serious Virus Problem - YOYO.1271?



## unkellsam (Jan 14, 2006)

Hi,

The other night when I left my computer on overnight and checked it in the morning the screen was blank, meaning that it crashed on its own. When I restarted the computer it would not log on to Windows, and after "Verifying DMI pool", where it should be displaying the Windows boot screen, it's now locking up and displaying "Y∞Y∞" on screen.

I don't know much about boot sectors and all but I'm guessing that this is some kind of virus that messed with my MBR. I luckily have 2 HDs so I am logged on to Windows through my secondary one and have checked the damaged HD and all of the files are still there.

I have scanned both hard drives with Norton, NOD32, and PC-Cillin, all with the latest updates, and none of them found anything of significance. I have also used the XP CD to run FIXBOOT and FIXMBR - neither of those fixed the problem. I have also tried to reinstall Windows but that will not work since the installation needs to restart the computer after preparing the files, and when it does I am greeted by the "Y∞Y∞" and the setup, therefore, cannot continue. I have also run CHKDSK on the drive and set it to repair problems but I get the same result when I try to boot from that hard drive.

The closest virus description I have found to mine is the YOYO.1271 which is given the following description:

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are accessed. On accessing to the files with name extension: TXT, DOC, 1ST, ME?, the virus appends to the end of file 50 data bytes.

From 3rd till 8th of January the virus calls trojan subroutine. It writes trojan code to the MBR sector of hard drive and "hang up" the computer. The trojan code in MBR sector on next reboot erases the CMOS memory, decrypts and displays the message:
I and the public know What schoolchildern learn Those to whom evil is done Do evil in return

Although the message displayed on my computer is different from the description, the date the crash took place matches exactly - January 8 or 9.

I have also heard of YOYO.1271-B which is a boot virus and YOYO.1271-C but I could not find any descriptions of the symptoms. I found two cases of the same problem posted:

http://www.betabulletinboard.com/for...showtopic=2964

http://p216.ezboard.com/fclanbobforu...icID=198.topic

Neither of them are very helpful.

There must be a virus for the computer to be acting this way and for the same exact symptoms to have occurred to others, but why have the virus scanners not found it?

I am wondering if any computer expert has any knowledge on how to solve this problem without formatting as I have heard that formatting is often a poor method for solving an infection. It would be very difficult for me to start everything all over because I have tons of files built up over the years and many different kinds of audio production software that have little plugins in different locations that are all linked through projects and must be in the folders they are in otherwise the projects will not work properly....it's messy. Thanks in advance to anyone who has any advice.


----------



## bandit429 (Feb 12, 2002)

Try Start, then Run, and type Chkdsk /r. Good luck. I will tell you why formatting is a bad method..because nothing is learned...that's exactly why. If you got it messed up and learned nothing then why format? How will you understand what happened? How will you prevent it from happening again? If you would post a HijackThis log I would be happy to take a look at it...I know you said it's in the boot.....I am doing what I can to help, let me see a log please.


----------



## unkellsam (Jan 14, 2006)

Bandit429,

I have tried the chkdsk /r command and it does not fix the problem. How can I get a hijackthis log if I cannot run windows off of that drive? 

And why do you think it is that none of the virus scanners have found anything? Could it be an extremely smart virus or is it possible that it is not a virus at all? The behavior definitely seems like that of a virus.

I totally agree with you on the learning part. I see this problem as a challenge that I have to solve and formatting would be like cheating.


----------



## bandit429 (Feb 12, 2002)

Edit...I missed the part where you said you had 2 drives,,sorry about that...Avg scans the boot sector for problems when you boot...I would guess you should try to install avg to that drive then boot with that drive to see if it will scan and remove it. Have you already tried that?

Then too, we need to think about installing anything to that drive...we don't want to infect the drive you're using..and be sure that any floppy disk you use is locked so it cannot be written to. I'll be in this evening and do some thinking during the day.
http://www.softpedia.com/get/Antivirus/AVG-Free-Edition.shtml


----------



## unkellsam (Jan 14, 2006)

I will try and let you know the results.


----------



## bandit429 (Feb 12, 2002)

Ok..best of luck...I should be here for the next five hours or close by.

You should be able to scan the boot area of the infected drive from the hard drive you are using now. I didn't know that before and just slaved a drive to be sure it would work. That should make it easier...it's default to scan the boot area...hopefully you can select the drive in the system test areas and have it automatically scan there.

System Areas Test - settings Dialog

The System Areas Test is designed to quickly check important system areas, files and keys in the registry.

The System Areas Test settings dialog displays the registry keys, system areas and files included in the test.
Use the Add file button to add files to list. To remove selected file(s) from the list, use the Remove file button.
If the list does not include the Partition table, use the Add MBR button to add it. Alternatively, if the Partition table is included you can remove it by clicking the Remove MBR button.

Similarly, you can use the Add Boot and Remove Boot buttons to add/remove the Boot Sector from the list and the Add registry and Remove registry buttons to add/remove the system registry.


Click the Default button to restore the list to its original form as defined by the manufacturer. 
Click OK to confirm your settings and close the dialog and Close to exit the dialog without saving your changes.


----------



## unkellsam (Jan 14, 2006)

OK, 

So I scanned the boot sector and nothing was found. I also tried running CHKDSK /R on the drive and this time got the message: The volume has one or more unrecoverable problems (or something to that effect). This is making me lose hope of being able to recover and I may just give in and format unless any bright ideas come my way. Thanks for your efforts so far, Bandit.


----------



## bandit429 (Feb 12, 2002)

Ok I see. I'm still reading and trying to find good info..I did find this...you have Norton..have you tried this yet? Is your volume FAT32 or NTFS? This is for the FAT32 format. Also is this a Compaq computer?
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2000092511434413

Be sure the floppy disks are locked.


----------



## bandit429 (Feb 12, 2002)

There are also fixboot and fixmbr commands and an even more in-depth, difficult but workable restore.. Don't give up, I think we can get this. Let's try the most difficult first. I need to link you to where you can read all you will need to read. Watch for an edit to this post.

Edit: Anything look familiar?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;307545

http://forums.techguy.org/windows-nt-2000-xp/195985-solved-well-im-stuck.html?highlight=stuck

There is the recovery console.

http://www.computerhope.com/issues/ch000217.htm

There is fixboot.

http://www.computerhope.com/fixboot.htm

There is fixmbr

http://www.computerhope.com/fixmbr.htm

And lastly is my silly idea of removing the battery for about ten minutes and reinstalling it. That's the ideas of the day...I really need to know if it is a Compaq, it makes a difference.


----------



## unkellsam (Jan 14, 2006)

Hmmm, those posts don't really match my problem, I think what I have is pretty rare. I will look into the fixboot links you sent me. 

I have thought about it though, and as much as I want to figure out what the problem is I realized that it's about time for me to format anyway. I have not done it in at least 4 years and a fresh start wouldn't be that bad.

I really appreciate the help though and I will keep trying. My computer is not a Compaq, by the way, it's a custom computer that I built with the help of my friend who does this for a living.

And the Norton thing I will try as soon as I get my hands on some floppies. All of the floppies I have around here are so old that most of them don't work anymore.


----------



## bandit429 (Feb 12, 2002)

Good luck I hope its help..


----------



## unkellsam (Jan 14, 2006)

Well Bandit,
I ended up formatting and I'm pretty glad about it. Even after installing everything back, my computer is running twice as fast as it did. Although I hate giving up, I don't regret starting over. Thanks for your help, bro.


----------



## bandit429 (Feb 12, 2002)

You are Welcome Bro....I hate giving up too. I wish I could have been more help than I was..take care.


----------



## jerry62 (Jan 29, 2006)

I have this issue also, although I will not reformat... I have used BartPE and UltimateBootCD, but no viruses detected, but I believe it could be on my hidden HP partition.
I can see that data still resides on the system's C drive...
Next, was going to try Recovery Console... Anyone else have this problem?


----------



## bandit429 (Feb 12, 2002)

Hi Jerry,,,have you tried a HP bootdisk? There is a link below...this is not something I have tried. I am asking.

http://www.uktsupport.co.uk/hp/faq/pavilion.htm#boot

Edit: I would like to also add that any floppy disks you may use should be locked.


----------



## jerry62 (Jan 29, 2006)

no, i haven't tried that.. i don't have any dosboot subdirectory though on my C... this is quite nasty, whatever it is... can't figure out how to get the mcafee plugin to work with bartpe either, although I ran some AV from UBCD with NTFS support, didn't find anything...


----------



## bandit429 (Feb 12, 2002)

I understand. There is a link below that discusses how to remove boot viruses....it also relates back to your idea of the recovery console...Have you had experience with the recovery console before?? If not please ask....I have had experience with it before. I'm sorry I missed your post...usually I get the notification right away.

http://www.bullguard.com/support/tip_boot_viruses.aspx


----------



## jerry62 (Jan 29, 2006)

Thanks for responding... I think the biggest help would be to know the exact name of the virus so that I could do the proper research, although I will see what else I can do in the mean time... it's difficult to search on the strange characters the screen displays when an attempt is made to boot from the hard drive.


----------



## jerry62 (Jan 29, 2006)

I don't know if I should have followed those instructions.. I don't think I wanted to run fixboot... that seemed to have wiped everything out... before I could at least see the data files... looks like I'm screwed royally... plus now recovery mode says the c drive is fat16... what ? it's wasted ! then it recognizes another partition it labels as ? at FAT32. I don't know, but one of those 2 commands wiped it out, plus getting those NTLDR not detected... tried copying those over, but still no boot... but why would C be fat16 now... it's worse than before.


----------



## bandit429 (Feb 12, 2002)

Which did you do?? How to remove boot viruses from Bullguard? That's all I could find about yo yo 1271 b

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=YOYO.1271-B


----------



## bandit429 (Feb 12, 2002)

Fixboot should have worked ok. At least not made things worse. Can you still access the recovery console?

http://support.microsoft.com/?kbid=255220


----------



## jerry62 (Jan 29, 2006)

No one is sure that this is YOYO 1271. That was a guess of the original person's problem in this thread. He said the descriptions seemed similar if I recall. 
Yes, I could get back to Recovery Console using boot floppies, however, using the MAP command, there was a small hidden partition, and the C partition was marked as FAT16. I've been running GETDATABACK all night on the drive using their BartPE Plugin. It can see that there was NTFS based data on C at one time. I can see the NTLDR and NTDETECT.COM files I had copied there, but the C drive used to be NTFS, not FAT16, which it now reports as under RC and/or BartPE. There was a smaller FAT32 partition that the MAP command defined as question mark ?. I'm going to try to recover what data I can and use BartPE so I can network in and perhaps copy the data. There was an error reading a block with GetDataBack, so having that run all night wasn't enough... had to respond to popup in order to continue.


----------



## bandit429 (Feb 12, 2002)

A hidden partition is probably normal...HP and Compaq put them on some of their computers. If it found a bad block it could be a bad drive. If after you're finished with that you want to continue, find the manufacturer of the drive and let's see if there is a utility made for that brand you can run on it.


----------



## bandit429 (Feb 12, 2002)

Also Jerry you should take a look at the following. It notes that it is impossible for you to convert that drive. Whatever happened,,you didn't do it. Not with a Windows utility. Click the link, it may be worth the read. There is another link at the bottom which may be of help.



> Note: Windows 2000/XP/2003 provides NO way to convert NTFS partitions to FAT16/32.


http://www.petri.co.il/convert_fat16_to_fat32_in_windows_2000_xp_2003.htm

http://support.microsoft.com/default.aspx?scid=kb;EN-US;307545


----------



## jerry62 (Jan 29, 2006)

Thanks for the follow up.
Well, all I can say, is that at first, even with the problems, I was able to see the files on my C drive using BartPE (xp boot cd). When I then used fixmbr and fixboot, there was a C drive, but Recovery Console lists it as FAT16 (with the size of my former NTFS system). So it could be something so messed up, RC is not reporting it properly, but after that I could no longer view my files on the C drive that matched the same size using BartPE. I had booted systems multiple times on CD and I could see the C drive, but after fixmbr/fixboot, no more. The new C did display the ntldr file I copied there using RC, but not the files that used to be there. In RC, the part listed as FAT16 was the larger drive, which I knew was NTFS. GetDataBack was able to recognize that there was NTFS for this same primary partition. I'm just wishing I had backed up what was visible prior to running fixmbr/fixboot. GetDataBack is not free.


----------



## bandit429 (Feb 12, 2002)

You are welcome,,,that last link may be a possibility. It looks complicated and it is to an extent but I believe you can do it. If the hard drive will let you. Please read the summary very carefully as it states


> This procedure does not guarantee full recovery of the system to a previous state; however, you should be able to recover data when you use this procedure.


I have used this procedure "One Time" and that time it worked perfectly but still the summary does state that it may not. I understand that BartPE does this. I didn't have BartPE.
And I am still looking. Please keep me informed. Did you purchase GetDataBack?

Edit...Here is a free download for a data recovery program,, a friend I know recommends it. He says it works well. _If it works and if the Microsoft recovery procedure does not work maybe you could recover the files that Microsoft is asking for in the procedure and get it going that way. It's an idea._

http://www.pcinspector.de/file_recovery/UK/welcome.htm

Edit: Here is another which may help...There is a part at the bottom which may apply to helping you with the fat 16 partition but I would read it all.

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prmc_str_bjid.asp

I sure hope something of this is help.


----------



## jerry62 (Jan 29, 2006)

man, this site logs u out quick.
Anyway, yes I purchased...
Don't think the registry is the problem... I think the hidden HP partition is corrupt.
Someone suggested using the xp "convert" command on the C drive.. which might work, but first I'm going to complete my backup efforts (only have so much time per day). I make 2 copies of each dvd in case one disc gets damaged. After that, I just might be able to recover to how it was since so far I've been able to recover/see just about all files...
[edit] Also, I might slave the drive off another (after extracting Partition Magic from the data recovery) at some point... strange though, no AV found any virus (when the drive was visible previously under BartPE).


----------



## bandit429 (Feb 12, 2002)

That may work as you can convert "supposedly" from a FAT partition to NTFS. Still blows my mind as to how it worked the other way around....it's not supposed to happen. I cannot help you with Partition Magic as I have never used the program. I did find a link for the Windows convert command. And Partition Magic is recommended.. I hope you can get by any errors. The lower link is for an HP softpaq, which if you have on that computer you should be able to find it at that site by entering your model.

http://www.techrescue.net/guides/prepdrv8.asp#ConvertNTFS

http://h18023.www1.hp.com/support/files/server/us/romtabl.html


----------



## JimmyLegs (Jan 31, 2006)

I can't find any mention of anything like this on the major AV sites. I had ZoneAlarm running and AVG free all up to date, and no indication of problems until trying to restart. The system is P4, 784M ram, 250G HD with WinXP Pro, all up to date.

Recovery console chkdsk /r didn't change anything; I tried recovering the registry using ERDNT (http://www.larshederer.homepage.t-online.de/erunt) also, with no luck.

This HD is backed up except for a few things from the last few days, so I'm not worried about losing anything, but I want to find out what it was. Anyone have any ideas?


----------



## bandit429 (Feb 12, 2002)

There is no information to be found. This is it as far as I could find. Do you have a compaq or hp as well? And which filing system did you have?
Fat32 or NTFS?
And do you have your bad drive slaved now?


----------



## JimmyLegs (Jan 31, 2006)

Nope, not a Compaq/HP. This is one of two systems built by a local company that I acquired used after the owner got rid of them 'cause the hard drive had failed on both. I couldn't figure out if it was the HD or the controller, though the HD I pulled from one was completely dead when I tried it in another machine. The HD on the other was fine after repartitioning. I put a reconditioned 250G HD in the one with the dead HD; that's the one I have probs with now. The other's in the basement waiting to be used.

I've never seen a boot problem like this, and it looks like the kinda thing a virus would do. If I hadn't found this thread, I would have assumed the HD had died, and gone from there. But it looks like 2 others are having exactly the same issue, which seems less likely to be a HD failure. Although I guess Jerry62's problems could be controller/HD related.

Unkellsam and Jerry62 what manufacturer/motherboard/processor do you have?


----------



## bandit429 (Feb 12, 2002)

I agree with you,,,,sometimes when a hard drive is on the edge of going all it takes is a little problem and poof. Maybe Jerry got it and thats all it took and caused a failure.

Have you seen a Y with a sideways 8? Yoo as well? I have never seen so many persons in the same thread so fast if you have. I have posted many links to good information that should have fixed the problem. I worry about advising anyone anything now. Normally if you repair/replace the boot record the virus is gone. I wonder if it creates its own little partition and works from there? Compaq and HP use boot partitions, so it's really not out of the scope of possibilities.


----------



## JimmyLegs (Jan 31, 2006)

Well, I've confirmed that it isn't my hard drive. I finally had time to put the HD in a different machine as a secondary, and all the data appears to be there. I've just finished a full scan with AVG with no result. I'm about to install Norton and scan with that.

In the meantime, unkellsam and jerry62 - did either of you recently install either ClocX v1.4 (description from PC World here) or Icon Restore (PC World here)? I'd installed both of them just before this problem came up. If either of you did, then I'll see if I can submit the installation files for them.


----------



## bandit429 (Feb 12, 2002)

Thanks for sticking with it Jimmy.


----------



## unkellsam (Jan 14, 2006)

Yo, 

I'm back on the post. Jimmy, I didn't install either of the programs you mentioned. 

I have never seen a problem like this that is so hard to get past and happens so randomly. The reason I said I thought it was the YOYO.1271 was because it was the closest thing I could find to that description when I searched for YOYO. The virus description said that the virus launched itself around January 8th which is exactly when my problem started, and that it displayed a message. That's why I think it's some kind of variation of that virus.

I can't think of any other logical explanation for what else it could be. At least it doesn't wipe the data off the HD, I guess that's a plus. Good luck fixing it, man. I ended up formatting, which I'm pretty happy about, but I'd like to find out what the problem is if you figure it out. It's just weird how no virus scanners find anything, I ran 4 different ones.


----------



## jerry62 (Jan 29, 2006)

I'm still backing up the hard drive, since I only have so much time with it (to avoid the family disowning me). I don't believe I have hardware issues. My problem occurred immediately after installing a program that rebooted my system. I still believe this has to be some kind of virus.
In the meantime, my working system locked up (cheap mb), so since I had to reboot anyway, I tried installing the ati catalyst 6.1 drivers, which don't seem to work for me at all, causing more frustration. But someday I'll get it all working again. No, I did not use ClocX.


----------



## arkasarkas (May 22, 2006)

I've got the same virus. Is it safe to use fixmbr? Will it solve anything? Will fixboot solve anything? How do I boot Windows on my first drive from my second hard drive??


----------



## arkasarkas (May 22, 2006)

Oh yeah, and how do I virus-scan before boot? Or could I put my HD in another computer safely and scan there?


----------



## JimmyLegs (Jan 31, 2006)

I don't think it's a virus, but I also don't have a solution. Nothing I tried worked, including pulling the HD out and scanning it from another machine. I ended up reformatting and reinstalling, just like everyone else. Good luck.


----------



## theadvenger (Jul 8, 2006)

Ok. I have been like the rest of you. I have tried almost everything at this point.
I flashed the BIOS, followed up by running a series of fixmbr, fixboot, and then bootcfg /reconfigure. Nothing seemed to do it.
I also looked at the boot.ini file, nothing seems abnormal.

However, the only time I have been able to get the MBR on the primary drive to work properly was by installing Linux (thus installing the GRUB boot loader to the MBR). It gives me Windows as a boot option. However, that is still not loading, BUT NO YOYO. So I think I am getting closer.

PS if anyone wants to see screen shots of what the yoyo looks like. check out. 
http://www.neowin.net/forum/index.php?showtopic=394304


----------



## theadvenger (Jul 8, 2006)

Ok, Still no luck

Here are other things I have tried.
Deleted the Windows XP hibernate file, to make sure it was not hiding in there, as XP will load that file first if it exists.

I rewrote the boot.ini file to make sure it is absolutely normal, not altered in any fashion.

Also tried praying, although as an atheist that doesn't seem to do much.

Also tried copying over the ntdls and the ntloader.com with new copies.

Any ideas anyone?


----------



## bandit429 (Feb 12, 2002)

Do you have your windows xp cd?


----------



## theadvenger (Jul 8, 2006)

Yeah, I have my XP CD. I have used it both to get into a recovery console, as well as doing a full repair, but neither works. When attempting a repair it goes all the way through the DOS-type install and when it reboots to get into the GUI half of the install it gets caught by the yoyo screen.


----------



## bandit429 (Feb 12, 2002)

Sheesh,,check your account for a private message please.


----------



## theadvenger (Jul 8, 2006)

Ok, I just had a novel idea.

Now I am going to attempt a search of all files on the C: drive (drive with Y∞Y∞ issues), for any files that are named and or contain the Y∞Y∞ string.

Could take a while. I'll let everyone know if it comes up with anything.
(The advenger copes with 4 days of Y∞Y∞


----------



## theadvenger (Jul 8, 2006)

Nope. No Y∞Y∞ found.


----------



## bandit429 (Feb 12, 2002)

Do you have an idea where you got it? And do you have another computer to slave the drive to? Ever done that before? If yes then we may have a procedure to try.


----------



## theadvenger (Jul 8, 2006)

<Do you have an idea where you got it?>
That I do not know, it could be a worm, it could be a trojan, it could be a email virus. I am unsure.

<And do you have another computer to slave the drive to?>
That I do. I had not tried putting it on another computer as this computer has two drives, and I am able to run both Windows and Linux from the slave drive. So I have been trying all my forensics from there. All the files on the primary (infected) hard drive are fine and seem unaffected. I am willing to try anything at this point. (Other than giving up and formatting.)



bandit429 said:


> Do you have an idea where you got it? And do you have another computer to slave the drive to? Ever done that before? If yes then we may have a procedure to try.


----------



## bandit429 (Feb 12, 2002)

Edit: There is a dead link in here I am going to have to find it. And the instruction is for 98.. Dang,,be back this evening. Is your partition NTFS or FAT32? We need to know.

Ok well this is found information...nothing we have tried..though I was willing to try, that was why I asked if you knew where you got it. I don't know if it works.

And I will Quote Tom GL2

Although you can remove boot viruses using the Recovery Console, the entire disk may become unusable if the MBR was altered. It's much safer to use antivirus software.

Using another computer equipped with a CD burner, run boot98se.exe to create a boot floppy with CD drive support. Leave the completed floppy in the drive.

Download 20060222-006-i32.exe to C:\. Open a command prompt and type

```
MD C:\NavDX
C:\20060222-006-i32.exe /extract C:\NavDX
```

Download the following files to the C:\NavDX folder:

http://www.ecoland.ro/ecoland/Project/Rescue/EXCLUDE.DAT
http://www.ecoland.ro/ecoland/Project/Rescue/EXCLUDEL.DAT
http://www.ecoland.ro/ecoland/Project/Rescue/NAVDX.EXE
http://www.ecoland.ro/ecoland/Project/Rescue/NAVDX.OVLNAVOPTS.DAT
http://www.ecoland.ro/ecoland/Project/Rescue/NAVSTART.DAT

Create a bootable CD, using the floppy to provide the boot data, and copy the C:\NavDX folder to the data area of the CD.

Boot the infected computer with the CD, and choose Start computer with CD-ROM support. Note the CD drive letter reported (I'll assume E)

Type

```
E:
CD NavDX
NavDX E:\ /S- /B+ /Prompt
```

This will scan all the hard disk boot records, and prompt to repair.


----------



## theadvenger (Jul 8, 2006)

I will try that when I get home. However you are good to ask if it is NTFS or FAT32, because it is NTFS and I could foresee a problem of attempting to use a Win98 boot to load a virus scanner. Now I can tell you that from the secondary Windows XP disk, I have run a virus scan on the first drive (it was a fully updated avast antivirus) and it detected nothing.

I did try something last night that gave me marginal hope... Very marginal. I have two partitions on the second (working) drive, and I installed Ubuntu to the second partition. In doing that I installed the GRUB boot manager to the primary drive. Now, that allows me to boot to either XP or the Ubuntu partition. However, when attempting to boot to the primary HDD, it just gives me the blank screen but at least NO YoYo. (The other partitions seem to be fine for booting.) (Writing GRUB loader scripts from memory.)

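```
# Chainload the first partition of the first BIOS disk
title Windows (yoyo infected drive)
rootnoverify (hd0,0)
savedefault
chainloader +1

# Swap the BIOS disk order so the second drive boots as the first
title Windows (working second drive)
rootnoverify (hd1,0)
map (hd0) (hd1)
map (hd1) (hd0)
savedefault
chainloader +1
```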


----------



## bandit429 (Feb 12, 2002)

You did almost exactly what I was going to ask you to do! 

For example:
So since the Windows partition is C if it were alone and then since you've seen that Yoyo is not a secondary partition on that drive.
In other words I was heading towards fdisk,,,view the partition option of fdisk to look for a partition created by the virus itself. You have seen that Yoyo did not create its own partition,,,right?

You know we were worried a little that you might not understand...Sheesh, you're doing alright by yourself. Good job.

Now since you have done that you will probably come up with the next step before I do but if you don't have a brainstorm or your plan that you may already have doesn't work out don't lose hope because we are thinking too.


----------



## theadvenger (Jul 8, 2006)

Here are a few thoughts (please excuse me if I ramble). Tell me if this gives you any ideas.

When doing a fixmbr it gives the warning saying "this computer appears to have a non standard boot loader" no matter how many times you run it, which leads me to think that it is not overwriting the MBR.

Using a Linux disc, I can overwrite the MBR and install a GRUB boot loader giving me access to the other drive and partitions. Giving normal operation (with exception of booting to affected drive Windows which just gives a blank screen), (thus the old MBR should no longer exist).

After GRUB has overwritten the MBR, going back with the Windows XP recovery and re-running the fixmbr fixboot, brings BACK the YOYO error.

If it is a virus that hides in the MBR, then it should be wiped out when GRUB overwrites the MBR. If it is on the hard drive, the system never gets a chance to run or write to the MBR (and I am certain that the Windows setup disk is not infected). It is also not in the ntldr, ntdetect.com, nor the hibernation file, as I have either replaced or disabled those in different attempts.

Now if it was a hard drive error, then I would expect something other than the following results.
1 - GRUB installs correctly. No problems at all.
2 - On inspection of drive from alternative drive, all files intact
3 - Full scan disk from alternative drive of affected drive comes clean.

So this leaves me still rather baffled.
PS If any one wants to contact me VIA ICQ or MSN please do.
6250155


----------
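An added example, not part of any post in this thread: a Python sketch of the check that jerry62's FAT16-versus-NTFS report and theadvenger's MBR rewrites both point to, reading a raw disk image, decoding the MBR partition table, hashing the boot code, and comparing each partition's type byte with what its volume boot sector says. All function names are this example's own, and the three-sector image is constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

# Partition type byte -> (label, filesystem expected in the volume boot sector).
PARTITION_TYPES = {
    0x06: ("FAT16", "FAT16"),
    0x0E: ("FAT16 LBA", "FAT16"),
    0x0B: ("FAT32", "FAT32"),
    0x0C: ("FAT32 LBA", "FAT32"),
    0x07: ("NTFS/HPFS", "NTFS"),
    0x05: ("Extended", None),
    0x12: ("Compaq diagnostics", None),
    0x83: ("Linux", None),
}


def parse_mbr(sector):
    """Decode the partition table and fingerprint the boot code of one MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        ptype = raw[4]
        if ptype == 0x00:  # unused slot
            continue
        lba_start, count = struct.unpack_from("<II", raw, 8)
        label, expects = PARTITION_TYPES.get(ptype, ("type 0x%02X" % ptype, None))
        partitions.append({"index": i, "active": raw[0] == 0x80, "type": ptype,
                           "label": label, "expects": expects,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Bytes 0-439 hold the loader that FIXMBR or GRUB rewrites; hashing them
        # lets two dumps (before/after a repair, or two machines) be compared.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def vbr_filesystem(vbr):
    """Name the filesystem a volume boot sector claims to be, from its own fields."""
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
        return "unknown"
    if vbr[3:11] == b"NTFS    ":            # OEM ID field
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":           # FAT32 filesystem-type field
        return "FAT32"
    if vbr[54:59] in (b"FAT16", b"FAT12"):  # FAT12/16 filesystem-type field
        return vbr[54:59].decode("ascii")
    return "unknown"


def audit(image):
    """Return (parsed MBR, findings) for a raw disk image starting at sector 0."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("MBR: missing 0x55AA boot signature")
    for p in mbr["partitions"]:
        start = p["lba_start"] * SECTOR
        found = vbr_filesystem(image[start:start + SECTOR])
        if p["expects"] and found != p["expects"]:
            findings.append("partition %d: table says %s (0x%02X) but boot sector looks like %s"
                            % (p["index"], p["label"], p["type"], found))
    return mbr, findings


def _entry(status, ptype, lba_start, count):
    # 16-byte partition entry; the CHS fields are left zeroed in this sample.
    return struct.pack("<B3sB3sII", status, b"", ptype, b"", lba_start, count)


def build_sample_image():
    """Constructed 3-sector image: the table says FAT16, the volume says NTFS."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = _entry(0x80, 0x06, 1, 1)   # active, typed FAT16, starts at LBA 1
    mbr[462:478] = _entry(0x00, 0x0B, 2, 1)   # FAT32, starts at LBA 2
    ntfs, fat32 = bytearray(SECTOR), bytearray(SECTOR)
    ntfs[3:11] = b"NTFS    "
    fat32[82:90] = b"FAT32   "
    for s in (mbr, ntfs, fat32):
        s[510:512] = b"\x55\xaa"
    return bytes(mbr + ntfs + fat32)


if __name__ == "__main__":
    mbr, findings = audit(build_sample_image())
    print("boot code sha256:", mbr["boot_code_sha256"])
    for f in findings:
        print("MISMATCH:", f)
```

Run against a read-only image of the affected drive, taken before any repair command is tried, the same functions give a record of the partition table and boot code to compare against afterwards.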



## bandit429 (Feb 12, 2002)

You are not rambling. This stupid thing has me baffled...it has to be there somewhere. I'm thinking it's on its own partition and made that the boot partition...though I know that doesn't sound logical..nothing else makes sense.


----------



## Flrman1 (Jul 26, 2002)

I'm closing this thread since it is old and inactive.

Anyone else with a similar problem please start a "New Thread".


----------

