Serious Virus Problem - YOYO.1271? (New)

theadvenger
Junior Member with 8 posts.
 
Join Date: Jul 2006
Experience: Advanced
11-Jul-2006, 01:30 AM #46
nope. no Y∞Y∞ found.
bandit429
Distinguished Member with 4,973 posts.
 
Join Date: Feb 2002
Location: Greeneville, Tn
Experience: Sometimes fast, sometimes slow
11-Jul-2006, 07:05 AM #47
Do you have an idea where you got it? And do you have another computer to slave the drive to? Ever done that before? If yes then we may have a procedure to try.

Last edited by bandit429 : 11-Jul-2006 08:33 PM.
theadvenger
Junior Member with 8 posts.
 
Join Date: Jul 2006
Experience: Advanced
12-Jul-2006, 12:51 AM #48
Yoyo Hell
<Do you have an idea where you got it?>
That I do not know, it could be a worm, it could be a trojan, it could be an email virus. I am unsure.

<And do you have another computer to slave the drive to?>
That I do. I had not tried putting it on another computer as this computer has two drives, and I am able to run both Windows and Linux from the slave drive. So I have been trying all my forensics from there. All the files on the primary (infected) hard drive are fine and seem unaffected. I am willing to try anything at this point. (Other than giving up and formatting.)

Quote:
Originally Posted by bandit429
Do you have an idea where you got it? And do you have another computer to slave the drive to? Ever done that before? If yes then we may have a procedure to try.
bandit429
Distinguished Member with 4,973 posts.
 
Join Date: Feb 2002
Location: Greeneville, Tn
Experience: Sometimes fast, sometimes slow
12-Jul-2006, 07:05 AM #49
Edit: There is a dead link in here; I am going to have to find it. And the instruction is for 98... Dang, be back this evening. Is your partition NTFS or FAT32? We need to know.

OK, well, this is found information... nothing we have tried... though I was willing to try; that was why I asked if you knew where you got it. I don't know if it works.

And I will quote Tom GL2:

Although you can remove boot viruses using the Recovery Console, the entire disk may become unusable if the MBR was altered. It's much safer to use antivirus software.

Using another computer equipped with a CD burner, run boot98se.exe to create a boot floppy with CD drive support. Leave the completed floppy in the drive.

Download 20060222-006-i32.exe to C:\. Open a command prompt and type

MD C:\NavDX
C:\20060222-006-i32.exe /extract C:\NavDX

Download the following files to the C:\NavDX folder:

http://www.ecoland.ro/ecoland/Projec...ue/EXCLUDE.DAT
http://www.ecoland.ro/ecoland/Projec...e/EXCLUDEL.DAT
http://www.ecoland.ro/ecoland/Project/Rescue/NAVDX.EXE
http://www.ecoland.ro/ecoland/Projec...OVLNAVOPTS.DAT
http://www.ecoland.ro/ecoland/Projec...e/NAVSTART.DAT

Create a bootable CD, using the floppy to provide the boot data, and copy the C:\NavDX folder to the data area of the CD.

Boot the infected computer with the CD, and choose Start computer with CD-ROM support. Note the CD drive letter reported (I'll assume E).

Type

E:
CD NavDX
NavDX E:\ /S- /B+ /Prompt

This will scan all the hard disk boot records, and prompt to repair.
__________________
Your best is all the effort it takes to accomplish what it is you want to do.
Secret short sentence for the day..............BACKUP YOUR FILES!!!!!!!!!!!!!!!!!!!!!!

Last edited by bandit429 : 12-Jul-2006 07:58 AM.
theadvenger
Junior Member with 8 posts.
 
Join Date: Jul 2006
Experience: Advanced
12-Jul-2006, 01:15 PM #50
I will try that when I get home. However, you are good to ask if it is NTFS or FAT32, because it is NTFS and I could foresee a problem of attempting to use a Win98 boot to load a virus scanner. Now I can tell you that from the secondary Windows XP disk, I have run a virus scan on the first drive (it was a fully updated avast antivirus) and it detected nothing.

I did try something last night that gave me marginal hope... Very marginal. I have two partitions on the second (working drive), and I installed Ubuntu to the second partition. In doing that I installed the GRUB boot manager to the primary drive. Now, that allows me to boot to either XP or the Ubuntu partition. However, when attempting to boot to the primary HDD, it just gives me the blank screen but at least NO YoYo. (The other partitions seem to be fine for booting.) (Writing GRUB loader scripts from memory.)

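# Chainload the boot sector of the first partition on the first BIOS disk
title Windows (yoyo infected drive)
rootnoverify (hd0,0)
savedefault
chainloader +1

# Swap the BIOS drive order so the second disk is presented as the first;
# GRUB legacy's map command takes each drive as a separate argument
title Windows (working second drive)
rootnoverify (hd1,0)
map (hd0) (hd1)
map (hd1) (hd0)
savedefault
chainloader +1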
bandit429
Distinguished Member with 4,973 posts.
 
Join Date: Feb 2002
Location: Greeneville, Tn
Experience: Sometimes fast, sometimes slow
12-Jul-2006, 02:16 PM #51
You did almost exactly what I was going to ask you to do!

For example:
So since the Windows partition is C if it were alone, and then since you've seen that Yoyo is not a secondary partition on that drive.
In other words I was heading towards fdisk... view the partition option of fdisk to look for a partition created by the virus itself. You have seen that Yoyo did not create its own partition... right?

You know we were worried a little that you might not understand... Sheesh, you're doing alright by yourself. Good job.

Now since you have done that you will probably come up with the next step before I do, but if you don't have a brainstorm or your plan that you may already have doesn't work out, don't lose hope because we are thinking too.

Last edited by bandit429 : 12-Jul-2006 02:31 PM.
theadvenger
Junior Member with 8 posts.
 
Join Date: Jul 2006
Experience: Advanced
12-Jul-2006, 09:28 PM #52
Here are a few thoughts (please excuse me if I ramble). Tell me if this gives you any ideas.

When doing a fixmbr it gives the warning saying "this computer appears to have a non standard boot loader" no matter how many times you run it, which leads me to think that it is not overwriting the MBR.

Using a Linux disc, I can overwrite the MBR and install a GRUB boot loader giving me access to the other drive and partitions. Giving normal operation (with the exception of booting to the affected drive's Windows, which just gives a blank screen). (Thus the old MBR should no longer exist.)

After GRUB has overwritten the MBR, going back with the Windows XP recovery and rerunning the fixmbr fixboot brings BACK the YOYO error.

If it is a virus that hides in the MBR, then it should be wiped out when GRUB overwrites the MBR. If it is on the hard drive, the system never gets a chance to run or write to the MBR (and I am certain that the Windows setup disk is not infected). It is also not in the ntldr, ntdetect.com, nor the hibernation file, as I have either replaced or disabled those in different attempts.

Now if it was a hard drive error, then I would expect something other than the following results.
1 - GRUB installs correctly. No problems at all.
2 - On inspection of drive from alternative drive, all files intact.
3 - Full scan disk from alternative drive of affected drive comes clean.

So this leaves me still rather baffled.
PS If anyone wants to contact me via ICQ or MSN please do.
6250155
dabu147@hotmail.com

Last edited by theadvenger : 12-Jul-2006 10:38 PM.
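
Added example, not part of the original thread: a small Python parser for a saved copy of disk sector 0 that makes the two checks discussed in posts #51 and #52 concrete, namely whether the partition table holds an unexpected or newly active entry, and whether the boot code really changed between two captures (for instance before and after fixmbr). It assumes the sector was saved to a file from the working drive (e.g. with dd bs=512 count=1); the function names are this example's own and the sample sectors are constructed in the code.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bootstrap code area of a classic MBR
TABLE_OFFSET = 446    # four 16-byte partition entries start here

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector into signature, boot-code hash, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:   # unused slot
            continue
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def compare(before: bytes, after: bytes) -> dict:
    """Report what differs between two captures of sector 0."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
        "table_changed": a["partitions"] != b["partitions"],
        "active_slots": [p["slot"] for p in b["partitions"] if p["active"]],
    }

def make_sample(boot_fill: int, entries) -> bytes:
    """Build a constructed MBR for the demo; not data from the thread."""
    s = bytearray([boot_fill]) * BOOT_CODE_LEN + bytearray(SECTOR - BOOT_CODE_LEN)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, TABLE_OFFSET + 16 * i, status, ptype, lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    win = [(0x80, 0x07, 63, 1000)]   # one active NTFS-type entry (constructed)
    # Boot loader replaced, table untouched
    print(compare(make_sample(0x90, win), make_sample(0xEB, win)))
    # Same boot code, but a second entry has appeared and taken the active flag
    extra = [(0x00, 0x07, 63, 1000), (0x80, 0x0B, 2000, 500)]
    print(compare(make_sample(0x90, win), make_sample(0x90, extra)))
```

An unchanged boot-code hash after a repair tool reports success means the sector was not rewritten; a changed table or a different active slot points at the partition layout rather than the boot code.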
bandit429
Distinguished Member with 4,973 posts.
 
Join Date: Feb 2002
Location: Greeneville, Tn
Experience: Sometimes fast, sometimes slow
13-Jul-2006, 09:54 PM #53
You are not rambling. This stupid thing has me baffled... it has to be there somewhere. I'm thinking it's on its own partition and made that the boot partition... though I know that doesn't sound logical... nothing else makes sense.
Flrman1
Distinguished Member with 46,429 posts.
 
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
12-Jan-2007, 07:24 PM #54
I'm closing this thread since it is old and inactive.

Anyone else with a similar problem please start a "New Thread".
All times are GMT -5.