Serious Virus Problem - YOYO.1271?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

unkellsam

Thread Starter
Joined
Jan 13, 2006
Messages
8
Hi,

The other night when I left my computer on overnight and checked it in the morning, the screen was blank, meaning that it crashed on its own. When I restarted the computer it would not log on to Windows, and after "Verifying DMI pool", where it should be displaying the Windows boot screen, it's now locking up and displaying "Y∞Y∞" on screen.

I don't know much about boot sectors and all but I'm guessing that this is some kind of virus that messed with my MBR. I luckily have 2 HDs so I am logged on to Windows through my secondary one and have checked the damaged HD and all of the files are still there.

I have scanned both hard drives with Norton, NOD32, and PC-Cillin, all with the latest updates, and none of them found anything of significance. I have also used the XP CD to run FIXBOOT and FIXMBR - neither of those fixed the problem. I have also tried to reinstall Windows but that will not work since the installation needs to restart the computer after preparing the files, and when it does I am greeted by the "Y∞Y∞" and the setup, therefore, cannot continue. I have also run CHKDSK on the drive and set it to repair problems but I get the same result when I try to boot from that hard drive.

The closest virus description I have found to mine is the YOYO.1271 which is given the following description:

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are accessed. On accessing to the files with name extension: TXT, DOC, 1ST, ME?, the virus appends to the end of file 50 data bytes.

From 3rd till 8th of January the virus calls trojan subroutine. It writes trojan code to the MBR sector of hard drive and "hang up" the computer. The trojan code in MBR sector on next reboot erases the CMOS memory, decrypts and displays the message:
I and the public know What schoolchildern learn Those to whom evil is done Do evil in return

Although the message displayed on my computer is different from the description, the date the crash took place matches exactly - January 8 or 9.

I have also heard of YOYO.1271-B which is a boot virus and YOYO.1271-C but I could not find any descriptions of the symptoms. I found two cases of the same problem posted:

http://www.betabulletinboard.com/for...showtopic=2964

http://p216.ezboard.com/fclanbobforu...icID=198.topic

Neither of them are very helpful.

There must be a virus for the computer to be acting this way and for the same exact symptoms to have occurred to others, but why have the virus scanners not found it?

I am wondering if any computer expert has any knowledge on how to solve this problem without formatting as I have heard that formatting is often a poor method for solving an infection. It would be very difficult for me to start everything all over because I have tons of files built up over the years and many different kinds of audio production software that have little plugins in different locations that are all linked through projects and must be in the folders they are in otherwise the projects will not work properly....it's messy. Thanks in advance to anyone who has any advice.
 
Joined
Feb 11, 2002
Messages
4,962
Try Start, then Run, and type Chkdsk /r. Good luck. I will tell you why formatting is a bad method..because nothing is learned...that's exactly why. If you got it messed up and learned nothing then why format? How will you understand what happened? How will you prevent it from happening again? If you would post a HijackThis log I would be happy to take a look at it...I know you said it's in the boot.....I am doing what I can to help, let me see a log please.
 

unkellsam

Thread Starter
Joined
Jan 13, 2006
Messages
8
Bandit429,

I have tried the chkdsk /r command and it does not fix the problem. How can I get a hijackthis log if I cannot run windows off of that drive?

And why do you think it is that none of the virus scanners have found anything? Could it be an extremely smart virus or is it possible that it is not a virus at all? The behavior definitely seems like that of a virus.

I totally agree with you on the learning part. I see this problem as a challenge that I have to solve and formatting would be like cheating.
 
Joined
Feb 11, 2002
Messages
4,962
Edit...I missed the part where you said you had 2 drives, sorry about that...AVG scans the boot sector for problems when you boot...I would guess you should try to install AVG to that drive then boot with that drive to see if it will scan and remove it. Have you already tried that?

Then too we need to think about installing anything to that drive...we don't want to infect the drive you're using..and be sure that any floppy disk you use is locked so it cannot be written to. I'll be in this evening and do some thinking during the day.
http://www.softpedia.com/get/Antivirus/AVG-Free-Edition.shtml
 
Joined
Feb 11, 2002
Messages
4,962
Ok..best of luck...I should be here for the next five hours or close by.

You should be able to scan the boot area of the infected drive from the hard drive you are using now. I didn't know that before and just slaved a drive to be sure it would work. That should make it easier...it's default to scan the boot area...hopefully you can select the drive in the system test areas and have it automatically scan there.

System Areas Test - settings Dialog

The System Areas Test is designed to quickly check important system areas, files and keys in the registry.

The System Areas Test settings dialog displays the registry keys, system areas and files included in the test.
Use the Add file button to add files to list. To remove selected file(s) from the list, use the Remove file button.
If the list does not include the Partition table, use the Add MBR button to add it. Alternatively, if the Partition table is included you can remove it by clicking the Remove MBR button.

Similarly, you can use the Add Boot and Remove Boot buttons to add/remove the Boot Sector from the list and the Add registry and Remove registry buttons to add/remove the system registry.


Click the Default button to restore the list to its original form as defined by the manufacturer.
Click OK to confirm your settings and close the dialog and Close to exit the dialog without saving your changes.
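
As an added example (not part of the thread and not code from any tool mentioned in it): a structural check of the 512-byte MBR sector that the posts above talk about scanning. It reports a missing 0x55AA boot signature and bad partition entries, and returns a hash of the boot code area for comparison against a known-good copy. The function names and both sample sectors are constructed for illustration.

```python
import hashlib
import struct

def inspect_mbr(sector: bytes) -> dict:
    """Parse a classic 512-byte MBR and list structural anomalies."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    findings, parts, active = [], [], 0
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if not any(sector[:446]):
        findings.append("boot code area is all zeros")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:  # unused slot: every byte should be zero
            if any(entry):
                findings.append(f"entry {i}: type 0 but entry not blank")
            continue
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: bad status byte {status:#04x}")
        active += status == 0x80
        if start == 0 or count == 0:
            findings.append(f"entry {i}: zero start LBA or length")
        parts.append({"index": i, "type": ptype, "start": start, "count": count})
    if parts and active != 1:
        findings.append(f"{active} active partitions, expected 1")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["count"] > b["start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts, "findings": findings}

def build_sample(boot_code: bytes, entries: list, signature=b"\x55\xaa") -> bytes:
    """Build a constructed MBR image for testing (placeholder boot code)."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0" * 3, ty, b"\0" * 3, lba, n)
                     for st, ty, lba, n in entries)
    return boot_code.ljust(446, b"\0") + table.ljust(64, b"\0") + signature

# Constructed samples: a healthy single-partition disk and a damaged sector.
GOOD = build_sample(b"\xfa\x33\xc0" + b"\x90" * 40, [(0x80, 0x07, 63, 1000000)])
BAD = build_sample(b"", [(0x59, 0x07, 63, 1000), (0x00, 0x0b, 500, 1000)], b"\0\0")

if __name__ == "__main__":
    for name, img in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, inspect_mbr(img)["findings"])
```

A sector with no findings can still carry altered boot code, which is why the hash is returned: compare it with the hash of a sector saved from the same disk while it was healthy.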
 

unkellsam

Thread Starter
Joined
Jan 13, 2006
Messages
8
OK,

So I scanned the Boot sector and nothing was found. I also tried running CHKDISK /R on the drive and this time got the message: The volume has one or more unrecoverable problems (or something to that effect). This is making me lose hope of being able to recover and I may just give in and format unless any bright ideas come my way. Thanks for your efforts so far, Bandit.
 
Joined
Feb 11, 2002
Messages
4,962
There are also fixboot and fixmbr commands and an even more in depth difficult but workable restore.. Don't give up, I think we can get this. Let's try the most difficult first. I need to link you to where you can read all you will need to read. Watch for an edit to this post.

Edit: Anything look familiar?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;307545

http://forums.techguy.org/windows-nt-2000-xp/195985-solved-well-im-stuck.html?highlight=stuck

There is the recovery console.

http://www.computerhope.com/issues/ch000217.htm

There is fixboot.

http://www.computerhope.com/fixboot.htm

There is fixmbr

http://www.computerhope.com/fixmbr.htm

And lastly is my silly idea of removing the battery for about ten minutes and reinstalling it. That's the ideas of the day...I really need to know if it is a Compaq, it makes a difference.
 

unkellsam

Thread Starter
Joined
Jan 13, 2006
Messages
8
Hmmm, those posts don't really match my problem, I think what I have is pretty rare. I will look into the fixboot links you sent me.

I have thought about it though, and as much as I want to figure out what the problem is I realized that it's about time for me to format anyway, I have not done it in at least 4 years and a fresh start wouldn't be that bad.

I really appreciate the help though and I will keep trying. My computer is not a Compaq, by the way, it's a custom computer that I built with the help of my friend who does this for a living.

And the Norton thing I will try as soon as I get my hands on some floppies. All of the floppies I have around here are so old that most of them don't work anymore.
 

unkellsam

Thread Starter
Joined
Jan 13, 2006
Messages
8
Well Bandit,
I ended up formatting and I'm pretty glad about it. Even after installing everything back, my computer is running twice as fast as it did. Although I hate giving up, I don't regret starting over. Thanks for your help, bro.
 
Joined
Feb 11, 2002
Messages
4,962
You are Welcome Bro....I hate giving up too. I wish I could have been more help than I was..take care.
 
Joined
Jan 29, 2006
Messages
13
I have this issue also, although I will not reformat... I have used BartPE and UltimateBootCD, but no viruses detected, but I believe it could be on my hidden HP partition.
I can see that data still resides on the system's C drive...
Next, was going to try Recovery Console... Anyone else have this problem?
 