Windows 7: windows failed to start with "ynhif is compressed" error

A friend who has an Aspire One with Windows 7 Starter asked me to help, his computer wouldn't boot. It would go through the bios part of the boot and then very quickly it would show an error saying "ynhif is compressed" and stop there. The error would come up so fast it was as if Windows wasn't even trying to boot. There was none of the normal Windows startup screens. There was nothing I could do to boot the machine. I couldn't get to the list of boot options. This problem was happening way before one could get that list in the startup process.

I booted off an AVG antivirus rescue disk cd and checked the system. There were no viruses. That disk allowed me to use a simple file browser and editor. I could see a file named ynhif with no file extension and a file size of around 233kb. It was modified at the same time that Windows 7.ld was modified.

I googled heavily but couldn't find anything about a file named vnhif. I didn't know what to do so on a hunch I just renamed the file to ynhif.old and the system booted right up.

Does anyone have any idea what ynhif might be from and how it got there? I looked into it with a text editor and looked like it was some kind of boot file, with references to linuxey stuff and thing about booting.

I thought I'd post this here as it might help someone else and also to see if anyone had any ideas.

Thanks!
Greg

Greg I am highly suspicious of it. I too googled it with no information, the fact that it had no extension (or was it hidden) more so.

The fact that AVG didnt find anything isnt un-usual. I would download malwarebytes and run it against the file before you delete it.

ZigZag,

Thanks! I didn't delete the file. I'm going to move a copy of it over to my Mac and send it to the antivirus folks that have a place on the web to submit suspicious files for analysis.

I think installing MalwareBytes is a good idea too! I'm going to do that now. I'll post back what it turns up.

Greg

Good luck

ZigZag,

Sophos came back with results first. They say the file is clean. I'll see what the others say. I also submitted to Avira, Symantec and another one.

Greg

Good. Better safe than sorry with unknown files.

After you renamed the file and got the pc to boot, did your friend's system create a new ynhif file?

It's highly likely you've caught some form of pre-boot rootkit that uses a random name for its payload. Googling or looking for another "ynhif" won't help because other installations of the same malware will be named with a different set of five random characters. If you want to check if the computer has been reinfected, use a boot disk to look for the re-appearance of any other files with random names.

Brand-name antivirus software virtually useless against this kind of threat and all 'clean' reports you get should be considered false negatives.

Rootkit malware is extremely difficult to eradicate. Your best option is to copy all data off the system, wipe the hard drive (diskpart clean) and reinstall from a recovery disk or retail DVD.

Make sure your friend gets into the habit of updating all his Internet-facing software (browser, flash, acrobat reader) to reduce the risk of being infected again. Running AV software alone is an inadequate defense.