How to Kill the YoYo

A foul, wretched spawn of Satan!

*** Revised May 11/09 ***

You can’t kill it.

It’s too much of a headache, unless one is a supergeek, and that’s not the vast majority of PC users.

The YoYo virus is an evil thing that corrupts the MBR (Master Boot Record) and gums up the NTUSER files so you can't even log in.

What happens: as your computer goes through the boot sequence – you know, where it checks the A drive, then/or the CD-ROM, and then the master hard drive from where it starts to load everything the puter needs to launch – it stops as it attempts to read from the hard drive. Why? Because apparently it can’t find it, and all you see is the letter “Y” followed by the infinity symbol, followed by another “Y” and another infinity symbol.

You can't bypass it, you can't get into Windows Safe Mode, you can't do nothin'. Total system fubar, except your data is still safe, in its original file structure.

However, it can be passed on through a saved hard drive image if that image, unbeknownst to thee, has the bug somewhere inside - which is very much possible, because major anti-virus software like AVG and Avast can't see it, which means it sits and waits. You know when it makes itself known because your machine's speed starts to radically slow down, followed by a total system crash, and the only solution is to reboot or kill the power, thus enabling the reboot which won't complete due to the data that was likely being corrupted during that massive slow-down period.

If you have ERD Commander 2005, you can boot from that disc and move data onto another hard drive for safety. Unless you know what you're looking for, I wouldn't attempt to muck around with the registry and change anything. I tried a system restore the first time I had the bug (Xmas '08), and it did nothing. Neither scanning for corrupted files nor any crash info yielded results – everything seemed normal – so ERD lets you move data to a safe place, and that's it.

(If you don’t have ERD, you can still dump data from the affected drive onto another using a second computer.)

I tried using the FIXMBR feature in the Windows XP installation disc (which is bootable), but while it does fix the MBR, the NTUSER files are still corrupted. All that happens – in standard, or in Windows Safe Mode – is as the XP Welcome screen appears, the system hangs because it can’t load the user data, let alone a login.

I had a clean image of the drive taken a month prior to the first assault back in November, and using Powerquest Drive Image 7, even extracting clean NTUSER files onto the corrupted versions using a second puter did nothing.

One post I read said copying/cloning the drive onto another, wiping the old, and copying the files back worked, but that seems to imply YoYo is a software glitch instead of a virus, unless it lives in the drive's MBR outside of the operating system, and can only be killed through formatting.
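An added example, not part of this post: a small Python check that parses the 512-byte MBR described above (boot code, four partition entries, 0x55AA signature) and compares it against a baseline taken from a known-clean image, so a changed boot sector can be spotted before an image is cloned onward. The sample sector bytes below are constructed, not read from a real disk; on a real system the sector is the first 512 bytes of the raw disk device.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition list and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 means the entry is unused
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline from a clean image; empty list == no change."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from clean baseline")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from clean baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR (hypothetical, not from a real disk): one bootable NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed stand-in boot code
TAMPERED_MBR = CLEAN_MBR[:4].replace(CLEAN_MBR[:4], b"\xeb\xfe\x90\x90") + CLEAN_MBR[4:]  # constructed change
BASELINE = parse_mbr(CLEAN_MBR)  # would normally be saved alongside the clean drive image

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or ["no change"])
```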

The easiest solution (if the above cloning/wiping/copying back option fails) is to do a clean wipe and total reinstall, and create specific backup images that will minimize the most time-consuming stage of restoring the hard drive - the installation of Windows, followed by main programs, and then all the little programs that can easily be installed without extensive waves of update patches (as is often the case with Windows and other Bloatware).

Some message boards have affected PC users claiming secondary infections, as well as a theory that the bug is meant to hit at Xmas or New Year's, although the dates of those posts vary between 2007 and 2008.

One thing is very, very clear now: come Christmas, I'm gettin' a Mac and living in that strange neverland where an EXE file is as harmful as a gnat.



- MRH

Copyright © mondomark