Suspected Rogue Anti Virus 2009. Appears as a white box on desktop

I'm using my uncle's computer; I saw it on the desktop. He has AVG and Norton check-up, but they are quiet. I also get this pop-up too,

about "yimipivu.dll is not a valid Windows image" each time I start something.

My cousins said it's been there since they bought the computer.

Like I said, I'm not sure, but I know there's a rogue called Anti Virus 2009.

I will provide my uncle with a link to this topic.

Hi

I know that rogue antivirus. It's called W.A. 2009 (Windows Antivirus 2009). When Antivirus 2009 is installed, an Internet Explorer browser helper object is also installed that displays fake messages when using Internet Explorer. These messages range from a line at the top of the browser stating an infection was found to adding a box to the Google homepage stating Google detected that your computer was infected. You should try to download Malwarebytes' Anti-Malware. Do a full scan and post the log here.
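As an added illustration of the browser helper object point above (example code written for this thread, not something any poster supplied): a read-only PowerShell check that lists the BHOs registered for Internet Explorer, resolves each CLSID to the DLL it loads, and reports whether that DLL carries a valid Authenticode signature. The registry paths are the standard BHO and CLSID locations; nothing is modified.

```powershell
# Added example, not from this thread: list Internet Explorer Browser Helper Objects,
# resolve each CLSID to the DLL it loads, and report the DLL's Authenticode status.
# Read-only: nothing is removed. Run from an elevated PowerShell prompt.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The InprocServer32 default value of the CLSID is the DLL path IE will load
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path).Trim('"') }
        }
    }
    return $null
}

$report = foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem -Path $root) {
        $clsid  = $entry.PSChildName
        $dll    = Resolve-BhoDll -Clsid $clsid
        $status = 'DLL not found'
        $signer = ''
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch, etc.
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ CLSID = $clsid; DLL = $dll; Signature = $status; Signer = $signer }
    }
}

# Unsigned or unresolvable BHO DLLs with random-looking names in System32 deserve a closer look
$report | Sort-Object Signature | Format-Table -AutoSize
```

The same Get-AuthenticodeSignature call is what a vendor's "check the digital signature" step on a downloaded removal tool amounts to.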

LadyCC has good advice. Try MBAM (free in the on-demand version).

You (or your uncle) have two AVs active, from the look of it. Generally considered non-beneficial, and usually damaging.
I would suggest downloading a current copy of whatever AV he/you chooses to use (I know of one that is particularly good ;)), downloading the appropriate removal tools for Norton and AVG (I can provide links if needed), making sure MBAM is installed and updated, then going offline, removing those old AVs, scanning with MBAM, sorting the problem out (more work may be indicated, but MBAM is pretty competent), then installing your new AV and going online again for updates.


According to Prevx, yimipivu.dll is a sign of a Fraudulent Security Program.

http://www.prevx.com/filenames/X305904071622596820-X1/YIMIPIVU.DLL.html



YIMIPIVU.DLL has been identified as Adware.Vundo/Variant. If MBAM doesn’t detect that dll, you can use FixVundo.
Follow these steps to download and run the tool:

  1. Download the FixVundo.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixVundo.exe

  2. Save the file to a convenient location, such as your Windows desktop.

  3. Optional: To check the authenticity of the digital signature, refer to the “Digital signature” section later in this writeup.

    Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the “Digital signature” section before proceeding with step 4.

  4. Close all the running programs.

  5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

  6. If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

  7. Locate the file that you just downloaded.

  8. Double-click the FixVundo.exe file to start the removal tool.

  9. Click Start to begin the process, and then allow the tool to run.

    Note: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe Mode and run the tool again.

  10. Restart the computer.

  11. Run the removal tool again to ensure that the system is clean.

  12. If you are running Windows Me/XP, then reenable System Restore.

  13. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

  14. Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

* Total number of the scanned files
* Number of deleted files
* Number of repaired files
* Number of terminated viral processes
* Number of fixed registry entries

Hope it will work. Have a nice day.

First, you need to use one real-time protection for your Windows; only scanners, or more than one real-time protection, means NOT protected at all!!

If the Norton is a real-time protection such as Norton AntiVirus, Norton Internet Security or Norton 360:

  1. Go to Control Panel and Programs and Features (Add/Remove Programs), find Norton and uninstall it.
  2. Download and run the Norton Removal Tool.

If the Norton product is just Norton Security Scan, leave it :)

If you have AVG installed:

  1. Go to "Control Panel" and "Programs and Features" (Add/Remove Programs), find AVG and uninstall it.
  2. Download and run the AVG Removal Tool, 32-bit / 64-bit.

Now I suggest you use avast! antivirus; maybe you can try the Home Edition and then, when you see how good it is, buy the Professional version to use more features (anyway, you are protected very well by the Home Edition too).

Before installing the new antivirus, first you need to get rid of that fake AV:

During the install of every new scanner, it is possible the current fake antivirus infects it and doesn't let it run correctly, so try an antivirus scanner that works outside of Windows without installation; a bootable antivirus disc can be good :)
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from here. You can learn how to use it from here.
Also, if you want to burn that disc yourself with your own burning tool (such as Nero or...), you can download the image file (.iso) from here.
After burning it to disc, use it to boot your computer, do a full scan and remove anything that it finds.

And then:
Download, install and update these programs (just use the offline update installer if you cannot use Live Update to update your programs):

Program                   | Download                                                                   | Offline Updater
--------------------------|----------------------------------------------------------------------------|------------------------------------------------------------------
Malwarebytes Antimalware  | http://www.malwarebytes.org/mbam.php                                       | http://www.malwarebytes.org/mbam/database/mbam-rules.exe
SUPERAntiSpyware          | http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe       | http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE
SpyBot S&D                | http://www.safer-networking.org/en/mirrors/index.html                      | http://www.spybotupdates.biz/updates/files/spybotsd_includes.exe

Scan your computer using them; also try to immunize your Windows using SpyBot S&D. During the installation of SpyBot S&D, disable all residents.

Now download, install and register avast! antivirus Home Edition.

The FixVundo tool from Symantec is an outdated program and can only detect and remove the first generations of "Vundo".
The Avira Rescue Disc would be able to remove that Vundo and other malware that has been downloaded via Vundo.
Also, an updated avast! would be able to protect against and remove future virus attacks :)

Norton FixVundo info (see the avast! virus definitions too, to find how many generations of Vundo have been released):

Discovered: November 20, 2004
Updated: November 30, 2005 12:00:00 AM
Type: Removal Information
This tool is designed to remove the infections of the following threats:

Trojan.Vundo
Trojan.Vundo.B

OK, I just called him. I'm going to take care of it after school: I will run MBAM, uninstall AVG, and install Avast. He said the yimipivu.dll pop-up started appearing when he downloaded some pictures (I'm guessing that's why it says Bad Image every time you start something).

They don't want avast right now, so they will keep AVG (I couldn't turn them to the best). I don't have the log, but I will just post the items found by MBAM:

Adware.Hotbar
Adware.Mywebsearch
Adware.Funwebproducts
Adware.gamevance
Trojan.Vundo.H
Heuristic.Malware (suspicious behavior?)
Malware.Trace
Rogue anti virus 2009
Trojan.Vundo

This is all I can remember; except for the Malware.Trace and heuristic ones, there were multiple signs of everything else. My uncle is stubborn and has a degree in this; he just didn't notice the "Anti Virus 2009" mocking everyone on the desktop. Can you tell me some more info on this? Oh yeah, this is without MBAM being updated, because it would freeze during the update. I'm getting interested in killing these little buggers!

Update MBAM via the offline updater: download the rules from http://www.malwarebytes.org/mbam/database/mbam-rules.exe and run it; it will update MBAM to the latest version. OK, if you don't want to install avast!, just do a scan via that Avira Rescue System to remove things missed by MBAM and AVG :)

My uncle is gonna do things himself, he said; he's pretty embarrassed about a 13-year-old (me) cleaning his computer, which he has a degree in. They also password-locked it because the viruses were probably accidentally downloaded by their children. They will play anything they see (like that Gamevance). I have to take my hands off from here. And on the log, what did it mean by Heuristics.Malware? I know what a heuristic is, but why would it detect that as part of a name?

Without the detailed log and access to the file (and maybe even then) one could not be certain, but a detection made heuristically is somewhat more likely to be a false positive than one made using signatures. Depending on the heuristic method (and I'm no expert on this, just the remembered sum of what I've read), the file's behaviour and/or structure and/or similarity to known malware families is analysed and found to be suspicious. The idea being, of course, to give the user a chance to quarantine new malware that isn't on the signature list yet.
I can’t tell from what you’ve posted above whether the heuristic detection refers to “trojan vundo H” or “malware trace…” etc.

So a 13-year-old has more local smarts about AVs than someone with a degree. (Well done.)
But it goes to show you what a degree is worth these days.
"Tick the boxes for the ISO qualification." No need to actually teach anything.

It wasn't probably a FP; that computer was loaded with crap. They were about to throw it away, but I saved it. He also got a refund from AVG thanks to me... and as that one guy on the forums says, I'm about to love the smell of burning malware in the morning, well, any time at least. I just wish those girls would be careful. I first spotted the rogue laughing when I saw it on the desktop. That's when I took action...

Apocalypse Now - I Love The Smell Of Napalm In The Morning
http://www.kewego.com/video/iLyROoaft6Wn.html

You have to see the movie with the sound turned up and subwoofers bolted to the floor.
Invite your neighbors over, as they might think WW III has started.