RunDLL trojan

Discussion and support for the Windows family of operating systems.
Nerevar
Registered User
Posts: 3621
Joined: 21 Jul 2004, 02:00
Location: Stellenbosch

RunDLL trojan

Post by Nerevar »

it started with,

yotkhyfx.dll

yayvVOeb.dll

on my startup, it has since doubled itself countless times and the more I try to remove it, a restart and it's there again....

as an AV I run Kaspersky AV 2009, uninstaller and tried AVAST as well, both tell me there is a problem, both can't seem to fix it.

the weird thing with this trojan (I guess) is the fact that once it's loaded, or says it's failed to load, I can't access any website (IE, Firefox, Opera) but I can access p2p ports etc., and my PC CPU usage on explorer is at a constant 30 - 40%.

tried googling but the only website I found was some Chinese forum...

I'm running VISTA SP1 with all the latest updates etc., no other PC on the network has trouble going on any website.

any help would be appreciated, before I format my HD (it's a 500gb) =/ I'm frankly clueless as to how I even got this thing on my PC.
E6600@2.9GHz, Asus8800 GTS, 2x2GB
Patriot DDR2 4-4-4-12 @ 900MHz
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: RunDLL trojan

Post by hamin_aus »

I had this bugger in the beginning of the year.

I tried to beat it for about 2 weeks.

Eventually I gave up and reformatted.
ADV4NCED
Registered User
Posts: 2164
Joined: 07 Nov 2004, 02:00
Location: KZN

Re: RunDLL trojan

Post by ADV4NCED »

I take it you tried removing the infection with KAV in safe mode?

Do you have UAC enabled? If not, enable it in safe mode
I am 63% addicted to Counterstrike. What about you?
Nerevar
Registered User
Posts: 3621
Joined: 21 Jul 2004, 02:00
Location: Stellenbosch

Re: RunDLL trojan

Post by Nerevar »

always give safe mode removal a go,

I'll see if UAC makes something work :)

really strange that there is so little info about this little bugger on the internets
Frozenfireside
Registered User
Posts: 2618
Joined: 26 Apr 2007, 02:00
Location: Westcliff, Johannesburg

Re: RunDLL trojan

Post by Frozenfireside »

make sure you don't have a keygen or something hiding the little bugger and update your antivirus in safe mode.

I am, however, tempted to say format. Slow format as well (although it makes little difference)!
Soon Google will know everything...including how to divide by zero :(
Nerevar
Registered User
Posts: 3621
Joined: 21 Jul 2004, 02:00
Location: Stellenbosch

Re: RunDLL trojan

Post by Nerevar »

UAC didn't do a thing, it seems to have stopped once I changed the extensions of all the "virus" dll files, all I get now is on startup it says it fails to load and my internet works, still trying to fully remove it though, really strange as I have no idea how I got this on my PC.
Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

Re: RunDLL trojan

Post by Anakha56 »

I know this is a long shot but try enabling Windows Defender and let that do a full system scan. I have seen that remove some nasties that even my AV package could not remove...
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Nerevar
Registered User
Posts: 3621
Joined: 21 Jul 2004, 02:00
Location: Stellenbosch

Re: RunDLL trojan

Post by Nerevar »

ran a full system scan and found nothing, even got the latest updates
Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

Re: RunDLL trojan

Post by Anakha56 »

Then I have no idea what you have running there... :? Best bet seems to be a format reinstall :(

Remember kids, downloading arb pr0n gives you an infection so don't do it! Unless it is reliable :P..

/please note that the pr0n bit is a joke :P
Frozenfireside
Registered User
Posts: 2618
Joined: 26 Apr 2007, 02:00
Location: Westcliff, Johannesburg

Re: RunDLL trojan

Post by Frozenfireside »

Nerevar wrote: ran a full system scan and found nothing, even got the latest updates
Le format.
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Re: RunDLL trojan

Post by SBSP »

Weird that someone would put a DLL in the startup as it would just bring up the open with dialog box.

yotkhyfx.dll and yayvVOeb.dll might be hiding an extension of yotkhyfx.dll .exe and yayvVOeb.dll.exe
with DLL icons.

When you say it's in startup, is it in the startup programs folder? Or in the registry?
I take it you are seeing this in the startup folder as you can see the DLL files.

If you go to Control Panel ---> Folder Options ---> View tab
Untick "Hide extensions of known file types". (IMO this should be default as this causes most security problems)

Then check the files in startup again and check to see if they have exe extensions.
When you delete them and they come back, do they come back with the same file name? Or are they random?

Edit.
This is a temporary solution, I always use this and it works.
The stupid programs are just programs and are programmatically programmed to do exact steps.
So by messing with its mission to mess with you, you can mess with it :-) HeHe.

Remove the user permissions on the startup folder.
I think in Vista C:\Users\bla bla bla.
And in the registry:
Start, then Run, type regedit, click OK,
go to keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Right click them and remove the user rights. (Be careful, don't remove admin rights please!)
Otherwise you won't have permission to put it back.

Then try and find the rest of the program.

Some extra tips: run the system as is and use Filemon and Regmon to monitor unknown tasks, and exclude Explorer and all the usual ones; you should quickly find the source.
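
The checks from the post above, gathered into one read-only PowerShell audit. This is an added example, not part of the original post: it lists both Run keys and the Startup folder, flags values that load a DLL through rundll32.exe or carry a double extension, and shows who may write to each Run key. `Test-AutostartEntry` is a hypothetical helper, the extension lists are assumptions, and the last sample entry is constructed.

```powershell
# Added example: read-only audit of the autostart locations named in the post.
# Test-AutostartEntry is a hypothetical helper; the extension lists are assumptions.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $flags = @()
    # A DLL cannot start itself; a Run value has to go through rundll32.exe.
    if ($Command -match '(?i)rundll32(\.exe)?"?\s+"?(?<dll>[^",]+\.dll)') {
        $flags += "rundll32 loads $($Matches['dll'])"
    }
    # Executable hiding behind a second extension, e.g. name.dll.exe.
    if ($Command -match '(?i)\.(dll|txt|doc|pdf|jpg)\s*\.(exe|scr|com|pif|bat|cmd)\b') {
        $flags += 'double extension'
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command
                       Flags = ($flags -join '; ') }
}

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            Test-AutostartEntry $key $valueName ([string]$item.GetValue($valueName))
        }
    }
    # Startup folder: -Force also lists hidden files.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -Force | ForEach-Object {
        Test-AutostartEntry $startup $_.Name $_.FullName
    }
    # Constructed sample (not from the thread) to show what a flagged entry looks like.
    Test-AutostartEntry 'constructed' 'sample' 'rundll32.exe "C:\example\sample.dll",a'
)
$entries | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap

# Who may write to each Run key (the post suggests removing user write rights).
$acl = foreach ($key in $runKeys) {
    (Get-Acl -Path $key).Access |
        Select-Object @{n='Key';e={$key}}, IdentityReference, RegistryRights, AccessControlType
}
$acl | Format-Table -AutoSize -Wrap
```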
Nerevar
Registered User
Posts: 3621
Joined: 21 Jul 2004, 02:00
Location: Stellenbosch

Re: RunDLL trojan

Post by Nerevar »

I removed them from startup and registry but they keep coming back under different names, like I deleted those 2 and the next reboot, there they are again, I'll give all of that a go when I get home, thanks :)
Prime
Registered User
Posts: 27729
Joined: 01 Mar 2004, 02:00
Location: Getting into trouble

Re: RunDLL trojan

Post by Prime »

It's been a long time since I've had a virus so I may be very wrong and I might have missed mention of it in this thread but what about a removal tool? :?
Prime
Registered User
Posts: 27729
Joined: 01 Mar 2004, 02:00
Location: Getting into trouble

Re: RunDLL trojan

Post by Prime »

Any idea what virus this actually is? I'm looking at a page of Google results for rundll trojan. :?
Treeoflife
Registered User
Posts: 48
Joined: 19 Nov 2007, 02:00

Re: RunDLL trojan

Post by Treeoflife »

rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Re: RunDLL trojan

Post by rustypup »

Treeoflife wrote: very good A/V bullguard
bull-something... that would be repackaged bitdefender with some really simple spam filtering and a none-too-secure f/wall thrown into the mix...

ie, don't touch unless you're into masochism...

iirc, these folks even used a link-redirect from eset to bump sales :lol:
Most people would sooner die than think; in fact, they do so - Bertrand Russel