Topic: Problem with a virus (started by gildardo)
Post #1, Apr 15 2008, 05:35 PM
Zen Zoup (Group: VIP, Received 7 Thanks, Posts: 745, Joined: 17-January 05, From: Juarez, Chihuahua, Mexico, Member No.: 24,424)
Well, I've got a big problem with a virus that I can't seem to be able to clean --- both on the laptop I'm using at work and on my home PC. Both run WinXP.

One thing: my home PC got infected by a USB flash memory, since at the moment I don't have an internet connection there, but the laptop definitely was already infected when I started using it --- which was after my home PC was already infected. After running a few clean-up sessions on the laptop I eliminated most of the malware that was in it --- my PC was very clean, but this laptop was a huge mess. Still, the same virus seems to be present on both machines. I can't reformat the laptop's hard drive since it's not mine and eventually I have to return it to its owner, and as it has some files of importance I can't do whatever I want with it. My PC on the other hand has many, many GBs of music and video files, so I don't want to reformat its hard disk either.

I did a Google search on what seems to be a very suspicious file that I find when I run Autoruns (from SysInternals): iuhi64.exe; Autoruns however can't simply delete the file: it reappears after doing so. All I found from Google was in Polish, and since I don't speak the language it's completely useless to me. What I did see is that it seems other people have found it in the exact same folder as on both of the computers I'm using; the full path is:

c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

The file simply can't be deleted, since Windows can't find it when I try, but it clearly appears in Autoruns under the entry for the key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under the "name" n/a. Again: deleting it or simply unchecking the entry doesn't work, as it simply reappears next time I run Autoruns or after restarting the computer. Also, RootKitRevealer doesn't seem to help much: I can't find the problem with it.

Can anyone help? I'm getting very aggravated, to put it mildly.

EDIT: Oh, one of the web pages I found is in Czech, which I also don't speak.

This post has been edited by gildardo: Apr 15 2008, 06:08 PM

Post #2, Apr 15 2008, 07:04 PM
Advanced Member (Group: Global Moderator, Received 39 Thanks, Posts: 2,474, Joined: 23-January 08, From: The Far Side, Member No.: 387)
Only word I can recognise on those results is Rootkit.
Try running AVG Anti-Rootkit, available from here.

Post #3, Apr 15 2008, 09:03 PM
Woman, Call of Duty 2 Champion! (Group: sVIP, Received 215 Thanks, Posts: 11,461, Joined: 23-August 07, From: Southern USofA, Member No.: 10)
Thing is...
I did the same thing. And ran the anti-rootkit. And my puter blew up. Had to reinstall XP completely. Just fyi.

Post #4, Apr 16 2008, 01:20 AM
Let's talk coconut (Group: sVIP, Received 7 Thanks, Posts: 5,327, Joined: 2-June 04, From: the zoo around you, Member No.: 58)
Windows Explorer will hide the Recycler folder as it's a system folder, so you can either make it visible via:

Control Panel > Folder Options > View:
-- Enable 'Show Hidden Files and Folders'
-- Disable 'Hide Protected Operating System Files'

Or you can use a third-party program like WinRAR, which should show it anyway.

The file reappears because it's not the only infected file, though the other one is likely to be an infected system file (like an infected version of explorer.exe, for example). Get FileMon -- it logs hard disk activity, so use it to find out which process is responsible for recreating iuhi64.exe when you delete it. It will probably point you to the infected system file, and then it'll be a bit tricky to find the right sequence of deleting the iuhi64.exe file, stopping the infected system file's process, and replacing the infected system file with an original copy. And making sure there are no infected copies of it left in the Windows/System32/dllcache folder.

This post has been edited by ADL242: Apr 16 2008, 01:21 AM

Post #5, Apr 18 2008, 03:35 PM
‹(•¿•)›, Lightning Break Pool Champion! (Group: sVIP, Received 8 Thanks, Posts: 1,098, Joined: 23-May 05, Member No.: 650)
Start by running your scans in Safe Mode.

Post #6, Apr 18 2008, 04:03 PM
Advanced Member (Group: Community Leader, Received 3 Thanks, Posts: 38, Joined: 23-January 08, Member No.: 376)
I've had a look on Google and one page, although in non-English, 'seems' to point out that it's called Win32.Small.dlh, which from another search 'looks like' it's also known as Trojan-Clicker.Win32.Small.kj, Generic, Win32/TrojanClicker.Small.KJ, TROJ_Generic.

Looking at Symantec's website, this doesn't look like anything new, especially not a rootkit. Hope this gives you some other search avenues.

Post #7, Apr 21 2008, 11:28 PM
Zen Zoup (Group: VIP, Received 7 Thanks, Posts: 745, Joined: 17-January 05, From: Juarez, Chihuahua, Mexico, Member No.: 24,424)
Thanks for the replies --- and thank God filesoup is back on!

Well ADL, the problem is that whatever the virus is doing won't let me see any hidden files and folders --- that's how I noticed something was wrong, because after electing to see both the system and other hidden files the option just wouldn't "stick". I checked and unchecked the correct boxes, and it just wouldn't work. I tried again, and the tick marks on the boxes would be the same as if I hadn't done anything. Also, if I try to erase the virus file, Windows can't find it, even if I give it the full path.

My home machine is a dual-boot machine, the other OS being Linux; from there I can actually see the file, but I can't delete it --- there's no way of changing the permissions of the files in the Windows partitions.

Oh, and I ran Process Monitor from Sysinternals on the laptop I use at work to get a boot log; the file in question does seem to be initiated by explorer.exe, but something happened after I rebooted the system to do the scan: after a few minutes I could not connect to the internet --- there was activity when I checked the status of the connection, but it certainly wasn't coming from me. It seems something happened that activated some function of the virus that kept my connection saturated, so any web page I tried to load would simply time out. Now I'm a bit concerned about doing the same on my home machine.

By the way, I got a couple of new computers for my office --- I requested them with some funds I had for research (I'm a physics professor). I'm using one of them now to access the internet, so at least for now I'm somewhat less concerned, since it has a brand new system.

Before I forget, under Linux I checked my USB flash memory stick, and sure enough it had a hidden folder and a hidden file from Windows: an exact copy of the iuhi64.exe in the same path as on my hard disk, and a file named "autorun.inf" --- as I said, it got to my home PC on an infected memory stick.

Thank you very much, and I'll accept more help if anyone can give me some.
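The USB finding above (an autorun.inf sitting next to a hidden copy of iuhi64.exe under RECYCLER) is exactly the pattern a defender can screen a stick for before opening it in Explorer. The Python below is an added example, not code posted by anyone in this thread; the autorun.inf text it parses is constructed to mirror what gildardo describes, and it assumes the standard [autorun] key layout (open=, shellexecute=, shell\<verb>\command=).

```python
# Added example (not code from this thread): flag autorun.inf launch entries
# that point at an executable hidden in a system folder such as RECYCLER.
import configparser
import re

LAUNCH_KEYS = {"open", "shellexecute"}                    # keys Windows autorun executes
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command=...
SUSPICIOUS_DIRS = ("recycler", "$recycle.bin", "recycled", "system volume information")

# Constructed sample modelled on the stick gildardo describes: the same RECYCLER
# path as on the infected PCs, wired into every launch key.
SAMPLE_AUTORUN = """\
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\iuhi64.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\iuhi64.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\iuhi64.exe
"""

def parse_autorun(text):
    """Return the [autorun] section as {key: value} (section name case-insensitive)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case for reporting; compare lower-cased below
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}

def launch_entries(entries):
    """Yield (key, command) for every entry that would run a program."""
    for key, value in entries.items():
        k = key.lower()
        if value and (k in LAUNCH_KEYS or SHELL_COMMAND.match(k)):
            yield key, value

def suspicious_entries(text):
    """Return [(key, command, reason)] for launch entries a defender should block."""
    findings = []
    for key, command in launch_entries(parse_autorun(text)):
        target = command.strip().strip('"').lower()
        folder = next((d for d in SUSPICIOUS_DIRS if d in target), None)
        if folder:
            findings.append((key, command, f"launches from {folder} folder"))
        elif target.endswith(".exe"):
            findings.append((key, command, "autorun launches an executable"))
    return findings

if __name__ == "__main__":
    for key, cmd, reason in suspicious_entries(SAMPLE_AUTORUN):
        print(f"{key} = {cmd}  <- {reason}")
```

Any hit on the RECYCLER rule is reason enough to leave the stick unmounted on a Windows box and inspect it from the Linux side, as the post describes.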

Post #8, Apr 22 2008, 03:59 PM
Newbie (Group: User, Posts: 1, Joined: 22-April 08, Member No.: 44,677)
Well, I finally can erase the file: I just end explorer.exe from Task Manager, then erase c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe with WinRAR and restart the PC.
I had no problems with internet or anything else. I hope this helps you; it helped me at last. Thanks.

PS: my English is really bad, sorry I made mistakes =P

Post #9, Apr 22 2008, 05:57 PM
Woman (Group: sVIP, Received 215 Thanks, Posts: 11,461, Joined: 23-August 07, From: Southern USofA, Member No.: 10)
I finally just wiped my drive.
Which hurt, yes, but now I have all this space to play with!

Post #10, Apr 22 2008, 06:19 PM
Zen Zoup (Group: VIP, Received 7 Thanks, Posts: 745, Joined: 17-January 05, From: Juarez, Chihuahua, Mexico, Member No.: 24,424)
Ouch, that was a painful solution, Coyote!

Well, I tried what Pasadesu suggested, and at least the file is now gone. Thank you. However, something is still messed up, since I still cannot see the hidden files and folders --- I just can't choose the option, since it will revert to hiding those files/folders. The option just won't stick, so something else is blocking it.

Does anyone else have any more suggestions? Thank you all in the meantime.