I got somewhere some virus or what, which creted in c:\ root thess files: “hostdll32.exe”, “op32.exe”, “dotnetfix.exe”, “dll6wise.dll” and “Interop.Shel32.dll”.
In C:\Program Files was created folder named “common” and it contains folder “Data”, then folder “C_” and under it is directory structure of my c drive containing all the exe files in C. The originall exe seemed to be replaced, and running these copies. Result is that many applications will not run, or run unregistered (like Total Commander, Mozilla Firefox, Mozilla Thunderbird etc…). Also many uninstallers doesn’t work.
In Task manager I can see that many proccess are duplicated with another proccess with same name, but different usage of memory (ie Tetimer.exe (Spybot) ).
Similar problems are described here, but no solution is given.
I use Win XP SP2 (all updates), Spybot S&D (updated, TeaTimer resident) and Avast Home Edition (updated, resident). None of it claim something is wrong.
I tried it, but first time it brought me to website abou trains?? (I do not know holland),
and second time to website where I was adviced to use Avast, Spybot etc… Just generall tips,
nothing about my concrete problem…
The avast! link describes the same problem (EDIT: I notice now you’d already seen this, sorry), I think, but is not too hopeful about a solution; the other link has some possible manual solutions:
I eventually delete all these 16KB daemon files, and leave those hidden
folder alone, by searching files and deleted. And I wrote a small
program to convert all shortcuts under "Documents and Settings" to
make them point to the original one, by removing string
"\data\resources"
You notice the orig program name as a 16K file in the \data\resources\
directory that's the malware, it loads the program you want, plus
calls out to advertising sites (I have pop ups blocked or I think I'd
of noticed what had happen'd).
I caught it because my modem lights were blinking non stop.
TCPview confirm’d the problem
To get rid of the \data\resources\ directories I searched for
“resources” with Agent Ransack and deleted the whole lot of them.
Besides Dllhosts32.exe are Dllhost32.exe, Dotnetfx.exe,
Interop.shell.dll and Op32.exe files you need to remove.
One of the Alwil team mentioned exercising care when posting links with your session ID as from ther it may be possible to attribute and action incorrectly to your ID.
Ok, Avast didn’t find anything, so I had to solve it manual
First close almost everything by task manager (or even better process explorer, which shows processes in tree so you can easily identify which process is doubled)
Second delete all the suspicios files in c:\ root.
Third copy the folder “c:\Program Files\Common\Data\C_\Program Files” over “c:\Program Files” overwriting everything.
Now almost everything is fine, but all shortcuts on desktop and in start menu now points to icon in “c:\Program Files\Common\Data\C_\Program Files”. Do someone know how to repair it autommaticaly, so I will not have to do it one by one?