Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible gasretyw0.dll & olhrwef.exe infections

  • This topic is locked This topic is locked
2 replies to this topic

#1 CdGreven


  • Members
  • 1 posts
  • Local time:05:48 AM

Posted 31 January 2009 - 04:13 AM


I have an infected computer which does not have any anti-virus or anti-spyware softwares running on it. The infections do not prevent the computer from working but they slow down some, and also i am afraid that the situation will become worse, therefore i would like to know how to clean my computer completely. I am not sure of the infections names but using a software named Revo Uninstaller, i managed to uninstall a possible malware named "PCHealth" and disabled startup entries named "kamsoft" (C:\WINDOWS\system32\kamsoft.exe) and "cdoosoft" (C:\WINDOWS\system32\olhrwef.exe). I also tried to install Avira Antivir Free Edition, and did it but after the installation it does not update because of no valid license error (although that it is free edition). Without the recent updates, i ran a Avira Scan and it found a possible infection named "gasretyw0.dll", offering me to deny access, quarantine or ignore. I selected quarantine but it kept appearing and re-appearing, it worked same for deny access. Then i had to choose ignore option in order to close the window. Afterwards i unistalled Avira in order to not interrupt ComboFix and Hijackthis scans, you can find the logs of scans on this post. I still know that the computer is infected, therefore i am here to request your help. Thanks in advance.

Here is my DDS.txt

DDS (Ver_09-01-19.01) - NTFSx86
Run by Baris at 10:16:23,60 on 31.01.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1254.90.1055.18.255.27 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Baris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdoosoft] c:\windows\system32\olhrwef.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Microsoft Excel'e Gonder - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
LSP: c:\progra~1\netdog\netd.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bar~1\applic~1\mozilla\firefox\profiles\idxaacfn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

============= SERVICES / DRIVERS ===============

R3 smimini;smimini;c:\windows\system32\drivers\smiminib.sys [2005-11-6 58368]
S3 USB188;USB PC Camera 188;c:\windows\system32\drivers\usb188.sys [2007-4-6 391120]
S4 PortTalk;PortTalk; [x]

=============== Created Last 30 ================

2009-01-31 09:53 95,744 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-01-31 09:53 179 ---shr-- C:\autorun.inf
2009-01-31 09:18 161,792 a------- c:\windows\SWREG.exe
2009-01-31 09:18 98,816 a------- c:\windows\sed.exe
2009-01-31 08:25 109,127 ---shr-- C:\hl80c6b1.com
2009-01-31 08:25 109,127 ---shr-- c:\windows\system32\olhrwef.exe
2009-01-31 08:25 95,744 -------- c:\windows\system32\nmdfgds0.dll
2009-01-31 02:34 <DIR> --d-hr-- c:\documents and settings\barış\Recent
2009-01-31 02:24 <DIR> --d----- c:\program files\CCleaner
2009-01-31 01:53 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-01-31 01:53 21,504 a------- c:\windows\system32\hidserv.dll
2009-01-31 01:52 14,720 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-01-31 01:52 14,720 a------- c:\windows\system32\drivers\kbdhid.sys
2009-01-31 01:40 <DIR> --d----- c:\program files\HI-TECH Software
2009-01-31 01:40 <DIR> --d----- c:\program files\Vwho
2009-01-31 01:40 <DIR> --d----- c:\program files\Aquatica Waterworlds
2009-01-31 00:34 <DIR> --d----- c:\program files\VS Revo Group
2009-01-30 23:51 <DIR> --d----- c:\program files\Avira(2)

==================== Find3M ====================

2009-01-31 09:51 3,932,160 a------- c:\documents and settings\barış\ntuser.dat
2007-06-20 21:36 18,480 a------- c:\docume~1\bar~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:17:10,45 ===============

Here is my hijackthis scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:40, on 31.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

End of file - 3237 bytes

Attached Files

Edited by CdGreven, 31 January 2009 - 04:16 AM.

BC AdBot (Login to Remove)


#2 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:11:48 AM

Posted 05 February 2009 - 07:47 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:11:48 AM

Posted 10 February 2009 - 05:57 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users