dialer.gbdial won't die!
March 16, 2006 6:49 AM

Particularly stubborn infestation of dialer.gbdial (or something very similar) on a Windows XP machine - any suggestions, either of solutions or reliable anti-malware forums where I can post logs?

I've had this dialer lurking for a few days now - there's no risk of it actually dialing anything, since this PC is plugged into a router and doesn't have a modem, but the constant reappearance of an 'Access Members Area.exe' icon on the desktop is annoying me. I've run a variety of virus/spyware scanners (many of which have found affected files and deleted/cleaned them) and have run HijackThis logs through the analyser at hijackthis.de, and cleaned up anything untoward, but the bloody thing keeps reappearing from somewhere. I get a program called 'winxx.tmp.exe' running, where xx is replaced with, say, 5A or 2B, which seems to recreate the dialer icon on the desktop, and which turns up with a new permutation of letter and number if I delete it.

Obviously, I'd really appreciate a relatively idiot-friendly guide to getting rid of this thing if anyone's had any experience with it. Failing that, I'm perfectly happy to post HijackThis (or something else) logs to one of the expert-frequented forums around the 'net if anyone can direct me to a trustworthy one. Thanks!
posted by terpsichoria to Computers & Internet (6 answers total)
posted by Ferrari328 at 7:10 AM on March 16, 2006

I have the same thing I think. It's reported as a dialler but I'm not really sure what it is. You'll find (if it is the same) it's creating registry keys under HKCU\software ....\current version set\run with a legit program name but a tell-tale parameter set, it also creates these tasks in task manager (the winxx.tmp.exe) - plus I've seen some other strangeness there. If you can't find an answer I'm going to try and nuke it tonight, so I may have more to say then. BTW, is it just me, or are antivirus services becoming incredibly unhelpful? They don't give you any clues as to how things work any more, just tell you to run their tools.
posted by grahamwell at 7:40 AM on March 16, 2006

Have you tried booting in safe mode yet? That is always my first step in cleaning up these sorts of messes.

Here's what you do:
Burn the installation file for something like spysweeper on to a disc from a clean computer.

Boot the infected computer in safe mode (hit F8 when the computer is starting up before the windows logo).

Once in safe mode, install your cleanup software and run it. I've never had anything for which this didn't work - once I found the right cleanup program.
posted by gus at 8:04 AM on March 16, 2006

Thanks for the advice - I've just tried running Spy Sweeper in safe mode, and while it didn't get rid of whatever keeps recreating this dialer on the desktop it did clear up a trojan none of the other programs had caught, so that's something. I'm going to try a couple of other spyware/virus scanners in and out of safe mode - fingers crossed!
posted by terpsichoria at 10:30 AM on March 16, 2006

I definitely have gbdial. I may have some other stuff as well which is unrelated. Are you getting persistent pop-ups from 'Outerinfo'? Do you see strange keys in HKCU ...\run which end with the parameters "-vt ndrv"? I can't find any clear account of what's going on so I'm just blitzing the system (Win 2K).
posted by grahamwell at 2:45 PM on March 16, 2006
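A defender-side triage helper, added here as an example (it is not code from the thread or from HijackThis, Spy Sweeper or Ewido): it parses HijackThis-style O4 Run-key lines and flags the two patterns described above, a legitimate-looking program name whose value ends in "-vt ndrv", and winXX.tmp.exe images started from a temp directory. The log lines are constructed for illustration.

```python
import re

# Constructed sample in HijackThis O4 (Run key) format; not a real log from this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe -vt ndrv
O4 - HKCU\..\Run: [Notepad] C:\DOCUME~1\USER\LOCALS~1\Temp\win5A.tmp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TMP_EXE_RE = re.compile(r'^win[0-9a-f]{2}\.tmp\.exe$', re.IGNORECASE)  # winXX.tmp.exe pattern
TELLTALE_ARGS = "-vt ndrv"  # parameter set reported in the thread

def parse_o4(line):
    """Return dict(hive, key, name, cmd) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def image_path(cmd):
    """Split the executable path off a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]  # assumes unquoted paths contain no spaces

def reasons_for(entry):
    """Heuristics from the thread: tell-tale argument, winXX.tmp.exe name, temp-dir image."""
    reasons, cmd = [], entry["cmd"]
    path = image_path(cmd)
    base = path.rsplit("\\", 1)[-1]
    if cmd.strip().lower().endswith(TELLTALE_ARGS):
        reasons.append("value ends with tell-tale '%s'" % TELLTALE_ARGS)
    if TMP_EXE_RE.match(base):
        reasons.append("image named like winXX.tmp.exe")
    if "\\temp\\" in path.lower() or "\\tmp\\" in path.lower():
        reasons.append("autostart image lives in a temp directory")
    return reasons

def triage(log_text):
    """Return [(name, cmd, reasons)] for every O4 line that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        why = reasons_for(entry) if entry else []
        if why:
            hits.append((entry["name"], entry["cmd"], why))
    return hits
```

Run `triage(SAMPLE_LOG)` over a saved log to get a short list of Run-key entries worth checking before deleting anything; an entry that is flagged only for a temp-directory path still deserves a look at the file itself.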

As a final word on all this, in case anyone's got the same problem, my amazing partner seems to have fixed it - based on advice from here and from one or another of the various malware-related forums, we ran Ewido in safemode, deleted any and all temporary folders, then ran it again in normal mode. Each time it found different stuff - in safemode, it showed up lots of instances of dialer.gbdial, whereas in normal mode it found two programs in windows/system32. We cleaned everything it suggested we clean, and (touch wood) 'access members area' hasn't turned up on the desktop again for a few hours. With any luck, that'll be the end of it.
posted by terpsichoria at 2:43 PM on March 18, 2006
