How to remove Win32:dialer-520

I’ve found a dialer on my system, for which I haven’t found enough info around the Internet. So I’ve thought that it would be useful to share the procedure I’ve followed in order to remove it from a Windows XP computer.

This dialer is generically called Win32:dialer-520. My antivirus did not find it, so I’ve had to found it heuristically (indeed, I’ve had to look for strange startup items via Spybot Search and Destroy). Looking around on forums I’ve found that some other antivirus are able to discover it, however they can’t delete the related files.

The problem, in fact, is that this dialer works in a very odd way. It installs a file, in this case called winzwr32.dll, in the %windir%system32 directory (usually C:WINDOWSsystem32). This is a DLL library, so it does not work as a process itself (that is, a standalone program such as explorer.exe), hence it does not compare in the list of processes in Task Manager. A DLL just contains some functions that do something when invocated from another program.

In other words, this dialer is almost invisible. The only thing that makes you alerted is the fact that it randomly creates a program called xxxxx.tmp.exe (where xxxxx is a sequence of random alfanumeric characters) in the %TEMP% folder, then runs it.
This program opens a pop-up window asking you to create a modem connection to an unknown ISP, informing you that you’ll have to pay just 15 € per call (whoa!).

As a natural consequence, I had to find which program called this DLL. This program is winlogon.exe, that is the program that controls the logon and logoff procedures in Windows XP. This process is critical, so it must be loaded before anyone else and must be one of the last to be closed; thus it cannot be closed when someone is logged onto the system. It also can load some DLLs, such has the one that notifies messages through shiny baloons and so on.

The dialer installer silently adds some keys in the Windows Registry in the following path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifywinzwr32. These keys tell winlogon that it has to open winzwr32.dll, and do some things when system is starting up and some others when it is shutting down. Among these things there is the task of checking if someone deleted these keys, in order to restore them.

This means that:

  • The winzwr32.dll file cannot be deleted because it’s in use. This file is always loaded, even in Safe Mode.
  • If we try to delete that keys in the registry, in order to avoid letting winlogon load this DLL at next reboot and then be able to delete the file, the DLL will be invocated during the shutdown phase, will discover that the keys are deleted, and will recreate that before rebooting, hence making useless the changes.
  • As winlogon.exe is among the very first things loaded into the system, there is no easy way to tell Windows to delete the file before loading winlogon (better: I’m sure there is one, but I can’t find the way).
  • We would need to unmount the hard disk containing the operating system and plug it into another Windows XP system in order to avoid booting the "infected" system at all, then to be able to delete the unwanted files.

By luck I’ve found an easier way. But, before explaining it you must be warned. 1) You must be administrator of the computer in order to be able to do that. 2) Please notice that these info are provided for didactical purposes, but you accept to use at your own risk. 3) No liability for any damage due to following these steps.

If that’s ok, just follow these steps.

  • Go to Start, then Run…, then type regedt32 and go to OK;
  • Follow this path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifywinzwr32;
  • Delete the following values: DLLName, Startup, Shutdown;
  • Right-click on winzwr32, then go to Permissions… and click on Advanced;
  • Select SYSTEM, then click View/Edit…;
  • Set on Deny the following values (hope translation from the Italian version is correct): Set value, Create subkeys, Owner write.
  • Click on OK, then again on OK, then reboot;
  • After rebooting, go to Start, then Run…, then type cmd and go to OK;
  • Type del %windir%system32winzwr32.dll then press Enter. Et voilà! The file has been deleted!

In order to clean up the system, you should also come back to regedt32 and delete the winzwr32 key (although it now wouldn’t work in any case). Also you may want to delete the *.tmp.exe files located in the %TEMP% folder (usually C:WINDOWSTemp).

For any further question just ask …and hope I’ll be able to answer.

3 thoughts on “How to remove Win32:dialer-520

  1. ok, I only tell you that next friday some awesome rustic pizzas will be waiting for you at my home… :) I think I have a problem similar to yours, although it’s a trojan..

Note something down here. Put some effort into it.