Category: Automation

I’ve found a dialer on my system, for which I haven’t found enough info around the Internet. So I’ve thought that it would be useful to share the procedure I’ve followed in order to remove it from a Windows XP computer.

This dialer is generically called Win32:dialer-520. My antivirus did not find it, so I’ve had to found it heuristically (indeed, I’ve had to look for strange startup items via Spybot Search and Destroy). Looking around on forums I’ve found that some other antivirus are able to discover it, however they can’t delete the related files.

The problem, in fact, is that this dialer works in a very odd way. It installs a file, in this case called winzwr32.dll, in the %windir%system32 directory (usually C:WINDOWSsystem32). This is a DLL library, so it does not work as a process itself (that is, a standalone program such as explorer.exe), hence it does not compare in the list of processes in Task Manager. A DLL just contains some functions that do something when invocated from another program.

In other words, this dialer is almost invisible. The only thing that makes you alerted is the fact that it randomly creates a program called xxxxx.tmp.exe (where xxxxx is a sequence of random alfanumeric characters) in the %TEMP% folder, then runs it.
This program opens a pop-up window asking you to create a modem connection to an unknown ISP, informing you that you’ll have to pay just 15 € per call (whoa!).

As a natural consequence, I had to find which program called this DLL. This program is winlogon.exe, that is the program that controls the logon and logoff procedures in Windows XP. This process is critical, so it must be loaded before anyone else and must be one of the last to be closed; thus it cannot be closed when someone is logged onto the system. It also can load some DLLs, such has the one that notifies messages through shiny baloons and so on.

The dialer installer silently adds some keys in the Windows Registry in the following path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifywinzwr32. These keys tell winlogon that it has to open winzwr32.dll, and do some things when system is starting up and some others when it is shutting down. Among these things there is the task of checking if someone deleted these keys, in order to restore them.

This means that:

• The winzwr32.dll file cannot be deleted because it’s in use. This file is always loaded, even in Safe Mode.
• If we try to delete that keys in the registry, in order to avoid letting winlogon load this DLL at next reboot and then be able to delete the file, the DLL will be invocated during the shutdown phase, will discover that the keys are deleted, and will recreate that before rebooting, hence making useless the changes.
• As winlogon.exe is among the very first things loaded into the system, there is no easy way to tell Windows to delete the file before loading winlogon (better: I’m sure there is one, but I can’t find the way).
• We would need to unmount the hard disk containing the operating system and plug it into another Windows XP system in order to avoid booting the "infected" system at all, then to be able to delete the unwanted files.

By luck I’ve found an easier way. But, before explaining it you must be warned. 1) You must be administrator of the computer in order to be able to do that. 2) Please notice that these info are provided for didactical purposes, but you accept to use at your own risk. 3) No liability for any damage due to following these steps.

If that’s ok, just follow these steps.

• Go to Start, then Run…, then type regedt32 and go to OK;
• Follow this path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifywinzwr32;
• Delete the following values: DLLName, Startup, Shutdown;
• Right-click on winzwr32, then go to Permissions… and click on Advanced;
• Select SYSTEM, then click View/Edit…;
• Set on Deny the following values (hope translation from the Italian version is correct): Set value, Create subkeys, Owner write.
• Click on OK, then again on OK, then reboot;
• After rebooting, go to Start, then Run…, then type cmd and go to OK;
• Type del %windir%system32winzwr32.dll then press Enter. Et voilà! The file has been deleted!

In order to clean up the system, you should also come back to regedt32 and delete the winzwr32 key (although it now wouldn’t work in any case). Also you may want to delete the *.tmp.exe files located in the %TEMP% folder (usually C:WINDOWSTemp).

For any further question just ask …and hope I’ll be able to answer.

Although the CSS specifications make it easy to create inset and outset borders (see border-style), we may want to set up "manually" a border around an object giving a 3D effect just thanks to a right setting of the colors of each side of the border.

Generally, a 3D effect to a square object can be obtained applying an X colour for the background, then an X+1 (brighter) colour for the top and left sides and an X-1 (darker) colour for the bottom and right sides.

Let’s begin with an example. We’ll just create a paragraph with the following style (hover the mouse to get a description of each row):

width: 60px;
padding: 2px;
color: #FFFFFF;
background-color: #888888;
border: 2px solid;
border-color: #AAAAAA;

For those of you who never used colours in HTML or CSS, colours are just defined as #RRGGBB, where RR, GG and BB stand for the hexadecimal code of the quantity of Red, Green and Blue that define the colour. The hexadecimal value may go from 00 (=0) to FF (=255), hence: #000000 is black, #FF0000 is red, #00FF00 is green, #0000FF is blue, and #FFFFFF is white. Of course, as each colour can assume 255 hues, we may choose among 16 million colours (255*255*255).

Anyway: here it is the result.

Hello.

As you probably already know, border-color is a shorthand for border-*-color where * can be top, right, bottom or left. This means that this attribute may define either just one colour (that would set the four sides of the border with the same colour) or it may define up to four colours, one for each side.

Now we have a gray background and a border with a brighter gray (+2). Let’s try to define the colours of the four sides, keeping the original border colour for the top and left sides, and setting a darker (-2) one for the bottom and right sides.

border-color: #AAAAAA #666666 #666666 #AAAAAA;

The box comes like this:

Hello.

It seems that it is raising from the screen. To inverse the result, just invert the colours!

border-color: #666666 #AAAAAA #AAAAAA #666666;

Hello.

Also you may want to raise it more. There are two things you can do in order to reach this result. The first one is to increase the width of the border:

border: 3px solid;

Hello.

The other way is to make the contrast higher using more "distant" colours:

border-color: #DDDDDD #333333 #333333 #DDDDDD;

Hello.

Of course, this becomes extremely interesting when using DHTML features (that, however, we won’t discuss here). A good thing to do is, for example, to define two classes, eg. Class1 and Class2, that can be alternated by Javascript using onMouseOver and onMouseOut events. Class1 may contain, for instnace, definitions for an inset border and Class2 for an outset variant, or two different sets of colours.