Washington DC Message Boards
Uinc.dll *.exe Spawner

Guest BlackSun

These guys are the source of the DOS Trojan spawner?

 

 

Here is what I found in the uinc.dll file

 

                {CC3E6789-0120-1A20-04B0-087AFF6D2EA4}   0 ÿÿÿÿtimer2 http://www.wow-access.com/mypcc/conf.base EDIT writing hourtxt = %s writing linktxt = %s %d

restoring hour record TIME TO DOWNLOAD %s hourtxt int = %d  linktxt = %s w ### hour in config was changed! link in config was changed! r CP OK regsvr32 /s  %SystemRoot%\sys %i%i.dll %i%i.exe .exe DOWNLOADING FILE %s SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Network Load Monitor SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler Apartment ThreadingModel %WINDIR%\System32\uinc.dll CLSID\%s\InProcServer32  SysHandler#9 %WINDIR%\System32\uinc.dll.cur %WINDIR%\System32\uinc.dll.tmp %WINDIR%\System32\uinc.dll.job %WINDIR%\System32\uinc.dll.conf sysHNDLR9r sysHNDLR9

 

I noticed a Double-Click advertisement appeared when I went to view the web site. What **inappropriate material**!!!

 

DO NOT GO TO WOW-ACCESS.COM

 

I figured they would at least provide a tool to remove their spyware. The link took me to a list of vendors where you can purchase it.

Guest thumos

WOW-ACCESS.COM (216.195.44.59) is located in Chantilly, Virginia, United States.

 

Domain Name: WOW-ACCESS.COM

Registrar: ENOM, INC.

Whois Server: whois.enom.com

Referral URL: http://www.enom.com

Name Server: NS1.TEENS4WEB.COM

Name Server: NS2.TEENS4WEB.COM

Status: REGISTRAR-LOCK

Updated Date: 09-sep-2004

Creation Date: 23-oct-2003

Expiration Date: 23-oct-2005

 

First Name: Merriam

Last Name: Gork

Address 1: Bremen st. 19 #144

Address 2:

City: Berlin

StateProvince:

PostalCode: 00000

Country: DE

Phone: +49.000000000

Fax: +1.49

EmailAddress:

Guest Injury

Just got rid of this off a customer's PC (before I found this page, unfortunately, so spent two days tracking it the hard way). Particularly annoying bugger.

 

Spawns a DOS box with sysxxxx.exe, with xxxx being what seems to be a random number, and creates the exe's in the Windows directory even after you delete them. On this PC, whenever one of the sysxxxx.exe was active it would page feed on the printer till it was out of paper.

 

Spybot, Adaware, and Microsoft AntiSpyware beta detected nothing. Norton would detect some files it attributed to downloader.trojan, but usually the files were gone, or Norton wouldn't act on them (no deletion, no error, just reported them as threats and went on). I'd manually browse to the files and delete them if they still existed, but they'd just be recreated. Last symptom was a long pause of 5-10 minutes at startup where startup processes (on this particular PC SQL Server would function just fine even though the local desktop and taskbar wouldn't function) would load, however the taskbar and desktop were unusable (killing explorer in Task Manager and restarting it with New Task would make the desktop usable). Finally, the thing still ran in safe mode. I never remember getting the sysxxxx.exe in safe mode, but the annoying pause was still there, until I found uinc.dll with a process explorer and quarantined it.

 

Very annoying, as I couldn't find any info on this until after I got it removed and googled uinc.dll. Maybe my description will help someone find their solution quicker than I did.
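Added example, not part of any post in this thread: the strings dump in the first post names two Explorer autostart keys (ShellServiceObjectDelayLoad and SharedTaskScheduler) and a CLSID\%s\InProcServer32 pattern, so one way to confirm the hook on a suspect machine is to resolve every CLSID listed under those keys to its DLL in a registry export. The sample export is constructed, which value names the DLL actually registers is an assumption, and only plain REG_SZ values are parsed.

```python
import ntpath
import re

# Autostart keys named in the strings dump (matched as lowercased key suffixes).
AUTOSTART_KEYS = (
    r"\microsoft\windows\currentversion\shellserviceobjectdelayload",
    r"\microsoft\windows\currentversion\explorer\sharedtaskscheduler",
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse REG_SZ values of a .reg export into {lowercased key: {name: data}}."""
    keys, current = {}, None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and "
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def find_autostart_dll(reg_text, dll_name="uinc.dll"):
    """Return (autostart key, CLSID, server path) for CLSIDs that resolve to dll_name."""
    keys, hits = parse_reg(reg_text), []
    for key, values in keys.items():
        pairs = values.items() if key.endswith(AUTOSTART_KEYS) else ()
        for name, data in pairs:
            # SSODL stores the CLSID as data, SharedTaskScheduler as the value name.
            for clsid in CLSID_RE.findall(name + " " + data):
                inproc = "hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"
                server = keys.get(inproc, {}).get("", "")
                if ntpath.basename(server).lower() == dll_name.lower():
                    hits.append((key, clsid.upper(), server))
    return hits

# Constructed sample export; the value names and the benign entry are assumptions.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BenignExample"="{11111111-2222-3333-4444-555555555555}"
"Network Load Monitor"="{CC3E6789-0120-1A20-04B0-087AFF6D2EA4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CC3E6789-0120-1A20-04B0-087AFF6D2EA4}"="SysHandler#9"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\System32\\benign.dll"
[HKEY_CLASSES_ROOT\CLSID\{CC3E6789-0120-1A20-04B0-087AFF6D2EA4}\InProcServer32]
@="C:\\WINDOWS\\System32\\uinc.dll"
'''
```

Real exports written by regedit are UTF-16, so read the file with encoding="utf-16" before passing its text to find_autostart_dll.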