Jump to content
Washington DC Message Boards

Uinc.dll *.exe Spawner


Guest BlackSun

Recommended Posts

Guest BlackSun

These guys are the source of the DOS Trojan spawner?

 

 

Here is what I found in the uinc.dll file

 

                {CC3E6789-0120-1A20-04B0-087AFF6D2EA4}   0 ÿÿÿÿtimer2 http://www.wow-access.com/mypcc/conf.base EDIT writing hourtxt = %s writing linktxt = %s %d

restoring hour record TIME TO DOWNLOAD %s hourtxt int = %d  linktxt = %s w ### hour in config was changed! link in config was changed! r CP OK regsvr32 /s  %SystemRoot%\sys %i%i.dll %i%i.exe .exe DOWNLOADING FILE %s SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Network Load Monitor SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler Apartment ThreadingModel %WINDIR%\System32\uinc.dll CLSID\%s\InProcServer32  SysHandler#9 %WINDIR%\System32\uinc.dll.cur %WINDIR%\System32\uinc.dll.tmp %WINDIR%\System32\uinc.dll.job %WINDIR%\System32\uinc.dll.conf sysHNDLR9r sysHNDLR9

 

I noticed Double-Click advertisement appeared when I went to view the web site. What **inappropriate material**!!!

 

DO NOT GO TO WOW-ACCESS.COM

 

I figured they would at least provide a tool to remove their spyware. The link took me to a list of vendors where you can purchase it.

Link to comment
Share on other sites

Guest thumos

WOW-ACCESS.COM (216.195.44.59) is located in Chantilly, Virginia, United States.

 

Domain Name: WOW-ACCESS.COM

Registrar: ENOM, INC.

Whois Server: whois.enom.com

Referral URL: http://www.enom.com

Name Server: NS1.TEENS4WEB.COM

Name Server: NS2.TEENS4WEB.COM

Status: REGISTRAR-LOCK

Updated Date: 09-sep-2004

Creation Date: 23-oct-2003

Expiration Date: 23-oct-2005

 

First Name: Merriam

Last Name: Gork

Address 1: Bremen st. 19 #144

Address 2:

City: Berlin

StateProvince:

PostalCode: 00000

Country: DE

Phone: +49.000000000

Fax: +1.49

EmailAddress:

Link to comment
Share on other sites

  • 2 weeks later...
Guest Injury

Just got rid of this off a customers PC (before I found this page unfortunately so spent two days tracking it the hard way), particularly annoying bugger.

 

Spawns a dos box with sysxxxx.exe with xxxx being what seems to be a random number, creates the exe's in the windows directory even after you delete them. On this PC whenever one of the sysxxxx.exe was active it would page feed on the printer till it was out of paper.

 

Spybot, Adaware, and Microsoft AntiSpyware beta detected nothing, Norton would detect some files it attributed to downloader.trojan but usually the files were gone, or norton wouldn't act on them (no deletion, no error, just reported them as threats and went on) I'd manually browse to the files and delete if they still existed but they'd just be recreated. Last symptom was a long pause 5-10 minutes at startup where startup processes (on this particular PC SQL server would function just fine even though the local desktop and taskbar wouldn't function)would load however taskbar and desktop were unusable (killing explorer in taskmanager and restarting it with new task would make the desktop usable). Finally the thing still ran in safe mode, I never remember getting the sysxxxx.exe in safe mode but the annoying pause was still there, until I found uinc.dll with a process explorer and q2uarentined.

 

Very annoying as I couldn't find any info on this until after I got it removed and googled uinc.dll. Maybe my description will help someone find their solution quicked than I did.

Link to comment
Share on other sites

  • 3 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...