Uinc.dll *.exe Spawner

[Guest BlackSun]

These guys are the source of the DOS Trojan spawner?

 

 

Here is what I found in the uinc.dll file

 

                {CC3E6789-0120-1A20-04B0-087AFF6D2EA4}   0 ÿÿÿÿtimer2 http://www.wow-access.com/mypcc/conf.base EDIT writing hourtxt = %s writing linktxt = %s %d

restoring hour record TIME TO DOWNLOAD %s hourtxt int = %d  linktxt = %s w ### hour in config was changed! link in config was changed! r CP OK regsvr32 /s  %SystemRoot%\sys %i%i.dll %i%i.exe .exe DOWNLOADING FILE %s SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Network Load Monitor SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler Apartment ThreadingModel %WINDIR%\System32\uinc.dll CLSID\%s\InProcServer32  SysHandler#9 %WINDIR%\System32\uinc.dll.cur %WINDIR%\System32\uinc.dll.tmp %WINDIR%\System32\uinc.dll.job %WINDIR%\System32\uinc.dll.conf sysHNDLR9r sysHNDLR9

 

I noticed Double-Click advertisement appeared when I went to view the web site. What **inappropriate material**!!!

 

DO NOT GO TO WOW-ACCESS.COM

 

I figured they would at least provide a tool to remove their spyware. The link took me to a list of vendors where you can purchase it.

[Guest BlackSun]

Here is what I found in the file

 

uinc.dll.conf

 

http://www.wow-access.com/myppc/dropper.exe

2

http://www.microsoet.com/mypop.exe

2

##################

##################

 

Run your computer in safe mode and remove these files.

[Guest thumos]

WOW-ACCESS.COM (216.195.44.59) is located in Chantilly, Virginia, United States.

 

Domain Name: WOW-ACCESS.COM

Registrar: ENOM, INC.

Whois Server: whois.enom.com

Referral URL: http://www.enom.com

Name Server: NS1.TEENS4WEB.COM

Name Server: NS2.TEENS4WEB.COM

Status: REGISTRAR-LOCK

Updated Date: 09-sep-2004

Creation Date: 23-oct-2003

Expiration Date: 23-oct-2005

 

First Name: Merriam

Last Name: Gork

Address 1: Bremen st. 19 #144

Address 2:

City: Berlin

StateProvince:

PostalCode: 00000

Country: DE

Phone: +49.000000000

Fax: +1.49

EmailAddress:

[Guest Injury]

Just got rid of this off a customers PC (before I found this page unfortunately so spent two days tracking it the hard way), particularly annoying bugger.

 

Spawns a dos box with sysxxxx.exe with xxxx being what seems to be a random number, creates the exe's in the windows directory even after you delete them. On this PC whenever one of the sysxxxx.exe was active it would page feed on the printer till it was out of paper.

 

Spybot, Adaware, and Microsoft AntiSpyware beta detected nothing, Norton would detect some files it attributed to downloader.trojan but usually the files were gone, or norton wouldn't act on them (no deletion, no error, just reported them as threats and went on) I'd manually browse to the files and delete if they still existed but they'd just be recreated. Last symptom was a long pause 5-10 minutes at startup where startup processes (on this particular PC SQL server would function just fine even though the local desktop and taskbar wouldn't function)would load however taskbar and desktop were unusable (killing explorer in taskmanager and restarting it with new task would make the desktop usable). Finally the thing still ran in safe mode, I never remember getting the sysxxxx.exe in safe mode but the annoying pause was still there, until I found uinc.dll with a process explorer and q2uarentined.

 

Very annoying as I couldn't find any info on this until after I got it removed and googled uinc.dll. Maybe my description will help someone find their solution quicked than I did.

[Guest Injury]

...also trojan hunter didn't detect anything as well.

[Guest Nog]

System Spyware Interrogator did find it on my system.