Hacked by UC worm removal

I recently went through a bit of a struggle increasing the speed of my computer, and clearing out some low-level threat worms that attached themselves to my Internet Explorer browser. I primarily use Firefox, so I had been in no rush to remove the harmless “solow” bug. It only did two things… it placed the text “Hacked by UC” at the end of the title bar in my IE browser, and it made it impossible to open my external drive by double-clicking it on the “My Computer” screen. I could, however, still open the drive by right-clicking, and choosing “Open”.

I found detailed instructions on how to fix this problem by “Googling” the term “Hacked by UC”. I’ve found that if you have a PC problem, you can normally find a solution by typing the error code, or error message into the Google search bar. Of course, when you look for solutions this way, you have to make sure that you’re getting your information from a reliable source. When I find something I want to try, I usually “Google” the solution too, to make sure it’s valid, and there have been NO complaints about it.

In my particular case, I found this forum discussion about the same exact worm. The very last entry in that thread held the detailed instructions I was looking for. On the off chance that the forum referenced above archives that post, I’ll quote the instructions below, including all source information. I followed these instructions, and am now free of the “Hacked by UC” worm… thanks Mr. Paul Hatch!! :)

‘Hacked by UC’ Problem – Paul Hatch

15-Oct-07 04:39:18
Hi Julia,

I just wanted to let you know that I figured out a solution that worked for me;
that is to get double-click access to my drives and get rid of ‘Hacked by UC’
in the IE title bar. Anyway, here are the steps I followed that got the problem
fixed on my computer. However, these instructions are kind of long, so it might
take a while to get through all the steps.

One last thing before I get into the instructions to fix the problem:
You might want to save this page to your hard drive, to your My Documents
folder. The reason I say this is that if you have the page saved to your
hard drive you will be able to view it while you are in safe-mode. Also,
if you have a word processing program, such as Microsoft Word, you can
copy this post and paste it into a document (and save to the My Documents
folder) and that should make it a bit easier to locate this post, than if
you use your web browser and open the webpage, although you can do either.
(Just anything to view these instructions in safe-mode – they’re quite
lengthy) Well, I hope my instructions help you get that nasty problem
fixed – I wish you luck!

—————————————————

If you see ‘Hacked by UC’ in the title bar of Internet Explorer, you may
have noticed that you cannot open the drives in Windows Explorer by
double-clicking on the drives.

If you are experiencing this problem, and you need immediate access to
a drive, you can safely open it by right-clicking on the drive you want
to open, and then click Open.

The reason I say ‘safely’ is that if you double-click a drive to open it,
and it doesn’t open, it runs a script in the root of that drive called
‘uc.vbs’, which is referenced in the autorun.inf file.

Now, let’s proceed to fix the problem:

(Note: Press Enter after each line, and do not type the punctuation)

1. Restart the computer and go into safe-mode.

2. Press Ctrl+Alt+Del to bring up the Windows Task Manager.

3. Click the Processes tab. Look for a process called wscript.exe, and
terminate it if it’s running. There may be more than one instance of this
process so be sure you terminate all of them if there’s more than one.

4. Now you need to show the hidden files and folders, if they’re not already
shown.

To do this follow these steps:

• Open My Computer

• Go Tools | Folder Options and click the View tab

• Click the radio button Show Hidden Files and Folders

• Scroll down if necessary and find the check box Hide Protected Operating
System Files, and if you see a check mark remove it

5. Open the Command Prompt

6. Type ‘del %systemroot%\uc.vbs’. Don’t worry if you get a ‘File not found’ error

7. Go to the root of the C drive and type ‘attrib -r -h -s C:\uc.vbs’

8. Type del uc.vbs.

9. Type attrib -r -h -s C:\autorun.inf

10. Type del autorun.inf

Repeat steps 6 through 9 for all hard drives or hard drive partitions that
you’re having trouble with, and replace C with the appropriate drive letter,
and remember to press Enter after every line.

Now, go to the Start menu, click Run, type ‘regedit’ and then click OK.

This takes you into the Registry Editor. What you’re going to do here is remove
the following values from the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UC

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title

HKCR\vbsfile\DefaultIcon

When you’re finished deleting the above registry values navigate to the
top of the registry, and then go Edit | Find, and then type ‘uc.vbs’.
When you’re finished click Find Now.

Furthermore, don’t delete the string value itself –
Here’s what I recommend: open the string value (which is in the right pane)
and then delete everything in it, and then click OK. Press F3 when you’re
ready to go to the next occurrence.

Keep doing this until you have emptied all the string values containing
references to ‘uc.vbs’. When you have finished going through the whole
registry, you’ll want to be sure you haven’t missed any occurrences.

Navigate back to the top of the registry and click on My Computer to highlight
it. You want to be sure you’re searching the whole registry.

Now go to the Edit menu and click Find. In the text box make sure you see
uc.vbs, and then click Find Next. What we’re doing is a sweep of the entire
registry to make sure we have deleted every reference to uc.vbs. I’m not
certain that it’s safe to delete the string value itself because I haven’t
tested it, so we’re staying on the safe side.

If you come across any string value with this filename, open it, delete the
contents of the string value. You can do this quickly by placing the insertion
point at the beginning of the text field and then pressing Shift+End. This
selects everything in the string value. Press Delete, then click OK. After
you have done this press F3 to see if there are any more of these references.

After you have come to the end of the registry, navigate back to the top of
the registry and then do another search. What you’re after is to go through
the whole registry without finding any occurrences of uc.vbs.

When you’re finished, restart the computer.

After you’ve restarted the computer open Windows Explorer (My Computer)
and then double-click on the icon for your hard drive. You should now be
in your hard drive’s directory.

Well, you’re all finished! That was quite a journey, but if you did everything
correctly I believe that you will again have double-click access to your
drives as well as be rid of ‘Hacked by UC’ in the IE title bar.
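
The post above explains that double-clicking an affected drive runs uc.vbs because autorun.inf references it. As an added example (not part of the original post or of Paul Hatch's instructions), this Python code lists the launch entries in an autorun.inf and flags the ones that point at script files, so a drive can be checked before and after cleanup. The sample file contents, function names and extension list are constructed for illustration.

```python
import re

# [autorun] keys whose value is a command line Windows may launch for the drive.
COMMAND_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Script types handled by wscript.exe / cmd.exe (assumed list for this example).
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.IGNORECASE)

# Constructed samples, not captures of the real worm's file.
SAMPLE_INFECTED = r"""
garbage line before any section
[AutoRun]
open=wscript.exe uc.vbs
ShellExecute = uc.vbs
icon=drive.ico
"""
SAMPLE_CLEAN = r"""
[autorun]
open=setup.exe
shell\install\command=setup.exe
label=Installer
"""

def autorun_commands(text):
    """Return {key: command} for every launch entry in the [autorun] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue  # tolerate junk lines and other sections
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in COMMAND_KEYS or SHELL_COMMAND.match(key):
            found[key] = value
    return found

def suspicious_entries(text):
    """Keep only launch entries whose command references a script file."""
    return {k: v for k, v in autorun_commands(text).items() if SCRIPT_EXT.search(v)}

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, suspicious_entries(sample))
```

To check a real drive, read its autorun.inf as text (for example with `open(path, errors="replace").read()`) and pass the contents to `suspicious_entries`.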

Comments

  1. James says

    Hi, I found your blog on this new directory of WordPress Blogs. I don't know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.
