"bot Not Crypted!"


Pab
22nd July 2010, 15:44
My work laptop (Dell thingy, Windows 7, SBS client) has started showing this pop up when it starts up.

BOT NOT CRYPTED!

It gives no other information (apart from a '#' in the top left of the pop up box). Just an 'OK' button. Programs seem to be running fine. What could this be?

Sterling
23rd July 2010, 15:45
Happened to me too on July 22nd, 2010. Lenovo ThinkPad T500 running Vista. Nothing in event logs, nothing shows up on virus scan. The screen flashed before the message popped up as though the video card was being reset, but nothing in the event log.

Bowser
23rd July 2010, 20:57
Hi there,

Found this pop up on my laptop yesterday.

Upon searching Google I found this forum (and a hacker's forum) as the only results.

- M (in Canada)

roes
24th July 2010, 03:00
i had the same, so i ran "hijackthis" which is a program that lists all the things your computer loads at startup.

in there i found:

O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}]
"C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"

so follow that "C" path and delete the "Uztaok" folder.
in order to see the "Application Data" folder you have to set your windows to "view hidden files and folders". i won't explain, just google it.

next you have to run "regedit.exe". search for it and open it up.
select "my computer" from the list and then in the "edit" menu select "find".

type in "meol.exe". when it finds it in the registry just delete it. continue searching as it was in 3 different parts of my registry.

WARNING: don't delete any other files except "meol.exe" in the registry as it may render your computer useless.

when completed restart your computer and repeat the registry search to ensure the registry is clean of "meol.exe".

good luck and let me know how it goes!

Sterling
24th July 2010, 14:59
Thanks for the hint. Mine is in the AppData\Roaming folder for my user profile, and it has a different name from yours: The folder name is Ovpas and the file name is luad.exe. When I run msconfig.exe it shows up on the Startup tab with a Manufacturer of Unknown. When I do a virus scan on it, it is not reported as a threat (Symantec Enterprise). It does not appear in the list of running processes or services in Task Manager, but something must be running and monitoring it because when I try to delete it from HKCU Run, it reappears a few seconds later. I'm going to try safe mode and see if it will stay deleted.

Sterling
24th July 2010, 15:31
In Safe mode I was able to rename the file. When I rebooted and logged in as normal the file stayed renamed and I was able to delete the registry entry, which this time stayed deleted.

roes
24th July 2010, 22:24
when i google this error we are the only ones listed, so i was wondering if this is some new bot. it doesn't help that it has completely different names on different computers and different locations. perhaps part of the program is to name itself randomly every time it reaches a new computer...

i forgot to mention that one of us should keep the file and send it off to the anti-virus companies to see what it is. too bad i've already deleted it. perhaps if someone new gets it then they can send it in.
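An added example, not part of any post in this thread: a small Python check that reads HijackThis `O4` startup lines and lists entries showing the traits reported so far (a GUID-style value name in the HKCU Run key, and a short letters-only executable one folder below the user's Application Data). The function names, the threshold and the sample log are constructed for illustration; only the first suspicious entry and the Ovpas\luad.exe names come from the posts above.

```python
import re
from pathlib import PureWindowsPath

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HK(?:CU|LM))\\\.\.\\(Run\w*): \[(.+?)\]\s*(.*)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
SHORT_RE = re.compile(r'^[a-z]{3,8}$', re.I)      # Uztaok, Ovpas, meol, luad ...
USER_DATA_DIRS = {"application data", "roaming"}  # locations named in the thread

# Constructed sample. Entry 2 is the line from roes's post (wrapped as posted);
# entry 3 uses Sterling's folder/file names with a made-up value name and user.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}]
"C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"
O4 - HKCU\..\Run: [{11111111-2222-3333-4444-555555555555}] "C:\Users\user1\AppData\Roaming\Ovpas\luad.exe"
O4 - HKCU\..\Run: [ExampleSync] "C:\Users\user1\AppData\Roaming\ExampleSync\bin\sync.exe"
'''

def parse_o4(log_text):
    """Yield (hive, value_name, exe_path) for each O4 Run entry."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = O4_RE.match(line)
        if not m:
            continue
        hive, _key, name, cmd = m.groups()
        # The command may have wrapped onto the next line, as in the forum post.
        if not cmd and i + 1 < len(lines) and not re.match(r'O\d+ - ', lines[i + 1]):
            cmd = lines[i + 1]
        exe = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
        yield hive, name, (exe.group(1) or exe.group(2)) if exe else cmd

def reasons_for(hive, name, exe):
    """Return the traits from the thread that this autostart entry shows."""
    path = PureWindowsPath(exe)
    parts = [p.lower() for p in path.parts]
    found = []
    if hive == "HKCU" and GUID_RE.match(name):
        found.append("GUID-style value name in the per-user Run key")
    if len(parts) >= 3 and parts[-3] in USER_DATA_DIRS:
        found.append("executable one folder below the user's Application Data")
        if SHORT_RE.match(path.parent.name) and SHORT_RE.match(path.stem):
            found.append("short letters-only folder and file names")
    return found

def find_suspects(log_text, threshold=2):
    """Entries showing at least `threshold` traits, for manual review."""
    scored = ((n, e, reasons_for(h, n, e)) for h, n, e in parse_o4(log_text))
    return [s for s in scored if len(s[2]) >= threshold]

if __name__ == "__main__":
    for name, exe, why in find_suspects(SAMPLE_LOG):
        print(exe, "->", "; ".join(why))
```

Because the folder and file names differ on every machine, the check keys on the shape of the entry rather than on any one name; anything it lists still needs a manual look before deletion.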

roes
24th July 2010, 23:01
apparently our AV programs are just not good enough.

(http)://virusscan.jotti.org/en

this runs a file against 10 AV programs....

half of them returned BOT and TROJAN warnings. but my program, Clam, said it was ok.

time to pick a better anti-virus.

Sterling
25th July 2010, 03:26
"when i google this error we are the only ones listed"

Google just found another: www, trojaner-board, de/88632-bot-not-crypted-ihim-exe, html (change commas to dots and remove spaces)

rob w
30th July 2010, 23:31
Yes this "bot not crypted" has just got my work laptop as well

Sterling
3rd August 2010, 14:44
Google has pulled up another report, this time at www,bleepingcomputer,com / forums / topic336758.html

Jim2k
3rd August 2010, 15:24
Have posted an article on our blog with the fix posted above. Looks like a new one out in the wild.

Jim2k
3rd August 2010, 18:13
I've updated the blog post with additional details. Here (http://www.orbits-ltd.co.uk/orbits-opinion/)

ncbowling
6th August 2010, 13:24
My work laptop (Dell thingy, Windows 7, SBS client) has started showing this pop up when it starts up.

BOT NOT CRYPTED!

It gives no other information (apart from a '#' in the top left of the pop up box). Just an 'OK' button. Programs seem to be running fine. What could this be?


:) Under C:\Documents and Settings\your user name\Application Data\
you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.

ncbowling
6th August 2010, 13:26
:) Under C:\Documents and Settings\your user name\Application Data\
you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.

lorib10
6th August 2010, 22:34
I am having the same problem as everyone else. I get a message when I start my computer that says BOT NOT CRYPTED. I am not good with computers & I have tried Spybot Search & Destroy & McAfee and both have not taken care of this. Please can somebody help me get this window off my computer. But do it in simple language because I am like a fish out of water when it comes to computers. Any help will be appreciated.

lorib10
6th August 2010, 22:48
bot not crypted message on my computer, how do I get rid of it? Have used Spybot & McAfee to no avail, can anyone help?

ncbowling
9th August 2010, 11:17
bot not crypted message on my computer, how do I get rid of it? Have used Spybot & McAfee to no avail, can anyone help?


Below are my directions from August 6th. See if you have the same folder I had that had the "BOT NOT CRYPTED!" executable.

Under C:\Documents and Settings\your user name\Application Data\
you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.

BlankReg
9th August 2010, 16:51
Eyup One and All .. This would be my first post here ..

Bot Beating made Easy:

When you first fire up the PC don't touch the 'Bot Not Crypted' message

Instead press Control,Alt,Delete to call up task manager.

The only application running should be the one to destroy
(if your pc/laptop/inter-continental communication device automatically loads up loadsa programmes for you on startup, cos you're a lazy B or your IT guy's a smrtass then turn them all off and then run task manager)

Highlight the soon to be dead programme and click 'go to process'.
This will show you precisely which file name you need to eliminate
(remember, this Bot changes its name cos it's a sneaky little F... - mine called itself 'hivai', two other posters on this thread have had other titles 'meol' and 'buxoe')

Now pay close attention to where this little bugga's hiding and go find it, through 'C' drive, into etc.etc. (C:\Documents and Settings\your user name\Application Data\)

When you find it, delete it - with relish!

Then run a full search of your whole drive for the filename 'hivai' whatever, and then delete all those too.
(depending on how long it's been around how many versions i reckon, but at least one more 'filename'.pf hiding in the Windows\prefetch directory)

This worked for me.

If it works for you then You're Welcome.

If it all goes pear-shaped .... well .... blame some mad bloke on the inter-web!

Tra! XX

Steerpike
9th August 2010, 20:31
Hi Jim2K

Thanks for the link to your blog, but the page doesn't seem to be there - has it been taken down?

Please could you post again - this bot is really getting on my wick

Thanks

Steerpike
9th August 2010, 20:33
Just found it...

Sorry about that!

:redface:

Jim2k
10th August 2010, 10:22
How are people finding the removal? I will update the blog (link fixed) (http://www.orbits-ltd.co.uk/category/orbits-opinion/) with any new removal details etc. Please post what fixed it for you.

lorib10
10th August 2010, 17:35
Below are my directions from August 6th. See if you have the same folder I had that had the "BOT NOT CRYPTED!" executable.

Under C:\Documents and Settings\your user name\Application Data\
you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.

I have tried that. I do not have any of those files you mentioned, anything else you can suggest?

lorib10
10th August 2010, 17:37
I do not have any of those folders on my computer what else can I do?

Below are my directions from August 6th. See if you have the same folder I had that had the "BOT NOT CRYPTED!" executable.

Under C:\Documents and Settings\your user name\Application Data\
you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.

lorib10
10th August 2010, 17:38
I have looked on my computer for those files and they are not listed what else can I do???? Help please? I am not a computer person

Jim2k
11th August 2010, 10:25
I'd like to get to the bottom of this and create a removal guide which works. If anyone has the problem and would like to have an hour of remote IT Support for free then PM me. We will connect up, assess the problem and try to identify the cause and removal. First come first served!

Steerpike
12th August 2010, 10:34
Hi Jim

Your guide worked well (So many thanks there!) - when I actually read it carefully

The first time I tried I was doing it at 10pm, and was way too tired. Second time I actually managed to work out where the HCUK etc line was, (this is the complicated bit for amateurs like myself) and found three versions of the file in my case named /Gmocy and /something else etc

Once I'd deleted them, everything seems to be fine and I'm not getting redirected to tedious alternative websites every time I try to load up Firefox.

Good luck with the guide

Jim2k
19th August 2010, 08:58
Thanks for the feedback - will update post to make it easier to read.

vmx12
12th October 2010, 16:00
Thanks Jim,

I did exactly what you said in your blog. I only found it in two places but it seems to be gone. Mine was called ilzu.exe. I installed spyware doctor on my computer before seeing this. When I went to pay for it in order to get rid of everything spyware doctor found I couldn't get to any site with spyware doctor or pctools (the maker of spyware doctor) in the title. Not sure if it was related or not. Now my computer won't talk to my gateway. It seems my driver for my network connector is gone. Once again not sure if this is related.
Thanks again, this is a tricky one with it having a different name on each computer.