"bot Not Crypted!"

Discussion in 'IT & Internet' started by Pab, Jul 22, 2010.

Thread Status:
Not open for further replies.
  1. Pab

    Pab UKBF Newcomer Free Member

    775 69
    My work laptop (Dell thingy, Windows 7, SBS client) has started showing this pop up when it starts up.

    BOT NOT CRYPTED!

    It gives no other information (apart from a '#' in the top left of the pop up box). Just an 'OK' button. Programs seem to be running fine. What could this be?
     
    Posted: Jul 22, 2010 By: Pab Member since: Jun 5, 2008
    #1
  2. Sterling

    Sterling UKBF Newcomer Free Member

    5 0
    Happened to me too on July 22nd, 2010. Lenovo ThinkPad T500 running Vista. Nothing in event logs, nothing shows up on virus scan. The screen flashed before the message popped up as though the video card was being reset, but nothing in the event log.
     
    Posted: Jul 23, 2010 By: Sterling Member since: Jul 23, 2010
    #2
  3. Bowser

    Bowser UKBF Newcomer Free Member

    1 0
    Hi there,

    Found this pop up on my laptop yesterday.

    Upon searching Google I found this forum (and a hacker's forum) as the only results.

    - M (in Canada)
     
    Posted: Jul 23, 2010 By: Bowser Member since: Jul 23, 2010
    #3
  4. roes

    roes UKBF Newcomer Free Member

    3 1
    i had the same, so i ran "hijackthis" which is a program that lists all the things your computer loads at startup.

    in there i found:

    O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}]
    "C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"

    so follow that "C" path and delete the "Uztaok" folder.
    in order to see the "Application Data" folder you have to set your windows to "view hidden files and folders". i won't explain, just google it.

    next you have to run "regedit.exe". search for it and open it up.
    select "my computer" from the list and then in the "edit" menu select "find".

    type in "meol.exe". when it finds it in the registry just delete it. continue searching as it was in 3 different parts of my registry.

    WARNING: don't delete any other files except "meol.exe" in the registry as it may render your computer useless.

    when completed restart your computer and repeat the registry search to ensure the registry is clean of "meol.exe".

    good luck and let me know how it goes!
     
    Posted: Jul 24, 2010 By: roes Member since: Jul 24, 2010
    #4
  5. Sterling

    Sterling UKBF Newcomer Free Member

    5 0
    Thanks for the hint. Mine is in the AppData\Roaming folder for my user profile, and it has a different name from yours: The folder name is Ovpas and the file name is luad.exe. When I run msconfig.exe it shows up on the Startup tab with a Manufacturer of Unknown. When I do a virus scan on it, it is not reported as a threat (Symantec Enterprise). It does not appear in the list of running processes or services in Task Manager, but something must be running and monitoring it because when I try to delete it from HKCU Run, it reappears a few seconds later. I'm going to try safe mode and see if it will stay deleted.
     
    Posted: Jul 24, 2010 By: Sterling Member since: Jul 23, 2010
    #5
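The startup entry roes quotes from HijackThis in post #4 and the variant Sterling describes in post #5 share two traits a scanner signature does not depend on: a Run value pointing at an executable one folder below the per-user application-data root, and (in roes's case) a bare GUID as the value name. The triage script below is an added example, not part of any post; the two heuristics are assumptions drawn from those posts, and every log line after the first entry is constructed for illustration.

```python
import re
from ntpath import dirname  # parses Windows paths on any OS

# HijackThis autostart line: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Per-user data roots named in the thread (XP layout and Vista/7 layout).
ROOT_RE = re.compile(r'\\(Application Data|AppData\\Roaming)$', re.I)

# Constructed sample log: the first entry is the one quoted in the thread
# (wrapped as pasted); the other two are made up for this example.
SAMPLE_LOG = r'''
O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}]
"C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -start
O4 - HKCU\..\Run: [ExampleName] C:\Users\example\AppData\Roaming\Ovpas\luad.exe
'''

def exe_path(cmd):
    """Pull the executable path out of a quoted or bare command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', cmd, re.I)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return [(value_name, exe_path, reasons)] for Run entries worth a look."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, line in enumerate(lines):
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group(2), m.group(3)
        # A pasted log may wrap the command onto the next line; rejoin it.
        if not cmd and i + 1 < len(lines) and not re.match(r'O\d+ - ', lines[i + 1]):
            cmd = lines[i + 1]
        path, reasons = exe_path(cmd), []
        if GUID_RE.match(name):
            reasons.append('value name is a bare GUID')
        if ROOT_RE.search(dirname(dirname(path))):
            reasons.append('exe sits one folder below the per-user data root')
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == '__main__':
    for name, path, reasons in triage(SAMPLE_LOG):
        print(path, '->', '; '.join(reasons))
```

A single reason is only a prompt to inspect the file, since legitimate software also installs under the per-user data folder.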
  6. Sterling

    Sterling UKBF Newcomer Free Member

    5 0
    In Safe mode I was able to rename the file. When I rebooted and logged in as normal the file stayed renamed and I was able to delete the registry entry, which this time stayed deleted.
     
    Posted: Jul 24, 2010 By: Sterling Member since: Jul 23, 2010
    #6
  7. roes

    roes UKBF Newcomer Free Member

    3 1
    when i google this error we are the only ones listed, so i was wondering if this is some new bot. it doesn't help that it has completely different names on different computers and different locations. perhaps part of the program is to name itself randomly every time it reaches a new computer...

    i forgot to mention that one of us should keep the file and send it off to the anti-virus companies to see what it is. too bad i've already deleted it. perhaps if someone new gets it then they can send it in.
     
    Posted: Jul 24, 2010 By: roes Member since: Jul 24, 2010
    #7
  8. roes

    roes UKBF Newcomer Free Member

    3 1
    apparently our AV programs are just not good enough.

    (http)://virusscan.jotti.org/en

    this runs a file against 10 AV programs....

    half of them returned BOT and TROJAN warnings. but my program, Clam, said it was ok.

    time to pick a better anti-virus.
     
    Posted: Jul 25, 2010 By: roes Member since: Jul 24, 2010
    #8
  9. Sterling

    Sterling UKBF Newcomer Free Member

    5 0
    Google just found another: www, trojaner-board, de/88632-bot-not-crypted-ihim-exe, html (change commas to dots and remove spaces)
     
    Posted: Jul 25, 2010 By: Sterling Member since: Jul 23, 2010
    #9
  10. rob w

    rob w UKBF Newcomer Free Member

    1 0
    Yes this "bot not crypted" has just got my work laptop as well
     
    Posted: Jul 31, 2010 By: rob w Member since: Jul 30, 2010
    #10
  11. Sterling

    Sterling UKBF Newcomer Free Member

    5 0
    Google has pulled up another report, this time at www,bleepingcomputer,com / forums / topic336758.html
     
    Posted: Aug 3, 2010 By: Sterling Member since: Jul 23, 2010
    #11
  12. Jim2k

    Jim2k UKBF Enthusiast Free Member

    835 144
    Have posted an article on our blog with the fix posted above. Looks like a new one out in the wild.
     
    Posted: Aug 3, 2010 By: Jim2k Member since: Apr 21, 2010
    #12
  13. Jim2k

    Jim2k UKBF Enthusiast Free Member

    835 144
    I've updated the blog post with additional details. Here
     
    Posted: Aug 3, 2010 By: Jim2k Member since: Apr 21, 2010
    #13
  14. ncbowling

    ncbowling UKBF Newcomer Free Member

    3 1

    :) Under C:\Documents and Settings\your user name\Application Data\
    you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.
     
    Posted: Aug 6, 2010 By: ncbowling Member since: Aug 6, 2010
    #14
  15. ncbowling

    ncbowling UKBF Newcomer Free Member

    3 1
    :) Under C:\Documents and Settings\your user name\Application Data\
    you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.
     
    Posted: Aug 6, 2010 By: ncbowling Member since: Aug 6, 2010
    #15
  16. lorib10

    lorib10 UKBF Newcomer Free Member

    5 1
    I am having the same problem as everyone else. I get a message when I start my computer that says BOT NOT CRYPTED. I am not good with computers & I have tried Spybot Search & Destroy & McAfee and both have not taken care of this. Please can somebody help me get this window off my computer. But do it in simple language because I am like a fish out of water when it comes to computers. Any help will be appreciated.
     
    Posted: Aug 6, 2010 By: lorib10 Member since: Aug 6, 2010
    #16
  17. lorib10

    lorib10 UKBF Newcomer Free Member

    5 1
    bot not crypted message on my computer, how do I get rid of it? Have used Spybot & McAfee to no avail, can anyone help?
     
    Posted: Aug 6, 2010 By: lorib10 Member since: Aug 6, 2010
    #17
  18. ncbowling

    ncbowling UKBF Newcomer Free Member

    3 1

    Below are my directions from August 6th. See if you have the same folder I had that had the "BOT NOT CRYPTED!" executable.

    Under C:\Documents and Settings\your user name\Application Data\
    you will find folder Utevi containing the executable file buxoe.exe. Delete this folder and search your computer for every occurrence of buxoe.exe and delete them all. Also empty the recycle bin. Reboot and the "BOT NOT CRYPTED!" should be toast.
     
    Posted: Aug 9, 2010 By: ncbowling Member since: Aug 6, 2010
    #18
  19. BlankReg

    BlankReg UKBF Newcomer Free Member

    1 0
    Eyup One and All .. This would be my first post here ..

    Bot Beating made Easy:

    When you first fire-up the PC don't touch the 'Bot Not Crypted' message

    Instead press Control,Alt,Delete to call up task manager.

    The only application running should be the one to destroy
    (if your pc/laptop/inter-continental communication device automatically loads up loadsa programmes for you on startup, cos you're a lazy B or your IT guy's a smrtass then turn them all off and then run task manager)

    Highlight the soon to be dead programme and click 'go to process'.
    This will show you precisely which file name you need to eliminate
    (remember, this Bot changes its name cos it's a sneaky little F... - mine called itself 'hivai', two other posters on this thread have had other titles 'meol' and 'buxoe')

    Now pay close attention to where this little bugga's hiding and go find it, through 'C' drive, into etc.etc. (C:\Documents and Settings\your user name\Application Data\)

    When you find it, delete it - with relish!

    Then run a full search of your whole drive for the filename 'hivai' whatever, and then delete all those too.
    (depending on how long it's been around how many versions I reckon, but at least one more 'filename'.pf hiding in the Windows\prefetch directory)

    This worked for me.

    If it works for you then You're Welcome.

    If it all goes pear-shaped .... well .... blame some mad bloke on the inter-web!

    Tra! XX
     
    Posted: Aug 9, 2010 By: BlankReg Member since: Aug 9, 2010
    #19
  20. Steerpike

    Steerpike UKBF Newcomer Free Member

    3 0
    Hi Jim2K

    Thanks for the link to your blog, but the page doesn't seem to be there - has it been taken down?

    Please could you post again - this bot is really getting on my wick

    Thanks
     
    Last edited: Aug 9, 2010
    Posted: Aug 9, 2010 By: Steerpike Member since: Aug 9, 2010
    #20