Updated 19/08/2010

I have seen a few people on forums mention seeing a pop-up saying ‘Bot Not Crypted’, which has caused them confusion. AV hasn’t picked anything up, nor have some malware scanners, but it is indeed malware and can be found with HijackThis.

Removal instructions are as follows:

Run HijackThis and look for:

O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}] "C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"

*The actual filename and path may be different, but look for anything out of the ordinary.

To remove this, go to C:\Documents and Settings\Administrator\Application Data
*In order to see the “Application Data” folder, you have to set Windows to “view hidden files and folders”.

Next, run “regedit.exe” (search for it and open it up).
Select “My Computer” from the list and then in the “Edit” menu select “Find”.

Type in “meol.exe” (or the name of the file you found in HijackThis). When it finds it in the registry, just delete it. Continue searching, as it was in 3 different parts of my registry.

WARNING: don’t delete anything in the registry other than the “meol.exe” entries, as doing so may render your computer useless.

When completed, restart your computer and repeat the registry search to ensure the registry is clean of “meol.exe”.

You may want to run something like Malwarebytes over your system afterwards to be sure.

Happy Computing!

*Update* – Reports suggest the filename is dynamically generated, so it could be anything. Look for .exe files whose names are random letters.

The file path may also be different, with reports of AppData\Roaming holding the package.

Rescan with HijackThis after removal to ensure it’s gone. If it reappears, use safe mode and do the removal.

You may also need to disable system restore and clear the files.
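
Because the filename is randomly generated, searching a saved HijackThis log for the entry's shape is more reliable than searching for “meol.exe”. The following Python script is an added example, not part of the original instructions; it flags O4 startup entries whose value name is a GUID or whose executable sits under Application Data or AppData\Roaming. The function name and every sample line except the entry quoted above are made up for illustration, and a hit with only one indicator may well be legitimate software.

```python
import re

# HijackThis startup line: O4 - HKCU\..\Run: [value name] "C:\path\file.exe" args
O4_RE = re.compile(r'^O4\s*[-\u2013]\s*HK(?:CU|LM)\\\.\.\\Run\w*:\s*'
                   r'\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Per-user data folders named on the page (XP path and the newer Roaming path)
USER_DATA_RE = re.compile(r'\\(?:Application Data|AppData\\Roaming)\\', re.I)
EXE_RE = re.compile(r'^"?(?P<path>[A-Z]:\\[^"]*?\.exe)\b', re.I)

# Constructed sample log: the last O4 line is the entry quoted on the page,
# the other names and paths are made up for illustration.
SAMPLE_LOG = r"""
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [ExampleSync] "C:\Users\alice\AppData\Roaming\ExampleSync\sync.exe"
O4 - HKCU\..\Run: [{2F2D4EB4-FC49-C869-539D-00E52FE52F03}] "C:\Documents and Settings\Administrator\Application Data\Uztaok\meol.exe"
"""


def suspicious_run_entries(log_text):
    """Return [(value_name, exe_path, reasons)], most indicators first."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m.group('cmd')) if m else None
        if not exe:
            continue  # not an O4 Run entry, or no .exe path to inspect
        reasons = []
        if GUID_RE.match(m.group('name')):
            reasons.append('GUID used as value name')
        if USER_DATA_RE.search(exe.group('path')):
            reasons.append('executable in per-user data folder')
        if reasons:
            hits.append((m.group('name'), exe.group('path'), reasons))
    # Stable sort: entries matching both indicators are listed first
    return sorted(hits, key=lambda h: -len(h[2]))


if __name__ == '__main__':
    for name, path, reasons in suspicious_run_entries(SAMPLE_LOG):
        print(f'{name}\n  {path}\n  {"; ".join(reasons)}')
```

Entries that match both indicators are the ones to check first against the removal steps above.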

For assistance in removing this malware remotely, call Orbits today on 01446 678 639 or email us at helpdesk@orbitshost.co.uk
Update 19/11/2010: We are noticing a spike in visitors from Spain. Orbits are investigating the reason for the outbreak in Spain, but in the meantime please leave your comments and fixes to assist your fellow compatriots.