Solved

Recovering from FBI Moneypak fix

Posted on 2013-06-03
Last Modified: 2013-11-22
I have fixed an FBI Moneypak virus Win 7 computer. I now have an error message upon startup that says:

"RegSvr32
The module
"C:\Users\xxx\AppData\Local\W...\jdwyxubx.dll"
failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found."

I click "ok" and it then behaves.

However, I followed the path shown, and the only "W" item was Webex. Within Webex was a text file of the name jdwyxubx.txt. I tried renaming it to ....dll, but that didn't do anything.

I looked to see if I could uninstall Webex, or remove it from startup items, or disable it in msconfig, but none of those are options.

Anyone have any ideas? PS this only happens on the user name that was infected with FBI.

Thank you.

PPS Roguekiller, ESET online scanner, ESET NOD32, MWB have all been run and show clean.
Question by:Bruce Corson
Accepted Solution

by: c08ra (earned 500 total points)
ID: 39217843
They may be located in the registry startup area.
Press the Windows key + R, or click Start and in the search box type regedit, then press Enter.
Open the program and click Yes to allow it to run.

Click on File, then Export, to save a backup first, then...

Check these locations for entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Just delete the entry contents. If it goes wrong, just double-click on the saved backup to revert back to the original registry entries.
Hope this helps.

Expert Comment

by:Thomas Zucker-Scharff
ID: 39218034
Try Autoruns; it will detect if a file is being accessed on startup and allow you to delete the reference to it (it will say file not found next to the entry). Once you have done this, I strongly suggest booting to safe mode with networking and running Chameleon by Malwarebytes. In the Malwarebytes/tools directory look for svchost.exe; this is really Chameleon, which will run, killing any rogue processes (in case any are left), then it will update MBAM and run a scan.

Between those 2 steps you should have the problem cleaned up.  Afterward I would reinstall webex.
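
An added example, not part of the thread and not code from any poster: a read-only PowerShell check of the four Run/RunOnce keys listed in the accepted solution that reports values whose target file is missing, the same condition Autoruns marks as "file not found". The function name `Get-MissingTarget` and the extension list in the pattern are assumptions of this example; the HKCU keys reflect the logged-on user, so it is meant to be run from the affected profile.

```powershell
# Added example (not from the thread): report Run/RunOnce values that point at
# files which no longer exist. Read-only: it lists entries and deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Fully qualified paths ending in a loadable or executable extension
# (assumed list). The body excludes ':' so that a match cannot run from one
# path into the next, e.g. "C:\a\regsvr32.exe /s C:\b\x.dll" gives two matches.
$pathPattern = '(?i)(?:[a-z]:\\|\\\\)[^"<>|*?:,]+?\.(?:exe|dll|ocx|cpl|scr|bat|cmd|vbs|js|ps1)(?=["\s,]|$)'

# Hypothetical helper: returns every path in a command line that is not on disk.
function Get-MissingTarget {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    foreach ($m in [regex]::Matches($expanded, $pathPattern)) {
        # -LiteralPath: characters such as [ ] in a file name are not wildcards.
        if (-not (Test-Path -LiteralPath $m.Value -PathType Leaf)) { $m.Value }
    }
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # RunOnce is often absent
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        foreach ($missing in Get-MissingTarget -CommandLine $command) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command   # full value, e.g. a regsvr32 call
                Missing = $missing   # the file that is not on disk
            }
        }
    }
}

$findings | Format-List
```

Values that start a program by bare name with no full path are not checked, and nothing is reported when every referenced file exists.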

Expert Comment

by:nobus
ID: 39218171
You can also make a new user account to fix it.

Expert Comment

by:Sudeep Sharma
ID: 39218677
I would back tzucker's comment above and suggest you follow it.

Get a copy of Autoruns from Microsoft and search for the "DLL".

Download:
http://download.sysinternals.com/Files/Autoruns.zip

Info:
http://technet.microsoft.com/en-us/sysinternals/bb963902

Remove it once found, or else, if you face any difficulty working with Autoruns, you could just save the autorun entries of your system and post them here. To save the autorun entries, do the following:
Click --> File --> Save.
File Name "filename.arn" (filename could be any name)
Save as type AutoRuns Data (*.arn) --> This is important while saving.

You might want to zip the arn file before posting it here for further analysis.

Sudeep

Author Closing Comment

by:Bruce Corson
ID: 39219845
This did it! Thanks very much.

For future people reading this solution, in case it isn't clear, the "entries" you are looking for are references to (in this case) Webex. Found that in one place, deleted it, and all's well now.

Thank you.