Solved

Recovering from FBI Moneypak fix

Posted on 2013-06-03
5
634 Views
Last Modified: 2013-11-22
I have fixed an FBI Moneypak virus Win 7 computer. I now have an error message upon startup that says:

"RegSvr32
The module
"C;\Users\xxx\AppData\Local\W...\jdwyxubx.dll"
failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found."

I click "ok" and it then behaves.

However, I followed the path shown, and the only "W" item was Webex. Within Webex was a text file of the name jdwyxubx.txt. I tried renaming it to ....dll, but that didn't do anything.

I looked to see if I could uninstall Webex, or remove it from startup items, or disable it in msconfig, but none of those are options.

Anyone have any ideas? PS this only happens on the user name that was infected with FBI.

Thank you.

PPS Roguekiller, ESET online scanner, ESET NOD32, MWB have all been run and show clean.
0
Comment
Question by:Bruce Corson
5 Comments
 
LVL 1

Accepted Solution

by:
c08ra earned 500 total points
ID: 39217843
They may be located in the registry startup area
click on the windows key +r   or click start and in the search box type regedit   ----  enter
open the program and click yes to allow it to run.

Click on file then export to save a backup first then.....

Check these locations for entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

just delete the entry contents, if it goes wrong just double click on the saved backup to revert back to original registry entries
Hope this helps
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39218034
Try autoruns it will detect if a file is being accessed on startup and allow you to delete the reference to it ( it will say file not found next to the entry).  Once you have done this I strongly suggest booting to safe mode with networking and running chameleon by Malwarebytes.  In the Malwarebytes/tools directory look for svchost.exe, this is really chameleon which will run killing any rogue processes (in case any are left) then it will update MBAM and run a scan.

Between those 2 steps you should have the problem cleaned up.  Afterward I would reinstall webex.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39218171
you can also make a new user account to fix it
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39218677
I would back tzucker's comment above and suggest you to follow it.

Get a copy of Autoruns from Microsoft and search for the "DLL"

Download:
http://download.sysinternals.com/Files/Autoruns.zip

Info:
http://technet.microsoft.com/en-us/sysinternals/bb963902

Remove it once found, or else if you face any difficulty working with the autoruns then you could just save the autorun entries of you system and post it here. To save the autorun entries do the following:
Click --> File --> Save.
File Name "filename.arn" (filename could be any name)
Save as type AutoRuns Data (*.arn) --> This is important while saving.

You might want to zip the arn file before posting it here for further analysis.

Sudeep
0
 
LVL 1

Author Closing Comment

by:Bruce Corson
ID: 39219845
This did it! Thanks very much.

For future people reading this solution, in case it isn't clear, the "entries" you are looking for are references to (in this case) Webex. Found that in one place, deleted it, and all's well now.

Thank you.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now