Solved

Recovering from FBI Moneypak fix

Posted on 2013-06-03
Last Modified: 2013-11-22
I have fixed an FBI Moneypak virus Win 7 computer. I now have an error message upon startup that says:

"RegSvr32
The module
"C:\Users\xxx\AppData\Local\W...\jdwyxubx.dll"
failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found."

I click "ok" and it then behaves.

However, I followed the path shown, and the only "W" item was Webex. Within Webex was a text file of the name jdwyxubx.txt. I tried renaming it to ....dll, but that didn't do anything.

I looked to see if I could uninstall Webex, or remove it from startup items, or disable it in msconfig, but none of those are options.

Anyone have any ideas? PS this only happens on the user name that was infected with FBI.

Thank you.

PPS Roguekiller, ESET online scanner, ESET NOD32, MWB have all been run and show clean.
Question by:Bruce Corson
5 Comments
 

Accepted Solution

by:
c08ra earned 500 total points
ID: 39217843
They may be located in the registry startup area.
Click on the Windows key + R, or click Start and in the search box type regedit, then Enter.
Open the program and click Yes to allow it to run.

Click on File, then Export, to save a backup first, then...

Check these locations for entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Just delete the entry contents. If it goes wrong, just double-click on the saved backup to revert back to the original registry entries.
Hope this helps.

Expert Comment

by:Thomas Zucker-Scharff
ID: 39218034
Try Autoruns; it will detect if a file is being accessed on startup and allow you to delete the reference to it (it will say file not found next to the entry). Once you have done this, I strongly suggest booting to safe mode with networking and running Chameleon by Malwarebytes. In the Malwarebytes/tools directory look for svchost.exe; this is really Chameleon, which will run, killing any rogue processes (in case any are left), then it will update MBAM and run a scan.

Between those 2 steps you should have the problem cleaned up. Afterward I would reinstall Webex.

Expert Comment

by:nobus
ID: 39218171
You can also make a new user account to fix it.

Expert Comment

by:Sudeep Sharma
ID: 39218677
I would back tzucker's comment above and suggest you follow it.

Get a copy of Autoruns from Microsoft and search for the "DLL".

Download:
http://download.sysinternals.com/Files/Autoruns.zip

Info:
http://technet.microsoft.com/en-us/sysinternals/bb963902

Remove it once found, or else, if you face any difficulty working with Autoruns, you could just save the autorun entries of your system and post them here. To save the autorun entries, do the following:
Click --> File --> Save.
File Name "filename.arn" (filename could be any name)
Save as type AutoRuns Data (*.arn) --> This is important while saving.

You might want to zip the arn file before posting it here for further analysis.

Sudeep

Author Closing Comment

by:Bruce Corson
ID: 39219845
This did it! Thanks very much.

For future people reading this solution, in case it isn't clear, the "entries" you are looking for are references to (in this case) Webex. Found that in one place, deleted it, and all's well now.

Thank you.
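
The check described in the accepted solution (the four Run/RunOnce keys) and in the Autoruns comments ("file not found" next to an entry) can be scripted as a read-only audit. This is an added example, not code from the thread: the helper name `Get-AutorunTarget`, the variable names and the extension list are assumptions, and it covers only the four keys listed above, not every location Autoruns inspects.

```powershell
# Added example (not from the thread): read-only audit, nothing is deleted.
# HKCU is the hive of the account running the script, so run it as the affected user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Fully qualified paths to executable-type files, quoted or not, so the DLL handed
# to regsvr32/rundll32 is picked up as well as the launcher itself.
# The extension list is an assumption chosen for this example.
$pathPattern = '[A-Za-z]:\\[^"<>|*?,:]+?\.(?:exe|dll|ocx|cpl|scr|bat|cmd|vbs|js)\b'

function Get-AutorunTarget {
    # Hypothetical helper: returns every file path referenced by one command line.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    [regex]::Matches($expanded, $pathPattern, 'IgnoreCase') |
        ForEach-Object { $_.Value }
}

$report = foreach ($keyPath in $runKeys) {
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }              # RunOnce keys are often absent
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        foreach ($target in (Get-AutorunTarget -Command $command)) {
            New-Object PSObject -Property @{
                Key     = $keyPath
                Name    = $name
                Target  = $target
                Exists  = (Test-Path -LiteralPath $target -PathType Leaf)
                Command = $command
            }
        }
    }
}

# Entries whose target is gone: leftovers like the regsvr32 reference in the question.
$report | Where-Object { -not $_.Exists } |
    Format-List Key, Name, Target, Command
```

An entry listed here still has to be reviewed and removed by hand in regedit or Autoruns, after exporting a backup as the accepted solution describes.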