Solved

Recovering from FBI Moneypak fix

Posted on 2013-06-03
Last Modified: 2013-11-22
I have fixed an FBI Moneypak virus Win 7 computer. I now have an error message upon startup that says:

"RegSvr32
The module
"C:\Users\xxx\AppData\Local\W...\jdwyxubx.dll"
failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found."

I click "ok" and it then behaves.

However, I followed the path shown, and the only "W" item was Webex. Within Webex was a text file of the name jdwyxubx.txt. I tried renaming it to ....dll, but that didn't do anything.

I looked to see if I could uninstall Webex, or remove it from startup items, or disable it in msconfig, but none of those are options.

Anyone have any ideas? PS this only happens on the user name that was infected with FBI.

Thank you.

PPS Roguekiller, ESET online scanner, ESET NOD32, MWB have all been run and show clean.
Question by:Bruce Corson
5 Comments
 
LVL 1

Accepted Solution

by:
c08ra earned 2000 total points
ID: 39217843
They may be located in the registry startup area.
Press the Windows key + R, or click Start and in the search box type regedit, then press Enter.
Open the program and click Yes to allow it to run.

Click on File, then Export, to save a backup first, then...

Check these locations for entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Just delete the entry contents. If it goes wrong, just double-click on the saved backup to revert back to the original registry entries.
Hope this helps.
0
 
LVL 31

Expert Comment

by:Thomas Zucker-Scharff
ID: 39218034
Try Autoruns. It will detect if a file is being accessed on startup and allow you to delete the reference to it (it will say "file not found" next to the entry). Once you have done this, I strongly suggest booting to safe mode with networking and running Chameleon by Malwarebytes. In the Malwarebytes/tools directory look for svchost.exe; this is really Chameleon, which will run, killing any rogue processes (in case any are left), then it will update MBAM and run a scan.

Between those 2 steps you should have the problem cleaned up. Afterward I would reinstall Webex.
0
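The check described in the two answers above (look through the four Run/RunOnce keys, find the entry whose file is gone) can be scripted. This is an added example, not code from any poster in the thread; the helper name `Get-TargetPath` and its command-line parsing rules are assumptions made for illustration, and the script only reports, it deletes nothing.

```powershell
# Added example: report Run/RunOnce values that point at a file that no longer exists.
# Read-only. Written to run on the PowerShell 2.0 that ships with Windows 7.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the file a startup command line refers to.
function Get-TargetPath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # For regsvr32/rundll32 launchers the DLL argument is the real target.
    if ($cmd -match '\b(regsvr32|rundll32)(\.exe)?"?\s+(.*)$') {
        $rest = ($Matches[3] -replace '(^|\s)/\w+(:\S*)?', ' ').Trim()  # drop /s, /i:...
        if ($rest -match '^"([^"]+)"') { return $Matches[1] }
        return ($rest -split ',')[0].Trim()      # rundll32 file.dll,EntryPoint
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }   # quoted program path
    # Unquoted: take the text up to the first known executable extension.
    if ($cmd -match '^(.+?\.(exe|dll|com|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return $cmd
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $command = [string]$k.GetValue($name)
        if (-not $command.Trim()) { continue }
        $target = Get-TargetPath $command
        $status = if ($target -match '^([A-Za-z]:\\|\\\\)') {
            if (Test-Path -LiteralPath $target) { 'Present' } else { 'Missing' }
        } elseif ($target -and (Get-Command $target -ErrorAction SilentlyContinue)) {
            'Present'        # bare name resolved through PATH
        } else {
            'Unresolved'     # could not locate; inspect by hand
        }
        New-Object PSObject -Property @{ Key = $key; Name = $name; Status = $status
                                         Target = $target; Command = $command }
    }
}
# Show only the entries worth a manual look before removing anything.
$report | Where-Object { $_.Status -ne 'Present' } |
    Select-Object Key, Name, Status, Target, Command | Format-List
```

Run it while logged on as the affected account, because `HKCU:` is the hive of whoever runs the script. A `Missing` row is the same condition Autoruns labels "file not found".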
 
LVL 93

Expert Comment

by:nobus
ID: 39218171
You can also make a new user account to fix it.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39218677
I would back tzucker's comment above and suggest you follow it.

Get a copy of Autoruns from Microsoft and search for the "DLL".

Download:
http://download.sysinternals.com/Files/Autoruns.zip

Info:
http://technet.microsoft.com/en-us/sysinternals/bb963902

Remove it once found, or else, if you face any difficulty working with Autoruns, you could just save the autorun entries of your system and post them here. To save the autorun entries, do the following:
Click --> File --> Save.
File Name "filename.arn" (filename could be any name)
Save as type AutoRuns Data (*.arn) --> This is important while saving.

You might want to zip the arn file before posting it here for further analysis.

Sudeep
0
 
LVL 1

Author Closing Comment

by:Bruce Corson
ID: 39219845
This did it! Thanks very much.

For future people reading this solution, in case it isn't clear, the "entries" you are looking for are references to (in this case) Webex. Found that in one place, deleted it, and all's well now.

Thank you.
0
