techcodr asked:

Fedex redirect virus

I am dealing with the Fedex Virus. I followed http://www.techjaws.com/fedex-email-malicious-attachment/ instructions of:

1. Reboot your PC and hit F8 to run your computer in Safe Mode with Networking.
2. Download MalwareBytes to your desktop and rename it to Explorer.exe as Windows Security 2011 blocks the program named MalwareBytes. If you can’t download files, try using another machine that’s not infected and saving the files to a flash drive or other storage device.
3. Download and Run RKILL to stop all background processes related to Windows Security 2011.
4. Launch MalwareBytes and run a (Full Scan) to remove infections.

These were completed.

However, the next step does not work:

5. Delete the file called “Hosts” in C:\Windows\System32\Drivers\etc\HOSTS and add the default Hosts file (below) for your operating system in C:\Windows\System32\Drivers\etc\

The existing hosts file was not modified. This is a new and improved Fedex redirect virus and uses a different method of redirection.

If I try housecall.trendmicro.com or similar, I am redirected to www.google.com. By what method would the redirection be done?
Tags: Web Browsers
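Step 5 of the procedure above is a manual hosts-file check, and the asker reports the file was unchanged. The script below is an added example (not from the thread, the techjaws article, or any tool named here) that automates that check: it parses a hosts file and flags entries that block or redirect security-vendor domains, plus any other hostname pinned to a non-loopback address. The Windows path is the one quoted in step 5; the watch list and the embedded sample hosts file are constructed for this example, with addresses taken from the RFC 5737 documentation ranges.

```python
"""Hosts-file triage for a browser-redirect infection.

Added example, not part of the thread or of any tool it names. It automates
the hosts-file inspection from step 5 of the removal procedure.
The path, watch list and sample file below are assumptions made for this example.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Path quoted in the thread's step 5 (Windows paths are case-insensitive).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\Drivers\etc\hosts"

# Constructed watch list: vendor domains the asker reported being redirected from.
WATCHED_DOMAINS = ("trendmicro.com", "microsoft.com", "eset.com")

# Constructed sample hosts file: the two default Windows entries plus the
# kinds of lines a redirect infection adds (RFC 5737 test addresses).
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
# constructed infection-style entries
127.0.0.1       housecall.trendmicro.com
198.51.100.7    www.microsoft.com update.microsoft.com
203.0.113.9     intranet.example
"""


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    ip: str
    hostname: str


def parse_hosts(text: str) -> list:
    """Return one HostsEntry per hostname on each 'ip host [host...]' line.

    Comments (# ...) and blank lines are ignored; a line whose first field
    is not an IP address is skipped rather than raising.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append(HostsEntry(line_no, fields[0], host.lower().rstrip(".")))
    return entries


def is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(entries) -> list:
    """Flag entries that block or redirect watched vendor domains, and any
    other hostname pinned to a non-loopback address (worth a manual look).
    """
    findings = []
    for entry in entries:
        addr = ipaddress.ip_address(entry.ip)
        pinned_away = not (addr.is_loopback or addr.is_unspecified)
        if entry.hostname == "localhost":
            continue
        if is_watched(entry.hostname):
            reason = (f"redirected to {entry.ip}" if pinned_away
                      else f"blocked (pinned to {entry.ip})")
            findings.append((entry, reason))
        elif pinned_away:
            findings.append((entry, f"review: pinned to {entry.ip}"))
    return findings


def main(argv):
    path = argv[1] if len(argv) > 1 else WINDOWS_HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using the constructed sample instead")
        text = SAMPLE_HOSTS
    findings = suspicious_entries(parse_hosts(text))
    if not findings:
        print(f"{path}: no suspicious entries")
    for entry, reason in findings:
        print(f"{path}:{entry.line_no}: {entry.hostname} -> {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the infected machine to read the Windows hosts file, or pass another path (on a machine without that file it falls back to the constructed sample). A clean result only rules out the hosts file: on Windows the same redirect can come from the per-adapter DNS server addresses (`ipconfig /all`), from a proxy or auto-configuration script set in Internet Options > Connections > LAN settings or visible via `netsh winhttp show proxy`, or from kernel-level hooks that a user-mode scan does not see, which is why the rootkit check suggested later in the thread belongs in the same triage.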

Last comment: techcodr, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
David Kroll

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Scott Thompson

Also, run TDSSKiller to check for rootkit infections, which are common for redirecting issues.
Robert Retzer

How about trying a system restore? Restore your computer to a time when you know the computer was working fine, before you got the virus. Doing a system restore will not cause you to lose any new data or documents you have created; it will just restore your computer to a time before the infection. A system restore may save a lot of time troubleshooting trying to remove the infection.

Obviously a system restore will not always work but it is worth a try.
techcodr

ASKER
Tried the system restore and could not complete it.
Ran Combofix. It did find and, I assume, fix the problem.
Ran TDSSKiller and it found nothing.
Do not see the redirection problem. Will run the 10-day Microsoft scan.
Robert Retzer

If the system cannot restore to an earlier time, it probably indicates that the virus may be preventing the system restore. You can try to fix the Windows issues by opening a DOS window. Click the Start button, click Run, type cmd... to get the DOS prompt.

Then you want to type "sfc /scannow" (do not type the quotation marks).
Running this command may or may not ask you to insert your Windows disc.
Scott Thompson

Can you upload the Combofix log? It should be in C:\
techcodr

ASKER
I also believe the virus prevented the system restore.
Microsoft msert found 5 infected files. Currently running Eset.
I believe the Combofix took out most of the infection. I'm not seeing the redirection. Before, I was redirected when trying to reach Trend Micro, Microsoft and Eset. However, since things are still being found, I am still running malware finders.

Here is the combofix.txt which I believe is the log that was requested.
Attachment: ComboFix.txt
SOLUTION
Scott Thompson

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
techcodr

ASKER
Eset found nothing. I assume that the problem is gone.

If I run as administrator and open a command prompt window, then run Combofix.exe, I get:

C:\Windows\system32>combofix.exe /uninstall
'combofix.exe' is not recognized as an internal or external command,
operable program or batch file.
Scott Thompson

You have to be in the directory of the Combofix executable for the command to work.
techcodr

ASKER
I cannot find combofix.exe by doing a search on the C drive. I do see the Qoobox folder but no executable.
Scott Thompson

Okay, if you just ran instead of saving Combofix, that can happen.  Just download Combofix again to a location you know.  Then run 'Combofix.exe /uninstall' from an elevated command prompt once in the proper location (i.e. C:\Users\(USER)\Desktop\>)
techcodr

ASKER
I get "Error opening file for writing":
C:\32788R22FWJFW\NirCmd.3XE
Scott Thompson

With running as Administrator?
techcodr

ASKER
Yes, I was running as administrator. However, I deleted combofix.exe, downloaded Combofix again and then was able to use combofix.exe /uninstall.