fff5ee.com infection

[deanorolls]

I'm having a similar issue to what others are posting today.  My Norton evidently expired today and I got this minutes before I renewed.  I've tried to download the FRST.exe (which I had to do from another computer because downloading is blocked).  Once I got it on the computer and run it it won't run and deletes the file (even if I renamed it).  It says I don't have permissions to run it (same message I get when trying to download files).  I've renewed Norton and am running a full scan now (and just finished saying no threats were found).  Malwarebytes is flashing the following sites/addresses as blocked.  fff5ee.com and 95.215.1.57

 

What can I do?

[LiquidTension]

Hello deanorolls, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. 
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
• Please backup important documents before proceeding with my instructions.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page. 
   

======================================================
 

What is your Operating System and bit-type? 

[deanorolls]

Hello Adam.  Windows 7 64 bit

 

I just read (on another post you authored) I need to disconnect and reinstall my PC.  True?

[LiquidTension]

Hello, 
 
Lets confirm what's on your system first. 
 
Please boot into Safe Mode, and attempt to run FRST there. 
 
 Boot into Safe Mode

• Restart your PC.
• As soon as the BIOS is loaded, begin repeatedly tapping the F8 key until the Advanced Options menu appears.  
• Using the arrow keys, select Safe Mode. 
• Press the Enter key.

[deanorolls]

That worked.  Files attached.  Thanks.

FRST.txt

Addition.txt

[LiquidTension]

Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data,using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

Please let me know how you wish to proceed, and if you have any questions.

[deanorolls]

OK.  I'll reformat and reinstall and reinstall my routers.

 

When pulling files from off the old infected PC (like word docs, excel files, etc.) are these infected in any way?  Or can I transfer them to the new machine and virus scan those files before using?

[LiquidTension]

Hello, 

 

The safest way to backup and transfer your files from your infected PC to your clean PC is by doing the following:

 

STEP 1
 Panda USB Vaccine

• Using a clean PC, please download Panda USB Vaccine and save the file to your Desktop.
• Double-click USBVaccineSetup.exe to install the programme.
• Read and accept the license agreement, then click Next.
• Upon completion of the setup, ensure Launch Panda USB Vaccine is checked and click Finish.
• Click the Vaccinate Computer button. It should now show a green checkmark and confirm Computer vaccinated. 
• Hold down the Shift key on your keyboard and insert your USB flash/external drive.
• When the name of the drive appears in the Panda USB Vaccine dialog box, click the Vaccinate USB drive(s) button.
• Exit the programme when done.

-- Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

 

Remove the USB drive from your clean PC. Hold the shift key of your infected PC and insert your USB drive. 

 

 

STEP 2
 Backup Data
The safest practice is not to backup any executable (.exe), screensavers (.scr), dynamic link library (.dll), autorun (.ini) or script (.php,.asp, .htm, .html, .xml) files because they may be infected by malware. You should also avoid backing up compressed (.zip, .cab, .rar) files that have executables inside as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may disguise itself by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name.

• Backing up documents, image, music and video files is fine.
• To repeat, do not backup up files with the following extensions:

.exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab

• Once you have decided which files you wish to backup, copy the files over to the USB drive. 

 

STEP 3

 MCShield

• Using your clean PC, please download the MCShield setup file. 
• Double-click MCShield-Setup.exe and follow the prompts to install the programme. 
• Launch the programme and wait for updates to download.
• Hold the shift key and insert your USB drive. 
• MCShield will scan your USB drive, and notify you if the drive is clean or not.
• Click the Logs tab to view a report. 
• Confirm no malware was found. 

 

Run a scan with your Anti-Virus. Ensure you select the option to scan external drives. Confirm no malware was found. Move your files from your USB drive to your clean PC's HDD. 

[LiquidTension]

Hello, 

 

Do you still require assistance?

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!