
fff5ee.com - how to remove?



Software (Excel, Word, Adobe, etc) will start, but no files will open.  Error lists that files have wrong extension.

Installed Malwarebytes premium and ran scan, but issue is still present.

Malwarebytes stops fff5ee communication to website.

 

I've downloaded and run Farbar Recovery Scan Tool as recommended.

FRST.txt and Addition.txt are attached to this post as requested.

 

Looking for next steps to remove fff5ee.

 

Thank you for your help.

FRST.txt

Addition.txt


Hello Bdbfamily, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not post logs using the CODEQUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the button at the top of the page.
     

======================================================

 

Unfortunately, your files have been encrypted by an infection called CryptoWall 2.0. Decryption of these files is not possible unless you pay a ransom (see DECRYPT_INSTRUCTION.TXT in your various different folders). 

 

Read this article for information.

 

Unless you have a back up of the encrypted files, recovery is unlikely. 

 

Have a read of the article, and let me know what you think. Please keep your machine disconnected from the Internet for the time being.


Thanks Adam.  This is Bradley.

I've read the article and it looks like deep trouble, unfortunately.  We're not interested in paying the ransom, so need to consider next steps to possibly restore some files through (Shadow Volume Copies?) and then need to understand how to remove from computer permanently to allow future use of computer.

 

thanks,

Bradley

 


Hi Bradley, 
 
CryptoWall deletes the Shadow Volume Copies, so I doubt this will work. However, it's still worth a shot. 
Follow the instructions here (under Using native Windows Previous Versions), and see if previous versions are listed. 
 
Let's now remove the malware present on your computer. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-1424047357-388906951-2307998156-1003\...\MountPoints2: {2efe6ee8-5558-11e3-9d13-a41f72763852} - F:\MotorolaDeviceManagerSetup.exe -a
    HKU\S-1-5-21-1424047357-388906951-2307998156-1003\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
    Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
    2014-11-06 22:29 - 2014-11-06 22:29 - 00008536 _____ () C:\Users\Baker Family\Downloads\DECRYPT_INSTRUCTION.HTML
    2014-11-06 22:29 - 2014-11-06 22:29 - 00004208 _____ () C:\Users\Baker Family\Downloads\DECRYPT_INSTRUCTION.TXT
    2014-11-06 22:29 - 2014-11-06 22:29 - 00000272 _____ () C:\Users\Baker Family\Downloads\INSTALL_TOR.URL
    2014-11-06 22:28 - 2014-11-06 22:28 - 00008536 _____ () C:\Users\Baker Family\Documents\DECRYPT_INSTRUCTION.HTML
    2014-11-06 22:28 - 2014-11-06 22:28 - 00004208 _____ () C:\Users\Baker Family\Documents\DECRYPT_INSTRUCTION.TXT
    2014-11-06 22:28 - 2014-11-06 22:28 - 00000272 _____ () C:\Users\Baker Family\Documents\INSTALL_TOR.URL
    2014-11-06 21:10 - 2014-11-06 21:10 - 00008536 _____ () C:\Users\Baker Family\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
    2014-11-06 21:10 - 2014-11-06 21:10 - 00008536 _____ () C:\Users\Baker Family\AppData\DECRYPT_INSTRUCTION.HTML
    2014-11-06 21:10 - 2014-11-06 21:10 - 00004208 _____ () C:\Users\Baker Family\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
    2014-11-06 21:10 - 2014-11-06 21:10 - 00004208 _____ () C:\Users\Baker Family\AppData\DECRYPT_INSTRUCTION.TXT
    2014-11-06 21:10 - 2014-11-06 21:10 - 00000272 _____ () C:\Users\Baker Family\AppData\Roaming\INSTALL_TOR.URL
    2014-11-06 21:10 - 2014-11-06 21:10 - 00000272 _____ () C:\Users\Baker Family\AppData\INSTALL_TOR.URL
    2014-11-06 21:09 - 2014-11-06 21:09 - 00008536 _____ () C:\Users\Baker Family\AppData\Local\DECRYPT_INSTRUCTION.HTML
    2014-11-06 21:09 - 2014-11-06 21:09 - 00004208 _____ () C:\Users\Baker Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
    2014-11-06 21:09 - 2014-11-06 21:09 - 00000272 _____ () C:\Users\Baker Family\AppData\Local\INSTALL_TOR.URL
    2014-11-06 20:57 - 2014-11-06 20:57 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
    2014-11-06 20:57 - 2014-11-06 20:57 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
    2014-11-06 20:57 - 2014-11-06 20:57 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
    2014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ___HD () C:\c753489
    2014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ____D () C:\Users\Baker Family\AppData\Roaming\FrameworkUpdate7
    2014-11-05 01:53 - 2014-11-06 20:46 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    C:\Users\Baker Family\AppData\Local\Temp\avgnt.exe
    C:\Users\Baker Family\AppData\Local\Temp\MotoCast_Installer_2.0403.exe
    C:\Users\Baker Family\AppData\Local\Temp\ose00000.exe
    C:\Users\Baker Family\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\Baker Family\AppData\Local\Temp\_is560A.exe
    C:\Users\Baker Family\AppData\Local\Temp\_isFD12.exe
    AlternateDataStreams: C:\ProgramData\Temp:C76EDAC3
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Farbar Recovery Scan Tool (FRST) Search

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Type the following text into the Search: textbox:
    DECRYPT_INSTRUCTION.*;INSTALL_TOR.*
  • Click on the Search File(s) button.
  • Upon completion, a log (Search.txt) will open, and be saved in the same location as FRST.exe.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • Search.txt
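The fixlist in the post above removes the ransom notes matched by the Step 2 search terms, along with a few folders whose timestamps fall just before the first note. As an added example (not part of the original thread and not an FRST feature), this Python code parses FRST-style file-listing lines to show when each folder received its first note and which other items were created or modified shortly before the first one; the line layout is inferred from the lines in this thread, and the function names and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from ntpath import basename, dirname

# Sample lines copied from the fixlist in the post above (subset).
SAMPLE = r"""
2014-11-06 22:29 - 2014-11-06 22:29 - 00008536 _____ () C:\Users\Baker Family\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-06 22:28 - 2014-11-06 22:28 - 00000272 _____ () C:\Users\Baker Family\Documents\INSTALL_TOR.URL
2014-11-06 21:09 - 2014-11-06 21:09 - 00004208 _____ () C:\Users\Baker Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-06 20:57 - 2014-11-06 20:57 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-06 20:57 - 2014-11-06 20:57 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ___HD () C:\c753489
2014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ____D () C:\Users\Baker Family\AppData\Roaming\FrameworkUpdate7
2014-11-05 01:53 - 2014-11-06 20:46 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
"""

NOTE_PATTERNS = ("DECRYPT_INSTRUCTION.*", "INSTALL_TOR.*")  # Step 2 search terms
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
                  r"(\d+) (\S+) \((.*?)\) (.+)$")  # layout assumed from this thread
FMT = "%Y-%m-%d %H:%M"

def parse(text):
    """Yield (created, modified, path) for each file-listing line; skip others."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m[1], FMT), datetime.strptime(m[2], FMT), m[6]

def is_note(path):
    name = basename(path).upper()
    return any(fnmatchcase(name, p) for p in NOTE_PATTERNS)

def timeline(text, window_minutes=30):
    """Return ([(folder, first note time)] oldest first, [items touched just before])."""
    rows = list(parse(text))
    folders = {}
    for created, _, path in rows:
        if is_note(path):
            d = dirname(path)
            folders[d] = min(created, folders.get(d, created))
    if not folders:
        return [], []
    first = min(folders.values())
    lo = first - timedelta(minutes=window_minutes)
    lead = [p for c, m, p in rows
            if not is_note(p) and any(lo <= t <= first for t in (c, m))]
    return sorted(folders.items(), key=lambda kv: kv[1]), lead
```

On the sample, the first note lands in C:\ProgramData at 20:57, and the three folders touched in the preceding half hour are the same three the fixlist removes.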

No Shadow Volume Copies were found.

Now in the middle of executing the following instructions in the "Click Fix"  portion.  It has been running for 5-10min with "Fixing is in progress. Please wait..." in dialog box.  Is this typical?  Just checking to be sure.  Thanks - Bradley

  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

I've proceeded through your instructions and have the files below available.  However, IE won't start any longer (I'm on another computer making this post).  Avast gave me a message at the last reboot (after search.txt was completed, it asked for system reboot).  The message was something about an add-in for IE (some sort of flash? or other player? update).  I did not accept the proposal to remove anything.  Therefore, I can't insert the text files into this post.

  • Fixlog.txt
  • Search.txt
This topic is now closed to further replies.