fff5ee.com - how to remove?

[Bdbfamily]

Software (Excel, Word, Adobe, etc) will start, but no files will open.  Error lists that files have wrong extension.

Installed Malwarebytes premium and ran scan, but issue is still present.

Malwarebytes stopes fff5ee communication to website.

 

I've downloaded and run Farbar Recovery Scan Tool as recommended.

FRST.txt and Addition.txt are attached to this post as requested.

 

Looking for next steps to remove fff5ee.

 

Thank you for your help.

FRST.txt

Addition.txt

[LiquidTension]

Hello Bdbfamily, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. 
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
• Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page. 
   

======================================================

 

Unfortunately, your files have been encrypted by an infection called CryptoWall 2.0. Decryption of these files is not possible unless you pay a ransom (see DECRYPT_INSTRUCTION.TXT in your various different folders). 

 

Read this article for information.

 

Unless you have a back up of the encrypted files, recovery is unlikely. 

 

Have a read of the article, and let me know what you think. Please keep your machine disconnected from the Internet for the time being.

[Bdbfamily]

Thanks Adam.  This is Bradley.

I've read the article and it looks like deep trouble, unfortunately.  We're not interested in paying the ransom, so need to consider next steps to possible restore some files through (Shadow Volume Copies?) and then need to understand how to remove from computer permanently to allow future use of computer.

 

thanks,

Bradley

 

[LiquidTension]

Hi Bradley, 
 
CryptoWall deletes the Shadow Volume Copies, so I doubt this will work. However, it's still worth a shot. 
Follow the instructions here (under Using native Windows Previous Versions), and see if previous versions are listed. 
 
Lets now remove the malware present on your computer. 
 
STEP 1
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startHKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-1424047357-388906951-2307998156-1003\...\MountPoints2: {2efe6ee8-5558-11e3-9d13-a41f72763852} - F:\MotorolaDeviceManagerSetup.exe -aHKU\S-1-5-21-1424047357-388906951-2307998156-1003\...A8F59079A8D5}\localserver32:  <==== ATTENTION!HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONToolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No FileToolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File2014-11-06 22:29 - 2014-11-06 22:29 - 00008536 _____ () C:\Users\Baker Family\Downloads\DECRYPT_INSTRUCTION.HTML2014-11-06 22:29 - 2014-11-06 22:29 - 00004208 _____ () C:\Users\Baker Family\Downloads\DECRYPT_INSTRUCTION.TXT2014-11-06 22:29 - 2014-11-06 22:29 - 00000272 _____ () C:\Users\Baker Family\Downloads\INSTALL_TOR.URL2014-11-06 22:28 - 2014-11-06 22:28 - 00008536 _____ () C:\Users\Baker Family\Documents\DECRYPT_INSTRUCTION.HTML2014-11-06 22:28 - 2014-11-06 22:28 - 00004208 _____ () C:\Users\Baker Family\Documents\DECRYPT_INSTRUCTION.TXT2014-11-06 22:28 - 2014-11-06 22:28 - 00000272 _____ () C:\Users\Baker Family\Documents\INSTALL_TOR.URL2014-11-06 21:10 - 2014-11-06 21:10 - 00008536 _____ () C:\Users\Baker Family\AppData\Roaming\DECRYPT_INSTRUCTION.HTML2014-11-06 21:10 - 2014-11-06 21:10 - 00008536 _____ () C:\Users\Baker Family\AppData\DECRYPT_INSTRUCTION.HTML2014-11-06 21:10 - 2014-11-06 21:10 - 00004208 _____ () C:\Users\Baker Family\AppData\Roaming\DECRYPT_INSTRUCTION.TXT2014-11-06 21:10 - 2014-11-06 21:10 - 00004208 _____ () C:\Users\Baker Family\AppData\DECRYPT_INSTRUCTION.TXT2014-11-06 21:10 - 2014-11-06 21:10 - 00000272 _____ () C:\Users\Baker Family\AppData\Roaming\INSTALL_TOR.URL2014-11-06 21:10 - 2014-11-06 21:10 - 00000272 _____ () C:\Users\Baker Family\AppData\INSTALL_TOR.URL2014-11-06 21:09 - 2014-11-06 21:09 - 00008536 _____ () C:\Users\Baker Family\AppData\Local\DECRYPT_INSTRUCTION.HTML2014-11-06 21:09 - 2014-11-06 21:09 - 00004208 _____ () C:\Users\Baker Family\AppData\Local\DECRYPT_INSTRUCTION.TXT2014-11-06 21:09 - 2014-11-06 21:09 - 00000272 _____ () C:\Users\Baker Family\AppData\Local\INSTALL_TOR.URL2014-11-06 20:57 - 2014-11-06 20:57 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML2014-11-06 20:57 - 2014-11-06 20:57 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT2014-11-06 20:57 - 2014-11-06 20:57 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL2014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ___HD () C:\c7534892014-11-06 20:47 - 2014-11-07 09:51 - 00000000 ____D () C:\Users\Baker Family\AppData\Roaming\FrameworkUpdate72014-11-05 01:53 - 2014-11-06 20:46 - 00000000 ____D () C:\ProgramData\Windows Genuine AdvantageC:\Users\Baker Family\AppData\Local\Temp\avgnt.exeC:\Users\Baker Family\AppData\Local\Temp\MotoCast_Installer_2.0403.exeC:\Users\Baker Family\AppData\Local\Temp\ose00000.exeC:\Users\Baker Family\AppData\Local\Temp\SkypeSetup.exeC:\Users\Baker Family\AppData\Local\Temp\_is560A.exeC:\Users\Baker Family\AppData\Local\Temp\_isFD12.exeAlternateDataStreams: C:\ProgramData\Temp:C76EDAC3CMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
 Farbar Recovery Scan Tool (FRST) Search

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Type the following text into the Search: textbox:
  

  DECRYPT_INSTRUCTION.*;INSTALL_TOR.*

• Click on the Search File(s) button.
• Upon completion, a log (Search.txt) will be open, and saved in the same location as FRST.exe.  
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Fixlog.txt
• Search.txt

[Bdbfamily]

No Shadow Volume Copies were found.

Now in the middle of executing the following instructions in the "Click Fix"  portion.  It has been running for 5-10min with "Fixing is in progress. Please wait..." in dialog box.  Is this typical?  Just checking to be sure.  Thanks - Bradley

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

[LiquidTension]

You can close the programme if it's still running. 

 

Fixlog.txt should be present on your Desktop after you close the programme.

[Bdbfamily]

I've proceeded through your instructions and have the files below available.  However, IE won't start any longer (I'm on another computer making this post).  Avast gave me a message at the last reboot (after search.txt was completed, it asked for system reboot).  The message was something about an add-in for IE (some sort of flash? or other player? update).  I did not accept the proposal to remove anything.  Therefore, I can't insert the text files into this post.

• Fixlog.txt
• Search.txt

[LiquidTension]

Hello Bradley, 

 

What happens when you open Internet Explorer? 

Do you have a USB drive?

[Bdbfamily]

Thanks for your willingness to help.

I've decided to start over with this machine as time became an issue and most was backed up. Thanks again for your help.

[LiquidTension]

OK Bradley, thank you for letting me.

 

I will mark this topic for closure. 

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.