Skip to content

Virus / Trojan - Freddy35.exe

Featured Replies

Hello all,

Just receievd a phone call from my bro who lives in cumbria, some 180 miles from where i am. His problem is that he cant log onto the internet to view webpages or log onto messenger etc. The wireless connection to the router is fine and the DSL and Internet/Broadband light are both lit on the router. I have been through a fault process which has culminated in the conclusion that he has picked up this virus/trojan called freddy35.exe. :thumbdwn:

He currently runs AVG and after asking him to check his logs, resident shield has notified of a problem but it looks like this has been bypassed by the user at the computer at the time resulting in this infection.

I have asked him to turn of system restore and to do another scan with AVG but i doubt that AVG will be able to clear this infection. Other than go to another computer and download Malwarebytes and install and run it on his computer is there anything else that anyone could advise to help him out.

Cheers.

Edited by Guest

is there an obvious process to kill? have a look for a startup (Run, RunOnce, RunServices, or RunServicesOnce) entry in the registry?

Worth a punt and hopefully it will clean it out too

http://www.pandasoftware.es/activescan/activescan-com.asp

Manual remove instructions are here:

http://www.bleepingcomputer.com/startups/freddy35.exe-24658.html

http://www.threatexpert.com/files/freddy35.exe.html

I also suggest you find a clean PC and change all online passwords and banking login information etc as it's a backdoor which means people can run a keylogger etc on your machine.

is there an obvious process to kill? have a look for a startup (Run, RunOnce, RunServices, or RunServicesOnce) entry in the registry?

No obvious processes to kill at all. only got him to check through task manager though. not through the regedit as he would **** himself if i mentioned that.

Worth a punt and hopefully it will clean it out too

http://www.pandasoftware.es/activescan/activescan-com.asp

Manual remove instructions are here:

sysftray2 - freddy35.exe - Program Information

freddy35.exe | ThreatExpert statistics

I also suggest you find a clean PC and change all online passwords and banking login information etc as it's a backdoor which means people can run a keylogger etc on your machine.

Cheers for the links. Will check them out.

He's on his way to his sister in laws as we speak to change his on line passwords. I mentioned that he might have been best to do this as god knows what the trojan does.

Sorry, i just remembered, cant get on line to run an online virus scan so that rules them out.

Is his network connection wired or wireless?

Tell him to delete the file c:\windows\freddy35.exe

He might need to change the permissions to give him read/write/delete access but once that's gone then obviously it can't run any more. Just have to make sure it doesn't reinstall itself because it detects it's been deleted.

Once that has been disabled then you can worry about cleaning it up properly.

Also it might be the AV that has taken the networking down as it's seeing lots of iffy traffic.

Is his network connection wired or wireless?

Tell him to delete the file c:\windows\freddy35.exe

He might need to change the permissions to give him read/write/delete access but once that's gone then obviously it can't run any more. Just have to make sure it doesn't reinstall itself because it detects it's been deleted.

Once that has been disabled then you can worry about cleaning it up properly.

Also it might be the AV that has taken the networking down as it's seeing lots of iffy traffic.

Its a wireless network. The funny thing was that he managed to send me a "test" email yesterday and was able to logon to messenger but now he cant do that either. He's phoning once hes done the malwarebytes scan so will take it from there. As far as i can work out it appears to be rebuilding itself though.

Hmm that's not too hard to break.

Open the exe file in a text editor, remove some of the first few lines of data and replace it with similar amounts of characters such as aaaaaabbb etc.

Hopefully if you replace the same number of characters it won't notice the size difference and you could break the files header such that it fails to run. That way you'll get an error message, but the thing won't be running for a bit.

Hmm that's not too hard to break.

Open the exe file in a text editor, remove some of the first few lines of data and replace it with similar amounts of characters such as aaaaaabbb etc.

Hopefully if you replace the same number of characters it won't notice the size difference and you could break the files header such that it fails to run. That way you'll get an error message, but the thing won't be running for a bit.

Thank you for your help and suggestions. So basically what your saying is that even if it does regenerate itself the content of the file will/should be worthless?

My only concern is relaying all this to my bro. Will see what malwarebytes brings up and go from there. I also got him to download and install Hijack this so hopefully he will be able to email me the log.

Personally if he isn't sure of what he is doing, it's at this point I'd either want the PC or be suggesting the essential data and only the essentials, no tools, software/downloads etc, is backed up and a format and reinstall to be certain.

Personally if he isn't sure of what he is doing, it's at this point I'd either want the PC or be suggesting the essential data and only the essentials, no tools, software/downloads etc, is backed up and a format and reinstall to be certain.

TBH he's not sure. He always relies on myself to help out. Last time there was something wrong i did travel down to fix it for him. I fitted a spare sata drive the last time i was down and set this up to back up his files so it depends on whether he has carried on with the backup routine. I have already said worst case scenario( in my opinion sometimes the best case ) would be a complete format and reinstall. His computer came with a recovery disc so i am sure he could carry out that. It would then be the next day installing all the windows updates and programs that would pi$$ him off.

Ok further update.

He has installed and ran malwarebytes. It found three infections all related to freddy35.exe which are now in quarantine. After a reboot no freddy35.exe file is shown in the windows file. He can now send and receive emails but cant use display webpages using internet explorer or log onto messenger.

Unfortunately he doesnt have a full install cd, only a recovery cd so a repair is out of the question. Is there anything else that anyone could suggest before he goes down the line of recovering the OS back to 2003. :thumbdwn:

Has he got a product key sticker on the machine?

If so he could reinstall then rather than apply all the updates in time got and get the latest service pack:

Download details: Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers

Once he has installed that there will be many less updates to do to get it right up to date.

Yeah hes got a Fujitsu OEM product key.

The virus / trojan has gone but its obviously mucked up the internet settings ot TCP/IP settings. I was going to suggest using Firefox but it uses IE as its core so that wont work either, will it. Is there an easy way of resetting TCP/IP settings?

Yeah hes got a Fujitsu OEM product key.

The virus / trojan has gone but its obviously mucked up the internet settings ot TCP/IP settings. I was going to suggest using Firefox but it uses IE as its core so that wont work either, will it. Is there an easy way of resetting TCP/IP settings?

Firefox doesn't use IE at all, so you're wide of the mark there.

Worth giving FF a go, but I still think a complete from scratch format then reinstall from the rescue media is the way forward.

Firefox doesn't use IE at all, so you're wide of the mark there.

Worth giving FF a go, but I still think a complete from scratch format then reinstall from the rescue media is the way forward.

Ok mate, cheers i thought firefox used ie as its core. Thought i read that somewhere, i stand corrected.:thumbup:

Like you say i would prefer to do a complete restore but he doesnt want to go that route.

Since when does FF use IE as it's core? :confused:

Bets are the hosts file has been tampered with. Messenger also has it's own hosts file too.

Since when does FF use IE as it's core? :confused:

Bets are the hosts file has been tampered with. Messenger also has it's own hosts file too.

If i could shoot myself right now i would.:rofl: Got it way wrong.

Its looking like the hosts file. He can send receive email but cant view webpages or log onto messenger.

Now he can get onto messenger.

Delete the hosts file, and windows should re-create a nice empty one.

There will be around 3 hosts files. At least I have. Hosts, Hosts for messenger (Icalender acording to vista), Imhosts.

Once online, run an online scanner such as trend housecall to ensure you are clean. Most nasties disable the onboard security upon infection - so dont trust it!

Delete the hosts file, and windows should re-create a nice empty one.

There will be around 3 hosts files. At least I have. Hosts, Hosts for messenger (Icalender acording to vista), Imhosts.

Once online, run an online scanner such as trend housecall to ensure you are clean. Most nasties disable the onboard security upon infection - so dont trust it!

He's given up for the night. When you say delete the host file, do you mean the actual host file or its contents?

Either or should do.

take out the whole file, that way windows should create you a nice new one.

Will get him to try that tomorrow. Hopefully that will resolve the issue.

Guest
This topic is now closed to further replies.

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.