cryp_frdload


  • This topic is locked
28 replies to this topic

#1 Jihiro

Jihiro

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:05:56 PM

Posted 19 June 2009 - 12:22 PM

Hi everyone! I was hoping you all would be able to help me with a bit of a problem I've been having with Trend Micro PC-cillin. I keep getting an incident back called 'cryp_frdload' but it won't let me clean, quarantine or delete it. I have no idea what to do so I searched around for some help and found this place =P Any help would be appreciated, also, please keep in mind I'm rather computer illiterate ^_^;


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,270 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:56 PM

Posted 19 June 2009 - 03:59 PM

Hello and welcome, this looks like Trojan FakeAlert.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Jihiro

Posted 20 June 2009 - 04:03 AM

mmmkay so I've completed my first scan, however it told me that nothing at all was found. I'll supply the MBAM-log anyways, just in case, and also I'm gonna go ahead and do a Full Scan since you told me to just do a quick scan (you said to..err..keep all paths/directories/whatever they're called for scanning, but the quickscan option didn't give me such options, however a full scan DID ask me which places I want scanned.) I'll post the report from that too once it's done.

Also, thank you SOOO much for caring enough and actually trying to help me and stuff, it's greatly appreciated =)



Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 6.0.6001 Service Pack 1

6/20/2009 4:45:58 AM
mbam-log-2009-06-20 (04-45-58).txt

Scan type: Quick Scan
Objects scanned: 72942
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Jihiro, 20 June 2009 - 04:04 AM.


#4 Jihiro

Posted 20 June 2009 - 07:11 AM

Ok this is making no sense at all....even after a full scan it's coming back that my computer is completely clean, even tho I know from Trend Micro PC-cillin that there's something on there. Here's the results from the complete scan I did, even tho it appears to say the same stuff.

Any tips on what I should do next? =S

Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 6.0.6001 Service Pack 1

6/20/2009 8:06:11 AM
mbam-log-2009-06-20 (08-06-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 210405
Time elapsed: 1 hour(s), 8 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Jihiro

Posted 20 June 2009 - 07:14 AM

Oh, one more question: Was I supposed to buy the full version of that MBAM thing, or is the free version fine?

#6 boopme

Posted 20 June 2009 - 10:44 AM

Hello, no, we aren't requiring you to buy anything. When the TM scan finds this, where is it saying it is? Maybe write down what they are saying.

#7 Jihiro

Posted 20 June 2009 - 03:33 PM

it says: C:\Users\Jihiro\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUBHW4HI\A9installer_77o11804[1].exe

very little of that actually makes any sense to me ^_^;

#8 boopme

Posted 20 June 2009 - 08:37 PM

Ok. That file doesn't contain a reference to cryp_frdload. Did TM say that that file you posted was the infected file?
But this A9installer_77o11804[1].exe does appear to be malware... So let's try to find it.

Please run another FREE tool.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 20 June 2009 - 08:56 PM.

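The file Trend Micro flagged sat in the Internet Explorer cache (Temporary Internet Files\Content.IE5). As an added example that is not part of the original posts, this read-only Python sketch walks a cache folder and reports every file whose content is a Windows executable, whatever its extension; the function names and the stub files it builds (one reusing the file name from the thread) are constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}  # extensions that admit to being executables

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:  # locked or unreadable cache entry: skip it
        return False

def find_cached_executables(cache_root):
    """List every PE file under cache_root, judged by content rather than by name."""
    hits = []
    for p in sorted(Path(cache_root).rglob("*")):
        if p.is_file() and is_pe(p):
            hits.append({
                "name": p.name,
                "folder": p.parent.name,
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                # PE content behind a non-executable extension deserves a closer look
                "disguised": p.suffix.lower() not in EXEC_EXTS,
            })
    return hits

def build_sample_cache(root):
    """Constructed sample data: a fake Content.IE5 tree holding stub files, no real malware."""
    stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    samples = {
        "KUBHW4HI/A9installer_77o11804[1].exe": stub,  # file name from the thread, stub content
        "ABCD1234/banner[1].jpg": stub + b"\x90",      # constructed: PE behind an image name
        "ABCD1234/index[1].htm": b"<html></html>",     # constructed: ordinary cached page
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for hit in find_cached_executables(tmp):
            flag = "DISGUISED" if hit["disguised"] else "executable"
            print(f'{flag:10} {hit["folder"]}\\{hit["name"]} {hit["size"]}B {hit["sha256"][:16]}')
```

On a real machine, pass the Content.IE5 path to `find_cached_executables` instead of the temporary sample folder; the script only reads files and never deletes or runs them.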

#9 Jihiro

Posted 22 June 2009 - 03:05 PM

How do I get Windows Vista into safemode? What exactly is safe mode, anyways, and how important was that step? I went ahead and ran those things anyways, and the SAS came back with one hit, called Rogue. Internet Antivirus...which is SOMETHING, although it's not anywhere near the same name as the thing I came here about originally ^_^; Anywho, I quarantined it and I'll run Trend PC again in a bit to see if that other weird one pops up still or if it's gone. Results to follow this reboot! =P

#10 boopme

Posted 22 June 2009 - 03:24 PM

Ok, CRYP_FRDLOAD is a generic detection for a family of trojans that has the sole purpose of distributing rogue security programs. CRYP_FRDLOAD will display misleading alert messages and warnings, and do an automatic scan with a detection of false security threats.

Alias:

  • TROJ_FRAUD
  • TROJ_FAKEAV
  • TROJ_FAKEALERT


Here's all the on How to start Windows in Safe Mode


Windows Safe Mode is a way of booting up your Windows operating system in order to run administrative and diagnostic tasks on your installation. When you boot into Safe Mode the operating system only loads the bare minimum of software that is required for the operating system to work. This mode of operating is designed to let you troubleshoot and run diagnostics on your computer. Windows Safe Mode loads basic video drivers so your programs may look different than normal.

For Windows Vista

Using the F8 Method:

Restart your computer.
When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
Select the Safe Mode option using the arrow keys.
Then press the enter key on your keyboard to boot into Vista Safe Mode.
When Windows starts you will be at a typical logon screen. Log on to your computer and Vista will enter Safe Mode.
Do whatever tasks you require, and when you are done, reboot to go back into normal mode.


So you see you may have gotten it out. Only clean scans and no more symptoms will tell us.

Edited by boopme, 22 June 2009 - 03:26 PM.


#11 Jihiro

Posted 22 June 2009 - 03:28 PM

Here are the logs. Out of curiosity, is 126294 files scanned an unusually large amount for a computer? It sure sounds like a lot ^_^;

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2009 at 03:55 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 01:29:55

Memory items scanned : 571
Memory threats detected : 0
Registry items scanned : 5073
Registry threats detected : 0
File items scanned : 126294
File threats detected : 1

Rogue.Internet Antivirus
C:\Program Files\IA

#12 boopme

Posted 22 June 2009 - 03:36 PM

Less than the MBAM log.. I don't know how much ATF removed..
mbam-log-2009-06-20 (08-06-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 210405

How is the PC running now?

#13 Jihiro

Posted 22 June 2009 - 03:36 PM

Heh...that was the same method you gave for XP! If only I had been a bit more persistent when I tried the one time pressing f8 ^_^; But I wasn't sure what I was doing so I stopped lol

Anywho, I'll run the Trend Micro PC again and see what happens! (fingers crossed!) From what your last post says it seems the two are related, being fake anti spyware things. And come to think of it, I have had some weird alert-message-pop-up-ad-like things for a while now, I just thought they were normal popup ads or whatever and closed them.

#14 boopme

Posted 22 June 2009 - 03:42 PM

No problem.. If things still show up we still have other tools also.
BTW when weird things pop up... to help prevent executing the malware program do not click the close or the X in the top right corner of the box.
Instead, click CTRL+ALT+DEL. This opens the Task Manager. From there highlight the application name. Then click End Task.

#15 Jihiro

Posted 22 June 2009 - 03:43 PM

Mmm I don't remember the exact numbers ATF told me, but when I did the main scan thing it was in the 900's (I don't remember if it said KB or MB or whatever) and then when I did it again with the Firefox tab it said 600kb.

Also, my comp was never acting funny, at least that I noticed (and again, I stress, I'm not what you would call techno savvy lol) the only indication I had that anything was wrong was the 'cryp_frdload' showing up on Trend Micro PC and not being able to quarantine it or anything with that program.

So far no sign of the 'cryp_frdload' showing up in the scan, so I'll keep ya posted! Also, thanks again for helping me!



