
Foster Parent


11 replies to this topic

#1 wakkoguy

wakkoguy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 20 August 2005 - 10:20 PM

Recently, when I have been shutting down my computer, an end program screen for something called foster parent comes up. What is this?



#2 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:07:14 AM

Posted 21 August 2005 - 10:34 AM

Hello wakkoguy and welcome to BC.

That's a new one. What is your operating system?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 AndersM

AndersM

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 13 January 2006 - 06:54 PM

Hi Leurgy!
I don't know about wakkoguy but I'm experiencing the same behavior with W2000.
Any idea?

#4 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:07:14 AM

Posted 14 January 2006 - 11:23 AM

Is it listed in Add/Remove programs? Do you have access to a 98 or XP machine?



#5 Succubus

Succubus

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 07 October 2006 - 08:26 AM

I want to revive this thread because I was "infected" with Foster Parent until today on my own computer. I run XPsp2.

The program is NOT visible on Add/Remove Programs; it can't be found by searching your system (not hidden files, not anything) for "foster", "parent", "fp" or any combination thereof; it doesn't show up on any startups lists nor in the task manager. No antivirus or malware cleaner will detect it - NONE. I have them all.

Pretty much the only place it exists is in your registry.

Run regedit and navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars. Look through there for an entry where the data reads "foster parent". Delete that entry.

Or just search your entire registry for the word "foster"; that'll turn it up too.
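
The registry check described in post #5, as an added read-only PowerShell example that is not part of the original post: it lists values under the Explorer Bars key whose name or data contain the search term, without deleting anything. The function name `Find-RegistryText` and its parameters are hypothetical, introduced here for illustration.

```powershell
# Read-only search of a registry key and its subkeys for a text fragment.
# Nothing is modified or deleted; review the output before changing anything.
$root = 'HKCU:\Software\Microsoft\Internet Explorer\Explorer Bars'  # key named in the post
$term = 'foster'                                                    # search term from the post

function Find-RegistryText {   # hypothetical helper, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Term
    )
    $pattern = [regex]::Escape($Term)
    # The key itself plus every subkey beneath it; unreadable subkeys are skipped.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($data -is [byte[]]) {
                # REG_BINARY: decode as UTF-16LE so text stored in binary values is searched too.
                $text = [System.Text.Encoding]::Unicode.GetString($data)
            } else {
                # REG_SZ / REG_DWORD / REG_MULTI_SZ: flatten to a single string.
                $text = ($data | Out-String).Trim()
            }
            # -match is case-insensitive, so "Foster Parent" and "foster parent" both hit.
            if ($name -match $pattern -or $text -match $pattern) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($name) { $name } else { '(Default)' }
                    Kind  = $key.GetValueKind($name)
                    Data  = $text
                }
            }
        }
    }
}

if (Test-Path -LiteralPath $root) {
    Find-RegistryText -Path $root -Term $term | Format-List
} else {
    "Key not present: $root"
}
```

Passing `-Path 'HKCU:\'` widens this to the whole current-user hive, which corresponds to the post's alternative of searching the entire registry for "foster"; exporting the key with `reg export` before removing any entry keeps a copy to restore from.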

#6 merel

merel

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 28 April 2007 - 09:20 AM

Hi there!
This week I also noticed this Foster Parent thing on my computer; indeed, I saw it before shutting it down.
I looked through the registry as explained, but I couldn't find anything about this thing!
Is there anything to do about it?

WinXP

#7 cezovski

cezovski

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 07 April 2009 - 02:55 AM

I have this too and it's NOT in the registry, either!
Norton antivirus does not catch it.
RegCure does not do anything.

I can always tell when it's going to show up 'cause everything pretty much freezes. I can't open webpages, etc. This happens about once an hour and I have to restart my computer each time.

I have come to the conclusion that all I can do is reformat my machine.

#8 burn1337

burn1337

  • Banned
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:14 AM

Posted 07 April 2009 - 04:07 AM

Best thing I could offer for you guys... If the program is appearing non-existent, or is not in the same place for one computer as it is with another... I would suggest getting yourself a Live Linux CD... Get a Linux anti-virus, (I have come to really enjoy Avast's Linux version)... and while running the live Linux, scan with the AV... If this doesn't find it, then I would suggest trying to find it yourself using Linux...
This Foster Parent seems to be a polymorphic, and probably has the capabilities of hiding and cloaking (apparently), which would also indicate, that either it is able to bypass an AV scan as it is running, or there is no support against it yet...

Also if you do not want to try the Linux scan, you could also try a boot scan...

#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:14 AM

Posted 07 April 2009 - 11:03 AM

Since this has been happening for three and a half years at least and scanners still aren't finding it, there is a small likelihood that any scanner has definitions for it. Possibly it's a rare malware that has yet to be analyzed, but there are other possibilities as well. May be that it is some obscure parental control software--could be both as malware like PurityScan purports to be parental control software--problem is, for legal reasons, most security vendors will keep away from including such software in definitions if it has any hint of being legit.

cezovski, are you the only person that has ever used this computer? Is it possible that someone else who has access or owns it is restricting your usage of it?

You've already posted about this and received advice here:
http://www.bleepingcomputer.com/forums/t/216363/foster-parent-virusspyware/

"I have come to the conclusion that all I can do is reformat my machine."

You can do that if you want, but as tork posted in your other thread, if you allow us to investigate by posting to the malware removal forum, we might be able to figure out what is going on and fix it for you. That is what it is there for--when your security scanners based on definitions fail, we look for hiding places and determine what definitions should be if it's determined that you have newly discovered malware--and it helps others with the same problem. So please follow instructions in the following thread--reformatting is a last resort:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

When you have posted your logs in the malware removal forum, please post a link to it back here in this thread and I will have a look.

"RegCure does not do anything."

If it is any kind of active software, RegCure or any other reg cleaner is not going to help you with it. They are designed mainly to look for orphaned reg entries. If it's active then it's not an orphan and they won't find it. Reg cleaners in general cause more problems than they cure.

"This Foster Parent seems to be a polymorphic..."

There is no hard evidence yet that it is even malware, much less that it's polymorphic. Log data in the malware removal forum shows many hiding places and other techniques used by malware, whether it is polymorphic or not.

The thing about people

is they change

when they walk away.--Mipso


#10 burn1337

burn1337

  • Banned
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:14 AM

Posted 07 April 2009 - 06:12 PM

Papakid - I never once said it was Malware... And I never once said that it is polymorphic, just said it seems to be... Scanning in Linux, or running a boot scan could help...

#11 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:14 AM

Posted 07 April 2009 - 08:41 PM

And I didn't say that you did. I said and still say there is not enough hard evidence to support even the supposition that it is polymorphic.

Let's say hypothetically that it is malware that the scanners aren't finding. Are you basing your supposition on the fact that one previous poster found a reg entry and another didn't? There could be many much more mundane reasons for that, such as human error. Or is it because the responsible files/reg entries can't be found by the previous posters? Still nothing to indicate polymorphism--several techniques can be used that are beyond the skill of the average user, including rootkits and hooking into Winlogon so that the malware runs before the user logs on. Also a polymorphic malware might not even be hidden. There are just not enough details and hard data about this whole situation, in this thread or on the internet as a whole. Which makes any comments, by you or by me, pure speculation.

I would like the opportunity to look at some details and try to get to the bottom of the situation. It might not work either, but running more scanners won't make us any better informed one way or another either.

All we're doing here is removing software and that boils down to finding the files to delete and reg entries to keep it from starting up. We use several enumerators and scanners to do that and various techniques to remove that most people don't know about.

Among the community of malware fighters, I have never heard of using Linux to remove malware. I'm open to new ideas, so could you expand on that, please? Even though I think it's because we found ways to find and remove without Linux. On first glance it looks to me like using Avast for Linux is insane. But I am ignorant about Linux and am assuming that that program is only to be used when you have Linux installed and that it will only scan a Linux partition. Are you saying that it could be used to scan an entire hard drive, Windows system files and all? What about removal? Let me back up a bit and say, now that I think about it--there was talk of using Linux in some way when the Gromozon rootkit came out. But that was discarded--if I remember correctly, because it was hard to find Linux that would write to NTFS volumes, and the one that was tried that did made critical errors. But don't quote me on that. And eventually another method of removal was found. But the point is that I would have concerns that, even if Linux did find malware installed on Windows, can it remove it? Have you run any tests and documented the results? Please share your experiences with us.

I could see booting from a disk so that Windows isn't running, but why not a Windows based one? If I don't know how to go about anything that you're suggesting, then the average point and click Windows user won't either. It takes some time to learn even the basics of Linux and most people want their problem solved yesterday. One of the basic skills malware removal specialists are taught in training is communication. To give detailed instructions so that even the most clueless can muddle thru them. I would think detailed instructions for your Linux idea would be pretty involved--but if you want to be helpful, that is what it takes--dealing with details.



#12 burn1337

burn1337

  • Banned
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:14 AM

Posted 07 April 2009 - 09:17 PM

I apologize for not being very in depth with detail... With the years I have put in, with computers, and everything I have done with computers... I do tend to overlook a lot of the details that some people or most people may not know...

But as for it being hard to find a Linux OS that can write to NTFS, well to be honest with you, I would really like to know where you found that?... Even 5 years ago when I was in college taking Linux classes, we had to learn to mount devices, hard drives etc... Those including NTFS... I have never had a problem with writing data to an NTFS format, whilst using an ext3 format... We also had to learn how to do dual boots, using NTFS and Windows XP, and including manipulating data on the NTFS format... (btw if I remember correctly, with most distributions, you would have to choose to not install the support with the OS installation..)

No offense to you and your malware fighters communities... But I am not one who has just been in the position of malware fighting... The first virus I have ever written was when I was 13, also 3 years before I started college... Though I have not infected others with my programs, I have taken more than just a look at what these writers have to be thinking, or doing, and so on and so forth to cause these effects/affects, also how to keep the program from being caught, etc. etc... Though I have not been into the mix in quite some time now... I still understand the flow of things, and what needs to be done, what should be done etc... So the things you may see from me, or hear from me, will not always be common practice... I understand what it takes to hack into a computer, I understand what it takes to hack into corporation computers... I understand how to protect from more than just sophisticated programs, I know how to protect against techniques you have probably never heard of, or even seen of (just so you know I mean no disrespect, just saying is all)... If I wanted to build my own firewall, or IPS, or IDS, I could almost say it would be unhackable... I say almost cause there is nothing that is unhackable, nor will there ever be anything that is unhackable... But I have chosen to wait till I review the C/C++ languages, as for it has been a while since I have dabbled in it much, and I also want to wait till I learn assembly...


I suggest the boot scan, or Linux scan, because if the program in question has been caught before, and is supported through AV/AS; in my opinion, those are the easiest ways to find out... and plus, Avast for Linux does not need to be installed to scan... Once you unpack it, you can run it... I have solved a lot of problems with using Linux to scan, or even manually go through the drive and remove discrepancies... Rather I use a Live CD, or I mount the hard drive to one of my boxes, and scan it from there... Though I do have to say that I am sorry that I have not documented any of it... But if you would like, I am sure one of the many Linux books through Thomson, could probably help you find some documentation for doing so...

Also if I remember correctly the only thing really that is windows based that you can run a boot disk, are in no way any where near as powerful as even Knoppix 1.0...

And as for my estimation on it being a polymorphic, is pretty simple, for a program to be fairly wide in infections... And this is a program that has been in the mix for a few years (as I believe someone said)... Then either this program needs to be found before it has a chance to boot up, or it is most likely a very sophisticated polymorphic program, although you are right, and I could be wrong, but with the things I have seen, it seems like a sophisticated program, even if it can be found by AV/AS, it is at least a good one...



