
Infected with Foster Parent


2 replies to this topic

#1 rizza


  • Members
  • 1 posts

Posted 13 May 2011 - 08:31 AM

I've encountered this "End Program - Foster Parent" just today (I only use my laptop on weekends, but relatives use it on weekdays). It's my practice to try to search the net when I find something I am not familiar with on my laptop. So, I found out that this is some kind of virus that is not recognized by most anti-virus programs. Most of the links I found had no solution for this, until I found this post: http://www.bleepingcomputer.com/forums/topic286119.html. It gave me hope that I would not have to reformat my laptop to remove the "Foster Parent" infection. So, I would like to ask for your help in removing it.

OS: Windows XP SP2
A/V: Kaspersky Anti-virus 2011 (updated to latest)

I took the liberty of executing step 1 which is to run DDS.scr. I only put the contents of DDS.txt. Just inform me if I need to attach the Attach.txt.
Here's the output I got:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by cutebluangel at 21:19:35.15 on Fri 05/13/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2558 [GMT 8:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Progs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSP\fspuip.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\sttray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Progs\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\cutebluangel\Local Settings\Application Data\RockMelt\Update\1.2.189.1\RockMeltCrashHandler.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Progs\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\cutebluangel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cutebluangel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\cutebluangel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\cutebluangel\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\progs\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\progs\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Messenger (Yahoo!)] "c:\progs\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [RockMelt Update] "c:\documents and settings\cutebluangel\local settings\application data\rockmelt\update\RockMeltUpdate.exe" /c
uRun: [Google Update] "c:\documents and settings\cutebluangel\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [fspuip] "c:\program files\fsp\fspuip.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVP] "c:\progs\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SearchSettings] "c:\program files\youtube downloader toolbar\SearchSettings.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\cutebl~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\progs\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progs\micros~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\progs\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\progs\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progs\micros~1\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\progs\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progs\kasper~1\kasper~1\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\cutebl~1\applic~1\mozilla\firefox\profiles\8u67jacc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=10148&l=dis
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\progs\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\progs\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\cutebluangel\application data\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\documents and settings\cutebluangel\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\cutebluangel\local settings\application data\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dll
FF - plugin: c:\documents and settings\cutebluangel\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\progs\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\progs\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\progs\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\progs\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\progs\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\progs\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\progs\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\progs\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\progs\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\progs\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;Kl1;c:\windows\system32\drivers\kl1.sys [2010-5-7 132184]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-8-28 477784]
R3 fspad_xp32;AVC Finger-sensing Pad Driver for Windows 2000/XP/Vista_xp32;c:\windows\system32\drivers\fspad_xp32.sys [2010-8-28 23552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S1 kl2;Kl2;c:\windows\system32\drivers\kl2.sys [2010-5-7 132184]
S2 Application Updater;Application Updater;"c:\program files\application updater\applicationupdater.exe" --> c:\program files\application updater\ApplicationUpdater.exe [?]
S2 AVP;Kaspersky Anti-Virus Service;c:\progs\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-5-7 344736]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena messenger\apps\go kart ph\releasephysx27\safedrv.sys --> c:\program files\garena messenger\apps\go kart ph\releasephysx27\safedrv.sys [?]
S3 NetHook_ControlCenter;ArtOfPing ControlCenter;c:\progs\pingfu iris\ControlCenter.sys [2008-2-11 74752]
S3 NetHook_Interceptor;ArtOfPing TDI Interceptor;c:\progs\pingfu iris\Interceptor.sys [2008-3-23 40448]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva369;XDva369;\??\c:\windows\system32\xdva369.sys --> c:\windows\system32\XDva369.sys [?]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2011-05-12 14:21:36 -------- d-----w- c:\docume~1\cutebl~1\applic~1\Camfrog
2011-05-12 14:21:33 -------- d-----w- c:\docume~1\cutebl~1\locals~1\applic~1\CrashRpt
2011-05-12 14:21:01 -------- d-----w- c:\program files\Camfrog
2011-05-11 06:23:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Eltima Software
2011-05-04 17:05:46 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-04 17:05:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-05-04 17:05:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-05-04 14:04:09 -------- d-----w- c:\windows\system32\Adobe
2011-04-28 09:48:28 -------- d-----w- c:\program files\Veoh Networks
2011-04-23 10:54:38 -------- d-----w- C:\AV_LOGS
2011-04-23 10:54:06 -------- d-----w- c:\docume~1\cutebl~1\applic~1\Avnex
2011-04-22 08:55:42 -------- d-----w- c:\docume~1\cutebl~1\applic~1\SynthMaker
2011-04-22 08:53:37 -------- d-----w- c:\docume~1\cutebl~1\applic~1\Acoustica
2011-04-22 08:53:36 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2011-04-22 08:16:39 348160 ----a-w- c:\windows\system32\~GLH0001.TMP
2011-04-22 08:13:11 -------- d-----w- c:\docume~1\cutebl~1\applic~1\GetRightToGo
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-04-20 16:54:04 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-04-20 16:53:06 -------- d-----w- c:\docume~1\cutebl~1\locals~1\applic~1\Apple
2011-04-20 16:52:50 -------- d-----w- c:\docume~1\cutebl~1\locals~1\applic~1\Apple Computer
.
==================== Find3M ====================
.
.
============= FINISH: 21:20:04.43 ===============
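As an added illustration (not part of rizza's post and not code from the DDS tool), here is a small Python triage pass over the kinds of entries that appear in the log above: it flags the disabled AV and firewall, the toolbar entry that points at "No File", the AppInit_DLLs hook, and any driver entry DDS could not verify ("[?]"). The sample lines are copied from the log above; the severity labels are my own assumption, and anything flagged still needs a human to decide whether it is legitimate software.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log above.
SAMPLE_LOG = """\
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
AppInit_DLLs: c:\\progs\\kasper~1\\kasper~1\\mzvkbd3.dll
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=10148&l=dis
R1 KLIF;Kaspersky Lab Driver;c:\\windows\\system32\\drivers\\klif.sys [2010-8-28 477784]
S3 XDva369;XDva369;\\??\\c:\\windows\\system32\\xdva369.sys --> c:\\windows\\system32\\XDva369.sys [?]
"""

# DDS service/driver line: "<R|S><start type> <name>;<description>;<path> [date size]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def triage_dds(text):
    """Return a list of (severity, reason, line) findings for a DDS log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # A security product reported as disabled means no real-time protection.
        if line[:3] in ("AV:", "FW:") and "*Disabled" in line:
            findings.append(("high", "security product disabled", line))
        # Registry entries pointing at a missing file are leftovers or tampering.
        elif line.endswith("- No File"):
            findings.append(("medium", "registry entry points to missing file", line))
        # AppInit_DLLs is loaded into every user-mode process; always review it.
        elif line.startswith("AppInit_DLLs:"):
            findings.append(("medium", "AppInit_DLLs is set", line))
        # A changed homepage is a common sign of a bundled toolbar or hijacker.
        elif "browser.startup.homepage" in line or line.startswith("uStart Page"):
            findings.append(("low", "browser homepage set; verify the user chose it", line))
        else:
            m = DRIVER_RE.match(line)
            # "[?]" means DDS could not stat the driver file on disk; game
            # anti-cheat drivers and rootkits both commonly show up this way.
            if m and m.group(4).endswith("[?]"):
                name = m.group(2)
                findings.append(("medium", "driver file unverifiable (%s)" % name, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_dds(SAMPLE_LOG):
        print("[%s] %s: %s" % (severity.upper(), reason, line))
```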

#2 Shannon2012


  • Security Colleague
  • 3,657 posts

Posted 24 May 2011 - 05:44 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Shannon2012


  • Security Colleague
  • 3,657 posts

Posted 31 May 2011 - 08:51 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Shannon



