allentech.net


Parasite: FlashTrack

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

FlashTrack is adware from Flashpoint Media implemented as an Internet Explorer Browser Helper Object (BHO), monitoring web page URLs viewed and terms entered into forms on search engines.

Variants

FlashTrack/FTApp: original version, with the program files including ftapp.dll being written to C:\Program Files\FTApp (regardless of whether that’s the real Program Files folder).

FlashTrack/Flt: minor update, main filename flt.dll, stored in C:\Program Files\Flt instead.

FlashTrack/Flcp: minor update, main filename FLCP.dll, stored in C:\Program Files\Flcp. Not widespread.

FlashTrack/Reg2: an additional Browser Helper Object called Reg2.dll, stored in C:\Program Files\Reg2, using the same class ID as FlashTrack/Flcp. However, instead of opening pop-ups, it guards against removal of FlashTrack by reinstalling it (typically the Xmod variant) if it is removed.

FlashTrack/Xmod: update named xm320.dll, stored in C:\Program Files\Xmod. Sometimes supplied with FlashTrack/RegJ, another guard against removing the main software, this time implemented as a process called Jreg2b.exe, which runs at every startup and re-installs FlashTrack/Xmod if removed.

FlashTrack/XML: update named XML.DLL, stored in C:\Program Files\XML. Often supplied with FlashTrack/RegX, a guard process named Xcpy1.exe which re-installs FlashTrack/XML, and xclean.exe, run on the first reboot after installation to try to uninstall older FlashTrack variants.

FlashTrack/Fen: update named Fen.dll, stored in C:\Program Files\Fen. Often supplied with FlashTrack/RegFe, a guard process named fecpy.exe which re-installs FlashTrack/Fen, and fclean.exe, run on the first reboot after installation to try to uninstall older FlashTrack variants.

Other programs in the Common Files\Java directory may be similar guard and cleaner processes for the BroadcastPC parasite.

Despite the efforts of the ‘clean’ processes it is not uncommon to have multiple FlashTrack variants installed at once.

Also known as

The XML and Fen variants masquerade as ‘Flash Extender’, ‘Flash Enhancer’ and ‘XML Extender’.

The RegX variant is misdetected by Trend anti-virus as Troj_RVP (through confusion with the BroadcastPC parasite, which can install it).

Distribution

Silently installed by the iMesh and Overnet file-sharing programs, the AutoStartup parasite, and the BroadcastPC parasite, which is also distributed and controlled by Flashpoint. May also be installed by software downloaded from soft-aware.com and downaload.com (sites also run by Flashpoint). Installed without any notice by software from ‘PinPrickMedia’ (formerly pinprickmedia.com), which is Flashpoint too. PinPrick software includes [Cable] Modem Speedup, LimeWire Speedup, Morpheus Speedup, Morpheus/Kazaa Hancers, MP3 Filez Filter, Wiz Solitaire and P2P Identity Secure.

What it does

Advertising

Yes. The software maintains a list of targeted site URLs, URL keywords and search terms. Upon a match a predetermined advert will open in a pop-up/pop-under window.

Privacy violation

Yes. Passes the targeted term (the complete URL including query string in the case of URL targeting) to its servers when requesting an advert, along with a unique ID that would allow web usage to be tracked.

Security issues

Yes. Can silently download and execute arbitrary unsigned code as directed by its controlling server a.flashpoint.bm. Typically used to install BroadcastPC.

Stability problems

Reported browser crashes in the Flt variant, particularly after monitored form submissions.

Removal

There may be an entry for ‘FTApp’, ‘flt’, ‘FlashTrack Uninstall’ or ‘FT remove’ in the Add/Remove Programs tool in the Control Panel. Even when provided, this is not always effective (never, in the older variants); other variants have no uninstaller.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for the FTApp variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\FTApp\ftapp.dll"

Or, for the Flt variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\flt\flt.dll"

Or, for the Flcp variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Flcp\FLCP.dll"

Or, for the Reg2 variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Reg2\Reg2.dll"

Or, for the XMod variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Xmod\xm320.dll"

Or, for the XML variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\XML\XML.dll"

Or, for the Fen variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Fen\Fen.dll"

For the RegJ, RegX and RegFe variants: open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the entry ‘Jreg’ pointing to ‘Jreg2b.exe’ (RegJ variant), ‘Xcpy1’ pointing to ‘Xcpy1.exe’ (RegX variant) or ‘FeCPY’ pointing to ‘fecpy1.exe’ (RegFe variant). Also check the RunOnce subkey; if this is a new installation you may find an entry called ‘t’ pointing at xclean.exe (RegX variant) or fclean.exe (RegFe variant). If so, delete this too.

Restart the computer immediately and you should then be able to remove the ‘FTApp’, ‘flt’, ‘Flcp’, ‘Xmod’, ‘XML’ or ‘Reg2’ folder in ‘Program Files’ on the C drive, and, in the RegJ and RegX variants, the ‘Java’ folder inside ‘Common Files’.

You can also open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software. Delete the subkeys ‘flt’, ‘FTApp’, ‘Flcp’, ‘XML’, ‘fen’, ‘Netfilter’ (Xmod variant) or ‘Persistent Bytes’ (Reg2 variant) to clean up if you like.
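As an added example, not part of Andrew Clover's record or the Allen Technologies site, the Python script below applies the indicators listed above to a registry export saved from regedit (File -> Export). It parses the .reg text, looks for the Run entries (Jreg, Xcpy1, FeCPY), the RunOnce 't' cleaner entry (xclean.exe / fclean.exe) and the leftover subkeys under HKEY_LOCAL_MACHINE\Software, and reports which FlashTrack variants they indicate. The export embedded in it is constructed for the demonstration, not captured from an infected machine, and the Common Files\Java location of Xcpy1.exe in that sample is an assumption.

```python
"""Triage a Windows registry export (.reg) for FlashTrack persistence indicators."""
import re

# Indicator tables taken from the FlashTrack record (all matching is case-insensitive).
# Run value name -> (variant, substring of the executable it should point to)
RUN_GUARDS = {"jreg": ("RegJ", "jreg2b"), "xcpy1": ("RegX", "xcpy1"), "fecpy": ("RegFe", "fecpy")}
# RunOnce cleaner executables -> variant that ships them
RUNONCE_CLEANERS = {"xclean.exe": "RegX", "fclean.exe": "RegFe"}
# Leftover subkeys under HKLM\Software -> variant that creates them
SOFTWARE_SUBKEYS = {"flt": "Flt", "ftapp": "FTApp", "flcp": "Flcp", "xml": "XML",
                    "fen": "Fen", "netfilter": "Xmod", "persistent bytes": "Reg2"}

SOFTWARE_KEY = r"hkey_local_machine\software"
RUN_KEY = SOFTWARE_KEY + r"\microsoft\windows\currentversion\run"
RUNONCE_KEY = RUN_KEY + "once"

# One .reg value line: "name"=data  or  @=data (default value)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only the line shapes needed for this triage are handled: [key] headers and
    single-line "name"="string" values. Other value types (dword:, hex:) are kept
    as raw text and multi-line hex continuations are ignored.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})   # a key with no values is still recorded
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        name = "" if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_flashtrack(keys):
    """Return sorted (variant, evidence) tuples for every FlashTrack indicator present."""
    findings = []
    by_lower = {path.lower(): values for path, values in keys.items()}
    # Guard processes registered to run at every startup
    for name, data in by_lower.get(RUN_KEY, {}).items():
        guard = RUN_GUARDS.get(name.lower())
        if guard and guard[1] in data.lower():
            findings.append((guard[0], f"Run value '{name}' -> {data}"))
    # Cleaner processes queued for the first reboot after installation
    for name, data in by_lower.get(RUNONCE_KEY, {}).items():
        for exe, variant in RUNONCE_CLEANERS.items():
            if exe in data.lower():
                findings.append((variant, f"RunOnce value '{name}' -> {data}"))
    # Configuration subkeys left directly under HKLM\Software
    for path in keys:
        parent, _, leaf = path.rpartition("\\")
        if parent.lower() == SOFTWARE_KEY and leaf.lower() in SOFTWARE_SUBKEYS:
            findings.append((SOFTWARE_SUBKEYS[leaf.lower()], f"leftover key {path}"))
    return sorted(findings)


def variants_present(text):
    """Variant names indicated by a .reg export, sorted and de-duplicated."""
    return sorted({variant for variant, _ in find_flashtrack(parse_reg_export(text))})


# Constructed sample export (not from a real machine): one benign Run value plus a
# RegX guard, its RunOnce cleaner, and leftover XML and Xmod subkeys.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Xcpy1"="C:\\Program Files\\Common Files\\Java\\Xcpy1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"t"="C:\\Program Files\\XML\\xclean.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\XML]

[HKEY_LOCAL_MACHINE\SOFTWARE\Netfilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"""

if __name__ == "__main__":
    for variant, evidence in find_flashtrack(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{variant:6} {evidence}")
```

To run it against a real export, pass the file's contents to parse_reg_export; note that regedit 5.00 writes exports as UTF-16, so open the file with encoding="utf-16". A hit on a Run or RunOnce entry means a guard or cleaner process is still registered and the regsvr32 /u and folder-deletion steps above will be undone at the next startup unless that entry is removed first; a hit only on a leftover HKEY_LOCAL_MACHINE\Software subkey is residue from an earlier, otherwise-removed variant.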

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
