FlashTrack Adware

Brian

I'm having a problem removing FlashTrack Adware with MS
Antispyware. It finds the spyware and removes it;
however, the ads continue uninterrupted. Any suggestions
on how I can get rid of this?
 
Andre Da Costa

Try doing a deep scan in safe mode.

Restart in safe mode and do a deep scan. On the Scan Page choose Scan
Options > Full System Scan. Do this at
least two times until it detects something. Also, before you restart in safe
mode, disable System Restore; some trojans and spyware programs are likely
to restore themselves with system snapshots:

Right click My Computer > Properties > System Restore, check the "Disable
System Restore" check box and restart in safe mode.

Restart in safe mode instructions:
www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx

Remember, this is still beta and cannot be judged as a finished shipping
product. Continue to use additional third-party AntiSpyware utilities in
tandem with MSAS:
Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://www.intermute.com/products/cwshredder.html
Spy Sweeper - www.webroot.com
 
Monitor

Have you tried scanning with Microsoft Antispyware in safe
mode?

Please submit a Tools, suspected spyware report from the
infected machine!

Get HijackThis from

http://tomcoyote.org/hjt/hjt199//HijackThis.exe

and let it Scan your system and Save Log. (Save it where
you can find it again.) Then send the log to

Ron Kinner
(e-mail address removed)

He will tell you what to do next.
 
Andre Da Costa

It's also a browser helper object:
by Ron Chamberlin - how to possibly remove spyware and unwanted browser helper
objects in Windows, Internet Explorer with Microsoft AntiSpyware.

Boot into Safe Mode (F8) at Start Up;

Empty your temporary files AND your Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files folder;

Run the scan while in safe mode;

If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize.
 
Guest

I tried everything but the spyware is still there. I'll
send a log and see if there is something I have missed.
Thanks for your help!
 
Ron Kinner

Brian sent me his HijackThis log and we removed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"

in Safe Mode. That appears to have corrected his
problem. My understanding is that the last line
(flencpy.exe) is related to FlashTrack. The picsvr and
msvsvc lines are from Delfin_Promulgate see:

http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

or if it wraps:

http://tinyurl.com/43m7v

He now says:

"Here is the new log. I think it worked! I did not get
the normal warnings/block from MS Antispyware when I
loaded XP. What do you think? Also - thanks for the
help!!"

His new log was clean. Wish they were all that easy.

Ron Kinner
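
As an added example (not part of the original posts or of HijackThis itself): a small Python parser that rejoins HijackThis log entries wrapped by a mail or forum client, as happened to the log in the post above, and decodes the R0 start-page and O4 Run-key lines for review. The function names and the rejoin heuristic are assumptions of this example; the sample input is constructed from entries quoted in the post.

```python
import re

# Constructed sample: entries quoted in the post, wrapped the way the
# forum software wrapped them.
SAMPLE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.hotsheet.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32
\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common
Files\Java\flencpy.exe"
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # section code, body
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
START = re.compile(r"^(HK\w+)\\.*,Start Page = (.*)$")

def unwrap(text):
    """Rejoin entries that a mail or forum client wrapped across lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            # Heuristic (assumption): a continuation that starts with a
            # backslash was cut inside a path; otherwise at a space.
            entries[-1] += ("" if line.startswith("\\") else " ") + line
    return entries

def parse(text):
    """Return one dict per log entry with its section code and fields."""
    out = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # header or other non-entry text
        code, body = m.groups()
        rec = {"code": code, "raw": body, "kind": "other"}
        if code == "O4" and (r := RUN.match(body)):
            rec.update(kind="autorun", hive=r[1], key=r[2],
                       name=r[3], target=r[4].strip('"'))
        elif code in ("R0", "R1") and (s := START.match(body)):
            rec.update(kind="start_page", hive=s[1], target=s[2])
        out.append(rec)
    return out

def autoruns(text):
    """List (value name, executable path) for every O4 Run entry."""
    return [(r["name"], r["target"]) for r in parse(text) if r["kind"] == "autorun"]
```
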
 
Bill Sanderson

That's terrific. If I knew that he'd attempted to send in a Tools,
Suspected spyware report while the machine was still "dirty", I'd rate this
as perfect!
 
Andre Da Costa

Here are some removal instructions:
There is an automatic removal option for FlashTrack. Click Start > Settings >
Control Panel > Add/Remove Programs, find the entry for 'FTApp', 'flt' or
'FT remove', select it and click Remove to delete the program from your
computer.

To manually remove the program:

1. Unregister the component of the program.
Open a DOS command prompt window (Click Start > Run, type 'cmd' or
'command'), and enter the following commands:

for the FTApp variant:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\ftapp\ftapp.dll"

Or, for the Flt variant:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\flt\flt.dll"

Or, for the XMode variant:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Xmod\xm320.dll"
regsvr32 /u "C:\Program Files\Reg2\reg2.dll"

2. Restart the computer.
3. Remove the 'ftapp' or 'flt' folder in 'Program Files' on the C:\
drive.
For Xmode variant, remove the folder 'reg2' and 'XMode' in 'Program Files'
folder on the C:\ drive.

4. Open the registry editor (Start > Run, type 'regedit' and click Ok),
delete the following keys if they exist:

HKEY_LOCAL_MACHINE\Software\FTApp
HKEY_LOCAL_MACHINE\Software\flt