# I'm at my wit's end. (Free Scratch Cards)



## BioStormX (Oct 18, 2002)

EVERY time I start up my computer, I get an offer to Install Free Scratch Cards. I always click help, then exit, since there is no direct exit button.

I've tried the latest Ad-Aware, AND the latest SpyBot S&D, but it still comes up. Here is my startuplist thing... I'd appreciate any help... thanks.

StartupList report, 3/31/03, 12:04:30 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WSFWBBSB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
wkrdtype = C:\WINDOWS\SYSTEM\wkrdtype.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
SchedulingAgent = mstask.exe
LicCtrl = runservice.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = %1 %*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 30/3/2003, 23:29:30)

[Rename]
NUL=c:\windows\application data\rvlbd.lib
NUL=c:\windows\application data\qeaeejmx.exe
NUL=c:\windows\application data\aybwarn.htm
NUL=c:\windows\application data\aybgwarn.htm
NUL=c:\windows\application data\xheepreaoealy.dll
NUL=c:\windows\cookies\drew [email protected][1].txt
NUL=c:\windows\cookies\drew [email protected][2].txt
NUL=c:\windows\cookies\drew [email protected][1].txt
NUL=c:\windows\cookies\drew [email protected][2].txt
NUL=c:\windows\cookies\drew [email protected][2].txt
NUL=c:\windows\cookies\drew [email protected]ox[1].txt
NUL=c:\windows\temp\rem41a1.exe
NUL=c:\windows\temp\rem30e2.exe
NUL=c:\windows\temp\remc1a1.exe

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
IF ERRORLEVEL 1 PAUSE
path C:\WINDOWS;C:\WINDOWS\COMMAND
c:\windows\system\setpower.exe
call c:\dosboot\drivers.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {004A5840-FF59-11d2-B50D-0090271D3FD4}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

[Support.com Installer]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLINS.DLL
CODEBASE = http://support.charter.com/sdccommon/download/tgctlins.cab

[Support.com SmartIssue]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLSI.DLL
CODEBASE = http://support.charter.com/sdccommon/download/tgctlsi.cab

[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLCM.DLL
CODEBASE = http://support.charter.com/sdccommon/download/tgctlcm.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,537 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## dobhar (Jul 29, 2002)

BioStormX...

Did a "Search" on Tech forums and found a hit on "Free Scratch Cards"...

This thread stands out and may be the info you need...

http://forums2.techguy.org/showthread.php?s=&threadid=125221&highlight=Scratch+and+Cards

I noticed in your list you provided this bit C:\WINDOWS\SYSTEM\WSFWBBSB.EXE. I did a Google search for this and came up blank...hmmm!

Anyways read the thread...


----------



## BioStormX (Oct 18, 2002)

Well, I used the advice in that topic and got the Beta update for SpyBot, and it worked fine. Thanks for the link.


----------



## AtreideS (Aug 20, 2001)

And here I was thinking this thread would be some great way to win stuff. Lol, ohh well


----------



## dobhar (Jul 29, 2002)

No Problem...glad it worked out for you.


----------



## l0ckd0wn (Apr 16, 2003)

I'm not sure as to whether the anti Ad/Spy-Ware software is simply suppressing the Free Scratch Cards (and others like it), but I did manage to find the .exe that's responsible for that awful ad in the first place.

C:\windows\system\cxmpecrs.exe

The icon is a yellow/gold dollar sign on a brownish/orange background. Remove that, and the ad is gone.


----------



## tmork (Apr 17, 2003)

RE:Install Free Scratch Cards

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run 

I found entries for 
zsbiauav.exe
And
zmipzxmh.exe
sized 29,184
These produced the


----------



## beartrax79 (Apr 18, 2003)

Hey all... 

For me, on the "Install Free Scratch Cards" annoyance, my filename was JRGPLCDV.EXE in my winnt/system32 directory. 

Also, there were a bunch of other new files in there that could be related... all created since yesterday (when I started seeing this guy). 

jgncvdti.exe
jysyphcy.exe
janyxnrh.exe
jpukgoht.dll
tmsock.tmp.tag

Any ideas?

Thanks, beartrax79

p.s. My file also had the dollar sign icon.


----------



## TonyKlein (Aug 26, 2001)

Free Scratch Cards, like LOP, uses random file names, so it's a hard cookie to crack...

Are you still having that problem?


----------



## beartrax79 (Apr 18, 2003)

No, I went with the brute-force approach of just deleting all of those files. 

But I also ran the uninstaller at this link... 
http://www.free-scratch-cards.com/uninstall.html

After restart, it didn't pop up again. Any ideas on how this stuff got on my system? I haven't installed anything recently on my system but MS Visual C++ .NET, and I'd hope that MS isn't installing free scratch cards. 

beartrax79


----------



## TonyKlein (Aug 26, 2001)

They usually get there because your security settings are too lax.

Here are three recommendations:

1) Watch what you download!

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Critical Updates listed.

3) Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first _three_ options ("Download signed and unsigned ActiveX controls", and "Initialize and Script ActiveX controls not marked as safe") to prompt.

Now you will be _asked_ whether you want ActiveX objects to be executed and whether you want software to be installed.

Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options/Security.

And some more advice:

4) Install Javacool's SpywareBlaster

It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on _your_ computer) 
Press "select all", then "kill all checked", and you're done.

The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer.

Don't forget to check for updates every week or so.

There's a small board at Wilderssecurity as well.

It won't protect you from every form of spyware known to man, but it _is_ a very potent extra layer of protection.

BTW, SpyBot Search and Destroy has an Immunize feature which works roughly the same way.

It can't hurt to use both.


----------



## BioStormX (Oct 18, 2002)

Yeah, I always watch what I download... but I share this comp with 3 other people.

Anyways, everything is goin smooth now..


----------



## redzcript (May 21, 2003)

I ran the uninstall from the link posted by beartrax79 and it worked great.


----------



## beartrax79 (Apr 18, 2003)

glad it helped!


----------



## rrjsurf (Jun 8, 2003)

I remember this annoying popup. I'm sorry I don't remember all the details for how I removed it. But I do remember some of my analysis and tools I used to remove. Here you go:

I found that an unfriendly program automatically reinstalled an exe file with a randomized name - that is why reviewing running programs and deleting unknown ones does not work. I believe that it was installed on my computer when one of my kids downloaded a free gambling game.

I found and used some of the items others have mentioned in your email stream and they are good recommendations. Another tool I would recommend you download is a tool called "Starter" from Codestuff. Here is a link for the download:

http://www.softpile.com/Utilities/System_Tools/Review_10078_index.html

This tool allows you to view all the programs that auto-startup, see where they are initially loaded and either delete them or disable them temporarily. There is also a nice feature that allows you to look at properties of the file and see ownership when doing analysis of all the junk auto-starting on your PC. It has another window that allows you to view all the programs actively running much like task manager but with much more detail and control.

Best of luck going forward!


----------
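Several posts above note that this adware uses random file names and that reviewing auto-start entries is the way to catch it. As an added example (not part of the original thread or of any tool mentioned in it), this sketch parses the autorun sections of a StartupList-style report and lists entries that are absent from a known-good baseline report, so detection does not depend on the file name. Both sample reports and the entry `xqzvkjpw` are constructed for illustration.

```python
import re

# Constructed StartupList-style report (same layout as the one posted above).
BASELINE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------
End of report
"""
# Later report: same machine plus one constructed, random-looking entry.
CURRENT = BASELINE.replace(
    "SystemTray = SysTray.Exe\n",
    "SystemTray = SysTray.Exe\nxqzvkjpw = C:\\WINDOWS\\SYSTEM\\xqzvkjpw.exe\n")


def parse_autoruns(report):
    """Return a set of (registry_key, value_name, command) from every autorun section."""
    entries = set()
    for section in re.split(r"^-{10,}\s*$", report, flags=re.M):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if len(lines) < 2 or not lines[0].startswith("Autorun entries from"):
            continue
        key = lines[1]  # the line after the heading names the registry key
        for line in lines[2:]:
            name, sep, command = line.partition(" = ")
            if sep:  # skip anything that is not "name = command"
                entries.add((key, name, command.lower()))
    return entries


def new_autoruns(baseline_report, current_report):
    """Entries present now but absent from the known-good baseline, sorted."""
    return sorted(parse_autoruns(current_report) - parse_autoruns(baseline_report))


if __name__ == "__main__":
    for key, name, command in new_autoruns(BASELINE, CURRENT):
        print(f"NEW  {key}\n     {name} = {command}")
```

The comparison only covers the registry Run-type sections that StartupList labels "Autorun entries from Registry"; other startup locations in the report (WININIT, AUTOEXEC.BAT, Browser Helper Objects) would need their own parsing.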

