Limited Time!
Totally FREE Web Design!
Click here!

Parasite: FreeScratchAndWin

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

FreeScratchAndWin is an IE Browser Helper Object that comes with a web-based ‘scratchcards’ game. (What exactly is available to be won, and whether anybody has ever won it, remains unclear.)

Variants

FreeScratchAndWin/Beta: a version of the software that didn’t seem to work fully, but was distributed anyway.

FreeScratchAndWin/v5: most common variant of the software. Includes a homepage- and search-hijacker pointed at xzoomy.com.

FreeScratchAndWin/v6: now renamed ‘Free Scratch Cards’. Instead of the xzoomy hijack this now bundles lop/Rnd. Like lop/Rnd, it uses random filenames for its files, and cannot be detected by the script at this site.

Also known as

FSW, FSC (v6 variant). CPM Media, after the company name used to sign the software.

Distribution

Installed by ActiveX drive-by download in affiliate pages which are redirected to by AdsCPM, the advertising network company who run FreeScratchAndWin.

What it does

Advertising

Yes. Connects to its controlling servers and downloads and opens pop-up adverts every few minutes.

Privacy violation

Suspected. The software’s terms of use advises that the software can track users’ web usage. However this behaviour has not actually been observed.

Security issues

Yes. Downloads and installs arbitrary unsigned code as part of an update feature; it claims that it will prompt you before installing extra third-party software.

Stability problems

None known. Although it sometimes seems to go crazy and start connecting to its controlling servers every couple of seconds, which generates an annoying amount of traffic.

Removal

There are uninstallers available for v5 and v6 from the manufacturers (not tested, may or may not work). Spybot update 2002-11-30 can also remove FreeScratchAndWin/v5. Spybot update 2003-03-27 can also remove FreeScratchAndWin/v6.

Manual Removal

Beta variant

Open the registry (Start, Run, regedit) and delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FSW
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown\SetupProgramRan
HKEY_CLASSES_ROOT\CLSID\{20A03A4C-9FAF-45D5-A5C2-B6C49774E03C}
HKEY_CLASSES_ROOT\CLSID\{99B0B113-6F25-49C9-8ECF-2FDDD3EDFF6A}
HKEY_CLASSES_ROOT\FSW_beta1.Application
HKEY_CLASSES_ROOT\Fswinst.Application

Reboot Windows and delete the ‘FSW’ folder inside ‘Program Files’. You can also remove a leftover installer file from a DOS command prompt window (Start->Programs->Accessories):

cd "%WinDir%\Downloaded Program Files"
del fswinst.ocx

v5 variant

Open the registry (Start, Run, regedit) and delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FSW
HKEY_CLASSES_ROOT\CLSID\{47CC4DCD-BBC9-47A3-A677-44DB2559E0D8}
HKEY_CLASSES_ROOT\CLSID\{5DD7B3BE-FDEC-4563-B038-FF80F2345B89}
HKEY_CLASSES_ROOT\FSW.Application
HKEY_CLASSES_ROOT\FSWINST.FswinstCtrl.1

Reboot Windows and delete the ‘FSW’ folder inside ‘Program Files’, along with the files ‘support.exe’ and ‘IdleUI.dll’ in the System folder (inside ‘Windows’, called ‘System32’ under Windows NT/2000/XP). You can also remove a leftover installer file from a DOS command prompt window (Start->Programs->Accessories):

cd "%WinDir%\Downloaded Program Files"
del fswinst.ocx

Finally, go to Internet Options and reset your home page.

v6 variant

The v6 variant (Free Scratch Cards) uses random eight-letter filenames in the System folder (in ‘Windows’, called ‘System32’ under Windows NT/2000/XP). Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the random-looking eight-letter value pointing to a similarly named EXE in the System folder. (eg. bprplgqf). This should

Restart the computer and open the System folder. Delete the file with the same name as you saw in the Run registry entry along with ‘fsc.ini’. There should be some other eight-letter random files you can delete to clean up if you like:

• An EXE whose internal name (right-click, choose ‘Properties’ and click the ‘Version’ tab then choose ‘Internal name’) is ‘loader’.
• An EXE with a dollar icon, internal name ‘FSC’.
• A DLL, internal name ‘runpool’.
• A 7K-long EXE with no version information. (Check the dates, don’t delete a file if you’re not sure.)

Make sure you have removed lop as well; unfortunately this means more random filename finding.

Links

FreeScratchAndWin and Free Scratch Cards sites.