I'm at my wit's end. (Free Scratch Cards)

BioStormX's Avatar
Member with 78 posts.
 
Join Date: Oct 2002
31-Mar-2003, 01:06 AM #1
I'm at my wit's end. (Free Scratch Cards)
EVERY time I start up my computer, I get an offer to Install Free Scratch Cards. I always click help, then exit, since there is no direct exit button.

I've tried the latest Ad-Aware, AND the latest SpyBot S&D, but it still comes up. Here is my startuplist thing... I'd appreciate any help... thanks.
.
.
.
.


StartupList report, 3/31/03, 12:04:30 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WSFWBBSB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
wkrdtype = C:\WINDOWS\SYSTEM\wkrdtype.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
SchedulingAgent = mstask.exe
LicCtrl = runservice.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = %1 %*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 30/3/2003, 23:29:30)

[Rename]
NUL=c:\windows\application data\rvlbd.lib
NUL=c:\windows\application data\qeaeejmx.exe
NUL=c:\windows\application data\aybwarn.htm
NUL=c:\windows\application data\aybgwarn.htm
NUL=c:\windows\application data\xheepreaoealy.dll
NUL=c:\windows\cookies\drew clock@adserver[1].txt
NUL=c:\windows\cookies\drew clock@mediaplex[2].txt
NUL=c:\windows\cookies\drew clock@centrport[1].txt
NUL=c:\windows\cookies\drew clock@hitbox[2].txt
NUL=c:\windows\cookies\drew clock@atdmt[2].txt
NUL=c:\windows\cookies\drew clock@ehg-dig.hitbox[1].txt
NUL=c:\windows\temp\rem41a1.exe
NUL=c:\windows\temp\rem30e2.exe
NUL=c:\windows\temp\remc1a1.exe

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
IF ERRORLEVEL 1 PAUSE
path C:\WINDOWS;C:\WINDOWS\COMMAND
c:\windows\system\setpower.exe
call c:\dosboot\drivers.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {004A5840-FF59-11d2-B50D-0090271D3FD4}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/s...ctor/swdir.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

[Support.com Installer]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLINS.DLL
CODEBASE = http://support.charter.com/sdccommon...d/tgctlins.cab

[Support.com SmartIssue]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLSI.DLL
CODEBASE = http://support.charter.com/sdccommon...ad/tgctlsi.cab

[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TGCTLCM.DLL
CODEBASE = http://support.charter.com/sdccommon...ad/tgctlcm.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805/...ditControl.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,537 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
dobhar's Avatar
Member with 371 posts.
 
Join Date: Jul 2002
Location: Winnipeg, Manitoba, Canada
Experience: None until the coffee kicks in...
31-Mar-2003, 01:49 AM #2
BioStormX...

Did a "Search" on Tech forums and found a hit on "Free Scratch Cards"...

This thread stands out and may be the info you need...

http://forums2.techguy.org/showthrea...atch+and+Cards

I noticed in your list you provided this bit C:\WINDOWS\SYSTEM\WSFWBBSB.EXE. I did a Google search for this and came up blank...hmmm!

Anyways read the thread...
__________________
Kent
- A rumor without a leg to stand on will get around some other way -
BioStormX's Avatar
Member with 78 posts.
 
Join Date: Oct 2002
31-Mar-2003, 02:59 PM #3
Well, I used the advice in that topic and got the Beta update for SpyBot, and it worked fine. Thanks for the link
AtreideS's Avatar
Senior Member with 819 posts.
 
Join Date: Aug 2001
Location: Melbourne, Australia
Experience: Advanced
31-Mar-2003, 07:46 PM #4
And here I was thinking this thread would be some great way to win stuff. Lol, ohh well
dobhar's Avatar
Member with 371 posts.
 
Join Date: Jul 2002
Location: Winnipeg, Manitoba, Canada
Experience: None until the coffee kicks in...
02-Apr-2003, 02:58 AM #5
No Problem...glad it worked out for you.
l0ckd0wn's Avatar
Junior Member with 1 posts.
 
Join Date: Apr 2003
Location: Cincinnati
16-Apr-2003, 08:41 AM #6
Free Scratch Cards (File Removal)
I'm not sure as to whether the anti Ad/Spy-Ware software is simply suppressing the Free Scratch Cards (and others like it), but I did manage to find the .exe that's responsible for that awful ad in the first place.

C:\windows\system\cxmpecrs.exe

The icon is a yellow/gold dollar sign on a brownish/orange background. Remove that, and the ad is gone.
tmork's Avatar
Junior Member with 1 posts.
 
Join Date: Apr 2003
Location: Grass Valley CA
17-Apr-2003, 07:42 PM #7
RE:Install Free Scratch Cards

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

I found entries for
zsbiauav.exe
And
zmipzxmh.exe
sized 29,184
These produced the
beartrax79's Avatar
Junior Member with 4 posts.
 
Join Date: Apr 2003
Location: Colorado, USA
18-Apr-2003, 11:33 AM #8
Hey all...

For me, on the "Install Free Scratch Cards" annoyance, my filename was JRGPLCDV.EXE in my winnt/system32 directory.

Also, there were a bunch of other new files in there that could be related... all created since yesterday (when I started seeing this guy).

jgncvdti.exe
jysyphcy.exe
janyxnrh.exe
jpukgoht.dll
tmsock.tmp.tag

Any ideas?

Thanks, beartrax79

p.s. My file also had the dollar sign icon.
TonyKlein's Avatar
Malware Removal Specialist with 10,514 posts.
 
Join Date: Aug 2001
Location: The Netherlands
18-Apr-2003, 11:55 AM #9
Free Scratch Cards, like LOP, uses random file names, so it's a hard cookie to crack...

Are you still having that problem?
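
Added example, not part of the original thread: because the file names are random, matching on names does not help, but comparing the autorun entries of a StartupList report against a known-good baseline does. The report excerpt is abridged from post #1; the baseline is constructed for illustration, and an entry the script returns is only unreviewed, not known to be bad.

```python
import re

# Abridged excerpt of the StartupList report in post #1 (blank lines dropped).
REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
wkrdtype = C:\WINDOWS\SYSTEM\wkrdtype.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hidserv = Hidserv.exe run
SchedulingAgent = mstask.exe
LicCtrl = runservice.exe
"""

# Constructed baseline (an assumption): entries recorded while the machine was
# known to be clean, keyed by (hive:key, value name) with the expected command.
BASELINE = {
    ("HKLM:Run", "SystemTray"): "SysTray.Exe",
    ("HKLM:Run", "Tweak UI"): "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp",
    ("HKLM:RunServices", "Hidserv"): "Hidserv.exe run",
    ("HKLM:RunServices", "SchedulingAgent"): "mstask.exe",
}

KEY = re.compile(r"^(HKLM|HKCU)\\.*\\(Run\w*)$")

def parse_autoruns(report):
    """Return {(hive:key, value name): command} for every autorun section."""
    entries, section = {}, None
    for line in map(str.strip, report.splitlines()):
        m = KEY.match(line)
        if m:
            section = m.group(1) + ":" + m.group(2)   # e.g. "HKLM:RunServices"
        elif line.startswith("-----"):
            section = None                            # separator ends the section
        elif section and " = " in line:
            name, command = line.split(" = ", 1)
            entries[(section, name)] = command
    return entries

def unreviewed(entries, baseline):
    """Entries that are new, or whose command differs from the baseline."""
    return sorted(k for k, cmd in entries.items()
                  if baseline.get(k, "").lower() != cmd.lower())
```

Comparing the command as well as the value name means a familiar name that now points at a different file is also returned for review.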
beartrax79's Avatar
Junior Member with 4 posts.
 
Join Date: Apr 2003
Location: Colorado, USA
18-Apr-2003, 12:33 PM #10
No, I went with the brute-force approach of just deleting all of those files.

But I also ran the uninstaller at this link...
http://www.free-scratch-cards.com/uninstall.html

After restart, it didn't pop up again. Any ideas on how this stuff got on my system? I haven't installed anything recently on my system but MS Visual C++ .NET, and I'd hope that MS isn't installing free scratch cards.

beartrax79
TonyKlein's Avatar
Malware Removal Specialist with 10,514 posts.
 
Join Date: Aug 2001
Location: The Netherlands
18-Apr-2003, 12:39 PM #12
They usually get there because your security settings are too lax.

Here are three recommendations:

1) Watch what you download!

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Critical Updates listed.

3) Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first three options ("Download signed and unsigned ActiveX controls", and "Initialize and Script ActiveX controls not marked as safe") to prompt.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options/Security.


And some more advice:

4) Install Javacool's SpywareBlaster

It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.

The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer.

Don't forget to check for updates every week or so.

There's a small board at Wilderssecurity as well.

It won't protect you from every form of spyware known to man, but it is a very potent extra layer of protection.

BTW, SpyBot Search and Destroy has an Immunize feature which works roughly the same way.

It can't hurt to use both.
__________________
Tony < - > CLSID List - A Collection of Autostart Locations
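
Added example, not part of the original thread: the "kill bit" mentioned in post #12 is the 0x00000400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key for a control's CLSID, and this script reads a registry export to report which CLSIDs have it set. The export text and its CLSIDs are constructed placeholders, not identifiers of real controls.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE loading the control

# Constructed REGEDIT4 export; the CLSIDs are placeholders.
EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"""

SECTION = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def kill_bit_status(export):
    """Map each CLSID under ActiveX Compatibility to True if its kill bit is set."""
    status, clsid = {}, None
    for line in map(str.strip, export.splitlines()):
        m = SECTION.match(line)
        if m:
            clsid = m.group(1).upper()
            status[clsid] = False            # no flags value means no kill bit
        elif line.startswith("["):
            clsid = None                     # some other key: ignore its values
        elif clsid and (f := FLAGS.match(line)):
            # Other flag bits may be set too, so test the bit, not equality.
            status[clsid] = bool(int(f.group(1), 16) & KILL_BIT)
    return status
```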
BioStormX's Avatar
Member with 78 posts.
 
Join Date: Oct 2002
18-Apr-2003, 04:49 PM #13
Yeah, I always watch what I download... but I share this comp with 3 other people.

Anyways, everything is goin smooth now..
redzcript's Avatar
Junior Member with 27 posts.
 
Join Date: May 2003
21-May-2003, 10:59 AM #14
FSC from Hades
I ran the uninstall from the link posted by beartrax79 and it worked great.
beartrax79's Avatar
Junior Member with 4 posts.
 
Join Date: Apr 2003
Location: Colorado, USA
21-May-2003, 11:24 AM #15
hey redzcript...
glad it helped!