FreeScratchAndWin
- By W3 Privacy
- Published 05/8/2007
- Parasites
Description
FreeScratchAndWin is an IE Browser Helper Object that comes with a web-based 'scratchcards' game. (What exactly is available to be won, and whether anybody has ever won it, remains unclear.)
Variants
FreeScratchAndWin/Beta: a version of the software that didn't seem to work fully, but was distributed anyway.
FreeScratchAndWin/v5: most common variant of the software. Includes a homepage- and search-hijacker pointed at xzoomy.com.
FreeScratchAndWin/v6: now renamed 'Free Scratch Cards'. Instead of the xzoomy hijack this now bundles lop/Rnd. Like lop/Rnd, it uses random filenames for its files, and cannot be detected by the script at this site.
Also known as
FSW, FSC (v6 variant). CPM Media, after the company name used to sign the software.
Distribution
Installed by ActiveX drive-by download from affiliate pages. Visitors are redirected to these pages by AdsCPM, the advertising network company that runs FreeScratchAndWin.
What it does
Advertising
Yes. Connects to its controlling servers and downloads and opens pop-up adverts every few minutes.
Privacy violation
Suspected. The software's terms of use advise that the software can track users' web usage. However, this behaviour has not actually been observed.
Security issues
Yes. Downloads and installs arbitrary unsigned code as part of an update feature; it claims that it will prompt you before installing extra third-party software.
Stability problems
None known, although it sometimes seems to go crazy and start connecting to its controlling servers every couple of seconds, which generates an annoying amount of traffic.
Removal
There are uninstallers available for v5 and v6 from the manufacturers (not tested, may or may not work). Spybot update 2002-11-30 can also remove FreeScratchAndWin/v5. Spybot update 2003-03-27 can also remove FreeScratchAndWin/v6.
Manual Removal
Beta variant
Open the registry (Start, Run, regedit) and delete the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FSW
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown\SetupProgramRan
HKEY_CLASSES_ROOT\CLSID\{20A03A4C-9FAF-45D5-A5C2-B6C49774E03C}
HKEY_CLASSES_ROOT\CLSID\{99B0B113-6F25-49C9-8ECF-2FDDD3EDFF6A}
HKEY_CLASSES_ROOT\FSW_beta1.Application
HKEY_CLASSES_ROOT\Fswinst.Application
Reboot Windows and delete the 'FSW' folder inside 'Program Files'. You can also remove a leftover installer file from a DOS command prompt window (Start->Programs->Accessories):
cd "%WinDir%\Downloaded Program Files"
del fswinst.ocx
v5 variant
Open the registry (Start, Run, regedit) and delete the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FSW
HKEY_CLASSES_ROOT\CLSID\{47CC4DCD-BBC9-47A3-A677-44DB2559E0D8}
HKEY_CLASSES_ROOT\CLSID\{5DD7B3BE-FDEC-4563-B038-FF80F2345B89}
HKEY_CLASSES_ROOT\FSW.Application
HKEY_CLASSES_ROOT\FSWINST.FswinstCtrl.1
Reboot Windows and delete the 'FSW' folder inside 'Program Files', along with the files 'support.exe' and 'IdleUI.dll' in the System folder (inside 'Windows', called 'System32' under Windows NT/2000/XP). You can also remove a leftover installer file from a DOS command prompt window (Start->Programs->Accessories):
cd "%WinDir%\Downloaded Program Files"
del fswinst.ocx
Finally, go to Internet Options and reset your home page.
v6 variant
The v6 variant (Free Scratch Cards) uses random eight-letter filenames in the System folder (in 'Windows', called 'System32' under Windows NT/2000/XP). Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the random-looking eight-letter value (e.g. bprplgqf) pointing to a similarly named EXE in the System folder. This should
Restart the computer and open the System folder. Delete the file with the same name as you saw in the Run registry entry along with 'fsc.ini'. There should be some other eight-letter random files you can delete to clean up if you like:
- An EXE whose internal name (right-click, choose 'Properties' and click the 'Version' tab then choose 'Internal name') is 'loader'.
- An EXE with a dollar icon, internal name 'FSC'.
- A DLL, internal name 'runpool'.
- A 7K-long EXE with no version information. (Check the dates, don't delete a file if you're not sure.)
Make sure you have removed lop as well; unfortunately this means more random filename finding.
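A triage check for the v6 Run entry described above, added here as an example and not part of the original write-up: it parses saved text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and lists values whose name is eight letters and whose data points to an EXE of the same name in the System folder. Treating 'similarly named' as an exact, case-insensitive match is an assumption, and the sample input and its entry names (other than the page's own bprplgqf) are constructed.

```python
import re

# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# An EXE directly inside the System folder ('System' or 'System32').
SYSTEM_EXE = re.compile(
    r"""^"?(?:%(?:windir|systemroot)%|[a-z]:\\win(?:dows|nt))"""
    r"""\\system(?:32)?\\(?P<base>[^\\"]+)\.exe\b""",
    re.IGNORECASE,
)
EIGHT_LETTERS = re.compile(r"^[a-z]{8}$", re.IGNORECASE)


def parse_run_values(reg_query_text):
    """Return (name, data) pairs from `reg query` text output."""
    values = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:  # key header lines and blank lines do not match
            values.append((m.group("name"), m.group("data").strip()))
    return values


def v6_candidates(reg_query_text):
    """Flag Run values that fit the v6 pattern: an eight-letter name whose
    data is an EXE with that same name in the System folder (assumption:
    'similarly named' means identical apart from case)."""
    hits = []
    for name, data in parse_run_values(reg_query_text):
        m = SYSTEM_EXE.match(data)
        if EIGHT_LETTERS.match(name) and m and m.group("base").lower() == name.lower():
            hits.append((name, data))
    return hits


# Constructed sample, not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    bprplgqf    REG_SZ    C:\WINDOWS\System32\bprplgqf.exe
    ctfmon    REG_SZ    C:\WINDOWS\System32\ctfmon.exe
    Launcher    REG_SZ    C:\Program Files\Launcher\Launcher.exe
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" -boot
"""

if __name__ == "__main__":
    for name, data in v6_candidates(SAMPLE):
        print(f"review: {name} -> {data}")
```

Matches are candidates for manual review, not confirmed detections; a legitimate program with an eight-letter name in the System folder would be listed too.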

