Free-Scratch-Cards

Type: Program
SubType: -
Discovery Date: 03/27/2003
Minimum DAT: 4257 (04/09/2003)
Updated DAT: 4859 (09/25/2006)
Minimum Engine: 5.1.00
Description Added: 03/31/2003
Description Modified: 05/20/2003 1:45 AM (PT)

Characteristics

This is a "potentially unwanted application". It is not a virus or trojan, but rather a program that claims to allow users to win money. The application is installed via an ActiveX control on a web site. The site does provide clear terms of service, which include allowing the program to:
  • Change the user's home and search pages
  • Add a toolbar to the user's web browser
  • Automatically update itself, and download other companies' programs
  • Add bookmarks to the user's favorites folder
  • Open advertisements while surfing the web
  • Deactivate existing browser toolbars
  • Report browsing behavior back to the program author
The application installs itself in the %WinDir%\APPLICATION DATA directory using the following filenames:
  • chajzsho.exe
  • drgldrstzoqush.exe
  • iquxust.lib
  • kwilldrbrfr.dll
It creates a registry run key to load itself at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "odrbrw" = C:\WINDOWS\APPLIC~1\chajzsho.exe -QuieT
The following registry keys are created by this application:
  • HKEY_CURRENT_USER\Software\ckmixibrglbrlw
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Backup
  • HKEY_CLASSES_ROOT\CLSID\{dfb98501-6070-11d7-bc91-00d009853834}
  • HKEY_CLASSES_ROOT\ovmrx.kjdrmbroxjlub
  • HKEY_CLASSES_ROOT\yzbsa.kjdrmbrj
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE}\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfb98500-6070-11d7-bc91-00d009853834}
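A read-only PowerShell check for the files, Run value and registry keys listed above, plus the start page domain named in this description. It is an added example, not part of the original description or the vendor's removal procedure; the function name is hypothetical, and the Internet Explorer `Start Page` value location is the standard one, not taken from this page.

```powershell
# Added example: read-only check for the artifacts listed in this description.
# Indicator values come from the page; function and property names are illustrative.
function Find-FreeScratchCardsArtifact {
    $hits = @()

    # Files dropped into %WinDir%\Application Data
    $dir = Join-Path $env:WinDir 'Application Data'
    foreach ($name in 'chajzsho.exe', 'drgldrstzoqush.exe', 'iquxust.lib', 'kwilldrbrfr.dll') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hits += [pscustomobject]@{ Type = 'File'; Location = $path; Data = $null }
        }
    }

    # Run value that loads the program at startup
    $runKey = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'odrbrw' -ErrorAction SilentlyContinue
    if ($run) {
        $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\odrbrw"; Data = $run.odrbrw }
    }

    # Registry keys created by the application
    $keys = @(
        'HKEY_CURRENT_USER\Software\ckmixibrglbrlw'
        'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Backup'
        'HKEY_CLASSES_ROOT\CLSID\{dfb98501-6070-11d7-bc91-00d009853834}'
        'HKEY_CLASSES_ROOT\ovmrx.kjdrmbroxjlub'
        'HKEY_CLASSES_ROOT\yzbsa.kjdrmbrj'
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE}'
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfb98500-6070-11d7-bc91-00d009853834}'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath "Registry::$key") {
            $hits += [pscustomobject]@{ Type = 'RegistryKey'; Location = $key; Data = $null }
        }
    }

    # Internet Explorer start page pointing at the domain named in the description
    $ieMain = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -LiteralPath $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Start Page' -match '(^|[/.])ecpm\.com') {
        $hits += [pscustomobject]@{ Type = 'StartPage'; Location = "$ieMain\Start Page"; Data = $ie.'Start Page' }
    }

    $hits
}

Find-FreeScratchCardsArtifact | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, registry writes made by a 32-bit installer under HKEY_LOCAL_MACHINE\Software are redirected to Software\WOW6432Node, so run the check from 32-bit PowerShell as well.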
The default search page may be set to http://ecpm.com/searchbar.html and the start page to http://ecpm.com. The following URL shortcuts are placed in the WINDOWS FAVORITES folder and some may also appear on the desktop:
  • Adult Entertainment.url
  • Gambling.url
  • Games.url
  • MP3 Music.url
  • News.url
  • Adult\Adult Chat.url
  • Adult\Amateur Photo.url
  • Adult\Asian Sex.url
  • Adult\Ebony.url
  • Adult\Fetish.url
  • Adult\Gay and Lesbian.url
  • Adult\Hardcore.url
  • Adult\Live Video Feeds.url
  • Adult\Matchmaking.url
  • Adult\XXX Cartoons.url
  • Business and Finance\B to B.url
  • Business and Finance\Banking.url
  • Business and Finance\Business.url
  • Business and Finance\Careers.url
  • Business and Finance\Credit Cards.url
  • Business and Finance\Finance.url
  • Business and Finance\Insurance.url
  • Business and Finance\Office.url
  • Business and Finance\Printing.url
  • Computers and Tech\Computer Games.url
  • Computers and Tech\Computer Stores.url
  • Computers and Tech\Dedicated Server.url
  • Computers and Tech\Domain Names.url
  • Computers and Tech\Hardware.url
  • Computers and Tech\Laptops.url
  • Computers and Tech\Software.url
  • Computers and Tech\Web Design.url
  • Computers and Tech\Web Hosting.url
  • Computers and Tech\Telecommunication\Mobile Phones.url
  • Computers and Tech\Telecommunication\Telecommunication.url
  • Computers and Tech\Telecommunication\Telephone.url
  • Computers and Tech\Telecommunication\Text SMS Messaging.url
  • Cool Stuff\Auction.url
  • Cool Stuff\Classifieds.url
  • Cool Stuff\Free Emails.url
  • Cool Stuff\Free Homepages.url
  • Cool Stuff\Free Services.url
  • Cool Stuff\School Essays and Homework.url
  • Cool Stuff\Services.url
  • Entertainment\Adult Entertainment.url
  • Entertainment\Automotive.url
  • Entertainment\DVD.url
  • Entertainment\Entertainment.url
  • Entertainment\Hot Games and Gaming.url
  • Entertainment\Mp3.url
  • Entertainment\Travel.url
  • Gambling\Black Jack.url
  • Gambling\Chips.url
  • Gambling\Craps.url
  • Gambling\Multi Player.url
  • Gambling\Online Casinos.url
  • Gambling\Poker.url
  • Gambling\Roulette.url
  • Gambling\Slots.url
  • Gambling\Sports Books.url
  • On Lifestyle\Art.url
  • On Lifestyle\Astrology.url
  • On Lifestyle\Books.url
  • On Lifestyle\Community.url
  • On Lifestyle\eBooks.url
  • On Lifestyle\Kids.url
  • On Lifestyle\Magazines.url
  • On Lifestyle\Matchmaking.url
  • On Lifestyle\Pets.url
  • On Lifestyle\Self Help.url
  • On Lifestyle\Wine.url
  • On Lifestyle\Women.url
  • On Lifestyle\Education\Education.url
  • On Lifestyle\Education\Training.url
  • On Lifestyle\Health and Beauty\Beauty.url
  • On Lifestyle\Health and Beauty\Health and Fitness.url
  • On Lifestyle\Health and Beauty\Pharmacy.url
  • On Lifestyle\Home and Garden\Construction.url
  • On Lifestyle\Home and Garden\Furniture.url
  • On Lifestyle\Home and Garden\Home and Garden.url
  • On Lifestyle\Home and Garden\Real Estate.url
  • On Lifestyle\Home and Garden\Utilities.url
  • Shopping and Gifts\Accessories.url
  • Shopping and Gifts\Apparel.url
  • Shopping and Gifts\Cards.url
  • Shopping and Gifts\Electronics.url
  • Shopping and Gifts\Flowers.url
  • Shopping and Gifts\Gifts.url
  • Shopping and Gifts\Jewlery.url
  • Shopping and Gifts\Retail Products.url
  • Shopping and Gifts\Shoes.url
  • Shopping and Gifts\Shopping.url
  • Shopping and Gifts\Toys.url

Removal

Potentially Unwanted Applications can be detected with VirusScan 7 and/or the command line scanner with the /PROGRAM switches.

  1. Click the START button
  2. Click RUN
  3. Type COMMAND and hit ENTER
  4. Type:

    c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub

    and hit ENTER.

Users running VirusScan 7 or later can also enable application or joke detection via the configuration option "Find potentially unwanted programs" (Advanced section) within the VirusScan GUI:

Corporate Users:

This applies to the On-Access scanner too.

Retail Users:

Contact the program author (origin) for removal instructions.

Aliases

    N/A