Whazit Hijack

Updated July 18, 2003

The Whazit hijack is installed using ActiveX drive-by methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft).

Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware.

Prevention

The latest update of SpywareBlaster can prevent the installation of the Whazit Hijack as well as hundreds of other advertising parasites.

Removal

There is an uninstaller located at whazit.com, but testing shows that it leaves the hijack intact. Use our method for removal.

Download HijackThis and scan.

Tick the boxes next to the following entries. Don't worry if you don't see them both. There are several versions of this hijacker.

O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE

In your results, look for a particular O2 BHO and tick it for "fixing". The HijackThis listing will be similar to one of these examples, but will not exactly match the file names. The CLSID numbers will be the same:
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\QOGJUOSK.dll
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\bho.dll

You may also have the following BHOs. Delete those as well:
O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINDOWS\newones.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

There may also be a toolbar listed in HijackThis similar to the following example. Tick the entry for this as well. The HijackThis listing will be similar to this example, but will not exactly match the file name. The CLSID numbers will be the same:
O3 - Toolbar: Whazit Toolbar - {C9176930-9C9F-4cba-9723-0F58C3E7CED6} - C:\WINDOWS\RGJWOYFH.dll

You may also have any of the following entries listed in HijackThis. Tick the box next to any entry that includes "whazit.com".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com

Once all of the above entries have been selected by ticking the boxes to their left, click the "Fix Checked" button.

Open the registry editor (click 'Start', choose 'Run' and enter 'regedit') and delete these registry keys. (Note: If you are not comfortable editing your registry, you can safely skip this step.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
HKEY_CURRENT_USER\Software\180solutions
HKEY_LOCAL_MACHINE\SOFTWARE\wms

Restart the computer and delete the following files:

c:\WINDOWS\fiz1
c:\WINDOWS\kyf.dat
c:\WINDOWS\msbb.exe
c:\WINDOWS\ncmyb.dll
c:\WINDOWS\WANOBSI.exe
c:\WINDOWS\cards.ico
Desktop\Riviera Gold Casino!.url

Also delete the entire 'c:\WINDOWS\FLEOK' folder and all files within.

Most of these files are hidden, so you will need to have Windows set to show hidden files. Follow the directions at windows-help.net if you need instructions on how to do that. These instructions work for all versions of Windows from 98 upwards.
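The HijackThis selection rules above can be applied to a saved log automatically: match O2/O3 entries on the CLSID rather than the randomized file name, match O4 entries on the Run value name, and match R0/R1 entries on a whazit.com value. This is an added example, not part of the original article or of HijackThis; the function names `classify` and `scan` are hypothetical and the sample log is constructed.

```python
import re

# Indicators copied from the HijackThis entries listed on this page.
WHAZIT_CLSIDS = {
    "{D5B72AED-E54A-11D6-B1B2-444553540000}",  # BHO, file name varies
    "{267D5BD3-0DC2-4724-A196-7F4794FBB9EB}",  # BHO (newones.dll)
    "{66F67511-2665-4C34-9E20-FAC2C0954EF2}",  # BHO (whattt.dll)
    "{C9176930-9C9F-4CBA-9723-0F58C3E7CED6}",  # Whazit Toolbar
}
RUN_NAMES = {"wanobsi", "msbb"}  # O4 Run value names, lowercased
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\]")

def classify(line):
    """Return why a HijackThis log line matches this page's entries, or None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    if section in ("O2", "O3"):
        # File names differ per install, so compare the CLSID only (any case).
        m = CLSID_RE.search(line)
        if m and m.group(0).upper() in WHAZIT_CLSIDS:
            return "clsid"
    elif section == "O4":
        m = RUN_RE.match(line)
        if m and m.group(1).lower() in RUN_NAMES:
            return "run"
    elif section in ("R0", "R1"):
        # Look only at the value after '=', not at the registry path.
        if "whazit.com" in line.partition("=")[2].lower():
            return "url"
    return None

def scan(log_text):
    """Return (reason, line) for every matching line of a HijackThis log."""
    pairs = ((classify(l), l.strip()) for l in log_text.splitlines())
    return [(reason, l) for reason, l in pairs if reason]

# Constructed sample log; file names deliberately differ from the page's examples.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.whazit.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.example.org/
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\ZXCVBNMA.dll
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\bho.dll
O3 - Toolbar: Whazit Toolbar - {c9176930-9c9f-4cba-9723-0f58c3e7ced6} - C:\WINDOWS\ABCDEFGH.dll
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\update.exe
"""
if __name__ == "__main__":
    print("\n".join(f"{reason:5} {l}" for reason, l in scan(SAMPLE_LOG)))
```

The constructed `bho.dll` line is not reported even though it reuses a file name shown above, because only the CLSID is compared.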

The software responsible for this hijack updates frequently. If the instructions above do not work for you, you may be infected with a new variant that we haven't seen yet. Please inform us at the support forums if this is the case so we can update this page and inform the antispyware community.

This information is located at: http://www.spywareinfoforum.info/articles/whazit/


Links:

http://www.windowsmediasolutions.com/ Windows Media Solutions Inc
http://www.spywareinfoforum.info/articles/bho/ BHO article at SpywareInfo
http://www.wilderssecurity.net/spywareblaster.html Spyware Blaster
http://www.spywareinfoforum.info/~merijn/files/hijackthis.zip Download HijackThis
http://www.doxdesk.com/parasite/nCase.html nCase article at Doxdesk
http://www.windows-help.net/windows98/start-17.shtml How to show hidden files
http://www.lavasoft.de/ Ad-aware

All material on this web site is copyrighted © 2001-2017 by Mike Healan. All rights reserved.
