SpywareInfo Home
Spyware Weekly Newsletter > May 27, 2003

Whazit Hijack

Updated July 18, 2003

The Whazit hijack is installed using ActiveX drive-by methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft).

Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware.

Prevention

The latest update of SpywareBlaster can prevent the installation of the Whazit Hijack as well as hundreds of other advertising parasites.

Removal

There is an uninstaller located at whazit.com, but testing shows that it leaves the hijack intact. Use our method for removal.

Download HijackThis and scan.

Tick the boxes next to the following entries. Don't worry if you don't see both of them; there are several versions of this hijacker.

O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE

In your results, look for a particular O2 BHO and tick it for "fixing". The HijackThis listing will be similar to one of these examples, but will not exactly match the file names. The CLSID numbers will be the same:
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\QOGJUOSK.dll
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\bho.dll

You may also have the following BHOs. Delete those as well:
O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINDOWS\newones.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

There may also be a toolbar listed in HijackThis similar to the following example. Tick the entry for this as well. The file name will not match exactly, but the CLSID number will be the same:
O3 - Toolbar: Whazit Toolbar - {C9176930-9C9F-4cba-9723-0F58C3E7CED6} - C:\WINDOWS\RGJWOYFH.dll

You may also have any of the following entries listed in HijackThis. Tick the box next to any entry that includes "whazit.com".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com

Once all of the above entries have been ticked, click the "Fix Checked" button.

Open the registry editor (click 'Start', choose 'Run' and enter 'regedit') and delete these registry keys. (Note: if you are not comfortable editing your registry, you can safely skip this step.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
HKEY_CURRENT_USER\Software\180solutions
HKEY_LOCAL_MACHINE\SOFTWARE\wms

Restart the computer and delete the following files:

c:\WINDOWS\fiz1
c:\WINDOWS\kyf.dat
c:\WINDOWS\msbb.exe
c:\WINDOWS\ncmyb.dll
c:\WINDOWS\WANOBSI.exe
c:\WINDOWS\cards.ico
Desktop\Riviera Gold Casino!.url
Also delete the entire 'c:\WINDOWS\FLEOK' folder and all files within.

Most of these files are hidden, so you will need to have Windows set to show hidden files. Follow the directions at windows-help.net if you need instructions on how to do that. These instructions work for all versions of Windows from 98 upwards.
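As an added example (not part of the original newsletter), the following Python script applies the matching rules from the instructions above to a HijackThis log: O2/O3 entries are matched by CLSID rather than by the randomized file name, O4 entries by the Run value name, and R0/R1 entries by the whazit.com domain. The sample log lines, their file names and the benign CLSID in them are constructed for the demonstration.

```python
import re

# Indicators taken from the removal instructions above; CLSIDs are kept in upper case
# because HijackThis prints them in whatever case the registry holds.
WHAZIT_CLSIDS = {
    "{D5B72AED-E54A-11D6-B1B2-444553540000}",  # Whazit BHO (random DLL name)
    "{267D5BD3-0DC2-4724-A196-7F4794FBB9EB}",  # newones.dll BHO
    "{66F67511-2665-4C34-9E20-FAC2C0954EF2}",  # whattt.dll BHO
    "{C9176930-9C9F-4CBA-9723-0F58C3E7CED6}",  # Whazit Toolbar
}
WHAZIT_RUN_NAMES = {"WANOBSI", "MSBB"}   # O4 Run value names from the article
WHAZIT_DOMAIN = "whazit.com"             # R0/R1 browser settings point here

CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\]", re.IGNORECASE)


def classify(line):
    """Return the reason a HijackThis line is attributed to Whazit, or None if it is not."""
    line = line.strip()
    kind = line[:2]
    if kind in ("O2", "O3"):                      # BHOs and toolbars: match on CLSID only
        m = CLSID_RE.search(line)
        if m and m.group(0).upper() in WHAZIT_CLSIDS:
            return "known Whazit CLSID " + m.group(0)
    elif kind == "O4":                            # autostart entries: match on value name
        m = RUN_RE.match(line)
        if m and m.group(1).upper() in WHAZIT_RUN_NAMES:
            return "known Whazit Run entry " + m.group(1)
    elif kind in ("R0", "R1"):                    # IE start/search settings: match on domain
        if WHAZIT_DOMAIN in line.lower():
            return "browser setting points at " + WHAZIT_DOMAIN
    return None


def triage(log_text):
    """Return [(line, reason)] for every line in a HijackThis log that should be ticked."""
    hits = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


# Constructed sample log: file names and the benign CLSID are made up for the demonstration.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com/ie
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\ZKQPWMRT.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\helper.dll
O3 - Toolbar: Whazit Toolbar - {C9176930-9C9F-4cba-9723-0F58C3E7CED6} - C:\WINDOWS\BVNDQXLA.dll
O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""
```

Running `triage(SAMPLE_LOG)` flags five of the eight constructed lines and leaves the Google search page, the benign BHO and the ScanRegistry entry alone.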

The software responsible for this hijack updates frequently. If the instructions above do not work for you, you may be infected with a new variant that we haven't seen yet. Please inform us at the support forums if this is the case so we can update this page and inform the antispyware community.

This information is located at: http://www.spywareinfoforum.info/articles/whazit/


Links:

http://www.windowsmediasolutions.com/ Windows Media Solutions Inc
http://www.spywareinfoforum.info/articles/bho/ BHO article at SpywareInfo
http://www.wilderssecurity.net/spywareblaster.html Spyware Blaster
http://www.spywareinfoforum.info/~merijn/files/hijackthis.zip Download HijackThis
http://www.doxdesk.com/parasite/nCase.html nCase article at Doxdesk
http://www.windows-help.net/windows98/start-17.shtml How to show hidden files
http://www.lavasoft.de/ Ad-aware

Spyblocker


Spyblocker Version 6.3

Many Web sites have ads that are distracting and a drain on bandwidth. Some sites send cookies and other files to your computer. Still others acquire information about you, your machine, and your browsing habits by using single-pixel Web bugs and other methods.

SpyBlocker monitors this type of Web activity and allows users to control or block the ads and tracking systems. But SpyBlocker goes one step further. SpyBlocker strips ads out of ad-supported software, disabling the ad module and tracking capabilities without disabling the functionality of the program until you discover the program is 'spying' and remove it.

Spyblocker is a favorite among the experts who regularly help people out at the SWI support forums. It's a powerful program that can go a long way toward securing your computer from all sorts of malware that can infect you just by browsing the internet (ActiveX drive-bys, rogue JavaScript, etc). It can even block spyware from calling home if you don't realize you have it installed.

This week, until June 3 2003, you can purchase Spyblocker for 10% off the normal price. Spyblocker Software also makes Settings Sentry, a program that monitors your browser settings in both Internet Explorer and Netscape for alterations made by browser hijackers and drive-by downloaders. If you purchase both Spyblocker and Settings Sentry, Spyblocker is 15% off. Settings Sentry is already priced as low as possible, and with the extra 5% off on Spyblocker, this is a huge bargain for these two exceptional products.

http://www.spywareinfoforum.info/downloads/spyblocker/ Spyblocker feature page
http://www.spywareinfoforum.info/downloads/spyblocker/settings+sentry.php Settings Sentry feature page

Firewalls still legal in Tennessee


Last week, I alerted you to a piece of Super DMCA legislation under discussion in Tennessee. Thanks to quick action by opponents of the proposed law, the legislature decided against voting on the matter during this year's session of the General Assembly. You can pull your firewall out of the closet now; you're not an outlaw (not yet anyway).

Of course, this is not the end of the situation, and I urge you to visit the Tennessee Digital Freedom Network, one of the chief organizers of online resistance to the proposed law. There is still action that needs to be taken to stop this insanity.


Links:

http://www.spywareinfoforum.info/newsletter/archives/may-2003/20.php Last week's issue

New.net vs Lavasoft - Some Corrections


I'd like to point out two errors in last week's article about the New.net vs Lavasoft lawsuit, and also one issue that New.net disputes.

* Ad-aware 6 build 160 had problems with all versions of new.net, not just the new version that was released just after the client software became a target.

* Aluria Spyware Eliminator recently stopped detecting new.net.

SpywareInfo regrets the errors.

* Additionally, New.net's president, Dan Sheehy, maintains that his company is not accusing Lavasoft of deliberately programming Ad-aware to break networks during the removal of their software. Having read the complaint, I would say that this could be interpreted either way.

Please see points 31 and 40 of New.net's complaint:

31. Defendants, falsely target and label the NewDotNet Client as an unauthorized and harmful program, thereby harming New.net's reputation, and prompting users to remove the software (through a flawed method programmed by Defendants) constitutes unfair and fraudulent conduct under California law.

40. Nevertheless, Defendants have intentionally targeted and labeled New.net's product in a false and disparaging manner, and have programmed the Ad-aware product to remove the NewDotNet Client from users' computers in a manner that creates a negative user experience, which users wrongfully conclude is caused by New.net, when it was in fact caused by Defendant's Ad-Aware product.


Links:

http://www.spywareinfoforum.info/newsletter/archives/may-2003/20.php#new.net Last week's New.net vs Lavasoft article
http://www.spywareinfoforum.info/rd/aluria/ Aluria Spyware Eliminator
http://www.spywareinfoforum.info/downloads/ls/newnet-v-lavasoft.pdf New.net's complaint (PDF)

HP's Spying Keyboard


There are numerous web sites that will tell you that Hewlett-Packard/Netropa keyboard software contains a spyware (mmkeybd.exe) which calls home to HP with all manner of information. I believe the record needs to be set straight on this. This is not spyware.

Some brilliant person at HP thought that it would be a good idea to have the keyboard continually ping an HP server so that the keyboard would know whether or not it needed to light up the LED "online" indicator.

The Pavilion Netropa Multimedia Keyboard with the driver mmkeybd.exe has a regular ping to detect internet connectivity. The detection of a live internet connection was used to turn on the on-line LED that is present on some keyboards. The ICMP ping does not contain any user information and is not tracked in any way by HP.

This driver is no longer shipped with the keyboards, and a patch that removes and replaces the driver responsible for the ping is available here.

It is understandably alarming to see your keyboard software set off your firewall with repeated attempts to connect to the internet. In this case, it is just a very inefficient way to let you know that you are online, not spyware.

We have enough trouble as it is trying to convince people that spyware is a problem that they should be worrying about. It does us no good whatsoever when a perfectly innocent program is rumored to be spyware.


Links:

http://www.spywareinfoforum.info/rd/mmkeybd/ Replacement drivers for HP/Netropa keyboards

Subsearch Parasite


Have you ever gone to your favorite search engine to look something up and spotted a mysterious search pane on the side of your browser window? This new search pane offers search results that are similar to what you are searching for, but they don't quite seem to fit. If you have ever noticed this search pane, then chances are you have an advertising parasite known as Subsearch.

SubSearch is a Browser Helper Object from AdScholar.com that integrates into Internet Explorer. It detects when you are using a search engine, and opens its own "enhanced results" sidebar containing results paid for by advertisers. The Subsearch pane changes its appearance to resemble whichever search engine site you are currently on.

Subsearch also spawns unwanted pop-up windows when Internet Explorer is first opened.

Subsearch is installed in one of two ways. The original variant is installed using ActiveX drive-by methods. Once that is installed, a backdoor updater routine downloads and installs newer versions. All of this is done without user intervention, or indeed without the user's knowledge.

In addition, one variant of Subsearch contains a rather serious security vulnerability. According to Andrew Clover of doxdesk.com, "the Subsearch/v2 variant can be directed by any web page to download any file and write it anywhere to the file system, including over other program files which may then get run." It is highly recommended that you remove this parasite as soon as possible.

Spybot S&D can remove Subsearch as of the April 28 update, and Ad-aware can remove it as of its May 2 reference file update.


Links:

http://www.doxdesk.com/parasite/SubSearch.html Doxdesk's SubSearch information page
http://www.spywareinfoforum.info/articles/bho/ BHO article at SWI
http://security.kolla.de/ Spybot
http://www.lavasoft.de/ Ad-aware

RSS News Feed


I am proud to announce that SpywareInfo now offers three RSS news feeds. These feeds can be read by those of you with RSS newsreaders, and can also be used by those who want to include the information on their own web sites. Those of you who visit the Ziff-Davis web site regularly will soon see this news feed there (exactly where on their site, I don't know).

There are three feeds to choose from. They are limited respectively to 5, 10, and 15 items.

http://rss.spywareinfoforum.info/5.rdf
http://rss.spywareinfoforum.info/10.rdf
http://rss.spywareinfoforum.info/15.rdf

There are three conditions for anyone who wishes to include these feeds on their own web site:

  1. You may not charge your visitors to view the content.
  2. You must provide a link to http://www.spywareinfoforum.info/ and indicate that this is the source of the news.
  3. Please send me an email telling me you are loading it on your web site.

Links:

http://www.zdnet.com/ Ziff-Davis web site
http://www.spywareinfoforum.info/contact.php SWI Contact page

Evidence Eliminator


Last week, I made a last-minute addition to the feature section stating "Please note that this is Evidence Terminator and not Evidence Eliminator, which would never be featured here". That prompted a few people to ask why I had put it there.

The reason for that is simple. The company that makes Evidence Eliminator is scum. They use advertising tactics that are so disgusting, they make people ill by viewing them.

They use javascripts and server-side scripting to display your IP address, reverse DNS, browser type, operating system, referrer information, show you the contents of your hard drive in an I-Frame, and various other tricks to try to convince you that you are under investigation.

They do anything to try to convince you to buy their product RIGHT NOW!!!!! If you don't, they want you to believe that you will go to jail and be assaulted by larger prisoners because of the porn on your computer. See for yourself (the page is random, keep refreshing your browser).

I don't know about the product itself. For all I know, it could be a fine program. At well over $100 per copy, I'm not about to test it to find out. The company that sells it however....... scum, pure scum. Most people agree, as you can see in the message board thread where we were discussing it.

And that is why Evidence Eliminator is not recommended at SpywareInfo and why it never will be. Next week, I will be featuring a program that I strongly recommend which performs the same functions as Evidence Eliminator, only this one will certainly not cost you $100.


Links:

http://www.evidence-eliminator.com/d2w/intro/server.d2w Evidence-Eliminator landing page
http://www.spywareinfoforum.info/forums/index.php?act=ST&f=8&t=5910

Recommend SpywareInfo to a friend


Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.

Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.

The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459

Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.


Links:

http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist

All material on this web site is copyrighted © 2001-2017 by Mike Healan. All rights reserved.