Whazit Hijack
Updated July 18, 2003 The whazit hijack is installed using ActiveX driveby methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft). Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware. Prevention The latest update of SpywareBlaster can prevent the installation of the Whazit Hijack as well as hundreds of other advertising parasites. Removal There is an uninstaller located at whazit.com, but testing shows that it leaves the hijack intact. Use our method for removal. Download HijackThis and scan. Tick the boxes next to the following entries. Don't worry if you don't see them both. There are several versions of this hijacker.
O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
In your results, look for a particular O2 BHO and tick it for "fixing". The HijackThis listing will be similar to one of these examples, but will not exactly match the file names. The CLSID numbers will be the same: You may also have the following BHOs. Delete those as well: There may also be a toolbar listed in HijackThis similar to the following example. Tick the entry for this as well. The HijackThis listing will be similar to this example, but will not exactly match the file name. The CLSID numbers will be the same: You may also have any of the following entries listed in HijackThis. Tick the box next to any entry that includes "whazit.com".
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com Once all of the above has been selected by "ticking" the box to their left, click the "Fix Checked" button. Open the registry editor (click 'Start', choose 'Run' and enter 'regedit') and delete these registry keys (Note: If you are not comfortable editing your registry, you can safely skip this step)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE Restart the computer and delete the following files:
c:\WINDOWS\fiz1 Most of these files are hidden, so you will need to have Windows set to show hidden files. Follow the directions at windows-help.net if you need instructions on how to do that. These instructions work for all versions of Windows from 98 upwards. The software responsible for this hijack updates frequently. If the instructions above do not work for you, you may be infected with a new variant that we haven't seen yet. Please inform us at the support forums if this is the case so we can update this page and inform the antispyware community. This information located at: http://www.spywareinfoforum.info/articles/whazit/ Links:
http://www.windowsmediasolutions.com/ Windows Media Solutions Inc |
Site Navigation
About SpywareInfo Spyware Search |