Whazit

When I scanned a Windows 2000 system with Bazooka Adware and Spyware Scanner on September 13, 2005, it reported the presence of MediaLoads and Whazit.

The Kephyr website provided the following overview of Whazit, which was obtained from SpywareInfo:

"The whazit hijack is installed using ActiveX driveby methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft). Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware."

The Kephyr "Whazit - removal instructions" webpage lists steps for removing Whazit, which differ somewhat from the removal instructions offered on the SpywareInfo removal instructions webpage.

The Kephyr removal instructions state one should look for ten different registry entries and delete any that are found, but I didn't see any of the ones listed when I searched the registry with regedit.

The Kephyr removal instructions state one should remove the following files:

%WinDir%\whattn.dll
%WinDir%\whattt.dll
%WinDir%\newones.dll
%WinDir%\whattt.dll
%WinDir%\HYKFRETI.dll
%WinDir%\bho.dll
%WinDir%\outones.dll

%WinDir% is an environment variable that expands to the Windows directory. By default, this is C:\Windows on Windows 95, 98, Me, and XP systems and C:\WINNT on Windows NT and 2000 systems. You can find the value of the variable by issuing the command echo %WINDIR% at a command prompt. In this particular case, the system is running Windows 2000, so the directory was C:\WINNT. In that directory I found only one of the files, outones.dll.

Right-clicking on the file and choosing "Properties" showed the following information:

Name: outones.dll
Location: C:\WINNT
Size: 56.0 KB (57,346 bytes)
Created: Wednesday, July 2, 2003
Company Name: Young Dynamic Software
Internal Name: outones
Language: English (United States)
OLESelfRegister: (no value shown)
Original Filename: outones.dll
Product Name: whazitreder
Product Version: 1.00

The Kephyr Whazit webpage indicated that Whazit installs a Browser Helper Object (BHO), but when I installed BHODemon 2.0, the only BHOs it found were one associated with Acrobat and one associated with Spybot Search & Destroy. A doxdesk webpage links outones.dll to a Whazit/Whattt BHO, stating "Whazit/Whattt uses one BHO called 'whattt.dll' along with another called either 'outones.dll' or 'newones.dll'." So perhaps outones.dll was a remnant from a previous removal of Whazit on this system. When I deleted the outones.dll file and rescanned the system with Bazooka, it no longer reported Whazit, but still reported MediaLoads.

Download outones.dll for analysis:

File              Size   MD5 sum
outones.dll       56K    e284b3207b9c02f8caa18aab165baf36
Zipped version    18K    7fdfcdc414d31d768dd1b0f3cc815c49

I created a batch file, Whazit-File-Removal.bat, to remove the files Kephyr's site indicates are associated with this malware, and a registry file, Whazit-Registry-Removal.reg, to remove the registry entries associated with Whazit according to the Kephyr site.

To use the registry file to remove the pertinent registry entries, download Whazit-Registry-Removal.reg and double-click on the file. When asked "Are you sure you want to add the information in WHAZIT~1.REG to the registry?", click on "Yes". You will then see "Information in WHAZIT~1.REG has been successfully entered into the registry." Click on "OK". Though the message asks about adding information to the registry, in this case registry keys are actually being deleted, not added: a .reg file deletes a key when the bracketed key name begins with a hyphen, and regedit describes merging any .reg file as adding information regardless. After removing the registry entries, reboot the system into Safe Mode and run the batch file.

To run the batch file, download it, open a command prompt, change to the directory where you downloaded it, and type the file name, Whazit-File-Removal.bat. Though Kephyr's website indicates bho.dll may be found in %WINDIR%, Kephyr's Bazooka Scanner will report the presence of Whazit if it finds bho.dll in %WINDIR%\System32. The batch file checks for bho.dll in both %WINDIR% and %WINDIR%\System32. After running the batch file, reboot normally.
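For readers who would rather build their own cleanup script than download one, here is an added example of a batch file that performs the file-removal step described above. It is written for this page and is not the Whazit-File-Removal.bat the author distributes. It assumes only what the text already states: the file names come from the Kephyr list, and bho.dll is additionally checked in %WINDIR%\System32 because Bazooka looks for it there. The /list switch is an added convenience for previewing what would be deleted.

```batch
@echo off
rem Example Whazit file-removal script (added example; not the author's
rem Whazit-File-Removal.bat). Run from Safe Mode after the registry
rem entries have been removed, then reboot normally.
rem
rem Usage:  whazit-clean.bat         delete any of the listed files found
rem         whazit-clean.bat /list   only report which files are present
rem
rem Assumption: the file list is the one from Kephyr's removal page;
rem bho.dll is also checked under System32 because Bazooka flags it there.

setlocal
set DRYRUN=0
if /i "%1"=="/list" set DRYRUN=1

rem Files Kephyr lists under %WinDir%
for %%F in (whattn.dll whattt.dll newones.dll HYKFRETI.dll bho.dll outones.dll) do call :check "%WINDIR%\%%F"

rem Extra location Bazooka reports for bho.dll
call :check "%WINDIR%\System32\bho.dll"

endlocal
goto :eof

:check
if not exist %1 (
    echo not present: %1
    goto :eof
)
echo FOUND:       %1
if "%DRYRUN%"=="1" goto :eof

rem Clear read-only/hidden/system attributes first; DEL skips such files.
attrib -r -h -s %1
del /f %1
if exist %1 (
    echo   could not delete %1 -- it may still be loaded; retry from Safe Mode
) else (
    echo   deleted %1
)
goto :eof
```

Running it once with /list before the real pass gives the same "found / not present" report without touching anything, which is a useful record to keep alongside the Bazooka scan results. If a file cannot be deleted even in Safe Mode, a BHO that loads it is probably still registered, so the registry step should be revisited before trying again.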

Download bho.dll, which was installed on a Windows 2000 system on October 3, 2005, for analysis:

File              Size   MD5 sum
bho.dll           168K   22a7ca82a0065eb2505a1e9da6194a99
Zipped version    75K    f99fa47e75500dad0a6b662dd2651ed8

References:

  1. Whazit - Removal instructions
  2. SpywareInfo > Whazit Hijack
  3. doxdesk.com: Whazit