"The whazit hijack is installed using ActiveX driveby methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft). Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware."
The Kephyr removal instructions state one should look for ten different registry entries and delete any of them that are found, but I didn't see any of the ones listed when I searched the registry with regedit.
The Kephyr removal instructions state one should remove the following files:
%WinDir% is an environment variable. By default, it is C:\Windows on Windows 95, 98, Me, and XP systems and C:\WINNT on Windows NT and 2000 systems. You can find its value on a given system by issuing the command echo %WINDIR% at a command prompt. In this particular case, the system is running Windows 2000, so the directory was C:\WINNT. In that directory I found only one of the files,
Right-clicking on the file and choosing "Properties" showed the following information:
Size: 56.0 KB (57,346 bytes)
Created: Wednesday, July 2, 2003
Company Name: Young Dynamic Software
Language: English (United States)
The Kephyr Whazit webpage indicated that Whazit installs a Browser Helper Object (BHO), but when I installed BHODemon 2.0, the only BHOs it found were one associated with Acrobat and one associated with Spybot Search & Destroy. A Doxdesk webpage links outones.dll to a Whazit/Whattt BHO, stating "Whazit/Whattt uses one BHO called ‘whattt.dll’ along with another called either ‘outones.dll’ or ‘newones.dll’." So perhaps outones.dll was a remnant from a previous removal of Whazit on this system. When I deleted the outones.dll file and rescanned the system with Bazooka, it no longer reported Whazit, but it still reported MediaLoads.
Download outones.dll for analysis:
I created a batch file, Whazit-File-Removal.bat, to remove the files Kephyr's site indicates are associated with this malware, and a registry file, Whazit-Registry-Removal.reg, to remove the registry entries associated with Whazit according to the Kephyr site.
To use the registry file to remove the pertinent registry entries, download Whazit-Registry-Removal.reg and double-click on the file. When asked "Are you sure you want to add the information in WHAZIT~1.REG to the registry?", click on "Yes". You will then see "Information in WHAZIT~1.REG has been successfully entered into the registry." Click on "OK". (WHAZIT~1.REG is simply the 8.3 short form of the file name that regedit displays.) Though the message asks about adding information to the registry, in this case registry keys are being deleted, not added: regedit shows the same prompt for every .reg file it merges, and a .reg file deletes a key when the key name inside the brackets is prefixed with a minus sign. You can confirm the result afterwards by opening regedit and checking that the listed keys are gone. After removing the registry entries, reboot the system into safe mode and run the batch file.
To run the batch file, download it, open a command prompt, change to the directory where you downloaded it, and type the file name, Whazit-File-Removal.bat. Though Kephyr's website indicates bho.dll may be found in %WINDIR%, Kephyr's Bazooka Scanner reports the presence of Whazit if it finds bho.dll in %WINDIR%\System32. The batch file therefore checks for bho.dll in both %WINDIR% and %WINDIR%\system32. Running it from safe mode matters because a DLL that is loaded as a BHO into a running Internet Explorer or Explorer process cannot be deleted until that process is gone. After running the batch file, reboot normally.
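As an added illustration (this is not the author's Whazit-File-Removal.bat, which is not reproduced on this page), the following batch file shows the approach the procedure above describes: check each candidate file in both %WINDIR% and %WINDIR%\system32, clear its attributes, delete it, and report when the delete fails because the DLL is still loaded. The file list is an assumption assembled from the names mentioned on this page and in the Doxdesk note (bho.dll, outones.dll, newones.dll, whattt.dll); it is not Kephyr's list, and the names should be adjusted to whatever Kephyr's current instructions give.

```batch
@echo off
rem Added example of a Whazit file-removal batch file; it is not the
rem Whazit-File-Removal.bat referred to on this page. Run it from Safe Mode
rem so that no copy of a listed DLL is loaded in a running process, because
rem Windows will not delete an image file that is in use.
setlocal

rem Directories to check. The page notes that bho.dll may be found in either
rem %WINDIR% or %WINDIR%\system32, so every name is checked in both.
set DIRS="%WINDIR%" "%WINDIR%\system32"

rem ASSUMPTION: these are the file names mentioned on this page and in the
rem Doxdesk note, not Kephyr's official list. Adjust to Kephyr's instructions.
set FILES=bho.dll outones.dll newones.dll whattt.dll

set DELETED=0
set FAILED=0

for %%d in (%DIRS%) do (
  for %%f in (%FILES%) do (
    if exist "%%~d\%%f" (
      echo Found %%~d\%%f
      rem Clear read-only, system and hidden attributes so del is not refused.
      attrib -r -s -h "%%~d\%%f"
      del /f /q "%%~d\%%f"
      if exist "%%~d\%%f" (
        echo   Could not delete %%~d\%%f - it is probably still loaded. Reboot into Safe Mode and rerun.
        set /a FAILED+=1
      ) else (
        echo   Deleted %%~d\%%f
        set /a DELETED+=1
      )
    )
  )
)

echo Deleted %DELETED% files, %FAILED% could not be deleted.
echo Reboot normally, then rescan with Bazooka to confirm Whazit is gone.
endlocal
```

Run it from a command prompt in Safe Mode exactly as the procedure describes; the summary line tells you whether any file survived the delete, which is the usual sign that the DLL was still loaded and the machine was not actually in Safe Mode.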
Download bho.dll, which was installed on a Windows 2000 system on October 3, 2005, for analysis: