|
What is Whazit ?
Whazit is an Internet Explorer toolbar and home-/search-/error- page hijacker pointed at its controlling server whazit.com. It may download from the Internet and install certain adware parasites such as nCase without asking for user permission. Some versions of WHAZIT also install the nCase parasite.
Whazit variants
Whazit/bho is an early version, always stored under the filename 'bho.dll' in
the Windows folder.
Whazit/Rnd is similar to the bho variant, but uses random eight-letter filenames.
Whazit/Whattt uses one BHO called 'whattt.dll' along with another called either
'outones.dll' or 'newones.dll'.
Whazit/Whattn uses 'whattn.dll', and may still have the 'newones.dll' left
over
Whazit behavior
- Stealth Tactics
- Shows ads
- Changes browser
- Stays Resident
Whazit Removal Instructions:
In the Whazit/Whattt variant, there may be an entry in the Control Panel's Add/Remove Programs feature for 'whazit tools'.
bho variant
Open a DOS command prompt window (from Start->Programs->Accessories), and
enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\bho.dll"
Restart the computer and you should be able to delete the file bho.dll from
the Windows folder.
Rnd variant
First, you need to find out what the name of the file is. It will be inside
the Windows folder, in capitals letters, eight letters long with the extension
.DLL. If you can't find it by looking, try looking in the registry (from Start->Run->regedit)
and opening the key HKEY_CLASSES_ROOT\CLSID\.
Click the 'InProcServer32' subkey and the '(Default)' value on the right should
tell you the filename.
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands, replacing the XXXXXXXX with the relevant letters:
cd "%WinDir%\System"
regsvr32 /u "..\XXXXXXXX.DLL"
Restart the computer and you should be able to delete this file.
Whattt variant
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\whattt.dll"
regsvr32 /u "..\outones.dll"
regsvr32 /u "..\newones.dll"
(one of the latter two commands should generate an error, because normally only
one of the files outones.dll and newones.dll is present at a time.)
Restart the machine and you should be able to delete the whattt.dll and outones.dll/newones.dll
files from the Windows folder.
Whattn variant
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\whattn.dll"
regsvr32 /u "..\newones.dll"
Restart the machine and you should be able to delete the whattn.dll and newones.dll
files from the Windows folder.
All variants
Having removed the software, you can now reset your home page (from Internet
Options->General->Start page) and search pages (from Internet Options->Programs->Reset
Web Settings). You can also open the registry (Start->Run->regedit) and
delete the key HKEY_LOCAL_MACHINE\Software\wms to clean up if you like. Finally,
open Downloaded Program Files in the Windows folder, and delete the entry
if you have it.
Copyright ©
SpywareDot 2002-2005| spywaredot.com. All rights reserved.
|
