Spyware Weekly Newsletter > May 27, 2003
Whazit Hijack

Updated July 18, 2003

The whazit hijack is installed using ActiveX driveby methods from affiliate web sites. Each affiliate is paid $0.14 (USD) for each unique install. Whazit.com is registered to and operated by Windows Media Solutions Inc (no affiliation with Microsoft).

Infected machines may have their start page, search bar, search page, search assistant, customized search, and search URL reset to www.whazit.com/ or home.whazit.com/. A Browser Helper Object and a toolbar are also installed. A new version also bundles and installs nCase spyware.

Prevention

The latest update of SpywareBlaster can prevent the installation of the Whazit Hijack as well as hundreds of other advertising parasites.

Removal

There is an uninstaller located at whazit.com, but testing shows that it leaves the hijack intact. Use our method for removal.

Download HijackThis and scan. Tick the boxes next to the following entries. Don't worry if you don't see them both. There are several versions of this hijacker.
O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
In your results, look for a particular O2 BHO and tick it for "fixing". The HijackThis listing will be similar to one of these examples, but will not exactly match the file names. The CLSID numbers will be the same:

You may also have the following BHOs. Delete those as well:

There may also be a toolbar listed in HijackThis similar to the following example. Tick the entry for this as well. The HijackThis listing will be similar to this example, but will not exactly match the file name. The CLSID numbers will be the same:

You may also have any of the following entries listed in HijackThis. Tick the box next to any entry that includes "whazit.com".
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com

Once all of the above has been selected by "ticking" the box to their left, click the "Fix Checked" button.

Open the registry editor (click 'Start', choose 'Run' and enter 'regedit') and delete these registry keys (Note: If you are not comfortable editing your registry, you can safely skip this step):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE

Restart the computer and delete the following files:
c:\WINDOWS\fiz1

Most of these files are hidden, so you will need to have Windows set to show hidden files. Follow the directions at windows-help.net if you need instructions on how to do that.

These instructions work for all versions of Windows from 98 upwards. The software responsible for this hijack updates frequently. If the instructions above do not work for you, you may be infected with a new variant that we haven't seen yet. Please inform us at the support forums if this is the case so we can update this page and inform the antispyware community.

This information located at: http://www.spywareinfo.com/articles/whazit/

Links:
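The HijackThis step of the removal above can also be run against a saved log. This is an added example, not code from SpywareInfo or HijackThis: it flags entries that reference whazit.com and the WANOBSI Run value named in the article. The sample log and its CLSIDs are constructed placeholders, and known CLSIDs are passed in by the caller because the article's CLSID list is not reproduced on this page.

```python
import re

# HijackThis entries look like "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_VALUE = re.compile(r"Run: \[(?P<name>[^\]]+)\]")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

HIJACK_DOMAIN = "whazit.com"   # indicator from the article
RUN_NAMES = {"wanobsi"}        # O4 Run value named in the article

# Constructed sample log; the CLSIDs and "example" entries are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.whazit.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.example.com/search
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example1.dll
O3 - Toolbar: Example - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\example2.dll
O4 - HKLM\..\Run: [WANOBSI] C:\WINDOWS\WANOBSI.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""


def triage(log_text, clsids=()):
    """Return [(line_no, section_code, reason)] for entries matching the indicators."""
    wanted = {c.upper() for c in clsids}
    hits = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # log header, process list, blank lines
        code, body = m["code"], m["body"]
        run = RUN_VALUE.search(body)
        if HIJACK_DOMAIN in body.lower():
            hits.append((line_no, code, "references whazit.com"))
        elif code == "O4" and run and run["name"].lower() in RUN_NAMES:
            hits.append((line_no, code, "Run value " + run["name"]))
        elif code in ("O2", "O3"):
            # File names vary between versions, so BHOs and toolbars match on CLSID only.
            if {c.upper() for c in CLSID.findall(body)} & wanted:
                hits.append((line_no, code, "known CLSID"))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```
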
http://www.windowsmediasolutions.com/ Windows Media Solutions Inc

Spyblocker
Spyblocker Version 6.3

Many Web sites have ads that are distracting and a drain on bandwidth. Some sites send cookies and other files to your computer. Still others acquire information about you, your machine, and your browsing habits by using single-pixel Web bugs and other methods. SpyBlocker monitors this type of Web activity and allows users to control or block the ads and tracking systems.

But SpyBlocker goes one step further. SpyBlocker strips ads out of ad-supported software, disabling the ad module and tracking capabilities without disabling the functionality of the program until you discover the program is 'spying' and remove it.

Spyblocker is a favorite among the experts who regularly help people out at the SWI support forums. It's a powerful program that can go a long way toward securing your computer from all sorts of malware that can infect you just by browsing the internet (ActiveX drive-by, rogue javascripts, etc). It can even block spyware from calling home if you don't realize you have it installed.

This week, until June 3 2003, you can purchase Spyblocker for 10% off the normal price. Spyblocker Software also makes Settings Sentry, a program that monitors your browser settings in both Internet Explorer and Netscape for alterations made by browser hijackers and drive-by downloaders. If you purchase both Spyblocker and Settings Sentry, Spyblocker is 15% off. Settings Sentry is already priced as low as possible, and with the extra 5% off on Spyblocker, this is a huge bargain for these two exceptional products.

http://www.spywareinfo.com/downloads/spyblocker/ Spyblocker feature page

Firewalls still legal in Tennessee
Last week, I alerted you to a piece of Super DMCA legislation under discussion in Tennessee. Thanks to quick action by opponents of the proposed law, the legislature decided against voting on the matter during this year's session of the General Assembly. You can pull your firewall out of the closet now; you're not an outlaw (not yet anyway).

Of course, this is not the end of the situation and I urge you to visit the Tennessee Digital Freedom Network, one of the chief organizers of online resistance to the proposed law. There is still action that needs to be taken to stop this insanity.

Links:

http://www.spywareinfo.com/newsletter/archives/may-2003/20.php Last week's issue

New.net vs Lavasoft - Some Corrections
I'd like to point out two errors in last week's article about the New.net vs Lavasoft lawsuit, and also one issue that New.net disputes.

* Ad-aware 6 build 160 had problems with all versions of new.net, not just the new version that was released just after the client software became a target.
* Aluria Spyware Eliminator recently stopped detecting new.net.

SpywareInfo regrets the errors.

* Additionally, New.net's president, Dan Sheehy, maintains that his company is not accusing Lavasoft of deliberately programming Ad-aware to break networks during the removal of their software. Having read the complaint, I would say that this could be interpreted either way. Please see points 31 and 40 of New.net's complaint:
Links:
http://www.spywareinfo.com/newsletter/archives/may-2003/20.php#new.net Last week's New.net vs Lavasoft article

HP's Spying Keyboard
There are numerous web sites that will tell you that Hewlett-Packard/Netropa keyboard software contains a spyware (mmkeybd.exe) which calls home to HP with all manner of information. I believe the record needs to be set straight on this. This is not spyware. Some brilliant person at HP thought that it would be a good idea to have the keyboard continually ping an HP server so that the keyboard would know whether or not it needed to light up the LED "online" indicator.
It is understandably alarming to see your keyboard software set off your firewall with repeated attempts to connect to the internet. In this case, it is just a very inefficient way to let you know that you are online, not spyware.

We have enough trouble as it is trying to convince people that spyware is a problem that they should be worrying about. It does us no good whatsoever when a perfectly innocent program is rumored to be spyware.

Links:

http://www.spywareinfo.com/rd/mmkeybd/ Replacement drivers for HP/Netropa keyboards

Subsearch Parasite
Have you ever gone to your favorite search engine to look something up and spotted a mysterious search pane on the side of your browser window? This new search pane offers search results that are similar to what you are searching for, but they don't quite seem to fit. If you have ever noticed this search pane, then chances are you have an advertising parasite known as Subsearch.

SubSearch is a Browser Helper Object from AdScholar.com that integrates into Internet Explorer. It detects when you are using a search engine, and opens its own "enhanced results" sidebar containing results paid for by advertisers. The Subsearch pane changes its appearance to resemble whichever search engine site you are currently on. Subsearch also spawns unwanted pop up windows when Internet Explorer is first opened.

Subsearch is installed in one of two ways. The original variant is installed using ActiveX drive by methods. Once that is installed, a backdoor updater routine downloads and installs newer versions. All of this is done without user intervention, or indeed without the user's knowledge.

In addition, one variant of Subsearch contains a rather serious security vulnerability. According to Andrew Clover of doxdesk.com, "the Subsearch/v2 variant can be directed by any web page to download any file and write it anywhere to the file system, including over other program files which may then get run."

It is highly recommended that you remove this parasite as soon as possible. Spybot S&D can remove Subsearch as of the April 28 update, and Ad-aware can remove it as of its May 2 reference file update.

Links:
http://www.doxdesk.com/parasite/SubSearch.html Doxdesk's SubSearch information page

RSS News Feed
I am proud to announce that SpywareInfo now offers three RSS news feeds. These feeds can be read by those of you with RSS newsreaders and for those who want to include the information on their own web sites. Those of you who visit the Ziff-Davis web site regularly will soon see this news feed there (exactly where on their site, I don't know).

There are three feeds to choose from. They are limited respectively to 5, 10, and 15 items.

http://rss.spywareinfo.com/5.rdf

There are three conditions for anyone who wishes to include these feeds on their own web site:
Links:
http://www.zdnet.com/ Ziff-Davis web site

Evidence Eliminator
Last week, I made a last-minute addition to the feature section stating "Please note that this is Evidence Terminator and not Evidence Eliminator, which would never be featured here". That prompted a few people to ask why I had put it there.

The reason for that is simple. The company that makes Evidence Eliminator is scum. They use advertising tactics that are so disgusting, they make people ill by viewing them. They use javascripts and server-side scripting to display your IP address, reverse DNS, browser type, operating system, referrer information, show you the contents of your hard drive in an I-Frame, and various other tricks to try to convince you that you are under investigation.

They do anything to try to convince you to buy their product RIGHT NOW!!!!! If you don't, they want you to believe that you will go to jail and be assaulted by larger prisoners because of the porn on your computer. See for yourself (the page is random, keep refreshing your browser).

I don't know about the product itself. For all I know, it could be a fine program. At well over $100 per copy, I'm not about to test it to find out. The company that sells it however....... scum, pure scum. Most people agree, as you can see in the message board thread where we were discussing it. And that is why Evidence Eliminator is not recommended at SpywareInfo and why it never will be.

Next week, I will be featuring a program that I strongly recommend which performs the same functions as Evidence Eliminator, only this one will certainly not cost you $100.

Links:
http://www.evidence-eliminator.com/d2w/intro/server.d2w Evidence-Eliminator landing page

Recommend SpywareInfo to a friend
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.

Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000. The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it.

You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459

Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.

Links:
http://www.scotsnewsletter.com Scot Finnie's Newsletter






