Adware:W32/WebHancer

Name: Adware:W32/WebHancer
Category: Spyware
Type: Adware
Platform: W32

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Details


File System Changes
Modified these files:

%programfiles%\whInstall\license.txt
%programfiles%\whInstall\readme.txt
%programfiles%\whInstall\whAgent.ini
%programfiles%\whInstall\whInstaller.ini
%programfiles%\whInstall\whAgent.inf
%programfiles%\whInstall\whAgent.exe
%programfiles%\whInstall\whInstaller.exe
%programfiles%\whInstall\whSurvey.exe
%programfiles%\whInstall\Sporder.dll
%programfiles%\whInstall\webhdll.dll
%programfiles%\whInstall\whiehlpr.dll
%windir%\LastGood\TMP1.tmp
%windir%\LastGood\TMP2.tmp
%programfiles%\webHancer\Programs\SET3.tmp
%programfiles%\webHancer\Programs\SET4.tmp
%programfiles%\webHancer\Programs\SET5.tmp
%programfiles%\webHancer\Programs\SET6.tmp
%programfiles%\webHancer\Programs\SET7.tmp
%programfiles%\webHancer\Programs\SET8.tmp
%programfiles%\webHancer\Programs\SET9.tmp
%windir%\SETA.tmp
%windir%\SETB.tmp
%windir%\SETC.tmp
%windir%\whInstaller.ini

Uses these temporary files:

  •   %windir%\inf\oem0.inf
  •   %programfiles%\webHancer\Programs\SET3.tmp
  •   %programfiles%\webHancer\Programs\SET4.tmp
  •   %programfiles%\webHancer\Programs\SET5.tmp
  •   %programfiles%\webHancer\Programs\SET6.tmp
  •   %programfiles%\webHancer\Programs\SET7.tmp
  •   %programfiles%\webHancer\Programs\SET8.tmp
  •   %programfiles%\webHancer\Programs\SET9.tmp
  •   %windir%\SETA.tmp
  •   %windir%\SETB.tmp
  •   %windir%\SETC.tmp


Creates these directories:

  •   %programfiles%\whInstall
  •   %windir%\LastGood
  •   %windir%\LastGood\INF
  •   %programfiles%\webHancer
  •   %programfiles%\webHancer\Programs



Process Changes
Creates these processes:

  •   %programfiles%\whInstall\whInstaller.exe
  •   %programfiles%\webHancer\Programs\whAgent.exe


Creates these mutexes:




Registry Modifications
Sets these values:

  •  HKLM\Software\Classes\exefile\MUICache\
        C:\Program Files\whInstall\whInstaller.exe = webHancer Installer
  •  HKLM\Software\webHancer
        (default) =
  •  HKLM\Software\webHancer
        BaseDir = C:\Program Files\webHancer
  •  HKLM\Software\webHancer\CC
        DistTag = CYZEAL
  •  HKLM\Software\webHancer\ESO
        aa = 003.006.000.000
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
        (default) =
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
        DisplayName = webHancer Customer Companion
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
        UninstallString = C:\WINDOWS\whInstaller.exe /uninstall whAgent
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        webHancer Agent = "C:\Program Files\webHancer\Programs\whAgent.exe"
        [Launchpoint: Run]
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
        (default) =
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
        DisplayName = webHancer Survey Companion
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
        UninstallString = C:\Program Files\webHancer\Programs\WhSurvey.exe -uninstall
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        webHancer Survey Companion = "C:\Program Files\webHancer\Programs\whSurvey.exe"
        [Launchpoint: Run]
  •  HKLM\System\LastKnownGoodRecovery\LastGood
        INF/oem0.inf = 7143525
  •  HKLM\System\LastKnownGoodRecovery\LastGood
        INF/oem0.PNF = 7143525
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        Type = 655360
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        Start = 12
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        ErrorControl = 7274563
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        ImagePath = \SystemRoot\System32\drivers\ws2ifsl.sys
        [Launchpoint: Service]
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        DisplayName = Windows Socket 2.0 Non-IFS Service Provider Support Environment
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL
        Group = PNP_TDI
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
        Security =
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
        Num_Catalog_Entries = 7209029
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
        Next_Catalog_Entry_ID = 7602286
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
        Serial_Access_Num = 7536741
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
        PackedCatalogItem =
        [Launchpoint: LSP]
  •  HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
        MigrateProxy = 6619252
  •  HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
        ProxyEnable = 4522105
  •  HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings
        ProxyEnable = 4522105
  •  HKU\S-1-5-21-299502267-823518204-839522115-1003
        SavedLegacySettings =
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
        Type = 655360
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
        Count = 12
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
        Time =


Creates these keys:

  •  HKLM\Software\webHancer
  •  HKLM\Software\webHancer\ESO
  •  HKLM\Software\webHancer\CC
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
  •  HKLM\System\LastKnownGoodRecovery\LastGood
  •  HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000006
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000008
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
  •  HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
  •  HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1
  •  HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1\CLSID
  •  HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj
  •  HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj\CurVer
  •  HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  •  HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ProgID
  •  HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\VersionIndependentProgID
  •  HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\Programmable
  •  HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\InprocServer32
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
  •  HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
  •  HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
  •  HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
  •  HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
  •  HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore


Additional Details

This is the family description of the Adware:W32/WebHancer adware family, which contains multiple variants.

The WebHancer adware uses the Microsoft Winsock 2 SPI API to insert itself into the TCP/IP stack in order to monitor all web traffic on the host. This information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.


Installation

The software has no visible installation routine, but when executed will install itself to:

  •  %programfiles%\webHancer\Programs
  •  %programfiles%\wbinstall\

The program may also be installed bundled together with other software installations.


Example connection attempts:

  •  http://prime.webhancer.com
  •  http://secondary.webhancer.


Removal

It may be uninstalled from the Windows Add/Remove Programs interface.

Improper manual removal may corrupt the Winsock registry keys and break the TCP/IP stack. This may result in disabling Internet access.