Adware:W32/WebHancer

Name: Adware:W32/WebHancer
Category: Spyware
Type: Adware
Platform: W32

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Details


File System Changes
Modified these files:

  • %programfiles%\whInstall\license.txt
  • %programfiles%\whInstall\readme.txt
  • %programfiles%\whInstall\whAgent.ini
  • %programfiles%\whInstall\whInstaller.ini
  • %programfiles%\whInstall\whAgent.inf
  • %programfiles%\whInstall\whAgent.exe
  • %programfiles%\whInstall\whInstaller.exe
  • %programfiles%\whInstall\whSurvey.exe
  • %programfiles%\whInstall\Sporder.dll
  • %programfiles%\whInstall\webhdll.dll
  • %programfiles%\whInstall\whiehlpr.dll
  • %windir%\LastGood\TMP1.tmp
  • %windir%\LastGood\TMP2.tmp
  • %programfiles%\webHancer\Programs\SET3.tmp
  • %programfiles%\webHancer\Programs\SET4.tmp
  • %programfiles%\webHancer\Programs\SET5.tmp
  • %programfiles%\webHancer\Programs\SET6.tmp
  • %programfiles%\webHancer\Programs\SET7.tmp
  • %programfiles%\webHancer\Programs\SET8.tmp
  • %programfiles%\webHancer\Programs\SET9.tmp
  • %windir%\SETA.tmp
  • %windir%\SETB.tmp
  • %windir%\SETC.tmp
  • %windir%\whInstaller.ini

Uses these temporary files:

  • %windir%\inf\oem0.inf
  • %programfiles%\webHancer\Programs\SET3.tmp
  • %programfiles%\webHancer\Programs\SET4.tmp
  • %programfiles%\webHancer\Programs\SET5.tmp
  • %programfiles%\webHancer\Programs\SET6.tmp
  • %programfiles%\webHancer\Programs\SET7.tmp
  • %programfiles%\webHancer\Programs\SET8.tmp
  • %programfiles%\webHancer\Programs\SET9.tmp
  • %windir%\SETA.tmp
  • %windir%\SETB.tmp
  • %windir%\SETC.tmp


Creates these directories:

  • %programfiles%\whInstall
  • %windir%\LastGood
  • %windir%\LastGood\INF
  • %programfiles%\webHancer
  • %programfiles%\webHancer\Programs



Process Changes
Creates these processes:

  • %programfiles%\whInstall\whInstaller.exe
  • %programfiles%\webHancer\Programs\whAgent.exe


Creates these mutexes:

  • D6E09E34-294E-40bf-82AF-756D33497609
  • 951B13F8-F40D-4c56-BD57-909A968F918B-31
  • 74F5FD53-368F-4e0d-805B-4A983826EF91-31
  • 08C823B1-76F2-11d5-AFC3-00010245B43E-31
  • 71BA7250-BC07-4cd2-BAB0-3E84FEBB108E
  • EC5A3219-A690-4392-BF36-E9040EEE50CC
  • 46F021DC-CB81-4acc-BA1B-9E1B440020D4ms
  • 46F021DC-CB81-4acc-BA1B-9E1B440020D4mr
  • 6CB749B3-CE68-4fcb-A589-D6E71479F502ms
  • 6CB749B3-CE68-4fcb-A589-D6E71479F502mr
  • 06C1F0D5-9344-4086-8E00-8CFAE44B22B7ms
  • 06C1F0D5-9344-4086-8E00-8CFAE44B22B7mr
  • CCF23955-C5EC-4eca-9166-53DC22C1DBC9



Registry Modifications
Sets these values:

  • HKLM\Software\Classes\exefile\MUICache\
    C:\Program Files\whInstall\whInstaller.exe = webHancer Installer
  • HKLM\Software\webHancer
    (default) =
  • HKLM\Software\webHancer
    BaseDir = C:\Program Files\webHancer
  • HKLM\Software\webHancer\CC
    DistTag = CYZEAL
  • HKLM\Software\webHancer\ESO
    aa = 003.006.000.000
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
    (default) =
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
    DisplayName = webHancer Customer Companion
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
    UninstallString = C:\WINDOWS\whInstaller.exe /uninstall whAgent
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    webHancer Agent = "C:\Program Files\webHancer\Programs\whAgent.exe"
    [Launchpoint: Run]
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
    (default) =
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
    DisplayName = webHancer Survey Companion
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
    UninstallString = C:\Program Files\webHancer\Programs\WhSurvey.exe -uninstall
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    webHancer Survey Companion = "C:\Program Files\webHancer\Programs\whSurvey.exe"
    [Launchpoint: Run]
  • HKLM\System\LastKnownGoodRecovery\LastGood
    INF/oem0.inf = 7143525
  • HKLM\System\LastKnownGoodRecovery\LastGood
    INF/oem0.PNF = 7143525
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    Type = 655360
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    Start = 12
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    ErrorControl = 7274563
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    ImagePath = \SystemRoot\System32\drivers\ws2ifsl.sys
    [Launchpoint: Service]
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    DisplayName = Windows Socket 2.0 Non-IFS Service Provider Support Environment
  • HKLM\System\CurrentControlSet\Services\WS2IFSL
    Group = PNP_TDI
  • HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
    Security =
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
    Num_Catalog_Entries = 7209029
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
    Next_Catalog_Entry_ID = 7602286
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
    Serial_Access_Num = 7536741
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
    PackedCatalogItem =
    [Launchpoint: LSP]
  • HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
    MigrateProxy = 6619252
  • HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable = 4522105
  • HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable = 4522105
  • HKU\S-1-5-21-299502267-823518204-839522115-1003
    SavedLegacySettings =
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
    Type = 655360
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
    Count = 12
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore
    Time =


Creates these keys:

  • HKLM\Software\webHancer
  • HKLM\Software\webHancer\ESO
  • HKLM\Software\webHancer\CC
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
  • HKLM\System\LastKnownGoodRecovery\LastGood
  • HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000006
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000008
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1\CLSID
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj\CurVer
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ProgID
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\VersionIndependentProgID
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\Programmable
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\InprocServer32
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore


Additional Details

This is the family description of the Adware:W32/WebHancer adware family, which contains multiple variants.

The WebHancer adware uses the Microsoft Winsock 2 Service Provider Interface (SPI) to insert itself, as a Layered Service Provider (LSP), into the host's TCP/IP stack so that it can monitor all web traffic on the host. The collected information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.


Installation

The software has no visible installation routine, but when executed it installs itself to:

  • %programfiles%\webHancer\Programs
  • %programfiles%\whInstall\

The program may also be installed bundled together with other software installations.



Example connection attempts:

  • http://prime.webhancer.com
  • http://secondary.webhancer.



Removal

It may be uninstalled from the Windows Add/Remove Programs interface.

Improper manual removal may corrupt the Winsock registry keys and break the TCP/IP stack, which can leave the system without Internet access.
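The following is an added example, not part of the original description or of any vendor tool: a read-only audit of the Winsock 2 provider catalog that the Additional Details section describes WebHancer hooking into, and that the Removal section warns against editing by hand. It assumes an elevated PowerShell session, that each PackedCatalogItem value begins with the provider DLL path as a NUL-padded ANSI string of MAX_PATH (260) bytes, and that 64-bit Windows keeps a second catalog under Catalog_Entries64.

```powershell
# Added example (not from the original description): read-only audit of the
# Winsock 2 provider catalog (Protocol_Catalog9) in which the WebHancer LSP registers.
# Assumptions: run in an elevated PowerShell; each PackedCatalogItem starts with the
# provider DLL path as a NUL-padded ANSI string of MAX_PATH (260) bytes; 64-bit
# Windows keeps a second catalog under Catalog_Entries64.

$catalogBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$system32    = Join-Path $env:SystemRoot 'System32'
$knownBadDll = 'webhdll.dll'   # provider DLL named in the File System Changes list above

function Get-WinsockProviderPath {
    param([byte[]]$Packed)
    if ($null -eq $Packed -or $Packed.Length -lt 260) { return $null }
    # Decode the first MAX_PATH bytes and cut at the first NUL.
    $raw = [System.Text.Encoding]::Default.GetString($Packed, 0, 260)
    return $raw.Split([char]0)[0]
}

$findings = foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
    $parent = Join-Path $catalogBase $sub
    if (-not (Test-Path $parent)) { continue }
    foreach ($entry in Get-ChildItem -Path $parent) {
        $packed = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
        $dll = Get-WinsockProviderPath -Packed $packed
        if (-not $dll) { continue }
        # Expand %SystemRoot%-style references before testing the location.
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        # Legitimate providers (mswsock.dll, rsvpsp.dll, ...) live under System32;
        # anything elsewhere, or the WebHancer DLL by name, deserves a look.
        $suspicious = ($expanded -notlike "$system32\*") -or
                      $expanded.EndsWith($knownBadDll, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Entry      = $entry.PSChildName
            Provider   = $expanded
            Suspicious = $suspicious
            OnDisk     = Test-Path -LiteralPath $expanded   # missing DLL = broken provider chain
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

An entry whose provider is missing on disk is the symptom of the broken TCP/IP stack described above. After uninstalling through Add/Remove Programs, rebuild an inconsistent catalog with the supported `netsh winsock reset` command rather than deleting Catalog_Entries keys by hand.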