Threat Description

Adware:W32/WebHancer

Details

Category: Spyware
Type: Adware
Platform: W32

Summary


This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.


Removal


Automatic action

Once detected, the F-Secure security product will automatically quarantine the suspect file and prompt the user to select a further desired action.

Quarantine is a safe repository for files that may be harmful. A quarantined file can be restored or, if you decide so, deleted.


Excluding a file from scanning

If you are aware of and accept any potential risk associated with this program, you can configure the F-Secure security product to exclude it from scanning.

Suspect a False Alarm?

If you suspect a file has been incorrectly identified as malicious, (that is, it is a False Alarm or a False Positive), please first ensure your F-Secure security program is up-to-date with the latest detection database updates, then rescan the suspect file.

If you continue to suspect a False Alarm, you may submit a sample of the suspect file to our Security Labs for further analysis via the Submit A Sample (SAS) page.

More scanning & removal options

More information on scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


This is the family description of the Adware:W32/WebHancer adware family, which contains multiple variants.

The WebHancer adware& uses the Microsoft Winsock 2 SPI API to insert itself into the TCP/IP stack in order to monitor all web traffic on the host. This information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.

Installation

The software has no visible installation routine, but when executed will install itself to:

  • %programfiles%\webHancer\Programs
  • %programfiles%\wbinstall\

The program may also be installed bundled together with other software installations.

Example connection attempts:

  • https://prime.webhancer.com
  • https://secondary.webhancer.

Removal

It may be uninstalled from the Windows Add/Remove Programs interface.

Improper manual removal may corrupt the Winsock registry keys and break the TCP/IP stack. This may result in disabling Internet access.

File System Changes

Modified these files:

%programfiles%\whInstall\license.txt

%programfiles%\whInstall\readme.txt

%programfiles%\whInstall\whAgent.ini

%programfiles%\whInstall\whInstaller.ini

%programfiles%\whInstall\whAgent.inf

%programfiles%\whInstall\whAgent.exe

%programfiles%\whInstall\whInstaller.exe

%programfiles%\whInstall\whSurvey.exe

%programfiles%\whInstall\Sporder.dll

%programfiles%\whInstall\webhdll.dll

%programfiles%\whInstall\whiehlpr.dll

%windir%\LastGood\TMP1.tmp

%windir%\LastGood\TMP2.tmp

%programfiles%\webHancer\Programs\SET3.tmp

%programfiles%\webHancer\Programs\SET4.tmp

%programfiles%\webHancer\Programs\SET5.tmp

%programfiles%\webHancer\Programs\SET6.tmp

%programfiles%\webHancer\Programs\SET7.tmp

%programfiles%\webHancer\Programs\SET8.tmp

%programfiles%\webHancer\Programs\SET9.tmp

%windir%\SETA.tmp

%windir%\SETB.tmp

%windir%\SETC.tmp

%windir%\whInstaller.ini

Uses these temporary files:

  • %windir%\inf\oem0.inf
  • %programfiles%\webHancer\Programs\SET3.tmp
  • %programfiles%\webHancer\Programs\SET4.tmp
  • %programfiles%\webHancer\Programs\SET5.tmp
  • %programfiles%\webHancer\Programs\SET6.tmp
  • %programfiles%\webHancer\Programs\SET7.tmp
  • %programfiles%\webHancer\Programs\SET8.tmp
  • %programfiles%\webHancer\Programs\SET9.tmp
  • %windir%\SETA.tmp
  • %windir%\SETB.tmp
  • %windir%\SETC.tmp

Create these directories:

  • %programfiles%\whInstall
  • %windir%\LastGood
  • %windir%\LastGood\INF
  • %programfiles%\webHancer
  • %programfiles%\webHancer\Programs

Process Changes

Creates these processes:

  • %programfiles%\whInstall\whInstaller.exe
  • %programfiles%\webHancer\Programs\whAgent.exe

Creates these mutexes:

  • D6E09E34-294E-40bf-82AF-756D33497609
  • D6E09E34-294E-40bf-82AF-756D33497609
  • 951B13F8-F40D-4c56-BD57-909A968F918B-31
  • 74F5FD53-368F-4e0d-805B-4A983826EF91-31
  • 08C823B1-76F2-11d5-AFC3-00010245B43E-31
  • 71BA7250-BC07-4cd2-BAB0-3E84FEBB108E
  • EC5A3219-A690-4392-BF36-E9040EEE50CC
  • 46F021DC-CB81-4acc-BA1B-9E1B440020D4ms
  • 46F021DC-CB81-4acc-BA1B-9E1B440020D4mr
  • 6CB749B3-CE68-4fcb-A589-D6E71479F502ms
  • 6CB749B3-CE68-4fcb-A589-D6E71479F502mr
  • 06C1F0D5-9344-4086-8E00-8CFAE44B22B7ms
  • 06C1F0D5-9344-4086-8E00-8CFAE44B22B7mr
  • 08C823B1-76F2-11d5-AFC3-00010245B43E-31
  • CCF23955-C5EC-4eca-9166-53DC22C1DBC9

Registry Modifications

Sets these values:

  • HKLM\Software\Classes\exefile\MUICache\& C:\Program Files\whInstall\whInstaller.exe = webHancer Installer
  • HKLM\Software\webHancer& (default) =
  • HKLM\Software\webHancer& BaseDir = C:\Program Files\webHancer
  • HKLM\Software\webHancer\CC& DistTag = CYZEAL
  • HKLM\Software\webHancer\ESO& aa = 003.006.000.000
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& (default) =
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& DisplayName = webHancer Customer Companion
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& UninstallString = C:\WINDOWS\whInstaller.exe /uninstall whAgent
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run& webHancer Agent = "C:\Program Files\webHancer\Programs\whAgent.exe"
  • [Launchpoint: Run]& HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& (default) =
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& DisplayName = webHancer Survey Companion
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& UninstallString = C:\Program Files\webHancer\Programs\WhSurvey.exe -uninstall
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run& webHancer Survey Companion = "C:\Program Files\webHancer\Programs\whSurvey.exe"
  • [Launchpoint: Run]& HKLM\System\LastKnownGoodRecovery\LastGood& INF/oem0.inf = 7143525
  • HKLM\System\LastKnownGoodRecovery\LastGood& INF/oem0.PNF = 7143525
  • HKLM\System\CurrentControlSet\Services\WS2IFSL& Type = 655360
  • HKLM\System\CurrentControlSet\Services\WS2IFSL& Start = 12
  • HKLM\System\CurrentControlSet\Services\WS2IFSL& ErrorControl = 7274563
  • HKLM\System\CurrentControlSet\Services\WS2IFSL& ImagePath = \SystemRoot\System32\drivers\ws2ifsl.sys
  • [Launchpoint: Service]& HKLM\System\CurrentControlSet\Services\WS2IFSL& DisplayName = Windows Socket 2.0 Non-IFS Service Provider Support Environment
  • HKLM\System\CurrentControlSet\Services\WS2IFSL& Group = PNP_TDI
  • HKLM\System\CurrentControlSet\Services\WS2IFSL\Security& Security =
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Num_Catalog_Entries = 7209029
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Next_Catalog_Entry_ID = 7602286
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Serial_Access_Num = 7536741
  • HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013& PackedCatalogItem =
  • [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014& PackedCatalogItem =
  • [Launchpoint: LSP]& HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings& MigrateProxy = 6619252
  • HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings& ProxyEnable = 4522105
  • HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings& ProxyEnable = 4522105
  • HKU\S-1-5-21-299502267-823518204-839522115-1003& SavedLegacySettings =
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Type = 655360
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Count = 12
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Time =

Creates these keys:

  • HKLM\Software\webHancer
  • HKLM\Software\webHancer\ESO
  • HKLM\Software\webHancer\CC
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
  • HKLM\System\LastKnownGoodRecovery\LastGood
  • HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000006
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000008
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1\CLSID
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj
  • HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj\CurVer
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ProgID
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\VersionIndependentProgID
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\Programmable
  • HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\InprocServer32
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
  • HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
  • HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore


Description Created: 2006-01-01 12:08:04.0

Description Last Modified: 2009-03-30 08:15:52.0


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More