This is the family description of the Adware:W32/WebHancer adware family, which contains multiple variants.
The WebHancer adware& uses the Microsoft Winsock 2 SPI API to insert itself into the TCP/IP stack in order to monitor all web traffic on the host. This information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.
Installation
The software has no visible installation routine, but when executed will install itself to:
- %programfiles%\webHancer\Programs
- %programfiles%\wbinstall\
The program may also be installed bundled together with other software installations.
Example connection attempts:
- https://prime.webhancer.com
- https://secondary.webhancer.
Removal
It may be uninstalled from the Windows Add/Remove Programs interface.
Improper manual removal may corrupt the Winsock registry keys and break the TCP/IP stack. This may result in disabling Internet access.
File System Changes
Modified these files:
%programfiles%\whInstall\license.txt
%programfiles%\whInstall\readme.txt
%programfiles%\whInstall\whAgent.ini
%programfiles%\whInstall\whInstaller.ini
%programfiles%\whInstall\whAgent.inf
%programfiles%\whInstall\whAgent.exe
%programfiles%\whInstall\whInstaller.exe
%programfiles%\whInstall\whSurvey.exe
%programfiles%\whInstall\Sporder.dll
%programfiles%\whInstall\webhdll.dll
%programfiles%\whInstall\whiehlpr.dll
%windir%\LastGood\TMP1.tmp
%windir%\LastGood\TMP2.tmp
%programfiles%\webHancer\Programs\SET3.tmp
%programfiles%\webHancer\Programs\SET4.tmp
%programfiles%\webHancer\Programs\SET5.tmp
%programfiles%\webHancer\Programs\SET6.tmp
%programfiles%\webHancer\Programs\SET7.tmp
%programfiles%\webHancer\Programs\SET8.tmp
%programfiles%\webHancer\Programs\SET9.tmp
%windir%\SETA.tmp
%windir%\SETB.tmp
%windir%\SETC.tmp
%windir%\whInstaller.ini
Uses these temporary files:
- %windir%\inf\oem0.inf
- %programfiles%\webHancer\Programs\SET3.tmp
- %programfiles%\webHancer\Programs\SET4.tmp
- %programfiles%\webHancer\Programs\SET5.tmp
- %programfiles%\webHancer\Programs\SET6.tmp
- %programfiles%\webHancer\Programs\SET7.tmp
- %programfiles%\webHancer\Programs\SET8.tmp
- %programfiles%\webHancer\Programs\SET9.tmp
- %windir%\SETA.tmp
- %windir%\SETB.tmp
- %windir%\SETC.tmp
Create these directories:
- %programfiles%\whInstall
- %windir%\LastGood
- %windir%\LastGood\INF
- %programfiles%\webHancer
- %programfiles%\webHancer\Programs
Process Changes
Creates these processes:
- %programfiles%\whInstall\whInstaller.exe
- %programfiles%\webHancer\Programs\whAgent.exe
Creates these mutexes:
- D6E09E34-294E-40bf-82AF-756D33497609
- D6E09E34-294E-40bf-82AF-756D33497609
- 951B13F8-F40D-4c56-BD57-909A968F918B-31
- 74F5FD53-368F-4e0d-805B-4A983826EF91-31
- 08C823B1-76F2-11d5-AFC3-00010245B43E-31
- 71BA7250-BC07-4cd2-BAB0-3E84FEBB108E
- EC5A3219-A690-4392-BF36-E9040EEE50CC
- 46F021DC-CB81-4acc-BA1B-9E1B440020D4ms
- 46F021DC-CB81-4acc-BA1B-9E1B440020D4mr
- 6CB749B3-CE68-4fcb-A589-D6E71479F502ms
- 6CB749B3-CE68-4fcb-A589-D6E71479F502mr
- 06C1F0D5-9344-4086-8E00-8CFAE44B22B7ms
- 06C1F0D5-9344-4086-8E00-8CFAE44B22B7mr
- 08C823B1-76F2-11d5-AFC3-00010245B43E-31
- CCF23955-C5EC-4eca-9166-53DC22C1DBC9
Registry Modifications
Sets these values:
- HKLM\Software\Classes\exefile\MUICache\& C:\Program Files\whInstall\whInstaller.exe = webHancer Installer
- HKLM\Software\webHancer& (default) =
- HKLM\Software\webHancer& BaseDir = C:\Program Files\webHancer
- HKLM\Software\webHancer\CC& DistTag = CYZEAL
- HKLM\Software\webHancer\ESO& aa = 003.006.000.000
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& (default) =
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& DisplayName = webHancer Customer Companion
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent& UninstallString = C:\WINDOWS\whInstaller.exe /uninstall whAgent
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run& webHancer Agent = "C:\Program Files\webHancer\Programs\whAgent.exe"
- [Launchpoint: Run]& HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& (default) =
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& DisplayName = webHancer Survey Companion
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey& UninstallString = C:\Program Files\webHancer\Programs\WhSurvey.exe -uninstall
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run& webHancer Survey Companion = "C:\Program Files\webHancer\Programs\whSurvey.exe"
- [Launchpoint: Run]& HKLM\System\LastKnownGoodRecovery\LastGood& INF/oem0.inf = 7143525
- HKLM\System\LastKnownGoodRecovery\LastGood& INF/oem0.PNF = 7143525
- HKLM\System\CurrentControlSet\Services\WS2IFSL& Type = 655360
- HKLM\System\CurrentControlSet\Services\WS2IFSL& Start = 12
- HKLM\System\CurrentControlSet\Services\WS2IFSL& ErrorControl = 7274563
- HKLM\System\CurrentControlSet\Services\WS2IFSL& ImagePath = \SystemRoot\System32\drivers\ws2ifsl.sys
- [Launchpoint: Service]& HKLM\System\CurrentControlSet\Services\WS2IFSL& DisplayName = Windows Socket 2.0 Non-IFS Service Provider Support Environment
- HKLM\System\CurrentControlSet\Services\WS2IFSL& Group = PNP_TDI
- HKLM\System\CurrentControlSet\Services\WS2IFSL\Security& Security =
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Num_Catalog_Entries = 7209029
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Next_Catalog_Entry_ID = 7602286
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9& Serial_Access_Num = 7536741
- HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013& PackedCatalogItem =
- [Launchpoint: LSP]& HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014& PackedCatalogItem =
- [Launchpoint: LSP]& HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings& MigrateProxy = 6619252
- HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings& ProxyEnable = 4522105
- HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings& ProxyEnable = 4522105
- HKU\S-1-5-21-299502267-823518204-839522115-1003& SavedLegacySettings =
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Type = 655360
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Count = 12
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore& Time =
Creates these keys:
- HKLM\Software\webHancer
- HKLM\Software\webHancer\ESO
- HKLM\Software\webHancer\CC
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
- HKLM\System\LastKnownGoodRecovery\LastGood
- HKLM\System\CurrentControlSet\Services\WS2IFSL\Security
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000006
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000008
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
- HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1
- HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj.1\CLSID
- HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj
- HKLM\Software\Classes\WhIeHelperObj.WhIeHelperObj\CurVer
- HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
- HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\ProgID
- HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\VersionIndependentProgID
- HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\Programmable
- HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}\InprocServer32
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
- HKLM\Software\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
- HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
- HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
- HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
- HKLM\Software\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{C900B400-CDFE-11D3-976A-00E02913A9E0}\iexplore