Webhancer

Category: Adware and PUAs Protection available since:24 Feb 2006 00:00:00 (GMT)
Type: Adware Last Updated:21 Mar 2013 20:36:50 (GMT)

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Webhancer is a browser plugin application which monitors internet sessions and reports browsing habits to remote locations.

Webhancer is a browser plugin application which monitors internet sessions and reports browsing habits to remote locations.

The default installation folders are:
<Program Files>\whInstall
<Program Files>\webHancer

When Webhancer is installed the following files are created:

<Program Files>\webHancer\Programs\license.txt
<Program Files>\webHancer\Programs\readme.txt
<Program Files>\webHancer\Programs\sporder.dll
<Program Files>\webHancer\Programs\whagent.exe
<Program Files>\webHancer\Programs\whiehlpr.dll
<Program Files>\webHancer\Programs\whsurvey.exe
<Program Files>\webHancer\Programs\webhdll.dll
<Program Files>\webHancer\Programs\whinstaller.exe
<Program Files>\webHancer\Programs\whagent.ini
<Program Files>\webHancer\Programs\whSurvey.ini
<Program Files>\whInstall\license.txt
<Program Files>\whInstall\readme.txt
<Program Files>\whInstall\whAgent.ini
<Program Files>\whInstall\whAgent.exe
<Program Files>\whInstall\whInstaller.exe
<Program Files>\whInstall\whSurvey.exe
<Program Files>\whInstall\Sporder.dll
<Program Files>\whInstall\webhdll.dll
<Program Files>\whInstall\whiehlpr.dll

Note: sporder.dll is a legitimate library DLL.

Webhancer sets the following registry entries in order to run whAgent.exe and whSurvey.exe automatically each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
webHancer Agent
"<Program Files>\webHancer\Programs\whAgent.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
webHancer Survey Companion
"<Program Files>\webHancer\Programs\whSurvey.exe

The following registry entries are also set:

HKLM\SOFTWARE\Webhancer
<several entries>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
<several entries>

The whiehlpr.dll file is registered as a Browser Helper Object (BHO) thereby creating the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(C900B400-CDFE-11D3-976A-00E02913A9E0)

Note: DLLs registered as BHOs are loaded automatically each time Microsoft Internet Explorer is launched and remain active in memory until Internet Explorer is terminated.

The file webhdll.dll is registered as a layered service provider (LSP), creating and modifying registry entries in the Winsock 2 system configuration database under:

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\

Note: the LSP chain should only be repaired by experienced individuals or under expert guidance.

download Try Sophos products for free
Download now