Your generous donations help keep this site online! Click here to support cexx.org.
Foistware/Spyware: WebHancer


According to the WebHancer website, the purpose of this program is as follows:

"webHancer Customer Companion resides on the end-user's computer, where it transparently monitors Internet performance. webHancer Customer Companion measures overall network/site delay and the performance times experienced by actual end-users."
Infection method:
The majority of users running WebHancer are not aware they are running it, unless they have noticed system side-effects or unusual data transfers from their machine. WebHancer, like "Comet Curse", falls into the category of "everything-installs-it-can't-get-rid-of-it" foistware, with completely unrelated software secretly installing the WebHancer product on the user's system. (Given this, I think the program should be more aptly called "WebCancer" :)  In one of the most user-hostile moves I've seen in a while, the clandestine WebHancer install will alter critical Registry keys relating to Windows Sockets, causing the system's Internet connection capabilities to break if the user dares to try uninstalling the spy. WebHancer's makers claim not to modify system files (which is, technically, true) although they have confirmed that attempting to remove it will break your system.

Removal procedures:
As noted earlier, simply deleting WebHancer files from your system will result in losing your ability to connect to the Internet. WebHancer modifies your Windows Sockets configuration, binding itself to Winsock so that all packets are passed through WebHancer.

WebHancer's suggested removal method is to make sure WebHancer is installed, and remove it using Windows' Add/Remove Software feature as described at the bottom of WebHancer's installation page. If you have already deleted WebHancer components, the company suggests that you download (or get a friend to download, due to the connectivity problem!) their Customer Companion, fully install it, then use Add/Remove Programs to uninstall. 

WebHancer can also be safely removed by pest-removal software such as Spybot Search&Destroy and AD-Aware. These and similar programs are listed on the Pest Removers page.

If you cannot access the Internet and simply need to restore Internet access, try my LSP-Fix program to repair the portion of the registry WebHancer and similar programs like to damage.

Be warned: Although uninstallation can in some cases go off without a hitch, in other cases it is extremely difficult to remove WebHancer completely. This letter from Doug D. explains just such a case.

WebHancer conflict with Microsoft IIS - causes problems with ASP scripts
Problems have been reported when WebHancer installs itself on a Windows 2000 system running IIS. Robert G. writes:

"It causes server script ASP pages to not work at all when the web application settings are in medium and high isolation modes.  The default mode is medium which allows pretty good performance benefits over "low isolation" mode.  WebHancer doesn't seem to cause a problem with ASP pages when using low isolation mode."
The suggested solution is to remove WebHancer and things should work as before. This semi-related MS Knowledge Base article may also be of interest:
Q303379: Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems

WebHancer associated with shdocvw.dll and Explorer errors, and bluescreens
An involuntary WebHancer user reports the following issues after a (failed) removal of WebHancer:

"An error or exception occurred while calling the function "DllInstall" in "C:\WINDOWS\SYSTEM\shdocvw.dll"
"Explorer has caused an error in SHDOCVW.DLL.  Explorer will now close."
Similar error messages referring to SHELL32.DLL.
If anyone has also had this experience, please let me know (especially, if you know how to fix this :)


Other information:
The webhancer process will appear on the Ctrl-Alt-Delete list (Task List) in Windows as Whagent. Any of the following files in your Windows directory indicate a WebHancer infestation:


Removal Instructions from WebHancer admin:
 

From WebHancer:

If you have lost connectivity is this usually a sign of incorrectly removing the customer Companion. To correct this problem, re-install the Customer companion and follow the instructions below to remove.
 

How do I remove it completely?

To remove the agent, Click: START-->SETTING-->CONTROL PANEL

double click on ADD/REMOVE Programs.

scroll down to WEBHANCER AGENT and click ADD/REMOVE.

1. In your Windows (Winnt) directory, you can delete these files as well, as they are dll's and files used only by the our agent:
sporder.dll*
webhdll.dll
whagent.inf
whInstaller.exe
whInstaller.ini

2. Delete the WebHancer folder in the Program Files directory. (If you get a sharing violation on the wbhshare.dll its because its been loaded, you'll need to reboot before deleting this directory).

3. Delete all the files out of you temp directory (most likely c:\temp). These files were put here temporarily during installation.

atlansi.dll
atlunicode.dll
license.txt
regwebh.dll
sporder.dll
wbhshare.dll
webhdll.dll
whAgent.exe
whAgent.inf
whAgent.ini
whiedc.dll
whiehlpr.dll
whiehlpr.ini
whieshm.dll
whInstaller.exe
whInstaller.ini

A Caution
Andreas M. reports that some Webhancer installations coming along with other programs do not uninstall properly, even causing the Internet connection problems mentioned. The solution is to install the stand-alone version from WebHancer's web site (ugggh), then remove it using Add/Remove Programs. Again, you can also use AD-Aware to safely remove Webhancer.

IMPORTANT: If you are experiencing problems with WebHancer spyware or its removal, please contact WebHancer support for assistance, either by emailing their tech support or contacting by phone at (613) 721-7747 (beware--NOT a toll-free call). I'm not a technical support provider for WebHancer or other spyware vendors, and what is on this Web site is really about all the information I have. If you cannot resolve your problem with WebHancer, email me and I will try to help--but please try it through them first! Thanks.

* Note: This file (Service Provider Ordering DLL) may be installed by other applications as well. If in doubt as to what installed it, leave it alone or rename instead of deleting.
 

Up (Adware)
HomeE-mailCopyrights and Disclaimers



 

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)