Jump to content
Blue452

Adware.WebHancer

Recommended Posts

I scanned my computer this morning and below is a copy of my log. It says I have 4 infections.

The files are now in quarantine. Are they false positive or real? After your determination, please let me know what I should do next?

I have a HP computer with the following: XP SP3, IE8, and NIS 2010.

Malwarebytes' Anti-Malware 1.44

Database version: 3917

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/26/2010 7:36:52 AM

mbam-log-2010-03-26 (07-36-52).txt

Scan type: Full Scan (C:\|D:\|L:\|)

Objects scanned: 279979

Time elapsed: 2 hour(s), 0 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Welcome to the club. You're the third person who has had these scan result. Amethyst and I had previously posted about this, but haven't really gotten a response.

Share this post


Link to post
Share on other sites
Welcome to the club. You're the third person who has had these scan result. Amethyst and I had previously posted about this, but haven't really gotten a response.

Share this post


Link to post
Share on other sites

The file C:\Windows\Web\Wallpaper\welcome\AWhelper.dll reported by MB as infected by WebHancer has a modification date of 08/12/03 and a creation date of 03/29/06 (build date). Can malware insert itself into a file and not be re-written which would show the date of insertion? Windy I know but, wanted to be clear.

I also ran SuperAntispyware, Spybot SD, AVG AV, and Sophos Antirootkit w/o infection detection.

Share this post


Link to post
Share on other sites

Did it and out of 20, 2 (Kaspersky and F-Secure) found:

"not-a-virus:AdWare.Win32.WebHancer.x" and 18 found no problem.

Should I be concenred? Btw, I did not elect to repair until I was sure. Heard about too many nightmares concerning effects on O.S. (Windows XP SP3 crits up to date in my case).

Thanks for suggestion, any more?

Share this post


Link to post
Share on other sites

Ok, we must wait for the Malwarebytes' Anti-Malware expert team.

MAM

Share this post


Link to post
Share on other sites

WebHancer adware uses the Microsoft Winsock 2 SPI API to insert itself into the TCP/IP stack in order to monitor all web traffic on the host. This information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.

This program delivers advertising content to the user. In my opinion it should be removed.

Read about WebHancer

Share this post


Link to post
Share on other sites
WebHancer adware uses the Microsoft Winsock 2 SPI API to insert itself into the TCP/IP stack in order to monitor all web traffic on the host. This information is then relayed to the WebHancer server(s). Monitored traffic details include visited websites, browser type and other statistics.

This program delivers advertising content to the user. In my opinion it should be removed.

Read about WebHancer

Share this post


Link to post
Share on other sites

Are you suggesting that this file, C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll", which according to Windows Explorer was created on build date 03/29/06 and has not been modified since 01/12/03 (Windows original release date I presume), was infected by WebHancer adware? IOW a file can be written to by means other than the Windows file system? AW does seem to imply Ad Ware helper. Is MS in cahoots with these bandits?

If this file is really part of the MS release, it seems to me that removing it could be risky, no?

An aside; I have been running Malwarebytes for over two years and this is the very 1st time it has caught any malware on my system.

Share this post


Link to post
Share on other sites

Sorry, I should have looked at it's properties. Company unknown, copyright 2003. Could be anybody's baby but it was created on the build date.

Share this post


Link to post
Share on other sites

@budro,

I had promised myself I wouldn't say anymore about this, but here goes anyways. :)

First, please understand that I make no claims to be any sort of malware expert. The only reason that 'honorary' thing is beside my user name is because I've posted a certain number of times, that's all. :)

I have posted on 2 thread re this issue:

http://forums.malwarebytes.org/index.php?showtopic=43944

http://forums.malwarebytes.org/index.php?showtopic=44051

As you can see, I've been back and forth on how I, personally, have decided to handle this file on my own computer.

As I've stated on other threads, the only time I get a detection with this file is when I run SuperAntispyware...or a full scan with MWB. I run quick scans with both once a day, generally.

I've googled the file, I've found both advice to get rid of it and advice that it is a false positive.

Leaving just the .dll in MWB's ignore list, the protection log still made a note of whenever that file was 'detected'. The ONLY time it is ever detected is when I do a quick scan with SuperAntispyware. If I remove the .dll from MWB's 'ignore' list, the only time a detection alert pops up is either if I navigate to the .dll using Windows explorer or if I run a quick scan with SuperAntispyware. MWB then stalls the scan when SAS is scanning the registry, oddly enough. The MWB popup mentions the .dll, however, not the registry. If I rt click scan awhelper.dll with SAS, MWB will detect awhelper.dll. At no other time is awhelper.dll ever detected as performing any action whatsoever in my system.

As it stands right now, I did have the related registry entries on MWB's ignore list, along with awhelper.dll. I have since removed all of the items from the ignore list so MWB should pop up an alert if there is any action with the .dll or the registry entries. When I run a SAS quick scan, I disable MWB's protection first so it is not stalling the scan. When I check MWB's protection log, it still logs a detection of awhelper.dll and says it was 'allowed' during the time of the SAS scan. When SAS is finished, I turn MWB's active protection back on. A MWB quick scan doesn't pick up any malware.

Webhancer does, indeed, look like something a person would not want on their computer, but I am not convinced 100% that awhelper.dll is actually related to Webhancer. I have read the material at the link njustice provided (thank you, njustice!), and awhelper.dll doesn't show up on that list, nor does that file path. But I make no claims to being a malware expert.

I am concerned about mucking about with the registry, which is why I am so hesitant to act on this unless I am sure it won't cause any adverse effects.

So far, Kaspersky thinks awhelper.dll is suspicious, as does F-Secure and VirRobot. And now MWB as well.

I am continuing to watch this situation, and MWB is watching awhelper.dll so I will know if it starts doing anything. If it becomes active, MWB will alert me and then I'll deal with it accordingly.

Share this post


Link to post
Share on other sites

Thank you much for your thorough response. This just aggrivated me because I am very conscientious when it comes to staying up to date with my security s/w and run sweeps 1 to 2 times a week. Again after using MWB for over 2 years, this is the 1st time I've been infected and it burns me up!

I decided to run MWB once again and this time, in addition to the AWhelper.dll file, it found two of my Windows system restore files infected which it didn't 3 hours ago. ARGH!!!

Thanks once again for responding.

I give up, I hate it but, I'll just leave em alone for now. I also hate that it found registry infections which I've never had before today. Obviously this is due to the latest DB update (3922), which happened to be 4.365 MB. Again ARGH!!!

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken.

Share this post


Link to post
Share on other sites

Thank you to all you who have responded to this thread.

"Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully."

As you can see, currently these items are in quarantine. After reading the responses, I'm still not sure what to do. Should I leave them in quarantine for now, delete them permanently or restore them? I depend on experts on this forum for advice since my experience is more of a novice/beginner.

HP computer

XP, SP3

IE8

Share this post


Link to post
Share on other sites

I neglected to thank njustice for the link as well. Following the advice in the link, I did not find any trace of WebHancer or it's residual files on my system.

Share this post


Link to post
Share on other sites

One more time Amethyst. I just ran another Full and A Quick scan with SAS and both found no malware adware or spyware. Ok i'll be quiet till we here something from the MAB folks.

Share this post


Link to post
Share on other sites
One more time Amethyst. I just ran another Full and A Quick scan with SAS and both found no malware adware or spyware. Ok i'll be quiet till we here something from the MAB folks.

I had the same thing come up today HP computer here is the log. I moved it to Quarantine. It doesn't seem to effect anything..44

Database version: 3923

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

3/28/2010 12:20:28 PM

mbam-log-2010-03-28 (12-20-28).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 269421

Time elapsed: 1 hour(s), 29 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0000767.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

I re-read my last post. I meant by "one more time", that I am trying to limit my posts.lol

Hope MWB folks have an answer soon.

Share this post


Link to post
Share on other sites

OK, here's my "real" question/concern:

Can any type of system intrusion modify or replace an existing file or even place a new one onto the file system and not have the "modified/created" date stamp reflect this operation?

My reasoning for asking this is, why has MWB suddenly determined AWhelper.dll? This file has a modified date (08/12/2003) which I presume to be the original WinXP OS HP creation date and (03/29/2006) which is my "system reinstall" date.

I hope at this point I have not overstayed my welcome here but, here's something interesting. The Web folder has a creation/modified date of 11/14/2005 but, the Wallpaper subfolder has the same creation date but a modified date 01/02/2009 and yet neither the Welcome subfolder or it's contents nor any of the windows wallpaper files have a modified date beyond 03/29/2006. Is this not right or am I missing something.

Please don't shoot the messenger. Thanks

Share this post


Link to post
Share on other sites

I didn't finish the sentence; why has MWB suddenly determined AWhelper.dll to be adware infected....

Did they follow Kaspersky and F-Secure?

Share this post


Link to post
Share on other sites
Okay having the same as most of you and when told to remove them they just repeated themselves the following day with acting out in freezing webpages to pop-ups to topics being written and destroyed right in front of me without deleting/ totally weird..anyone with an answer yet

So what is the final answer on this? Is this a false positive?

Share this post


Link to post
Share on other sites

Nothing had changed on my computer re the behavior of awhelper.dll since I last posted on this thread. This evening, I checked it again at virustotal, and things are looking less favorable.

http://www.virustotal.com/analisis/bd7ee0e4ec169250aa2a6a12d94e97d24485caab9f90628299723a3baddc2062-1270180728

So that's now 6/42 scanners now that don't like it. I'm still pretty sure it wasn't performing any actions on my computer, as the only time MWB would detect any attempted action was if I navigated to the file using explorer or if my SAS was scanning, and this would happen when SAS was scanning the registry, for some odd reason. However, this time I decided to let MWB quarantine awhelper.dll. I rebooted, and quarantining this particular file doesn't appear to have done anything.

To those of you who have quarantined the related registry entries, can I clarify this: You have rebooted your systems since and your computers are fine? Is that correct?

No malware shows up in quick scans with MWB, so I would have to run a full scan to pick up the registry entries.

Share this post


Link to post
Share on other sites

Can anyone attach a copy of the file "C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll", so we can review this again?

Thanks

We will remove detection temporary and re-add again if needed (after review).

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.