SOLVED HELP! I have been infected by "WEB CAKE 3.0"

Discussion in 'Security' started by shiphen, Aug 1, 2013.

  1. shiphen

    shiphen

    Joined:
    Jan 8, 2010
    Messages:
    16
    Hi

    HELP! I have been infected by "WEB CAKE 3.0".

    BACKGROUND
    I am running Windows7 x64 on 8GB of RAM, and 256GB of SSD.
    I am using Microsoft Security Essentials for virus protection.
    I am pretty much a newbie.

    THE STORY SO FAR:
    1. I found it in Control Panel > Programs and Features, and because I didn't recognize it I tried to uninstall it.
    I have no idea how or when it got there.
    2. But it wouldn't uninstall.
    3. So then, following a thread on WEB CAKE 3.0 - It crashes Internet Explorer regularly - Microsoft Community, I used regedit to search for "WEB CAKE", "WEBCAKE" and just "CAKE" as well as "Tarma" and I deleted any line in my registry that had any such reference. There were about 30 of these.
    4. Then I used "Everything" (desktop search) to find and delete any file with "cake" in the name - there were about 5 of these.
    5. I then, following the advice on answers.microsoft.com, installed "SpyHunter 4" and ran a fast scan.
    This found about 66 items under the following headings:
    - Babylon Search
    - Hola Search
    - Advert
    - Adware Helpers
    - Adware.WebCake
    - Atlas DMT
    - DoubleClick
    - Media

    However I then discovered that SpyHunter 4 is not free so I stopped.
    What should I do next?
    Many thanks

    J
     
    shiphen, Aug 1, 2013
    #1
  2. TrainableMan

    TrainableMan ^ The World's First ^ Moderator

    Joined:
    May 10, 2010
    Messages:
    8,386
    Location:
    PA, USA
    Download TDSSKiller & RKILL.

    Reboot your computer in Safe Mode.

    Run TDSSKiller.
    Run RKill.

    Delete the folder %APPDATA%\ WebCake
    Delete the folder %PROGRAMFILES%\ WebCake
    Delete the folder %PROGRAMFILES(x86)%\ WebCake

    Edit the registry and find CLSID {DF84E609-C3A4-49CB-A160-61767DAF8899}. Delete it.

    Run a full virus scan with your A/V software.
     
    TrainableMan, Aug 2, 2013
    #2
  3. shiphen

    shiphen

    Joined:
    Jan 8, 2010
    Messages:
    16
    A) TDSSKiller - ran it, found nothing


    B) RKill - ran it here are the results:

    Rkill 2.5.9 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 08/03/2013 10:44:43 AM in x64 mode.
    Windows Version: Windows 7 Professional Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


    Performing miscellaneous checks:

    * Windows Defender Disabled

    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * Windows Defender (WinDefend) is not Running.
    Startup Type set to: Manual

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost
    192.168.111.249 auctionairsvr

    Program finished at: 08/03/2013 10:44:51 AM
    Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)


    C) I have previously deleted all of these:

    > Delete the folder %APPDATA%\ WebCake
    > Delete the folder %PROGRAMFILES%\ WebCake
    > Delete the folder %PROGRAMFILES(x86)%\ WebCake
    > Edit the registry and find CLSID {DF84E609-C3A4-49CB-A160-61767DAF8899}. Delete it.

    My new AV (BitDefender Internet Security - trial) can't find anything.

    What next?
     
    shiphen, Aug 3, 2013
    #3
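A read-only PowerShell check that goes through the cleanup targets from post #2 (the three WebCake folders and the CLSID) and the protection settings RKill flagged in post #3 (Defender disabled, firewall disabled, WinDefend not running, non-default HOSTS entries). This is an added example, not something posted in the thread; it assumes the folder name is "WebCake" without the space shown above and that the CLSID would live under the usual Classes hives. It reports and deletes nothing.

```powershell
# Post-cleanup check for the WebCake remnants named in this thread and the
# settings RKill flagged. Read-only: it reports, it does not delete anything.
# Assumption: folder name is "WebCake" (the thread's extra space is read as a typo).

$findings = @()

# 1. Folders the moderator said to delete (post #2)
$folders = '%APPDATA%\WebCake', '%PROGRAMFILES%\WebCake', '%PROGRAMFILES(x86)%\WebCake'
foreach ($f in $folders) {
    $path = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $path) { $findings += "Folder still present: $path" }
}

# 2. The CLSID from post #2, checked in the 64-bit, WOW64 and per-user Classes hives
$clsid = '{DF84E609-C3A4-49CB-A160-61767DAF8899}'
$hives = 'HKLM:\SOFTWARE\Classes\CLSID',
         'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
         'HKCU:\SOFTWARE\Classes\CLSID'
foreach ($h in $hives) {
    if (Test-Path -LiteralPath "$h\$clsid") { $findings += "CLSID still registered: $h\$clsid" }
}

# 3. The two registry settings and the service state RKill reported in post #3
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) { $findings += 'Windows Defender disabled: DisableAntiSpyware = 1' }

$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { $findings += 'Windows Firewall (standard profile) disabled: EnableFirewall = 0' }

$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $findings += "WinDefend service is $($svc.Status)" }

# 4. HOSTS file: list every active entry other than localhost so unexpected
#    redirects can be reviewed (RKill showed one extra LAN entry on this PC)
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*[^#\s]' -and $line -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b') {
        $findings += "HOSTS entry to review: $($line.Trim())"
    }
}

if ($findings.Count -eq 0) { 'No WebCake remnants or disabled-protection settings found.' }
else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the WinDefend service are readable; a HOSTS entry pointing at a machine you recognise on your own LAN is not itself a problem, only an entry you cannot account for.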
  4. TrainableMan

    TrainableMan ^ The World's First ^ Moderator

    Joined:
    May 10, 2010
    Messages:
    8,386
    Location:
    PA, USA
    Oh, I would also check your browser and remove any unused or unusual toolbars. You installed it with something, so whatever that was, it's a good idea to remove.

    Isn't it gone? When you reboot do the folders return?

    You might also try running Spybot Search and Destroy, both the immunize tab and the Search & Destroy tab.
     
    TrainableMan, Aug 3, 2013
    #4
  5. shiphen

    shiphen

    Joined:
    Jan 8, 2010
    Messages:
    16
    > Oh I would also check your browser and remove any unused or unusual toolbars.
    As a webmaster I currently have 5 different browsers.
    - MSIE
    - FireFox
    - Chrome
    - Safari
    - Opera
    And yes, I have been through them all removing anything weird looking.

    > You installed it with something so whatever that was it's a good idea to remove.
    > Isn't it gone? When you reboot do the folders return?
    To be honest I'm not sure what I'm looking for, but yes, I have got rid of Web Cake...


    > You might also try running Spybot Search and Destroy, both the immunize tab and the Search & Destroy tab.
    I am running the immunization tab - but I'm nervous: what does it actually do?
    Also there is no tab called Search & Destroy on my copy !
     
    shiphen, Aug 4, 2013
    #5
  6. TrainableMan

    TrainableMan ^ The World's First ^ Moderator

    Joined:
    May 10, 2010
    Messages:
    8,386
    Location:
    PA, USA
    [attached screenshot: spybotsd.jpg]
    Search and Destroy is the top option, the default start-up option. Basically let it run its normal scan. Then also run the immunize, which updates your hosts file to block known trouble/spam/ad sites.

    As for webcake it sounds like you got rid of it. I would continue to watch more diligently for a week or so to make sure the files/folders don't return but I will mark this as SOLVED for now. If it returns we can change that status.
     
    Last edited: Aug 5, 2013
    TrainableMan, Aug 5, 2013
    #6
  7. shiphen

    shiphen

    Joined:
    Jan 8, 2010
    Messages:
    16
    Search and destroy found nothing. And neither did MSE. But I uninstalled MSE and tried BitDefender and it found various trojans in my .PST archives (Outlook).

    I have painstakingly now been through all the .PST archives removing everything that was being flagged as suspicious by BitDefender.

    One problem was that BitDefender found over 100 .zip files which it said it couldn't scan because it needed a password for each of them - this despite the fact that many/most of them were never given passwords!

    So having scanned as best I could with BitDefender, I was advised to uninstall BitDefender and re-install MSE, which I have now done. However I am extremely suspicious of MSE because it didn't find a darned thing. It NEVER seems to find a darned thing.

    FWIW, here are some of the .ZIP files on my PC which I don't recognise. Could any of them be zip bombs? Do any of these look suspicious?

    C:\Windows\assembly\NativeImages_v4.0.30319_32\Ionic.Zip
    C:\Docs\WWL\zz_Pre_2011\Tech Specs\Version - The Game\from JM\2009-05-14__PROTO.zip
    C:\Windows\System32\config.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-background-images.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-icons.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-images.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-map-marker-lists.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-map-parts.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-shapes.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_excel-linker.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_file-explorer.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_web-services.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-styles.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-templates.zip
    C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-web-templates.zip
    C:\Windows\Installer\$PatchCache$\Managed\B87B810A2CA43A243A08DDD749D29D56\10.2.404\pro_icons.zip
    C:\Windows\Installer\$PatchCache$\Managed\E7CEA38445AE33442BFB7DC5332D4A88\9.2.504\pro_icons.zip

    J
     
    shiphen, Aug 6, 2013
    #7
  8. TrainableMan

    TrainableMan ^ The World's First ^ Moderator

    Joined:
    May 10, 2010
    Messages:
    8,386
    Location:
    PA, USA
    Well, I never heard of Mindjet's MindManager software before, but if you don't use it then uninstall it. But if it is good software, then since the zip files are within its program files installation folder, odds are the files are used by the program and are OK. If you do use MindManager 11, you could always uninstall it and then make sure that folder is completely empty, then reinstall it, and if they return it is almost definitely part of the program.

    Also, there is a difference between suspicious and an actual problem, so they could very well be false positives. That being said, if you have numerous zip files that are password protected and you NEVER password protected them, then I agree those files would be Very Suspicious. Have you tried opening them yourself to make sure they ARE passworded? If you can open them just fine without a password then I would suspect a problem with the A/V software instead. If you have passworded files in your data area and you didn't password them and didn't download them knowing the password, then there is really no reason to keep them ... DELETE; those others above in the program files folder are a different story and the MindManager program likely needs them, so you have to decide if you need MindManager.
     
    TrainableMan, Aug 6, 2013
    #8