SOLVED HELP! I have been infected by "WEB CAKE 3.0"

Joined: Jan 8, 2010 | Messages: 16 | Reaction score: 0
Hi

HELP! I have been infected by "WEB CAKE 3.0".

BACKGROUND
I am running Windows 7 x64 with 8 GB of RAM and a 256 GB SSD.
I am using Microsoft Security Essentials for virus protection.
I am pretty much a newbie.

THE STORY SO FAR:
1. I found it in Control Panel > Programs and Features, and because I didn't recognize it I tried to uninstall it.
I have no idea how or when it got there.
2. But it wouldn't uninstall.
3. So then, following a thread on Microsoft Community ("WEB CAKE 3.0 - It crashes Internet Explorer regularly"), I used regedit to search for "WEB CAKE", "WEBCAKE" and just "CAKE" as well as "Tarma", and I deleted any line in my registry that had any such reference. There were about 30 of these.
4. Then I used "Everything" (desktop search) to find and delete any file with "cake" in the name; there were about 5 of these.
5. I then, following the advice on answers.microsoft.com, installed "SpyHunter 4" and ran a fast scan.
This found about 66 items under the following headings:
- Babylon Search
- Hola Search
- Advert
- Adware Helpers
- Adware.WebCake
- Atlas DMT
- DoubleClick
- Media

However I then discovered that SpyHunter 4 is not free so I stopped.
What should I do next?
Many thanks

J

TrainableMan ("^ The World's First ^", Moderator)
Joined: May 10, 2010 | Messages: 9,353 | Reaction score: 1,587
Download TDSSKiller & RKILL.

Reboot your computer in Safe Mode.

Run TDSSKiller.
Run RKill.

Delete the folder %APPDATA%\WebCake
Delete the folder %PROGRAMFILES%\WebCake
Delete the folder %PROGRAMFILES(x86)%\WebCake

Edit the registry and find CLSID {DF84E609-C3A4-49CB-A160-61767DAF8899}. Delete it.

Run a full virus scan with your A/V software.
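The steps above, turned into a script a practitioner can run before the reboot and again after it. This is an added example, not code from TrainableMan's post or from TDSSKiller/RKill: it checks for exactly the three folders and the one CLSID quoted above, prints what exists, and deletes only when run with -Remove. The Wow6432Node and "Browser Helper Objects" registry locations are my assumption (a CLSID for an Internet Explorer add-on is normally registered there too on x64); the thread itself only names the CLSID.

```powershell
# Added example (not from the original post): locate the WebCake artefacts the
# moderator lists (three folders, one CLSID) and remove them only when -Remove is
# given. Run from an elevated PowerShell prompt, ideally in Safe Mode.
param([switch]$Remove)

$clsid = '{DF84E609-C3A4-49CB-A160-61767DAF8899}'   # CLSID quoted in the thread

# Folder candidates; ProgramFiles(x86) is undefined on 32-bit Windows, so filter nulls
$roots   = @($env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$folders = $roots | ForEach-Object { Join-Path $_ 'WebCake' }

# Registry candidates. Assumption (mine, not the thread's): an IE add-on's CLSID is
# registered under Classes\CLSID in HKLM and/or HKCU, under Wow6432Node on x64, and
# as a Browser Helper Object.
$regRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
    'HKCU:\Software\Classes\CLSID',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$regKeys = $regRoots | ForEach-Object { Join-Path $_ $clsid }

# Report every candidate so the "absent" ones are visible too; that is what tells you
# after a reboot whether something recreated them.
$found = @()
foreach ($p in @($folders) + @($regKeys)) {
    if (Test-Path -LiteralPath $p) {
        $found += $p
        Write-Host "FOUND   $p"
    } else {
        Write-Host "absent  $p"
    }
}

if (-not $Remove) {
    Write-Host "`nDry run: $($found.Count) item(s) present. Re-run with -Remove to delete them."
    return
}

foreach ($p in $found) {
    # -ErrorAction Stop so a locked file or denied key is reported, not silently skipped
    Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Stop
    Write-Host "removed $p"
}
Write-Host "Reboot, then run this script again: anything that reappears still has a loader."
```

The dry run is the default on purpose: deleting a CLSID that turns out to belong to legitimate software is not reversible, so read the FOUND lines first, then run with -Remove.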
Joined: Jan 8, 2010 | Messages: 16 | Reaction score: 0
A) TDSSKiller - ran it, found nothing


B) RKill - ran it here are the results:

Rkill 2.5.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/03/2013 10:44:43 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
192.168.111.249 auctionairsvr

Program finished at: 08/03/2013 10:44:51 AM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)


C) I have previously deleted all of these:

> Delete the folder %APPDATA%\WebCake
> Delete the folder %PROGRAMFILES%\WebCake
> Delete the folder %PROGRAMFILES(x86)%\WebCake
> Edit the registry and find CLSID {DF84E609-C3A4-49CB-A160-61767DAF8899}. Delete it.

My new AV (BitDefender Internet Security, trial) can't find anything.

What next?
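RKill's log above flags four things that are worth re-checking by hand rather than taking on trust: Windows Defender switched off through DisableAntiSpyware, the firewall switched off through EnableFirewall, the exefile runas IsolatedCommand value RKill reset, and a non-default HOSTS entry. The script below is an added example (not part of the thread and not an RKill feature) that re-reads those same registry values and the hosts file and, with -Fix, turns the firewall back on. It only reports the Defender setting: on Windows 7, Microsoft Security Essentials turns Windows Defender off when it is installed, so that line on its own is not evidence of tampering. Assumes an elevated prompt and Windows 7-era PowerShell 2.0 cmdlets only (netsh is used for the firewall because Get-NetFirewallProfile does not exist on Windows 7).

```powershell
# Added example (not from the thread): re-check the settings RKill flagged in the
# posted log and, with -Fix, restore the firewall. Elevated prompt required.
param([switch]$Fix)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist, instead of erroring
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Windows Defender: "DisableAntiSpyware" = dword:1 means disabled.
#    Report only: with MSE installed this is the expected state on Windows 7.
$defPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$disabled = Get-RegValue $defPath 'DisableAntiSpyware'
Write-Host ("Defender DisableAntiSpyware   : {0}" -f $(if ($null -eq $disabled) { 'not set' } else { $disabled }))
Write-Host ("WinDefend service startup     : {0}" -f (Get-WmiObject Win32_Service -Filter "Name='WinDefend'").StartMode)

# 2. Firewall: EnableFirewall = 0 on the profile RKill named means it is off.
$fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fwOn   = Get-RegValue $fwPath 'EnableFirewall'
Write-Host ("Firewall (StandardProfile)    : {0}" -f $(if ($fwOn -eq 1) { 'on' } else { 'OFF' }))
if ($Fix -and $fwOn -ne 1) {
    # netsh is the supported interface on Windows 7 and covers all three profiles
    & netsh advfirewall set allprofiles state on | Out-Null
    Write-Host '  -> firewall enabled on all profiles'
}

# 3. exefile\shell\runas\command\IsolatedCommand: RKill reset it to "%1" %*.
#    Confirm the reset survived the reboot; anything else means a hijack came back.
$iso = Get-RegValue 'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command' 'IsolatedCommand'
Write-Host ("exefile runas IsolatedCommand : {0}" -f $(if ($iso -eq '"%1" %*') { 'default' } else { "CHANGED -> $iso" }))

# 4. HOSTS file: list every address line other than the localhost default so the
#    owner can confirm each one (the log showed a LAN name; that is theirs to verify).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Write-Host "HOSTS entry to verify         : $_" }
```

Run it once without -Fix and compare against the RKill output; if the firewall value flips back to 0 by itself after a reboot, something is still running with the rights to change it, and the cleanup is not finished.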
TrainableMan (Moderator)
Oh, I would also check your browser and remove any unused or unusual toolbars. You installed it with something, so whatever that was, it's a good idea to remove it.

Isn't it gone? When you reboot do the folders return?

You might also try running Spybot Search and Destroy, both the immunize tab and the Search & Destroy tab.
Joined: Jan 8, 2010 | Messages: 16 | Reaction score: 0
> Oh I would also check your browser and remove any unused or unusual toolbars.
As a webmaster I currently have 5 different browsers.
- MSIE
- FireFox
- Chrome
- Safari
- Opera
And yes, I have been through them all removing anything weird looking.

> You installed it with something so whatever that was it's a good idea to remove.
> Isn't it gone? When you reboot do the folders return?
To be honest I'm not sure what I'm looking for, but yes, I have got rid of Web Cake...


> You might also try running Spybot Search and Destroy, both the immunize tab and the Search & Destroy tab.
I am running the immunization tab, but I'm nervous: what does it actually do?
Also there is no tab called Search & Destroy on my copy!
TrainableMan (Moderator)
[screenshot: spybotsd.jpg]
Search and Destroy is the top option, the default start-up option. Basically, let it run its normal scan. Then also run Immunize, which updates your hosts file to block known trouble/spam/ad sites.

As for webcake it sounds like you got rid of it. I would continue to watch more diligently for a week or so to make sure the files/folders don't return but I will mark this as SOLVED for now. If it returns we can change that status.
Joined: Jan 8, 2010 | Messages: 16 | Reaction score: 0
Search and destroy found nothing. And neither did MSE. But I uninstalled MSE and tried BitDefender and it found various trojans in my .PST archives (Outlook).

I have now painstakingly been through all the .PST archives, removing everything that was being flagged as suspicious by BitDefender.

One problem was that BitDefender found over 100 .zip files which it said it couldn't scan because it needed a password for each of them, this despite the fact that many/most of them were never given passwords!

So, having scanned as best I could with BitDefender, I was advised to uninstall BitDefender and re-install MSE, which I have now done. However, I am extremely suspicious of MSE because it didn't find a darned thing. It NEVER seems to find a darned thing.

Fwiw, here are some of the .ZIP files on my PC which I don't recognise. Could any of them be zip bombs? Do any of these look suspicious?

C:\Windows\assembly\NativeImages_v4.0.30319_32\Ionic.Zip
C:\Docs\WWL\zz_Pre_2011\Tech Specs\Version - The Game\from JM\2009-05-14__PROTO.zip
C:\Windows\System32\config.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-background-images.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-icons.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-images.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-map-marker-lists.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-map-parts.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-shapes.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_excel-linker.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_file-explorer.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-smart-map-parts_web-services.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-styles.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-templates.zip
C:\Program Files (x86)\Mindjet\MindManager 11\sys\ENU\pro-web-templates.zip
C:\Windows\Installer\$PatchCache$\Managed\B87B810A2CA43A243A08DDD749D29D56\10.2.404\pro_icons.zip
C:\Windows\Installer\$PatchCache$\Managed\E7CEA38445AE33442BFB7DC5332D4A88\9.2.504\pro_icons.zip

J
TrainableMan (Moderator)
Well, I never heard of Mindjet's MindManager software before, but if you don't use it then uninstall it. But if it is good software then, since the zip files are within its program files installation folder, odds are the files are used by the program and are OK. If you do use MindManager 11, you could always uninstall it and then make sure that folder is completely empty, then reinstall it; if they return, it is almost definitely part of the program.

Also, there is a difference between suspicious and an actual problem, so they could very well be false positives. That being said, if you have numerous zip files that are password protected and you NEVER password protected them, then I agree those files would be Very Suspicious. Have you tried opening them yourself to make sure they ARE passworded? If you can open them just fine without a password then I would suspect a problem with the A/V software instead. If you have passworded files in your data area and you didn't password them and didn't download them knowing the password, then there is really no reason to keep them ... DELETE; those others above in the program files folder are a different story, and the MindManager program likely needs them, so you have to decide if you need MindManager.
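The post two up reports over 100 .zip files that BitDefender refused to scan "because it needed a password", and the reply above asks whether the files really are password-protected. The ZIP format records this per entry: bit 0 of the general-purpose flag in each central-directory header is set when that entry is encrypted. The function below is an added example, not anything from the thread or from BitDefender; it walks an archive's central directory with plain .NET byte reads (no extraction, no third-party module, works on PowerShell 2.0) and reports that flag for every entry, so genuinely encrypted archives can be separated from files the scanner simply could not handle. It assumes ordinary ZIP files (no ZIP64, no multi-disk archives); the C:\Docs path in the commented usage is a placeholder.

```powershell
# Added example (not from the thread): report which entries inside a .zip carry the
# ZIP "encrypted" flag, so an AV "needs a password" message can be checked against
# the file itself. Assumes a plain ZIP: no ZIP64, single disk, < 65535 entries.
function Get-ZipEntryEncryption {
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $n = $bytes.Length

    # End-of-central-directory record: signature 50 4B 05 06, 22 bytes, followed only
    # by an optional comment of at most 65535 bytes, so scan back from the end.
    $eocd = -1
    $minOff = [Math]::Max(0, $n - 22 - 65535)
    for ($i = $n - 22; $i -ge $minOff; $i--) {
        if ($bytes[$i] -eq 0x50 -and $bytes[$i+1] -eq 0x4B -and
            $bytes[$i+2] -eq 0x05 -and $bytes[$i+3] -eq 0x06) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw "$Path : no end-of-central-directory record (not a ZIP, or truncated)" }

    $entryCount = [BitConverter]::ToUInt16($bytes, $eocd + 10)   # total entries
    $pos        = [int][BitConverter]::ToUInt32($bytes, $eocd + 16)  # central dir offset

    for ($e = 0; $e -lt $entryCount; $e++) {
        # Central directory header: signature 50 4B 01 02, 46 fixed bytes, then
        # file name, extra field and comment of the lengths given at +28/+30/+32.
        if ([BitConverter]::ToUInt32($bytes, $pos) -ne 0x02014B50) {
            throw "$Path : bad central directory header at offset $pos"
        }
        $flags   = [BitConverter]::ToUInt16($bytes, $pos + 8)
        $method  = [BitConverter]::ToUInt16($bytes, $pos + 10)
        $nameLen = [BitConverter]::ToUInt16($bytes, $pos + 28)
        $xLen    = [BitConverter]::ToUInt16($bytes, $pos + 30)
        $cLen    = [BitConverter]::ToUInt16($bytes, $pos + 32)
        $name    = [System.Text.Encoding]::UTF8.GetString($bytes, $pos + 46, $nameLen)

        New-Object PSObject -Property @{
            Archive   = $Path
            Entry     = $name
            Encrypted = [bool]($flags -band 0x1)   # general-purpose bit 0 = encrypted
            Method    = $method                    # 0 = stored, 8 = deflate, 99 = WinZip AES
        }
        $pos += 46 + $nameLen + $xLen + $cLen
    }
}

# Usage (placeholder folder): list only the entries that really are encrypted.
# Get-ChildItem 'C:\Docs' -Recurse -Filter *.zip |
#     ForEach-Object { Get-ZipEntryEncryption $_.FullName } |
#     Where-Object { $_.Encrypted } |
#     Format-Table Archive, Entry, Method -AutoSize
```

An archive that produces no Encrypted rows here but is still reported as password-protected by the scanner points at the scanner, not the file; an archive you never encrypted that does produce Encrypted rows is the case the reply above calls Very Suspicious.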