Windows 7 HELP! I have been infected by "WEB CAKE 3.0"

shiphen

Extraordinary Member
Joined
Jan 8, 2010
Hi
HELP! I have been infected by "WEB CAKE 3.0".
BACKGROUND
I am running Windows7 x64 on 8GB of RAM, and 256GB of SSD.
I am using Microsoft Security Essentials for virus protection.
I am pretty much a newbie.

THE STORY SO FAR:
1. I found it in Control Panel > Programs and Features, and because I didn't recognize it I tried to uninstall it.
I have no idea how or when it got there.
2. But it wouldn't uninstall.
3. So then following a thead on WEB CAKE 3.0 - It crashes Internet Explorer regularly - Microsoft Community I used regedit to search for "WEB CAKE", "WEBCAKE" and just "CAKE" as well as "Tarma" and I deleted any line in my registry that had any such reference. There were about 30 of these
4. Then I used "Everything" (desktop search" to find and delete any file with "cake" in the name - there were about 5 of these.
5. I then following the advice on answers.microsoft.com installed "SpyHunter 4" and ran a fast scan.
This found about 66 items under the following headings:
- Babylon Search
- Hola Search
- Advert
- Adware Helpers
- Adware.WebCake
- Atlas DMT
- DoubleClick
- Media
However I then discovered that SpyHunter 4 is not free so I stopped.
What should I do next?
Many thanks
J
 
Run Malwarbytes....it should remove all that junk/crap for you. It's free and does a really good job. Most of us have the Pro version, which is the paid version, but that has a few more options and real time protection.

http://www.malwarebytes.org/
 
OK done. Marwarebytes ound a few things. (Microsoft Safety Scanner missed them all, fwiw!)
Any suggestions as to what I should do next?

J

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.01.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Alec :: ALEC09 [administrator]

01/08/2013 13:02:25
mbam-log-2013-08-01 (13-02-25).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 503590
Time elapsed: 16 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 8
C:\ProgramData\IBUpdaterService (PUP.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\Alec\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8} (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\Users\Alec\AppData\Roaming\BabSolution (PUP.Optional.BabSolution.A) -> Quarantined and deleted successfully.
C:\Users\Alec\AppData\Roaming\BabSolution\CR (PUP.Optional.BabSolution.A) -> Quarantined and deleted successfully.

Files Detected: 18
C:\ProgramData\IBUpdaterService\repository.xml (PUP.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\Alec\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\bl (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.settings (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\dm (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\00 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\01 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\02 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\03 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\10 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\11 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\12 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\13 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\20 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\21 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\22 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\23 (PUP.Optional.BrowserDefender.A) -> Quarantined and deleted successfully.
C:\Users\Alec\AppData\Roaming\BabSolution\CR\hola.crx (PUP.Optional.BabSolution.A) -> Quarantined and deleted successfully.

(end)
 
Now that's is found some stuff, just click remove and it will delete it from your system.
 
Then check in your programs list as see if they are still listed....they should all be gone. Then get Ccleaner and run it, it will scan for junk files, temp folders and so on. The run the registry cleaner it has built into it.


http://www.piriform.com/ccleaner
 
Bad news - I have now run:
- Microsoft Safety Scanner (found nothing)
- Malwarebytes (found various things including: POP.InstallBrain, POP.Optional.Babylond.A, POP.Optional.BrowserDefender.A,)
- McAfee Stinger (found nothing)
- SUPERAntispyware (found nothing much)

BUT when I run SpyHunter 4 it can still find the following threats:
Babylon Search, Holasearch Toolbar, Adware.WebCake (infections), ad.yeildmanager...

Now what?
 
OK I have now run Junkware Removal Tool v5.2.9

Here is the output log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.9 (07.30.2013:1)
OS: Windows 7 Professional x64
Ran by Alec on 01/08/2013 at 15:23:41.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\appid\secman.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\appid\{4d076ab4-7562-427a-b5d2-bd96e19dee56}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{66eef543-a9ac-4a9d-aa3c-1ed148ac8eee}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{826d7151-8d99-434b-8540-082b8c2ae556}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{a0b10ebe-4e51-4cae-949b-e6b9e7d68cea}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{bb975e58-e769-4e5a-ba12-b765bc559ff3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{df84e609-c3a4-49cb-a160-61767daf8899}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{f511afdb-726e-4458-90e7-1ecb97406544}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\clsid\{fb684d26-01f4-4d9d-87cb-f486beba56dc}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\interface\{0afd55c8-adf8-4a33-a6e1-dedb7a36aeb4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\interface\{66eef543-a9ac-4a9d-aa3c-1ed148ac8eee}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\interface\{df84e609-c3a4-49cb-a160-61767daf8899}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\typelib\{11549fe4-7c5a-4c17-9fc3-56fc5162a994}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\clsid\{fb684d26-01f4-4d9d-87cb-f486beba56dc}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\mybabylontb_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajamupdater_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajamupdater_rasmancs



~~~ Files

Successfully deleted: [File] "C:\Users\Alec\appdata\local\Google\Chrome\User Data\Default\bProtector Web Data"
Successfully deleted: [File] "C:\Users\Alec\appdata\local\Google\Chrome\User Data\Default\bprotectorpreferences"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\apn"
Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\ProgramData\simplitec"
Successfully deleted: [Folder] "C:\Users\Alec\AppData\Roaming\performersoft"
Successfully deleted: [Folder] "C:\Users\Alec\AppData\Roaming\simplitec"
Successfully deleted: [Folder] "C:\Program Files (x86)\pc performer"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\pc performer"
Successfully deleted: [Folder] "C:\Program Files (x86)\askpartnernetwork"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01/08/2013 at 15:27:24.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I just ran SpyHunter but it is still finding adware.webcake.
Now what?
 
OK I have (finally) managed to get AdwCleaner to run. Here are the logs:

# AdwCleaner v2.306 - Logfile created 08/01/2013 at 16:13:12
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (64 bits)
# User : Alec - ALEC09
# Boot Mode : Normal
# Running from : C:\Users\Alec\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Mozilla Firefox\Extensions\[email protected]
Folder Found : C:\ProgramData\AskPartnerNetwork

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\obg07pq8.default\prefs.js

[OK] File is clean.

File : C:\Users\Alec\AppData\Roaming\Mozilla\Firefox\Profiles\xy2jf0dy.default-1375366487036\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.95

File : C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Alec\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\Alec\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4278 octets] - [01/11/2012 22:32:42]
AdwCleaner[R2].txt - [1645 octets] - [01/08/2013 16:13:12]
AdwCleaner[S2].txt - [4264 octets] - [01/11/2012 22:42:54]

########## EOF - C:\AdwCleaner[R2].txt - [1765 octets] ##########
 
I have a problem. If I run in safe mode, I think that the screen saver kicks in - at least the screen goes blank - and then it stays blank. Perhaps the PC is over heating. Perhaps it's a virus. HELP!
 
When the screen goes blank does CTRL+ALT+DEL bring up the option to run Task Manager? If so try File, Run, explorer.exe does this bring up the GUI?
 
Yipes, it stinks when you get hit by malware.
Do you have a recovery disk?
Usually when malware goes this deep its not good for the OS, thats why we have the adage of backup now, backup often.
If you are afraid of loosing data, well there are ways around that too.
 
> When the screen goes blank does CTRL+ALT+DEL bring up the option to run Task Manager?
No

> Do you have a recovery disk?
I dont think so, although I did do a backup on to my external hard drive.

Meanwhile I persisted WITHOUT using safe mode, and I think everything is good. SpyHunter 4 is no longer finding any problems. Nor is anything else. I do not have my external hard drive connected at present.

Apparently I was not using AdwCleaner correctly as I did not hit Delete button at the correct time.

I'm not sure how to proceed.

But one thing is I do need to replace my antivirus software (MSE) which appears to be getting terrible reviews and evidently did not work well for me. After reading several reveiws I am now thinking if getting BidDefender although it is not cheap, but I'm not sure which version to buy. But do I need to buy "Firewall" software as well as Internet Security" as well as "anti-virus" software or is it okay to use the windows 7 firewall? (e.g. someone said that Comodo was good for Internet Security - I am at the limits of my knowledge on all this..)

Any views/recommendations ?
 
Now you need to scan you external drive....
A) I'd rather make completely sure my Win7 and WinXP devices are clean first.
B) With what utilities should I be scanning it and in what order?
e.g. With my newly installed antivirus software BitDefends? (trial version)
 
So... now what?
If I am to scan my 2 external drives, with what should I do the scan(s)?
 
OK I have now scanned one of the the external 1GB HDs wit BitDefender. It took about 2 days to run, and if found about 500 threats - mostly in archived Outlook PST files. So I have simply deleted all my .PST archives.

Any other suggestions about what I should scan with?
 
The threats in the PST files were most likely virulent attachments. But when you write "mostly", that is a cause for concern. Run Malwarebytes on full scan for the entire computer, again. Run the ESET Online Scanner on everything if possible. Launch that page from Internet Explorer so you don't have to download any extras. Scan archives. Go to advanced settings and check every box as on. You can only run it once, but do it.

After that is done, restart the computer and run Kaspersky Free Online Virus/Malware Removal Tool. This is not a substitute for a full security suite, but run it.

Now you have run your system through BitDefender, ESET, Malwarebytes, and Kaspersky engines. If you are not 100% clean after this, you may be permanently compromised.

According to Microsoft, which no one wants to listen to, once your computer is compromised, there is no 100% way to know that you are in the clear. You may know with 99% accuracy, but you will never again be 100%. In a rare circumstance, due to the large number of intrusions, you could have an in-the-wild, previously unknown, rootkit dormant on the system, waiting for someone to activate it. You could have something never flagged as malware innocuously reporting data to an upstream server. These are all worst case scenarios, but after dozens of files have been compromised, you don't know with 100% certainty. A lot of this is loss prevention and legal speak to prevent liability in case the problem returns, but none the less, it is true. Never 100% sure of anything.

The official answer, according to Microsoft, is to reformat and clean install everything. If this is not a solution for you, which I assume it is not, follow the guidelines I have suggested for continued scanning.

Under this scenario, to fully secure the system, you'd want to reduce the potential attack surface by making sure ports that shouldn't be open are not. You'd want to completely lock down the system and engage in penetration testing. Many companies charge for these services these days. It depends on how much you value your data and what it would cost you if you lost it all.

Ultimately, I would say run these 3 scans above, fully, and if you continue to get positives, you need to consider a clean install. Otherwise, you may have relative peace of mind.

You're going to want to be careful. However you got this thing, you need to determine. It may have been an attachment or an image that you opened. Clearly you did not have adequate preventative detection. That is why many anti-malware suites and anti-virus security bundles offer pro-active protection using a preventative maintenance approach. Once you've determined the nightmare is over, seriously consider moving in this direction.

I have no doubt other posters will have varying opinions on what you should do next. But once things are clear for awhile, perhaps after a week or two of no issues, seriously consider creating an image backup of all of your stuff. If you had a relatively recent one, you could have saved hours of time endlessly scanning your system to remove this threat.
 
Back
Top Bottom