Saturday, April 12, 2014

Remove Webcake by Conduit: WebCake Ads, Adware:Win32/WebCake and WebCake.BHO

WebCake Infection Scenario Outline


WebCake is one of the products issued by Conduit. It comes in the form of adware, a browser extension and a browser hijacker. The detection name Adware:Win32/WebCake does not mean WebCake is purely adware; it can also act as a browser hijacker that intercepts traffic by rogue means on behalf of its operators. Victims affected by WebCake will find their browsers in a mess:
  1. Countless pop-up ads covering content on web sites.
  2. Random browser hijacking and redirects.
  3. Slow loading of web pages.
  4. Browser freezes and occasional crashes.
  5. Low free internal storage, the most prominent symptom alongside the browser problems.


WebCake Is Not a Virus but Is Potentially Dangerous


Here we deliberately do not use the word virus to describe WebCake; this is also the answer to the question some victims ask, "why does Google allow WebCake to hijack the browser?" WebCake is no more than a traffic-exchanging tool. Put plainly, its operators use WebCake to hijack traffic so as to raise their ranking in search engines.



Do not be naïve enough to think that only a virus can make hijacking or other rogue activity possible. Remembering your account password, optimizing your surfing experience, enabling or disabling pop-up ads: the very technologies that we think make surfing easier and smoother today can be put to use by greedy operators as well. In such cases WebCake manages to hijack traffic at will without being picked up or punished by security utilities. Besides, it is not Google that allows WebCake to hijack; it is the components installed in your computer (an extension, for example) that manipulate the DNS destination, and Google knows nothing about it.

Technologies WebCake Uses to Hijack
  • BHO (Browser Helper Object)
  • Applet
  • ActiveX
  • JavaScript
These are normal, legitimate technologies that programmers use to improve the surfing experience. Once WebCake itself is compromised by an infection, they can be used to download malicious code when pages are accessed and to collect confidential information such as passwords and log-in credentials. As a promotional tool, WebCake by Conduit is not strictly built, so bugs are easily found and exploited by infections. Once WebCake is attacked and thereby arouses hostility among PC users, another promotional tool will be created and pushed onto the market. Below is the list of previous promotional tools that were attacked by infections and suffered a mass removal wave:

Other Substitutions by Conduit:

Below are the instructions to help remove WebCake and get rid of its harassment. Should you run into difficulty that you can't overcome, please feel free to start a live chat window for a quick fix.




1. End WebCake's running process.

Windows
Open Task Manager > View > Select Columns > tick "PID" and "Path Name" > open System Information > end the process whose path name points to WebCake's folder.

Mac OS X
Applications > Utilities > Activity Monitor > open the suspected process > "Open Files and Ports" > end the process whose path points to WebCake's folder.



2. Remove WebCake's extension.

Internet Explorer 
Tools > Manage add-ons > 'Toolbars and Extensions' > remove WebCake's extension > 'Search Providers' > remove WebCake's search provider.

Mozilla Firefox 
Tools > Options > 'Extensions' > remove WebCake's extension > 'Plugins' panel > remove WebCake's plugin.

Google Chrome 
Spanner icon > "Tools" > 'Extensions' > remove WebCake's extension.

Opera
Opera menu > Extensions > Manage Extensions > remove WebCake's extension.

Safari
Safari menu > Preferences > Extensions tab > remove WebCake's extension.
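For Internet Explorer, the extension removed in this step is the BHO described above under "Technologies WebCake Uses to Hijack", and BHOs are registered in the Windows registry rather than in the browser's own settings. The following PowerShell script is an added example (not code from the original post or from Conduit) that lists every registered BHO, resolves each CLSID to its display name and DLL, checks whether the DLL exists and carries a valid Authenticode signature, and flags the entry that matches the WebCake BHO CLSID and DLL name given in steps 4 and 5 of this post. Everything else in the script is standard registry layout; it only reads and changes nothing.

```powershell
# Added example, not code from the original post: enumerate Internet Explorer
# Browser Helper Objects, resolve each CLSID to its name and DLL, and flag the
# entry matching the WebCake indicators given in steps 4 and 5 of this post.
# Read-only. Run in an elevated PowerShell on the affected Windows PC.

$WebCakeClsid   = '{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}'   # Browser Helper Objects key from step 5
$WebCakeDllName = 'WebCakeIEClient.dll'                       # IE client DLL from the file list in step 4

# BHOs register under this key (and under Wow6432Node for 32-bit IE on 64-bit Windows)
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid    = $sub.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null
            if (Test-Path -LiteralPath $clsidKey) {
                # The CLSID key's default value is the friendly name;
                # the InprocServer32 subkey's default value is the DLL path.
                $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)

            # A missing or unsigned BHO DLL deserves a look even when it is not WebCake
            $signed = $false
            if ($exists) { $signed = (Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid' }

            $matchesWebCake = ($clsid -eq $WebCakeClsid) -or
                              ($dll -and ([IO.Path]::GetFileName($dll) -eq $WebCakeDllName))

            [PSCustomObject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = $exists
                Signed    = $signed
                WebCake   = [bool]$matchesWebCake
                Source    = $key
            }
        }
    }
}

Get-RegisteredBho | Sort-Object WebCake, Signed -Descending | Format-Table -AutoSize
```

Rows with WebCake set to True correspond to the BHO entry removed in step 5; rows whose DLL is missing or unsigned are the ones to examine before deciding what else to remove.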



3. Enable the pop-up blocker.

Internet Explorer
Tools window > Options > Privacy tab on the next window > check "Block pop-ups" > block WebCake.

Mozilla Firefox
Tools > Web Features button > select WebCake.

Google Chrome
Tools menu > Options > "Under the Hood" > "Content Settings" > "Pop-ups" > "Exceptions" > make sure that WebCake is not listed there > OK button.

Opera
Opera's menu > "Settings" > "Preferences" > General tab > "Pop-ups" > "Block Unwanted Pop-ups" > OK button.

Safari
Apple icon > "Safari" > "Preferences" > "Security" tab > check the box next to the option "Block pop-up windows".



4. Show hidden files and folders, then remove the following items.

Files:
<$APPDATA>\WebCake\dat\Desktop.OS.dll
<$APPDATA>\WebCake\dat\Desktop.OS.Plugin.dll
<$APPDATA>\WebCake\PlugIns.cache
<$APPDATA>\WebCake\WebCakeDesktop.exe
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setup.dll
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setupx.dll
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.dat
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.exe
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.ico
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjoijdanhaiflhibkljeklcghcmmfffh_0.localstorage
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjoijdanhaiflhibkljeklcghcmmfffh_0.localstorage-journal
<$PROGRAMFILES>\WebCake\OptChrome.exe
<$PROGRAMFILES>\WebCake\sqlite3.exe
<$PROGRAMFILES>\WebCake\WebCakeDesktop.Updater.exe
<$PROGRAMFILES>\WebCake\WebCakeIEClient.dll
<$PROGRAMFILES>\WebCake\WebCakeLayers.crx

Folders:
<$APPDATA>\Mozilla\Firefox\Profiles\<$ENV(WebCake_FF_path)>\extensions\plugin@getwebcake.com
<$APPDATA>\WebCake\dat
<$APPDATA>\WebCake
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcm



5. Open the Registry Editor to locate the entries shown below and remove them.
HKEY_CLASSES_ROOT\WebCakeIEClient.Api.1
HKEY_CLASSES_ROOT\WebCakeIEClient.Api
HKEY_CLASSES_ROOT\WebCakeIEClient.Layers.1
HKEY_CLASSES_ROOT\WebCakeIEClient.Layers
HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
HKEY_CLASSES_ROOT\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{361E80BE-388B-4270-BF54-A10C2B756504}
HKEY_CLASSES_ROOT\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
HKEY_CLASSES_ROOT\CLSID\{A0B10EBE-4E51-4CAE-949B-E6B9E7D68CEA}
HKEY_CLASSES_ROOT\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}
HKEY_CLASSES_ROOT\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
HKEY_CLASSES_ROOT\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
HKEY_CLASSES_ROOT\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
HKEY_CLASSES_ROOT\TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}
HKEY_CLASSES_ROOT\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WebCake Desktop Updater
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WebCake Desktop Updater
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WebCake Desktop Updater
HKEY_CLASSES_ROOT\AppID\WebCakeIEClient.DLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WebCakeUpdaterService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\WebCakeUpdaterService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\WebCakeUpdaterService
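Steps 1, 4 and 5 can be checked in one pass before anything is touched. The PowerShell script below is an added example (not code from the original post or from Conduit) that audits a Windows machine for the artefacts listed above and reports which are present: running processes whose image sits in a WebCake folder, the WebCake updater service, the files and folders from step 4, and the registry keys from step 5. It only reads; nothing is terminated or deleted, so the report can be reviewed and the manual steps followed afterwards. The placeholders in the lists are mapped as follows (an assumption about the list's notation): <$APPDATA> to $env:APPDATA, <$LOCALAPPDATA> to $env:LOCALAPPDATA, <$COMMONAPPDATA> to $env:ProgramData, <$PROGRAMFILES> to both Program Files folders. The Firefox profile name is not known, so it is a wildcard; the Chrome extension ID is the one given in the HKLM Chrome\Extensions and Local Storage entries above; and the ControlSet001/002/003 keys are checked through CurrentControlSet, which is the control set Windows is actually running.

```powershell
# Added example, not code from the original post: read-only audit for the WebCake
# artefacts listed in steps 1, 4 and 5. Run in an elevated PowerShell on the affected PC.

$ChromeExtId = 'fjoijdanhaiflhibkljeklcghcmmfffh'   # from the Chrome\Extensions and Local Storage entries above

# <$PROGRAMFILES> may be either Program Files folder on 64-bit Windows
$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Step 4 locations (folders cover the individual files listed beneath them)
$FilePatterns = @(
    "$env:APPDATA\WebCake",
    "$env:ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}",
    "$env:ProgramData\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\$ChromeExtId",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Local Storage\chrome-extension_${ChromeExtId}_0.localstorage*",
    "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions\plugin@getwebcake.com"
) + ($ProgramDirs | ForEach-Object { "$_\WebCake" })

# Step 5 keys (HKCR is reached through the Registry:: provider path)
$RegistryKeys = @(
    'Registry::HKEY_CLASSES_ROOT\WebCakeIEClient.Api',
    'Registry::HKEY_CLASSES_ROOT\WebCakeIEClient.Layers',
    'Registry::HKEY_CLASSES_ROOT\AppID\WebCakeIEClient.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{361E80BE-388B-4270-BF54-A10C2B756504}',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}',
    "HKLM:\SOFTWARE\Google\Chrome\Extensions\$ChromeExtId",
    'HKLM:\SYSTEM\CurrentControlSet\Services\WebCake Desktop Updater',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WebCakeUpdaterService'
)

function Get-WebCakeFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # Step 1: running processes whose image lives in a WebCake directory
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -match '\\WebCake\\' } |
        ForEach-Object {
            $findings.Add([PSCustomObject]@{ Kind = 'Process'; Item = "$($_.ProcessName) (PID $($_.Id))"; Detail = $_.Path })
        }

    # The updater service registered under the ControlSet keys, by name or display name
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*WebCake*' -or $_.DisplayName -like '*WebCake*' } |
        ForEach-Object {
            $findings.Add([PSCustomObject]@{ Kind = 'Service'; Item = $_.Name; Detail = $_.Status })
        }

    # Step 4: files and folders; -Force includes hidden items, wildcards are resolved by Get-Item
    foreach ($pattern in $FilePatterns) {
        Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add([PSCustomObject]@{ Kind = 'File'; Item = $_.FullName; Detail = $_.LastWriteTime })
        }
    }

    # Step 5: registry keys
    foreach ($key in $RegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings.Add([PSCustomObject]@{ Kind = 'Registry'; Item = $key; Detail = '' })
        }
    }
    return $findings
}

$result = @(Get-WebCakeFindings)
if ($result.Count -eq 0) { 'No WebCake indicators found.' } else { $result | Format-Table -AutoSize }
```

Anything reported under Process is what step 1 asks you to end, File entries are what step 4 asks you to delete after showing hidden items, and Registry entries are what step 5 asks you to remove; re-running the script after the manual steps confirms that nothing was missed.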



When visiting the locations listed above to get rid of WebCake items, some victims might also find DomaIQ, AVG Secure Search or Babylon, as WebCake may introduce additional promotional tools for more aggressive traffic interception and extra profit. In such cases, check the items carefully and remove anything that is suspicious or unfamiliar to you, on the premise that you are well equipped with virus knowledge and computer skills. Otherwise, mistaken removal could cause malfunctions and possibly irreversible damage.



