WebCake Infection Scenario Outline
WebCake is one of the products distributed by Conduit. It comes as adware, as a browser extension and as a browser hijacker. The detection name Adware:Win32/WebCake does not mean that WebCake is only adware; it can also act as a browser hijacker that intercepts traffic by rogue means on behalf of its operators. Victims affected by WebCake will notice their browsers misbehaving:
- Countless pop-up ads covering content on web sites.
- Random browser hijacking and redirecting.
- Slow loading of web pages.
- Browser freezes and occasional crashes.
- Low free storage space, which is the most prominent symptom alongside the browser problems.
WebCake Is Not a Virus but Is Potentially Dangerous
We deliberately do not use the word virus for WebCake; this also answers the question some victims ask, "why does Google allow WebCake to hijack the browser?". WebCake is no more than a traffic-exchange scheme. Put plainly, its operators use it to hijack traffic in order to raise search-engine rankings.
Do not be naive enough to think that only a virus can hijack a browser or carry out other rogue activities. Think about what remembers your account passwords, optimizes your browsing experience, or enables and disables pop-up ads: the same technologies that make browsing easier today can be used by greedy operators as well. That is how WebCake hijacks traffic at will without being picked up or blocked by security utilities. It is also not Google that allows WebCake to hijack anything; it is the components implanted on your computer (a browser extension, for example) that manipulate the DNS destination of your requests, and Google knows nothing about it.
Technologies Webcake Uses to Hijack
- BHO (Browser Helper Object)
- Applet
- ActiveX
- JavaScript
Other Conduit products of the same kind:
- Search Protect
- Value Apps
- Mixi.DJ toolbar
- Community toolbar
- PUP.Optional.Conduit.A
- Entrusted toolbar
- Mario Forever Toolbar
- Midicair Toolbar
1. End WebCake's running processes.
Windows
Open Task Manager > View > Select Columns > tick "PID" and "Path Name" > open System Information > end every process whose path name points to WebCake's folder.
Mac OS X
Applications > Utilities > Activity Monitor > open the suspected process > "Open ports and files" > end every process whose path name points to WebCake's folder.
2. Remove WebCake's extension.
Internet Explorer
Tools > Manage add-ons > 'Toolbars and Extensions' > remove WebCake's extension > 'Search Providers' > remove WebCake's search provider.
Mozilla Firefox
Tools > Options > 'Extensions' > remove WebCake's extension > 'Plugins' panel > remove WebCake's plugin.
Google Chrome
Spanner icon > "Tools" > 'Extensions' > remove WebCake's extension.
Opera
Opera menu > Extensions > Manage Extensions > remove WebCake's extension.
Safari
Safari menu > Preferences > Extensions tab > remove WebCake's extension.
3. Enable the pop-up blocker.
Internet Explorer
Tools > Options > Privacy tab > check "Block pop-ups" > block WebCake.
Mozilla Firefox
Tools > Web Features button > select WebCake.
Google Chrome
Tools menu > Options > "Under the Hood" > "Content Settings" > "Pop-ups" > "Exceptions" > make sure WebCake is not listed > OK.
Opera
Opera menu > "Settings" > "Preferences" > General tab > "Pop-ups" > "Block Unwanted Pop-ups" > OK.
Safari
Apple icon > "Safari" > "Preferences" > "Security" tab > check the box next to "Block pop-up windows".
4. Show hidden files and folders, then remove the following items.
Files:
<$APPDATA>\WebCake\dat\Desktop.OS.dll
<$APPDATA>\WebCake\dat\Desktop.OS.Plugin.dll
<$APPDATA>\WebCake\PlugIns.cache
<$APPDATA>\WebCake\WebCakeDesktop.exe
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setup.dll
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setupx.dll
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.dat
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.exe
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\Setup.ico
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjoijdanhaiflhibkljeklcghcmmfffh_0.localstorage
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fjoijdanhaiflhibkljeklcghcmmfffh_0.localstorage-journal
<$PROGRAMFILES>\WebCake\OptChrome.exe
<$PROGRAMFILES>\WebCake\sqlite3.exe
<$PROGRAMFILES>\WebCake\WebCakeDesktop.Updater.exe
<$PROGRAMFILES>\WebCake\WebCakeIEClient.dll
<$PROGRAMFILES>\WebCake\WebCakeLayers.crx
Folders:
<$APPDATA>\Mozilla\Firefox\Profiles\<$ENV(WebCake_FF_path)>\extensions\plugin@getwebcake.com
<$APPDATA>\WebCake\dat
<$APPDATA>\WebCake
<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}
<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcm
5. Open the Registry Editor, locate the entries below and remove them.
HKEY_CLASSES_ROOT\WebCakeIEClient.Api.1
HKEY_CLASSES_ROOT\WebCakeIEClient.Api
HKEY_CLASSES_ROOT\WebCakeIEClient.Layers.1
HKEY_CLASSES_ROOT\WebCakeIEClient.Layers
HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
HKEY_CLASSES_ROOT\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{361E80BE-388B-4270-BF54-A10C2B756504}
HKEY_CLASSES_ROOT\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
HKEY_CLASSES_ROOT\CLSID\{A0B10EBE-4E51-4CAE-949B-E6B9E7D68CEA}
HKEY_CLASSES_ROOT\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}
HKEY_CLASSES_ROOT\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
HKEY_CLASSES_ROOT\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
HKEY_CLASSES_ROOT\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
HKEY_CLASSES_ROOT\TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}
HKEY_CLASSES_ROOT\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WebCake Desktop Updater
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WebCake Desktop Updater
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WebCake Desktop Updater
HKEY_CLASSES_ROOT\AppID\WebCakeIEClient.DLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WebCakeUpdaterService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\WebCakeUpdaterService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\WebCakeUpdaterService
While visiting the locations listed above to remove WebCake's items, some victims may also find DomaIQ, AVG Secure Search or Babylon, because WebCake brings in additional promotional tools for more aggressive traffic interception and extra profit. In that case, check each item carefully and remove only what is suspicious and unfamiliar, and only if you are well equipped with malware knowledge and computer skills. Otherwise, removing the wrong item can cause malfunctions and possibly irreversible damage.
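A PowerShell triage script, added here and not part of the original guide, that checks a Windows host for the artifacts named in steps 1, 4 and 5 (WebCake folders, registry keys, the updater service and running WebCake processes) and only reports what it finds. It assumes an elevated prompt and that the guide's <$APPDATA>, <$COMMONAPPDATA>, <$LOCALAPPDATA> and <$PROGRAMFILES> placeholders correspond to the usual environment variables; it also checks the Wow6432Node twins of the 32-bit COM and BHO keys, which the lists above do not mention.

```powershell
# Added triage script, not from the original post: checks a Windows host for the WebCake
# artifacts listed in steps 1, 4 and 5 and reports them; it deletes nothing.
# Assumptions: elevated PowerShell; the guide's <$...> placeholders map to the env vars below.
$map = @{
    '<$APPDATA>'       = $env:APPDATA
    '<$LOCALAPPDATA>'  = $env:LOCALAPPDATA
    '<$COMMONAPPDATA>' = $env:ProgramData
    '<$PROGRAMFILES>'  = $env:ProgramFiles
}
# WebCake is 32-bit, so on 64-bit Windows it installs under Program Files (x86).
if (${env:ProgramFiles(x86)}) { $map['<$PROGRAMFILES>'] = ${env:ProgramFiles(x86)} }
function Expand-GuidePath([string]$Path) {
    foreach ($k in $map.Keys) { $Path = $Path.Replace($k, $map[$k]) }
    # The Firefox profile folder name is not known in advance, so it becomes a wildcard.
    return ($Path -replace '<\$ENV\(WebCake_FF_path\)>', '*')
}
function Get-RegistryVariants([string]$Key) {
    # 32-bit COM, BHO and Chrome extension keys sit under Wow6432Node on 64-bit Windows.
    $alt = $Key -replace '^(HKEY_LOCAL_MACHINE\\SOFTWARE)\\', '$1\Wow6432Node\'
    $alt = $alt -replace '^(HKEY_CLASSES_ROOT)\\(CLSID|Interface|TypeLib|AppID)\\', '$1\Wow6432Node\$2\'
    @($Key, $alt) | Select-Object -Unique | ForEach-Object { "Registry::$_" }
}
$folders = @(
    '<$APPDATA>\WebCake', '<$PROGRAMFILES>\WebCake',
    '<$COMMONAPPDATA>\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}',
    '<$COMMONAPPDATA>\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}',
    '<$APPDATA>\Mozilla\Firefox\Profiles\<$ENV(WebCake_FF_path)>\extensions\plugin@getwebcake.com'
)
$keys = @(
    'HKEY_CLASSES_ROOT\WebCakeIEClient.Api', 'HKEY_CLASSES_ROOT\WebCakeIEClient.Layers',
    'HKEY_CLASSES_ROOT\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh'
)
$findings = [System.Collections.Generic.List[object]]::new()
foreach ($f in $folders) {
    $p = Expand-GuidePath $f
    if (Test-Path $p) { $findings.Add([pscustomobject]@{ Type = 'Folder'; Item = $p }) }
}
foreach ($v in ($keys | ForEach-Object { Get-RegistryVariants $_ })) {
    if (Test-Path -LiteralPath $v) { $findings.Add([pscustomobject]@{ Type = 'RegKey'; Item = $v }) }
}
$svc = Get-Service -Name 'WebCake Desktop Updater' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add([pscustomobject]@{ Type = 'Service'; Item = "$($svc.Name) ($($svc.Status))" }) }
foreach ($proc in (Get-Process | Where-Object { $_.Path -like '*\WebCake\*' })) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "PID $($proc.Id) $($proc.Path)" })
}
if ($findings.Count -eq 0) { 'No WebCake artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it before and after steps 1 to 5: a clean host prints nothing but the "not found" line, and anything still listed afterwards points at an item the manual removal missed.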