Solved

How do I delete or Remove an IE 10 Add On

Posted on 2013-06-05
36
3,899 Views
Last Modified: 2013-06-07
I am infected with this blasted WebCake add on which hijacks your browser.

I can Disable the Add On in IE 10 and that stops it however, the Add on is still displayed in IE10 and there seems to be no way to simply delete an Add On.

Thanks
0
Comment
Question by:ls21gce
  • 15
  • 10
  • 8
  • +1
36 Comments
 
LVL 24

Expert Comment

by:aadih
ID: 39222055
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 250 total points
ID: 39222097
Probably have to clean your system especially when you have a browser hijack installed on your computer.  Just disabling more than likely cause issues.

Try using Malewarebytes

Select the Free Download and scan your system.

-or-

ComboFix

Once those are done try HitmanPro
You do not have to register this product to use it for free.

Finally use Adwcleaner

or

You can use TDSKILLER

I hope this helps
0
 

Author Comment

by:ls21gce
ID: 39222099
No, I have tried Malwarebytes and ComboFix and Adwcleaner

However, if I look into the Add Ons for IE 10 it still shows WebCake available waiting to go if I Enable it...

I cant understand why there is no "Remove" option within IE 10 to get rid of any rogue Add Ons ?
0
 

Author Comment

by:ls21gce
ID: 39222108
Hi  comfortjeanius,

I have not tried HitManPro or TDSKILLER so I will have a go with those also....

thanks
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222148
If the problem happened recently, a quick solution is to restore your system to  few days ago. Worth trying.

(Does webcake show up in installed programs?)
0
 

Author Comment

by:ls21gce
ID: 39222427
I think it was around 2 weeks ago it must have happened.

It did show up in installed programs, I uninstalled it, but it reappeared in installed programs. I then uninstalled it again but got the message that it is not installed do I want to remove it from the list which I did. it no longer shows up...
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222486
Now, rescan with MBAM. Also follow instructions (how to remove add ons) in the links I provided earlier.

Also do you:

(1) not recognize any program in the installed program list?; if so uninstall it (in case of a mistaken removal, you could install it again).

(2) not recognize any programs in the start-up program list (msconfig or CCleaner)?; if so disable them from starting.

(3) Restart.
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39222531
If you already performed Malewarebytes scan process try scanning with HitmanPro, I think once finish it will prompt for a restart, then if there still some residual files move to TDSKiller.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222543
Don't believe it's a rootkit issue, but no harm doing more scans.
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39222566
-or-

Try this link

http://killpcthreat.wordpress.com/2013/05/25/kill-webcake-adware-how-to-completely-removed-webcake-adware-from-pc/

this will download spyhunter


Plus have instruction on removing Webcake
0
 

Author Comment

by:ls21gce
ID: 39222592
Just to get my head around this,

1 ) An "Add on" program running inside Internet Explorer is exactly the same as a normal installed program ?

2) The "normal" way to remove an "Add On" program from Internet Explorer would be to use the Add/Remove Programs in the Control Panel. After that it should be removed from Internet Explorer Add ons list ?

3) Internet Explorer does not have a facility where you can simply delete or remove any "Add On" programs, it only offers the options to "Disable it temporarily" ?
0
 

Author Comment

by:ls21gce
ID: 39222636
comfortjeanius,

Are you sure about that webpage you posted ?....

...the download link directs you to a website called goo.gl/eeohc  ?
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222778
Yes, the link works correctly here.  Surely, then, your computer is seriously infected in addition to the add-on problem.

Start with a scan with a rescue disk (e.g. bitdefender):

< http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html >

Or:

< http://www.trendsecure.com/Info/Rescue_Disk/html/download.html >

Also:
 
Scan with TDSSKiller: < http://www.bleepingcomputer.com/download/tdsskiller/ > and

< http://www.malwarebytes.org/products/mbar/ >
0
 

Author Comment

by:ls21gce
ID: 39222797
Hi aadih,

No, the killpcthreat link itself resolves OK (no redirecting going on) but I was worried that the button to click to dowlnload spyhunter sends you to goo.gl/eeohc which looks suspicious can you check that is the same for you also ?

I believe I got the infection by following a link on a legitimate website forum to download the VLC media player. It added this webcake to the payload.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222805
FYI: Yes, ls21gce, the spyhunter download link works okay.
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39222813
Yes the  link redirects me to the same location; plus I was able to download the spyhunter application.
0
 

Author Comment

by:ls21gce
ID: 39222916
I have now run all of the tools on my PC and none of them have detected any threat.

If I look into The IE10 Add Ons, I see the following:-

Name     WebCake    Publisher  Web Cake    Status   Disabled    Architecture  32-bit

If I then click on more information I am told this is WebCakeIEClient.dll and it is in C:\Program Files (x86)\WebCake

If I look at that directory I see:-

21/05/2013  23:42           220,672 OptChrome.exe
21/05/2013  23:41           465,408 sqlite3.exe
21/05/2013  23:41            23,552 WebCakeDesktop.Updater.exe
21/05/2013  23:42           197,912 WebCakeIEClient.dll
24/05/2013  15:56             3,033 WebCakeLayers.crx


Seems like none of the standard tools even notice it is there..
0
 
LVL 24

Expert Comment

by:aadih
ID: 39222930
They notice it, but, perhaps, do not see it as malware.

Uninstall the program (or better, use Revo uninstaller free to do so).
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:ls21gce
ID: 39223019
Installed Revo Uninstaller but it doesn't see the WebCake application as installed.

It did show a process called Webcakedesktop.exe which I stopped. This was executed from a directory called  C:\Users\Dell\AppData\Roaming\WebCake

I have manually deleted all components apart from the Webcakedesktop.exe  which wont let me because it says it is open in Webcake Desktop Updater.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39223073
Can you not remove it from safe mode?  Try.

Or better still, safe mode with command prompt.  Navigate to the directory where the file resides (using CD command). Then DEL <file name >.
0
 

Author Comment

by:ls21gce
ID: 39223164
Yes, I have deleted the thing in Safe mode and have also deleted all of the files under the Program Files (x86)/WebCake directory. So there are no more obvious programs left.

If I go to the IE10 "Add Ons" and select "Currently Loaded Add Ons", WebCake is still shown as disabled.

Also if I select "All Add Ons" then additionally displayed is WebCake API  which is disabled.

I don't think I can get it any cleaner than this without an "Add Ons" virus remover..!
0
 
LVL 24

Accepted Solution

by:
aadih earned 250 total points
ID: 39223183
If all else fails, try:

(1) Run REGEDIT (Registry Editor)

(2) Goto the following paths which contain all your IE Add-ons:

"Browser Extension" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"

"Browser Helper Object" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

3. Copy the Class ID of the Add-ons that you wish to remove, eg: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} then delete it

4. Find the Class ID you copied in "HKEY_CLASSES_ROOT\CLSID" and delete it too.
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39223271
When you go to Tools -----> Manage Add-on ,  when you go to the Webcake add-on can you right-click select properties and then click remove?
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39223373
@ls21gce,

I would prefer you to run OTL.

OTL by OldTimer is a flexible, multipurpose, diagnostic, and malware removal tool. It's useful for identifying changes made to a system by spyware, malware and other unwanted programs. It creates detailed reports of registry and file settings, and also includes advanced tools and scripting ability for manual removing malware.

Download:
http://oldtimer.geekstogo.com/OTL/OTL.exe

Alternate downloads and locations:

Sometimes malware will block OTL.exe by name, or all executables. In that case try one of these alternatives.
OTL.com: http://oldtimer.geekstogo.com/OTL.com
OTL.scr: http://oldtimer.geekstogo.com/OTL.scr

Mirrors:
OTL.com: http://www.itxassociates.com/OT-Tools/OTL.com
OTL.scr: http://www.itxassociates.com/OT-Tools/OTL.scr
OTL.exe: http://www.itxassociates.com/OT-Tools/OTL.exe

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Thanks,
Sudeep
0
 

Author Comment

by:ls21gce
ID: 39225089
Hi comfortjeanius, the remove button is inactive
0
 

Author Comment

by:ls21gce
ID: 39225100
Now running OTL by oldtimer. I pressed the "Run Scan" option so it may take a while...
0
 

Author Comment

by:ls21gce
ID: 39225279
Hi Sudeep,

Is there a particular part of this report you would like me to post as I am not keen to post the complete contents of these reports onto an open forum and I haven't paid the premium to make it private !
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39225683
Here is a way to remove add-ons ToolbarCop this will take care of the delete button being greyed out.  Plus here the link to removing add-ons:


ToolbarCop

http://www.mydigitallife.info/how-to-uninstall-delete-and-remove-ie-add-ons-or-extensions-permanently/

Instructions for ToobarCop

http://www.mydigitallife.info/download-toolbarcop-to-remove-unwanted-ie-browser-toolbars-helper-objects-and-extensions/

I read the readme.txt and is states that it has been tested with Windows 98 and Windows XP environments. Should work in Windows ME/2000, but I test in Windows 7 with internet explorer 10

This might succor you in removing the webcake addon.  Post back with results.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39226491
It is extremely necessary to get the original logs of the OTL reports, otherwise it would be difficult to provide the solution based on it.

Sudeep
0
 

Author Comment

by:ls21gce
ID: 39228444
Hi Sudeep,

Can I send it to you as a private email as I don't want to post that kind of information on the open internet.
0
 

Author Comment

by:ls21gce
ID: 39228462
Hi Comfort,

I installed the Toolbarcop tool. it shows the following:-

----------------------------------------
WebCake
BHO
{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
C:\Program Files (x86)\WebCake\WebCakeIEClient.dll
Enabled
All Users


Suggesting it is Enabled although IE10 says it is disabled...

I ran the Delete Option but got: -

Run Time Error '5' Invalid Procedure Call or Argument.....
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39228804
Could you open the registry editor

windows key + r
type regedit
Click on edit
Click Find....
Input this {2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Lets see if it can find the registry entry

Plus navigate
C:\Program Files (x86)\WebCake\WebCakeIEClient.dll
Delete the WebCake Folder and its' content

Lets see if this work and Post back
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39229756
>>Hi Sudeep,

>>Can I send it to you as a private email as I don't want to post that kind of information on >>the open internet.

Yes, you could, please find my email in my profile.

Sudeep
0
 

Author Comment

by:ls21gce
ID: 39230531
Had a bit of a setback... Seems that one of the registry/clean-ups must have affected my wireless printer setup and I lost the ability to print despite re-installing the drivers.

Anyway, I had to do a system restore back to a couple of days ago and that reset the printer so all is working OK on that.

Back to webcake.....

I did the following...

1 - Ran Msconfig to stop the Webcake Updater from starting up as this prevents taking further action.
2 - Stopped the Webcake Service from running.
3 - Delete all the Webcake software from Users/<PCName>/Appdata/Roaming/Webcake
4 - Delete all the Webcake software from C:\Program Files (x86)\Webcake
5 - Look into IE10 Add Ons and note the Class ID for the two Webcake Add ons
6 - Run Regedit and search for the Class ID Keys and delete all references.

Re-boot and now there is no mention of Webcake in the IE10 Add Ons

I have run the Adwcleaner and the Malwarebytes and both report clean.

The only remaining problem is that there are still a number of references in the registry to Webcake showing dll info etc...

As I have pushed my luck already deleting keys out of the registry like a madman with no idea what the implications may be, I cant face rolling the dice again so decided to stick.

I am hoping that this should suffice unless there is a "registry cleaner" that can clean up after me...
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39230552
Ccleaner plus you should backup the registry before making changes.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39230554
Try Registrar Registry Manager to search for Webcake (left side window) and delete all entries it finds from the right-side window.  If there are not too many entries, you could delete them one by one using Regedit.

Of course, you must make a system restore point before changing any entry in the registry.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now