SUPERAntiSpyware indicated that files associated with the malware were in
When I checked when the directory had been created, it was almost two years ago.
C:\Users\Administrator>dir /ad c:\users\Administrator\AppData\Roaming\ Volume in drive C is OS Volume Serial Number is D6DD-50D8 Directory of c:\users\Administrator\AppData\Roaming 09/24/2016 08:44 PM <DIR> . 09/24/2016 08:44 PM <DIR> .. 06/18/2013 11:19 PM <DIR> Adobe 08/31/2015 08:50 PM <DIR> Apple Computer 11/02/2010 10:50 PM <DIR> ATI 04/08/2013 10:15 PM <DIR> Autodesk 01/09/2014 12:10 PM <DIR> Cartwheel 11/02/2010 10:51 PM <DIR> Dell 11/04/2010 07:47 PM <DIR> Download Manager 04/16/2014 09:15 AM <DIR> Garmin 04/27/2011 09:32 AM <DIR> Google 11/02/2010 10:50 PM <DIR> Identities 08/02/2013 03:03 PM <DIR> InstallShield 06/21/2011 11:32 AM <DIR> Jenkat 11/07/2010 04:04 PM <DIR> Macromedia 11/07/2010 10:00 PM <DIR> Macrovision 03/30/2015 07:47 PM <DIR> Malwarebytes 07/14/2009 02:45 AM <DIR> Media Center Programs 12/13/2016 07:35 PM <DIR> Microsoft 02/02/2012 09:52 AM <DIR> Mozilla 11/20/2011 09:28 PM <DIR> Roxio 12/04/2010 09:45 PM <DIR> Roxio Log Files 09/24/2016 08:44 PM <DIR> SQL Anywhere 16 06/18/2013 11:01 PM <DIR> SUPERAntiSpyware.com 06/18/2013 11:22 PM <DIR> Yahoo! 0 File(s) 0 bytes 25 Dir(s) 228,815,491,072 bytes free C:\Users\Administrator>
When I checked the contents of that folder, I saw the following:
C:\Users\Administrator>dir c:\users\Administrator\AppData\Roaming\CARTWHEEL Volume in drive C is OS Volume Serial Number is D6DD-50D8 Directory of c:\users\Administrator\AppData\Roaming\CARTWHEEL 01/09/2014 12:10 PM <DIR> . 01/09/2014 12:10 PM <DIR> .. 06/13/2011 09:23 AM 137,544 atl100.dll 10/31/2013 02:14 PM 293,824 Cartwheel.dll 11/19/2013 11:56 AM 444,328 InstallNotifier.exe 06/13/2011 09:23 AM 4,368,720 mfc100u.dll 06/13/2011 09:23 AM 421,200 msvcp100.dll 06/13/2011 09:23 AM 768,848 msvcr100.dll 08/01/2013 03:43 PM 1,789,440 ProcessDetector.exe 04/25/2012 08:08 AM 632,832 sqlite3.dll 01/09/2014 12:10 PM 0 Test.htm 01/09/2014 12:10 PM 6,431 unins000.dat 01/09/2014 12:10 PM 1,174,083 unins000.exe 10/31/2013 02:14 PM 1,815,976 UnInstallPlugin.exe 12 File(s) 11,853,226 bytes 2 Dir(s) 228,827,312,128 bytes free C:\Users\Administrator>
So the Cartwheel Shopping adware had apparently been on the system for quite some time.
I then used the Windows Registry Editor program, which can be
run by typing
regedit in the Cortana "Ask me anything" field
and then hitting Enter, I saw the following entries in the
Registry when I navigated to the
When I examined the
Windows registry entries for the adware, at
HKCU\SOFTWARE\Cartwheel\IE, I saw an InstallTime key,
which had a value of "20141009" that matched the date on the directory.
There was also a a key that appeared to be associated with Internet Explorer (IE).
Under that key, I saw the following:
The PartnerID likely refers to the "partner" responsible for distributing the Cartwheel Shopping adware to this system, e.g., someone distributing the adware through a particular website.
SUPERAntiSpyware also reported two browser extensions, Ask Toolbar and Delta Toolbar. Browser toolbars can extend the functionality of a web browser, but may also try to redirect users to particular websites and by that redirection generate revenue to the toolbar developer or whoever paid the developer to develop the toolbar.
I didn't see any keys beneath
Since I was curious as to when that toolbar software was installed, but
the Windows Registry Editor program, regedit.exe, doesn't reveal the time a
registry key was created, I installed
RegScanner a free
registry tool available from Nir Sofer at his site
NirSoft. I started the program and put
Delta in the Find String field and clicked
on the Scan button after deselecting "HKEY_LOCAL_MACHINE" from the
"Scan the following base keys" selections so that only "HKEY_CURRENT_USER"
would be scanned and also deselecting all but "Keys" for the "Look At"
options. When I first scanned the
wasn't shown, but when I repeated the scan, but this time with
"Add entry for each found key" checked as well, I then saw the key.
Since the "Key Modified Time" for
9/23/2016 4:18:37 AM, I'm presuming that is when the Delta toolbar was
installed. Since the user would not have been in the office at that time,
I'm assuming some other malware installed it at that time, or perhaps it was
installed before that time, though the key was last updated at that time.
I thought it might be possible that her antivirus software,
Total Protection, removed entries from that key at that time. But when
I checked the
McAfee scan report for the
prior 90 days, I found there was no scan on that day.
I clicked on the red "X" to the right of both toolbars and the Cartwheel Shopping entry in SUPERAntiSpyware to have it remove all three items it reported. SUPERAntiSpyware then continued its scan of the system. When the scan concluded, it reported 66 threats were detected:
Of the 66 items detected, 38 were tracking cookies, which are relatively innocuos; they allow advertisers to track a user's web browsing behavior, but shouldn't result in the performance issues the user reported. When I clicked on Continue, I saw 28 items found associated with PUP.ClientConnect/Variant.
When I viewed details for the results, I saw other toolbar entries.
E.g., in the SUPERAntiSpyware scan
log file, I saw
(X86)\TBCCINT\TOOLBARSERVICE\TOOLBARSERVICE.EXE. When I checked the
date for that file, I also found it had a 2014 date like the Cartwheel
C:\Users\Administrator>dir "C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE\TOOLBA RSERVICE.EXE" Volume in drive C is OS Volume Serial Number is D6DD-50D8 Directory of C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE 09/23/2014 05:34 AM 350,528 ToolbarService.exe 1 File(s) 350,528 bytes 0 Dir(s) 228,634,517,504 bytes free C:\Users\Administrator>
I had SUPERAntiSpyware remove everything it found, including the tracking cookies. It then informed me "A system restart is recommended to complete the removal."
I saved my notes and had it reboot at that point. After the system rebooted,
I found that the
C:\Program Files (x86)\Tbccint directory was
now empty, though the directory and its subdirectory
remained. I deleted the directory.
C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint" Volume in drive C is OS Volume Serial Number is D6DD-50D8 Directory of C:\Program Files (x86)\Tbccint 10/25/2014 04:43 PM <DIR> . 10/25/2014 04:43 PM <DIR> .. 12/13/2016 09:48 PM <DIR> ToolbarService 0 File(s) 0 bytes Directory of C:\Program Files (x86)\Tbccint\ToolbarService 12/13/2016 09:48 PM <DIR> . 12/13/2016 09:48 PM <DIR> .. 0 File(s) 0 bytes Total Files Listed: 0 File(s) 0 bytes 5 Dir(s) 226,518,532,096 bytes free C:\WINDOWS\system32>rmdir /s "C:\Program Files (x86)\Tbccint" C:\Program Files (x86)\Tbccint, Are you sure (Y/N)? y C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint" Volume in drive C is OS Volume Serial Number is D6DD-50D8 File Not Found C:\WINDOWS\system32>
I still saw Cartwheel Shopping listed under "Uninstall or change a program" when I right-clicked on the Windows Start button, selected Control Panel, Programs, then Programs and Features, though.
I double-clicked on the Cartwheel Shopping entry, but then saw a notice that it might have already been uninstalled. I was asked "Would you like to remove Cartwheel Shopping from the Programs and Features list?" I chose "Yes."