SUPERAntiSpyware indicated that files associated with the malware were in
the C:\Users\Administrator\AppData\Roaming\CARTWHEEL directory.
When I checked when the directory had been created, it was almost two years ago.
C:\Users\Administrator>dir /ad c:\users\Administrator\AppData\Roaming\
Volume in drive C is OS
Volume Serial Number is D6DD-50D8
Directory of c:\users\Administrator\AppData\Roaming
09/24/2016 08:44 PM <DIR> .
09/24/2016 08:44 PM <DIR> ..
06/18/2013 11:19 PM <DIR> Adobe
08/31/2015 08:50 PM <DIR> Apple Computer
11/02/2010 10:50 PM <DIR> ATI
04/08/2013 10:15 PM <DIR> Autodesk
01/09/2014 12:10 PM <DIR> Cartwheel
11/02/2010 10:51 PM <DIR> Dell
11/04/2010 07:47 PM <DIR> Download Manager
04/16/2014 09:15 AM <DIR> Garmin
04/27/2011 09:32 AM <DIR> Google
11/02/2010 10:50 PM <DIR> Identities
08/02/2013 03:03 PM <DIR> InstallShield
06/21/2011 11:32 AM <DIR> Jenkat
11/07/2010 04:04 PM <DIR> Macromedia
11/07/2010 10:00 PM <DIR> Macrovision
03/30/2015 07:47 PM <DIR> Malwarebytes
07/14/2009 02:45 AM <DIR> Media Center Programs
12/13/2016 07:35 PM <DIR> Microsoft
02/02/2012 09:52 AM <DIR> Mozilla
11/20/2011 09:28 PM <DIR> Roxio
12/04/2010 09:45 PM <DIR> Roxio Log Files
09/24/2016 08:44 PM <DIR> SQL Anywhere 16
06/18/2013 11:01 PM <DIR> SUPERAntiSpyware.com
06/18/2013 11:22 PM <DIR> Yahoo!
0 File(s) 0 bytes
25 Dir(s) 228,815,491,072 bytes free
C:\Users\Administrator>
When I checked the contents of that folder, I saw the following:
C:\Users\Administrator>dir c:\users\Administrator\AppData\Roaming\CARTWHEEL
Volume in drive C is OS
Volume Serial Number is D6DD-50D8
Directory of c:\users\Administrator\AppData\Roaming\CARTWHEEL
01/09/2014 12:10 PM <DIR> .
01/09/2014 12:10 PM <DIR> ..
06/13/2011 09:23 AM 137,544 atl100.dll
10/31/2013 02:14 PM 293,824 Cartwheel.dll
11/19/2013 11:56 AM 444,328 InstallNotifier.exe
06/13/2011 09:23 AM 4,368,720 mfc100u.dll
06/13/2011 09:23 AM 421,200 msvcp100.dll
06/13/2011 09:23 AM 768,848 msvcr100.dll
08/01/2013 03:43 PM 1,789,440 ProcessDetector.exe
04/25/2012 08:08 AM 632,832 sqlite3.dll
01/09/2014 12:10 PM 0 Test.htm
01/09/2014 12:10 PM 6,431 unins000.dat
01/09/2014 12:10 PM 1,174,083 unins000.exe
10/31/2013 02:14 PM 1,815,976 UnInstallPlugin.exe
12 File(s) 11,853,226 bytes
2 Dir(s) 228,827,312,128 bytes free
C:\Users\Administrator>
So the Cartwheel Shopping adware had apparently been on the system for quite some time.
I then used the Windows Registry Editor program, which can be run by typing regedit in the Cortana "Ask me anything" field and then hitting Enter. When I navigated to the HKCU\Software\Cartwheel registry key, I saw the following entries in the Windows Registry:
When I examined the Windows registry entries for the adware at HKCU\SOFTWARE\Cartwheel\IE, I saw an InstallTime key, which had a value of "20141009" that matched the date on the directory.
There was also a key that appeared to be associated with Internet Explorer (IE). Under that key, I saw the following:
| Value name: | PartnerID |
| Value data: | CW191 |
The PartnerID likely refers to the "partner" responsible for distributing the Cartwheel Shopping adware to this system, e.g., someone distributing the adware through a particular website.
SUPERAntiSpyware also reported two browser extensions, Ask Toolbar and Delta Toolbar. Browser toolbars can extend the functionality of a web browser, but they may also try to redirect users to particular websites and, through that redirection, generate revenue for the toolbar developer or for whoever paid the developer to create the toolbar.
I didn't see any keys beneath HKCU\SOFTWARE\DELTA.
I was curious as to when that toolbar software was installed, but the Windows Registry Editor program, regedit.exe, doesn't reveal the time a registry key was created, so I installed RegScanner, a free registry tool available from Nir Sofer at his site, NirSoft. I started the program, put Delta in the Find String field, deselected "HKEY_LOCAL_MACHINE" from the "Scan the following base keys" selections so that only "HKEY_CURRENT_USER" would be scanned, deselected all but "Keys" for the "Look At" options, and clicked on the Scan button. On the first scan the HKCU\SOFTWARE\Delta key wasn't shown, but when I repeated the scan with "Add entry for each found key" checked as well, I then saw the key.
Since the "Key Modified Time" for HKCU\SOFTWARE\Delta was 9/23/2016 4:18:37 AM, I'm presuming that is when the Delta toolbar was installed. Since the user would not have been in the office at that time, I'm assuming some other malware installed it at that time, or perhaps it was installed before that time and the key was merely last updated then.
I thought it might be possible that her antivirus software, McAfee Total Protection, removed entries from that key at that time. But when I checked the McAfee scan report for the prior 90 days, I found there was no scan on that day.
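The "Key Modified Time" that RegScanner reports is the key's last-write time, which the Windows API exposes even though regedit does not. The following PowerShell script is an added example, not part of the original post; it reads that timestamp directly for the HKCU\SOFTWARE\Cartwheel and HKCU\SOFTWARE\Delta keys named above (assumed to still be present on the machine being examined) and their subkeys, alongside any InstallTime value they hold.

```powershell
# Added example (not from the original post): read a registry key's
# last-write time, which regedit does not display, via RegQueryInfoKey.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
public static class RegKeyTime {
    [DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, out uint cSubKeys, out uint cbMaxSubKeyLen, out uint cbMaxClassLen,
        out uint cValues, out uint cbMaxValueNameLen, out uint cbMaxValueLen,
        out uint cbSecurityDescriptor, out FILETIME ftLastWriteTime);
    public static DateTime GetLastWriteTime(IntPtr hKey) {
        uint a, b, c, d, e, f, g; FILETIME ft;
        int rc = RegQueryInfoKey(hKey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out a, out b, out c, out d, out e, out f, out g, out ft);
        if (rc != 0) throw new System.ComponentModel.Win32Exception(rc);
        // FILETIME holds two signed ints; mask the low half before combining.
        long t = ((long)ft.dwHighDateTime << 32) | ((long)ft.dwLowDateTime & 0xFFFFFFFFL);
        return DateTime.FromFileTimeUtc(t).ToLocalTime();
    }
}
"@

function Get-RegKeyLastWriteTime {
    # Takes an open RegistryKey (as returned by Get-Item / Get-ChildItem on HKCU:).
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    [RegKeyTime]::GetLastWriteTime($Key.Handle.DangerousGetHandle())
}

# Keys from the post (assumed still present); -Recurse covers subkeys such as Cartwheel\IE.
foreach ($root in 'HKCU:\SOFTWARE\Cartwheel', 'HKCU:\SOFTWARE\Delta') {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "$root not present"; continue }
    @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse) |
        ForEach-Object {
            [pscustomobject]@{
                Key           = $_.Name
                LastWriteTime = Get-RegKeyLastWriteTime -Key $_
                InstallTime   = $_.GetValue('InstallTime')   # $null where the value is absent
            }
        } | Format-Table -AutoSize
}
```

RegQueryInfoKey reports when the key or one of its values was last written, not when the key was created, so the timestamp bounds the installation from above only; a later value change by an uninstaller or scanner would move it forward.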
I clicked on the red "X" to the right of both toolbars and the Cartwheel Shopping entry in SUPERAntiSpyware to have it remove all three items it reported. SUPERAntiSpyware then continued its scan of the system. When the scan concluded, it reported 66 threats were detected:
| Memory Items | 1 |
| Registry Items | 25 |
| File Items | 40 |
Of the 66 items detected, 38 were tracking cookies, which are relatively innocuous; they allow advertisers to track a user's web browsing behavior, but shouldn't result in the performance issues the user reported. When I clicked on Continue, I saw 28 items found associated with PUP.ClientConnect/Variant.
When I viewed details for the results, I saw other toolbar entries. E.g., in the SUPERAntiSpyware scan log file, I saw C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE\TOOLBARSERVICE.EXE. When I checked the date for that file, I also found it had a 2014 date like the Cartwheel Shopping software.
C:\Users\Administrator>dir "C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE\TOOLBARSERVICE.EXE"
Volume in drive C is OS
Volume Serial Number is D6DD-50D8
Directory of C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE
09/23/2014 05:34 AM 350,528 ToolbarService.exe
1 File(s) 350,528 bytes
0 Dir(s) 228,634,517,504 bytes free
C:\Users\Administrator>
I had SUPERAntiSpyware remove everything it found, including the tracking cookies. It then informed me "A system restart is recommended to complete the removal."
I saved my notes and had it reboot at that point. After the system rebooted, I found that the C:\Program Files (x86)\Tbccint directory was now empty, though the directory and its subdirectory ToolbarService remained. I deleted the directory.
C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint"
Volume in drive C is OS
Volume Serial Number is D6DD-50D8
Directory of C:\Program Files (x86)\Tbccint
10/25/2014 04:43 PM <DIR> .
10/25/2014 04:43 PM <DIR> ..
12/13/2016 09:48 PM <DIR> ToolbarService
0 File(s) 0 bytes
Directory of C:\Program Files (x86)\Tbccint\ToolbarService
12/13/2016 09:48 PM <DIR> .
12/13/2016 09:48 PM <DIR> ..
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
5 Dir(s) 226,518,532,096 bytes free
C:\WINDOWS\system32>rmdir /s "C:\Program Files (x86)\Tbccint"
C:\Program Files (x86)\Tbccint, Are you sure (Y/N)? y
C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint"
Volume in drive C is OS
Volume Serial Number is D6DD-50D8
File Not Found
C:\WINDOWS\system32>
I still saw Cartwheel Shopping listed under "Uninstall or change a program" when I right-clicked on the Windows Start button, selected Control Panel, Programs, then Programs and Features, though.
I double-clicked on the Cartwheel Shopping entry, but then saw a notice that it might have already been uninstalled. I was asked "Would you like to remove Cartwheel Shopping from the Programs and Features list?" I chose "Yes."