SUPERAntiSpyware detected Cartwheel Shopping, et al.

A user reported that she was having a lot of problems with her Windows 10 PC, including performance issues and problems with the Internet Explorer web browser. When I logged into an administrator account and scanned the system with SUPERAntiSpyware, an anti-spyware program that is available as a free edition, it detected Cartwheel Shopping, which it noted "is a program that may display advertisements and is bundled with other potentially unwanted programs."

SUPERAntiSpyware detected
Cartwheel Shopping

SUPERAntiSpyware indicated that files associated with the malware were in the C:\USers\Administrator\AppData\Roaming\CARTWHEEL directory.

When I checked when the directory had been created, it was almost two years ago.

C:\Users\Administrator>dir /ad c:\users\Administrator\AppData\Roaming\
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of c:\users\Administrator\AppData\Roaming

09/24/2016  08:44 PM    <DIR>          .
09/24/2016  08:44 PM    <DIR>          ..
06/18/2013  11:19 PM    <DIR>          Adobe
08/31/2015  08:50 PM    <DIR>          Apple Computer
11/02/2010  10:50 PM    <DIR>          ATI
04/08/2013  10:15 PM    <DIR>          Autodesk
01/09/2014  12:10 PM    <DIR>          Cartwheel
11/02/2010  10:51 PM    <DIR>          Dell
11/04/2010  07:47 PM    <DIR>          Download Manager
04/16/2014  09:15 AM    <DIR>          Garmin
04/27/2011  09:32 AM    <DIR>          Google
11/02/2010  10:50 PM    <DIR>          Identities
08/02/2013  03:03 PM    <DIR>          InstallShield
06/21/2011  11:32 AM    <DIR>          Jenkat
11/07/2010  04:04 PM    <DIR>          Macromedia
11/07/2010  10:00 PM    <DIR>          Macrovision
03/30/2015  07:47 PM    <DIR>          Malwarebytes
07/14/2009  02:45 AM    <DIR>          Media Center Programs
12/13/2016  07:35 PM    <DIR>          Microsoft
02/02/2012  09:52 AM    <DIR>          Mozilla
11/20/2011  09:28 PM    <DIR>          Roxio
12/04/2010  09:45 PM    <DIR>          Roxio Log Files
09/24/2016  08:44 PM    <DIR>          SQL Anywhere 16
06/18/2013  11:01 PM    <DIR>          SUPERAntiSpyware.com
06/18/2013  11:22 PM    <DIR>          Yahoo!
               0 File(s)              0 bytes
              25 Dir(s)  228,815,491,072 bytes free

C:\Users\Administrator>

When I checked the contents of that folder, I saw the following:

C:\Users\Administrator>dir c:\users\Administrator\AppData\Roaming\CARTWHEEL
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of c:\users\Administrator\AppData\Roaming\CARTWHEEL

01/09/2014  12:10 PM    <DIR>          .
01/09/2014  12:10 PM    <DIR>          ..
06/13/2011  09:23 AM           137,544 atl100.dll
10/31/2013  02:14 PM           293,824 Cartwheel.dll
11/19/2013  11:56 AM           444,328 InstallNotifier.exe
06/13/2011  09:23 AM         4,368,720 mfc100u.dll
06/13/2011  09:23 AM           421,200 msvcp100.dll
06/13/2011  09:23 AM           768,848 msvcr100.dll
08/01/2013  03:43 PM         1,789,440 ProcessDetector.exe
04/25/2012  08:08 AM           632,832 sqlite3.dll
01/09/2014  12:10 PM                 0 Test.htm
01/09/2014  12:10 PM             6,431 unins000.dat
01/09/2014  12:10 PM         1,174,083 unins000.exe
10/31/2013  02:14 PM         1,815,976 UnInstallPlugin.exe
              12 File(s)     11,853,226 bytes
               2 Dir(s)  228,827,312,128 bytes free

C:\Users\Administrator>

So the Cartwheel Shopping adware had apparently been on the system for quite some time.

I then used the Windows Registry Editor program, which can be run by typing regedit in the Cortana "Ask me anything" field and then hitting Enter, I saw the following entries in the Windows Registry when I navigated to the HKCU\Software\Cartwheel registry key:

Registry Editor - 
HKCU\Software\Cartwheel

When I examined the Windows registry entries for the adware, at HKCU\SOFTWARE\Cartwheel\IE, I saw an InstallTime key, which had a value of "20141009" that matched the date on the directory.

There was also a a key that appeared to be associated with Internet Explorer (IE).

Registry Editor 
HKCU\SOFTWARE\Cartwheel\IE

Under that key, I saw the following:

Value name:PartnerID
Value data:CW191

The PartnerID likely refers to the "partner" responsible for distributing the Cartwheel Shopping adware to this system, e.g., someone distributing the adware through a particular website.

SUPERAntiSpyware also reported two browser extensions, Ask Toolbar and Delta Toolbar. Browser toolbars can extend the functionality of a web browser, but may also try to redirect users to particular websites and by that redirection generate revenue to the toolbar developer or whoever paid the developer to develop the toolbar.

Udemy Generic Category (English)120x600

SUPERAntiSpyware
- Ask and Delta toolbars

I didn't see any keys beneath HKCU\SOFTWARE\DELTA.

Registry Editor - HKCU\Software\Delta

Since I was curious as to when that toolbar software was installed, but the Windows Registry Editor program, regedit.exe, doesn't reveal the time a registry key was created, I installed RegScanner a free registry tool available from Nir Sofer at his site NirSoft. I started the program and put Delta in the Find String field and clicked on the Scan button after deselecting "HKEY_LOCAL_MACHINE" from the "Scan the following base keys" selections so that only "HKEY_CURRENT_USER" would be scanned and also deselecting all but "Keys" for the "Look At" options. When I first scanned the HKEY\SOFTWARE\Delta key wasn't shown, but when I repeated the scan, but this time with "Add entry for each found key" checked as well, I then saw the key.

Registry Scan Options

Since the "Key Modified Time" for HKCU\SOFTWARE\Delta was 9/23/2016 4:18:37 AM, I'm presuming that is when the Delta toolbar was installed. Since the user would not have been in the office at that time, I'm assuming some other malware installed it at that time, or perhaps it was installed before that time, though the key was last updated at that time. I thought it might be possible that her antivirus software, McAfee Total Protection, removed entries from that key at that time. But when I checked the McAfee scan report for the prior 90 days, I found there was no scan on that day.

I clicked on the red "X" to the right of both toolbars and the Cartwheel Shopping entry in SUPERAntiSpyware to have it remove all three items it reported. SUPERAntiSpyware then continued its scan of the system. When the scan concluded, it reported 66 threats were detected:

Memory Items1
Registry Items25
File Items40

SuperAntiSpyware detected 66
threats

Of the 66 items detected, 38 were tracking cookies, which are relatively innocuos; they allow advertisers to track a user's web browsing behavior, but shouldn't result in the performance issues the user reported. When I clicked on Continue, I saw 28 items found associated with PUP.ClientConnect/Variant.

SUPERAntiSpyware Scan Results

When I viewed details for the results, I saw other toolbar entries.

SUPERAntiSpyware PUPs

E.g., in the SUPERAntiSpyware scan log file, I saw C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE\TOOLBARSERVICE.EXE. When I checked the date for that file, I also found it had a 2014 date like the Cartwheel Shopping software.

C:\Users\Administrator>dir "C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE\TOOLBA
RSERVICE.EXE"
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\PROGRAM FILES (X86)\TBCCINT\TOOLBARSERVICE

09/23/2014  05:34 AM           350,528 ToolbarService.exe
               1 File(s)        350,528 bytes
               0 Dir(s)  228,634,517,504 bytes free

C:\Users\Administrator>

I had SUPERAntiSpyware remove everything it found, including the tracking cookies. It then informed me "A system restart is recommended to complete the removal."

SUPERAntiSpyware restart
required

I saved my notes and had it reboot at that point. After the system rebooted, I found that the C:\Program Files (x86)\Tbccint directory was now empty, though the directory and its subdirectory ToolbarService remained. I deleted the directory.

C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint"
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\Program Files (x86)\Tbccint

10/25/2014  04:43 PM    <DIR>          .
10/25/2014  04:43 PM    <DIR>          ..
12/13/2016  09:48 PM    <DIR>          ToolbarService
               0 File(s)              0 bytes

 Directory of C:\Program Files (x86)\Tbccint\ToolbarService

12/13/2016  09:48 PM    <DIR>          .
12/13/2016  09:48 PM    <DIR>          ..
               0 File(s)              0 bytes

     Total Files Listed:
               0 File(s)              0 bytes
               5 Dir(s)  226,518,532,096 bytes free

C:\WINDOWS\system32>rmdir /s "C:\Program Files (x86)\Tbccint"
C:\Program Files (x86)\Tbccint, Are you sure (Y/N)? y

C:\WINDOWS\system32>dir /s "C:\Program Files (x86)\Tbccint"
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
File Not Found

C:\WINDOWS\system32>

I still saw Cartwheel Shopping listed under "Uninstall or change a program" when I right-clicked on the Windows Start button, selected Control Panel, Programs, then Programs and Features, though.

Uninstall Program - Cartwheel 
Shopping

I double-clicked on the Cartwheel Shopping entry, but then saw a notice that it might have already been uninstalled. I was asked "Would you like to remove Cartwheel Shopping from the Programs and Features list?" I chose "Yes."

Cartwheel Shopping already
uninstalled

 

TechRabbit ad 300x250 newegg.com

Justdeals Daily Electronics Deals1x1 px