Wondershare Helper Compact Manually Removed, Still Running "Program" on Startup


  • This topic is locked
5 replies to this topic

#1 Scavenqers


Posted 30 December 2016 - 01:43 AM

Hi everyone.

 

Like many others, I've had issues with the Wondershare malware on my system. I discovered it today after noticing significant performance issues, though it claims to have been installed November 1st, most likely alongside software I previously uninstalled. There's an old thread on this issue here https://www.bleepingcomputer.com/forums/t/523894/wondershare-helper-compact/ in which Broni advised deleting folders and other leftovers, which I did. However, I still see the "Program" program under startup on Task Manager.

 

I manually uninstalled Wondershare Helper Compact using the Control Panel, stopped the corresponding process, permanently deleted leftover files, ran a virus scan with both McAfee and Avira, and ran Malwarebytes twice. None of the anti-virus and anti-malware software found any issue, but the "Program" instance is still there. I have disabled it using Task Manager for the time being. Additionally, underneath "Command Line", the "Program" program claims to be running from the following folder:

"C:\Program" Files (x86)\Common Files\Wondershare

This folder does not exist on my system from what I can tell.

 

I am running Windows 10 Home 64-bit on a new Dell XPS 13.

 

I have installed and run FRST on my system. I have attached the Addition.txt file to this post. Pasting the FRST.txt file made this post too long, so it will follow immediately after in the post below.

 
I realize this is a long first post for a topic, but I wanted to be as thorough as possible. Any and all help is appreciated. Thanks!


 


#2 Scavenqers


Posted 30 December 2016 - 01:46 AM

Here is the promised FRST.txt. Again, it won't let me post the whole thing as it's too long, so I suppose I'll attach it to this post instead of pasting, if that's alright.

Attached Files

  • Attached File  FRST.txt   200.8KB   6 downloads

Edited by Scavenqers, 30 December 2016 - 01:46 AM.


#3 nasdaq

  • Malware Response Team

Posted 30 December 2016 - 10:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1165\G2AWinLogon_x64.dll [X]
CHR Extension: (Avira Browser Safety) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-12-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-02]
CHR Extension: (Chrome Media Router) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Wondershare Helper Compact.exe

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists run this search.

Please run the Farbar Recovery Scan Tool. Enter Wondershare in the Search Box.
Click the Search Registry button and post the content of the Search.txt file.
==

Post the files and let me know if the problem persists.
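
The registry search suggested above can be approximated by hand for the auto-start locations. The following PowerShell is an added example, not part of the thread or of FRST; it only reads the three standard Run keys and flags values that mention Wondershare, point to a file that no longer exists, or hold an unquoted path containing spaces, which is consistent with the "C:\Program" command line reported in the first post. That the leftover entry sits in one of these keys is an assumption the thread does not confirm, and `Get-StartupTarget` is a hypothetical helper name.

```powershell
# Added example (read-only): inspect the standard Run keys for leftover entries.
$needle  = 'Wondershare'          # search term used in the thread
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-StartupTarget {
    # Hypothetical helper: extract the executable path from a Run value.
    param([string]$Command)
    # Quoted command: the executable is the text inside the first pair of quotes.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted command: take everything up to the first ".exe".
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    # Otherwise fall back to the first whitespace-delimited token.
    return ($Command.Trim() -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        $target = Get-StartupTarget -Command $cmd
        # A bare name such as "rundll32.exe" is resolved through PATH, not as a disk path.
        $exists = (Test-Path -LiteralPath $target) -or
                  [bool](Get-Command -Name $target -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Key      = $key
            Name     = $name
            Command  = $cmd
            Mentions = "$name $cmd" -match [regex]::Escape($needle)
            Missing  = -not $exists
            Unquoted = ($cmd -notmatch '^\s*"') -and ($target -match '\s')
        }
    }
}

# Show only entries worth a closer look; nothing is modified or deleted.
$findings | Where-Object { $_.Mentions -or $_.Missing -or $_.Unquoted } | Format-List
```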

#4 Scavenqers


Posted 01 January 2017 - 07:56 PM

Hello, nasdaq.

 

I have completed the FRST Fix as requested.  Performance has been greatly improved on my system (it's back to normal, if not better than before) but the "Program" program is still showing up in the Startup section of the task manager.

 

Contents of the Fixlog.txt file are as follows:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Aly (01-01-2017 18:49:02) Run:1
Running from C:\Users\Aly\Downloads
Loaded Profiles: Aly &  (Available Profiles: Aly)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1165\G2AWinLogon_x64.dll [X]
CHR Extension: (Avira Browser Safety) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-12-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-02]
CHR Extension: (Chrome Media Router) - C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Wondershare Helper Compact.exe
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist => key removed successfully
C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => moved successfully
C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Aly\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Wondershare Helper Compact.exe => key not found. 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 294131 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12711293 B
Java, Flash, Steam htmlcache => 25798079 B
Windows/system/drivers => 37247179 B
Edge => 8248315 B
Chrome => 833463894 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 17130 B
NetworkService => 0 B
Aly => 39517282 B
 
RecycleBin => 3970 B
EmptyTemp: => 913 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 18:49:56 ====


#5 nasdaq

  • Malware Response Team

Posted 02 January 2017 - 08:32 AM

The program is not active. Only the Program list shows it. You can leave it alone or try this.
See if you can remove it by following the instructions.
https://support.microsoft.com/en-us/instantanswers/ce7ba88b-4e95-4354-b807-35732db36c4d/repair-or-remove-programs

P.S.
You have 2 Options.
Remove Settings and
Repair in Control panel.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#6 Scavenqers


Posted 02 January 2017 - 05:54 PM

Alright, all is well now. Thank you very much for the help and the links!





