
wondershare helper compact on startup


This topic is locked
7 replies to this topic

#1 jrlidstermason

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:Sheffield UK
  • Local time:05:27 PM

Posted 02 January 2017 - 12:39 PM

Hi, I downloaded a programme to help transfer contacts to my new mobile phone, and now this pop-up keeps appearing at startup with a message asking me if I want to allow the programme to make changes to the computer, to which I say no.

 

I uninstalled the wondershare programme, but something is obviously left over.

 

AVG Anti Virus finds nothing.

Malwarebytes quarantined 4 files, all with similar names "PUP.optional.MindSpark".

I also ran CCleaner, which found nothing.

 

So I have been reading similar posts on your site and wondered what advice you can offer.

 

I am using a Toshiba Ultrabook, Windows 10 Pro with a 64-bit operating system, x64-based processor.

 

I have installed and run FRST64 and attached the results below.

 

Many thanks for your help.

 

rgds

 

JR

 

 

Attached Files




#2 nasdaq

  • Malware Response Team
  • 39,543 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:27 PM

Posted 03 January 2017 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Then,

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\JohnRichardson.LIDSTERS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Chrome Media Router) - C:\Users\JohnRichardson.LIDSTERS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\MobileTrans\DriverInstall.exe" [X]
Task: {03D1D7D8-C921-491C-95C9-50A475901CFE} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {105C3F18-4F74-476A-8244-2E35E7AF826E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {2C5CB171-4460-4A6D-9E66-4B1072613B79} - \WPD\SqmUpload_S-1-5-21-795000721-302889914-118480314-1001 -> No File <==== ATTENTION
Task: {4171F30E-745A-4AB6-97A4-FA3F83180B0A} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {4B54857B-DCD2-4E9C-8B8C-C525AC69747B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6BB3D9C6-00A6-4AD1-B17A-FF7F40B4B967} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {7C5CAABA-81B9-4208-BACD-379759302F93} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {9586EC94-0A0E-44AE-820C-CA075A6779AD} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {9E62E0E7-09D9-4162-9BD7-CB37AE2E522A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B02905D1-6C7F-4442-80E9-AA777DBBB82D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {B2CEB025-BC73-4B58-95F6-ADAFD12306A8} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {C30F258D-78A1-45E5-B7E3-C5D79830EC8B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {C9809BE5-AF91-4A38-B344-EB42219E6D26} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F2027537-0E9A-4EFA-99A7-9F84E290EB45} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
2016-12-29 15:37 - 2014-10-31 16:37 - 01498112 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2016-12-29 15:37 - 2014-05-19 17:19 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
C:\Program Files (x86)\Common Files\Wondershare

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official Oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

Edited by nasdaq, 03 January 2017 - 09:45 AM.


#3 jrlidstermason
  • Topic Starter

Posted 03 January 2017 - 06:04 PM

Attached File  Fixlog.txt   11.04KB   0 downloads

 

Hi Nasdaq

 

Many thanks for your help. I have enabled System Restore, run FRST64 and selected Fix; the Fixlog is attached.

 

I will look at your comments on Java next.

 

thanks

 

JR



#4 jrlidstermason
  • Topic Starter

Posted 04 January 2017 - 04:31 AM

Hi Nasdaq

 

Well, so far the pop-up has not appeared, and the computer is behaving normally, though it is early days.

 

If I need to update Java then I will, but I know that it is likely to cause issues with an online service that I need to use.

 

I can see that there are still some very visible Wondershare files on the PC, and so presumably there will be many more that are not so visible.

 

Should we attempt to remove these, or is it safe to ignore them? See attached.

Attached File  wondershare files helper.JPG   36.35KB   0 downloads
Attached File  wondershare files Roaming.JPG   30.9KB   0 downloads

 

thanks

 

JR



#5 nasdaq

  • Malware Response Team

Posted 04 January 2017 - 09:58 AM

Delete these folders in bold.
C:\ProgramData\Wondershare
C:\Program Files (x86)\Common Files\Wondershare
C:\Users\JohnRichardson.LIDSTERS\AppData\Roaming\Wondershare
C:\Users\JohnRichardson.LIDSTERS\AppData\Local\Wondershare

Delete this file in bold.
C:\Users\JohnRichardson.LIDSTERS\Downloads\mobile-transfer.exe
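The folder and file list above, together with the service, scheduled-task and DLL entries in the earlier fixlist, are the usual places an uninstaller leaves pieces behind. The script below is an added example written for this thread, not something nasdaq posted or a Wondershare or FRST tool; it audits a machine for leftovers of an uninstalled program by vendor keyword and reports what it finds without deleting anything, so it can be run before and after a cleanup to confirm the result. It assumes the keyword `Wondershare` and the downloaded installer name `mobile-transfer.exe` from the thread, and it builds the profile paths from the environment instead of hard-coding the username that appears in the log.

```powershell
# Added example (not from the thread): report leftovers of an uninstalled
# program by vendor keyword. Report-only; nothing is deleted.
param(
    [string]$Keyword = 'Wondershare'   # assumption: vendor name from the thread
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The folders and the installer the thread told the user to delete, with
#    the profile path taken from the environment rather than the log's username.
$paths = @(
    "$env:ProgramData\$Keyword",
    "${env:ProgramFiles(x86)}\Common Files\$Keyword",
    "$env:APPDATA\$Keyword",
    "$env:LOCALAPPDATA\$Keyword",
    "$env:USERPROFILE\Downloads\mobile-transfer.exe"   # installer named in the thread
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Path still present: $p") }
}

# 2. Services whose name or binary path mentions the vendor. The FRST log showed
#    a service (WsDrvInst) whose executable no longer existed, so also report
#    whether the binary behind each matching service is actually on disk.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Keyword -or $_.Name -match $Keyword } |
    ForEach-Object {
        $binaryExists = $false
        if ($_.PathName -match '"([^"]+)"') { $binaryExists = Test-Path -LiteralPath $Matches[1] }
        $findings.Add("Service $($_.Name) [$($_.State)] -> $($_.PathName) (binary exists: $binaryExists)")
    }

# 3. Scheduled tasks whose action runs something from the vendor; a task set to
#    run at logon is one common source of a prompt at every startup.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (("$($action.Execute) $($action.Arguments)") -match $Keyword) {
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)")
        }
    }
}

# 4. Autostart (Run) values for the machine and the current user, including
#    the 32-bit view used by 32-bit installers on 64-bit Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($value -match $Keyword) { $findings.Add("Run entry $key\$name = $value") }
    }
}

if ($findings.Count -eq 0) {
    "No '$Keyword' leftovers found in the checked paths, services, tasks or Run keys."
} else {
    $findings
}
```

Run it from an elevated PowerShell window so that services and all scheduled tasks are visible; a clean run prints the "No ... leftovers" line. A service whose binary no longer exists, like the `[X]` entries in the FRST log, is harmless on its own but is exactly the kind of orphan the fixlist removed, so it is worth listing rather than silently ignoring.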

#6 jrlidstermason
  • Topic Starter

Posted 04 January 2017 - 01:13 PM

Hi Nasdaq

 

Thanks for your reply

 

C:\ProgramData\Wondershare - Deleted

C:\Program Files (x86)\Common Files\Wondershare - Not found
C:\Users\JohnRichardson.LIDSTERS\AppData\Roaming\Wondershare - Deleted
C:\Users\JohnRichardson.LIDSTERS\AppData\Local\Wondershare - Deleted

Delete this file in bold.
C:\Users\JohnRichardson.LIDSTERS\Downloads\mobile-transfer.exe - Deleted
 
Thanks
 
JR


#7 nasdaq

  • Malware Response Team

Posted 05 January 2017 - 08:33 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 jrlidstermason
  • Topic Starter

Posted 05 January 2017 - 08:43 AM

Hi Nasdaq

 

All is still well with the PC, many thanks for your help and for the information guide.

 

Best Regards

 

JR

