Wondershare appservices virus or just a pain in the neck I want it gone

[REDACTED]

Goodness knows where I got it from, it would only have been a legit site. Apparently it's been on my PC for months, I only found out yesterday as it was hogging 96% of ram on my Windows 8.1 PC.  I've spent all day trying to find out how to remove it, without success.  It does not appear in progs and apps so it cannot be un-installed from there. I've run, albeit extremely slowly, both Malwarebytes and Avast and both state there is no threat identified. Spybot will not run. It only becomes a nuisance when I plug in the ethernet cable I've attached some pngs, hoping that this will give a better idea of the situation so that someone might be able to help me. I've tried to remove it from Start-Up (as Administrator) but that tells me to go to Task Manager to stop it from running, when I get to Task Manager there is no option to stop it. Can anyone give me any guidance please? 

magna86

Your message says "The fixes are specific to your problem and should only be used for this issue on this machine my problem is on my windows 8 PC, I'm contacting you on my Windows 7 PC. I have downloaded mwb and farbar and will have to transfer them to my windows 8 pc via usb then copy the reports and transfer them back to my windows 7 pc to forward to you.  I have no other option.

[Pondus]

Instructions   https://forum.avast.com/index.php?topic=194892.0

[REDACTED]

I ran mwb and farbar as instructed. Farbar saved the logs and they are attached.  mwb reported no threats, it said that it had saved the scan report successfully to the desktop, but it did not appear there, so I ran the scan again and copied and pasted the result into a text file and that is attached, I named it mwb report 2nd scan.  I've attached a snip of what came up as the desktop showing only Handbrake, but this isn't my desktop.

Wanting to learn, I took a look at the Farbar reports and am gobsmacked at what seem to be hundreds of porn and sex sites, it weren't me guv

Seems like a nasty virus, seems like it's been on my PC since Jan 2017 but only just started hogging 96% of memory, so how do I get rid of it, how did it get through Avast, why didn't mwb pick it up during the many scans? please help and please bear in mind that I am contacting you on a different PC because as soon as I connect to the web wshare kicks in and prevents me from doing anything.

[Eddy]

You haven't attached the logs.
Please do so.

[REDACTED]

My apologies, I thought that I was attaching them all in the one box, my mistake.

[dbrisendine]

In this case, a user with Administrator level access / privileges must run the scans and the fixes.  On this machine that would be users either Jaye or Aunt Sally.

[REDACTED]

Scanned with Administrator access.  Couldn't update either mwb or farbar, as soon as I plug in the ethernet cable Wondershare goes all out to 97% of memory and I get no access.

Administrator logs are now attached, apologies again.

[dbrisendine]

Please run these steps with an account with Administrator level access.  Thank you.



FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Duplicate Cleaner Free 3.2.7

QuickTime 7

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window. 

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

How is the system running now?

[REDACTED]

Do you use wondershare products? like wondershare video converter? the appservice is an update utility
try updating the product or contact wondershare maybe problem with app optimization. You can also disable it in the services(App would still work, but you cannot update).


Note: Im no expert, i need an adult, someone confirm.

[REDACTED]

I thought I had posted a response but I can't find it.  So, I followed instructions for FRST and Fixlist.  It has been running now for 40 mins, it just says Fixing is in progress, please wait...

How long will it run for and what should I do if it doesn't stop?

[REDACTED]

This fix is still running that's 1 hour and 40 minutes now.  What do I do?

the only comments I can make are that duplicate cleaner reported that it had been successfully uninstalled, Quick Time asked if it could make changes to which I replied Yes it didn't report back but it disappeared from my list of programs. Malwarebytes put up an  orange message saying:-

Real time protection layers turned off,  one or more Real-Time Protection layers are turned off.  Turn on all Real-Time Protection layers to block and prevent threats.  There are 2 buttons one says Protection settings, the other says turn on (this box is orange.  I haven't clicked on either box, just left them as is.

I assume that you have noted from my messages that it's a Windows 8 PC

I feel that the fix is not running properly, What do I do, I can't leave the PC running overnight.

J

[Pondus]

This fix is still running that's 1 hour and 40 minutes now.  What do I do?

It probably hangs at "empty temp"

abort, reboot and try again.
If same problem just abort and wait for a reply from @dbrisendine, he will be back online tomorrow

[dbrisendine]

Have you rebooted and run the fixlist again?  Can you attach the Fixlog.txt file(s)?

[REDACTED]

Apologies for the delay, I've been out and about.  Following advice I used task manager to end the task only to find that a fix log had been created very soon after the fix had started (log 17.16 attached). Also following instructions I ran the fix again, it hung again but this time I used task manager to end the task after about 30 minutes and found that a fix log had again been created very soon after the fix had started (log 21.06 also attached).

Because I've been out I haven't yet run the 'fixed PC', I will do that later today.

In case ransomware gets on my PC, I regularly remove all my files to external hard drives, given that  wondershare had apparently been on my  PC since January, will any of my files have been infected?

Given that I had to uninstall Duplicate Cleaner and Quick Time are these files bad or can they be reinstalled?

Any idea how Wondershare got on my PC, I don't, knowingly, have any of their products, never even heard of them until now.

J

[dbrisendine]

Although the tool hung on removing a registry key, it looks like it did remove Wondershare.  How is your system running now?


It appears that the malware / app was part of a "free phone tool" for Android phones.



AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

• Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  You will see the following console:
  
  
• Click the Scan button and wait for the scan to finish.
• After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
• Click the Clean button.
• Everything checked will be deleted.
• When the program has finished cleaning a report appears.
• Once done it may ask to reboot, allow this

• On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt
  
  Optional:
  
  NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.