How do I completely remove Wondershare Allmytube from Windows [using Farbar Recovery Scan Tool]?

windows-7 security windows-registry malware malware-removal

72,812

Solution 1

Wondershare and now iSkysoft (I tried iSkysoft Video Editor) seem to exhibit some behaviors similar to malware in that a hidden piece of software is installed and set to run constantly in the background even after un-install. This is very "rude". In my efforts to clean up what it has done I have resorted to the following.

Create a .REG file containing the following text. These represent registry keys and values to be deleted because I determined that they were associated strictly with Wondeshare. To identify them I searched the registry for "wondershare" and noted the parent keys containing the results at the level specific to wondershare files. Then I searched for indirect references to them by searching the registry again for the TypeLib GUIDs that the previous search turned up (for example, I searched for {249694CE-7F79-4224-A555-11B445F947AB} and noted the parent keys from those results as well). The final result is somewhat redundant because some of these keys are actually the same key under different names, but deleting the same key multiple times will neither hurt nor report an error.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\TypeLib\{249694CE-7F79-4224-A555-11B445F947AB}]

[-HKEY_CLASSES_ROOT\Interface\{69468394-C7A1-4AF7-8788-5DCB7BE8BACC}]

[-HKEY_CLASSES_ROOT\WOW6432Node\Interface\{69468394-C7A1-4AF7-8788-5DCB7BE8BACC}]

[-HKEY_CLASSES_ROOT\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{69468394-C7A1-4AF7-8788-5DCB7BE8BACC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69468394-C7A1-4AF7-8788-5DCB7BE8BACC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{69468394-C7A1-4AF7-8788-5DCB7BE8BACC}]

[-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{967B86E6-92E8-4A35-86C0-FEB187726802}]

[-HKEY_CLASSES_ROOT\WOW6432Node\TypeLib\{249694CE-7F79-4224-A555-11B445F947AB}]

[-HKEY_CLASSES_ROOT\WOW6432Node\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}]

[-HKEY_CLASSES_ROOT\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}]

[-HKEY_CLASSES_ROOT\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}]

[-HKEY_CLASSES_ROOT\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}]

[-HKEY_CLASSES_ROOT\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}]

[-HKEY_CLASSES_ROOT\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}]

[-HKEY_CLASSES_ROOT\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}]

[-HKEY_CLASSES_ROOT\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}]

[-HKEY_CLASSES_ROOT\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}]

[-HKEY_CLASSES_ROOT\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}]

[-HKEY_CLASSES_ROOT\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}]

[-HKEY_CLASSES_ROOT\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}]

[-HKEY_CLASSES_ROOT\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}]

[-HKEY_CLASSES_ROOT\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}]

[-HKEY_CLASSES_ROOT\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}]

[-HKEY_CLASSES_ROOT\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}]

[-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}]

[-HKEY_CLASSES_ROOT\WOW6432Node\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}]

[-HKEY_CURRENT_USER\SOFTWARE\BugSplat]

[-HKEY_CURRENT_USER\SOFTWARE\Wondershare]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{249694CE-7F79-4224-A555-11B445F947AB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{967B86E6-92E8-4A35-86C0-FEB187726802}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{249694CE-7F79-4224-A555-11B445F947AB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32]
"Wondershare Helper Compact.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{967B86E6-92E8-4A35-86C0-FEB187726802}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{249694CE-7F79-4224-A555-11B445F947AB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"Wondershare Helper Compact.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare]

Save and run the REG file. Ignore the fact that the message says it "added" information to the registry. It actually just deleted all those keys and values, and added nothing.
Then check task manager for a process called Wondershare Studio. I think this was running before I ran the REG file, but seemed to go away afterwards. If it's still there, I'd have ended it forcefully.
Finally it should be safe to delete the following directory, noting that this is the name of the directory on a 64-bit OS, and if you have a 32-bit OS, the (x86) piece will not be part of the path:

C:\Program Files (x86)\Common Files\Wondershare

That's as much as I could find to clean up.

Note: I do not recommend using the above REG file on a 32-bit OS because 32-bit windows structures the registry differently without all the WOW6432Node bits.

Solution 2

I found a useful tip on another website about this Wondershare issue.

Go into registry editor.
Collapse all the files.
Go under "edit" and hit "find" - type in Wondershare and it will call up instances of the file (one by one).
You have to delete them manually.
Hit F3 to find the next instance of the file until you go through the entire registry.

I bet I had 30 different registry keys with the Wondershare on it. Computer working great now.

72,812

user1952534

Updated on September 18, 2022

Comments

user1952534 over 1 year

Windows 7 Enterprise x64

So I made a mistake and ran a dubious executable program downloaded from the internet. I was making a dvd and I didn't know how to download videos from funnyordie.com, so I went out on a limb and tried Wondershare Allmytube. It did what I wanted but it seemed really sketchy and it made my laptop start working so hard that my fan kicked on without any user input, so I turned off the wifi and uninstalled it right away and now I'm paranoid that I'm a part of some botnet or someone's got my saved chrome passwords.

Even after I uninstalled it, there were still files in C:/Program Files (x86)/Common Files/Wondershare, C:/Program Files/Common Files/Wondershare, C:/ProgramData/Wondershare, and there was a .exe on my desktop. I found someone with the same problem on this forum: http://www.smartestcomputing.us.com/topic/71056-wondershare-helper-compact/

The only problem is their solution was specific to that user's machine, and I can't download the fixlist.txt supplied by the admin in this thread to see what he did. However, I did run the Farbar Recovery Scan Tool as this person did, and I found some references to Wondershare in the FRST.txt file.

Under the heading Registry (Whitelisted), I found these lines:

HKLM-x32...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

HKLM-x32...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\AllMyTube\DelayPluginI.exe

Under the heading Internet (Whitelisted), I found this line:

BHO-x32: Wondershare AllMyTube 4.2.0 -> {067DF9EC-26B7-40DC-8DB8-CD8BE85AE367} -> C:\ProgramData\Wondershare\AllMyTube\WSBrowserAppMgr.dll No File

Under the heading Firefox, I found this line:

FF HKLM-x32...\Firefox\Extensions: [[email protected]] - C:\ProgramData\Wondershare\AllMyTube\[email protected]

How do I take all references to Wondershare off of whitelists? It seems like that's a security threat and I'm trying to patch it. (I have also run malwarebytes, and it detected and removed several threats.) Am I looking at this problem the right way?
- DavidPostill about 9 years
  
  possible duplicate of How can I remove malicious spyware, malware, viruses or rootkits from my PC?
coredumperror almost 8 years

This worked a treat! Thank you for the detailed description and .reg file.