BearShare

I just encountered a major problem with the subject application. I installed avast free on my parents’ computer some months ago. My dad downloaded and installed the subject app. BearShare disabled Avast and started trying to capture login keystrokes. I tried everything to fix this including uninstalling and reinstalling Avast free. I finally was able to fix it by using Windows system restore to restore to a previous checkpoint.

My point is this: Avast should have detected BearShare when it was downloaded, and it should have also been able to detect it when its installer was launched.

Hi GeorgeCopeland,

One should know by now that P2P is frowned upon and it is considered a route into your computer for malcode.
With installing such a program one takes serious risks to eventually harm the computer but the download was made intentionally. And one is responsible for one’s own clicks…
The program itself is not malicious per se, but one can better be without.
Manual removal instructions:
Follow these steps to remove BearShare from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

  1. Kill these running processes with Task Manager:
    bsinstallit.exe
    bearshare.exe

  2. Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bearshare,
    delete it and reboot the machine immediately.

  3. Unregister these DLLs with Regsvr32, then reboot:
    bearshare.dll
    bsidle.dll

  4. Remove these registry items (if present) with RegEdit:
    HKEY_CLASSES_ROOT\clsid{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_CLASSES_ROOT\clsid{9f95f736-0f62-4214-a4b4-caa6738d4c07}
    HKEY_CLASSES_ROOT\gnufile
    HKEY_CLASSES_ROOT\typelib{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
    HKEY_LOCAL_MACHINE\software\bearshare
    HKEY_LOCAL_MACHINE\software\classes\clsid{558ec983-bedb-9168-b2de-31dbf0ee543e}
    HKEY_LOCAL_MACHINE\software\classes\ed2k
    HKEY_LOCAL_MACHINE\software\classes\gnu
    HKEY_LOCAL_MACHINE\software\classes\gnufile
    HKEY_LOCAL_MACHINE\software\classes\gnutella
    HKEY_LOCAL_MACHINE\software\classes\typelib{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_LOCAL_MACHINE\software\licenses{056b3cf0d9ab991e1}
    HKEY_LOCAL_MACHINE\software\licenses{i56b3cf0d9ab991e1}
    HKEY_LOCAL_MACHINE\software\magnet\handlers\bearshare
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
    {5f95e1af-2620-4f15-bdf9-7fdce4607e17}
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
    {5f95e1af-2620-4f15-bdf9-7fdce4607e17}\componentid
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
    {5f95e1af-2620-4f15-bdf9-7fdce4607e17}\isinstalled
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
    {5f95e1af-2620-4f15-bdf9-7fdce4607e17}\locale
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
    {5f95e1af-2620-4f15-bdf9-7fdce4607e17}\version
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bearshare
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
    HKEY_USERS.default\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS.default\appevents\schemes\apps\bearshare
    HKEY_USERS\s-1-5-18\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare
    HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\appevents\schemes\apps\bearshare

  5. Remove the directory (if presents) and its containing files with Windows Explorer:
    programfilesdir+\bearshare

polonus