Bearshare

Hi all

my son has downloaded bearshare (and has been soundly told off for it) on our family computer. I have done the usual remove program etc route but when I have tried to delete registry keys it seems to keep putting them back! A lot of people have said that malware will remove it but it hasn't.

I am running xp and firefox.

any ideas?

Thanks

A lot of people have said that malware will remove it but it hasn't.
do you mean Malwarebytes antimalware? if so, did you update it before you ran it?

Is bearshare malware?

Bearshare is, AFAIK, a legitimate (in the broadest sense of the term) p2p file sharing application.
Unless the source of the installer file was “dodgy”, that is, corrupted, not from the home page, it should not be infected.
In other words, using “add/remove programs” to uninstall it, and then rebooting, should have removed it.

that's just the problem Tarq57 - it doesn't. I am stuck with the bearshare search engine constantly coming up. I have disabled the add-on and changed the homepage to google. as soon as I reboot - the bearshare page is back.

this program is driving me insane now

Please follow these directions to check for malware and post your logs in this thread:

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions of obtaining an MBAM (Malwarebytes) log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. Post the MBAM log here and the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any changes to your machine after posting your logs.

Let us know if you have any questions. Thank you.

Monitoring

thanks - will get this done over the weekend

ok - scans done = Malware shows no results as usual - other scans attached which show bearshare still in even though I keep asking for it to be taken out!

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5874

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/02/2011 08:21:01
mbam-log-2011-02-25 (08-21-01).txt

Scan type: Quick scan
Objects scanned: 149485
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks like a (legitimate?) toolbar installation, as a consequence of which your home page etc. have been changed. It was probably in the EULA, or should have been. Kids are not good at reading these.

Toolbars are generally removed via browser addons. (Both IE and Firefox in your case.)

You may prefer to wait for essexboy to produce a fix for you. Knowing what he is able to spot and remedy, I would wait if I was you. I post here just to let you know that this should be straightforward. (As far as I can see, anyway.)

Hi there, let's remove these few bits and see if that helps. During this Teatimer may try to block the changes I am doing to the registry - do not allow it to do that

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\URLSearchHook: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - Reg Error: Key error. File not found
FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "BearShare Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.bearshare.com/"
FF - prefs.js..keyword.URL: "http://search.bearshare.com/web?src=ffb&systemid=2&q="
FF - HKLM\software\mozilla\Firefox\Extensions\\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files\RelevantKnowledge
O2 - BHO: (SWEETIE Class) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - File not found
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007..\RunOnce: [!BearShareFF] C:\Documents and Settings\Wright\Local Settings\Temp\Installhelper.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll) - File not found
O33 - MountPoints2\{2faf5121-2784-11da-8803-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[2011/02/16 18:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\32F5
[2011/02/13 21:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wright\Application Data\bearsharemediabartb
[2011/02/13 21:44:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2011/01/28 21:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FinalTorrent
[2011/01/28 21:50:47 | 000,000,000 | ---D | C] -- C:\Program Files\FinalTorrent
[2011/02/21 00:14:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\02-20-2011_001458.job
[2011/02/14 07:56:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wright\Ÿ?Ÿ?
[2011/02/19 17:28:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=-
 
:Files
ipconfig /flushdns /c
C:\Program Files\RelevantKnowledge
C:\PROGRA~1\BEARSH~1

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
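A defender-side check, added here as an example and not code from this thread or from OTL itself: it reads OTL-style log lines like the ones in the fix above and flags the kinds of entry being removed (orphaned BHO/toolbar entries, AppInit_DLLs, a RunOnce loader running from Temp, and home/search settings pointing at a host the user never chose). The sample log, the benign helper entry and its CLSID, the "..." in the SID, and the allowlist of expected hosts are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in OTL's log format, modelled on the entries in the fix
# above. The benign helper line, its CLSID and the "..." in the SID are
# placeholders for this example, not values from the thread.
SAMPLE_OTL_LOG = r"""
IE - HKU\S-1-5-21-...-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
FF - prefs.js..browser.startup.homepage: "http://search.bearshare.com/"
FF - prefs.js..keyword.URL: "http://search.bearshare.com/web?src=ffb&systemid=2&q="
O2 - BHO: (Example benign helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Corp)
O2 - BHO: (SWEETIE Class) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - File not found
O3 - HKLM\..\Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No CLSID value found.
O4 - HKU\S-1-5-21-...-1007..\RunOnce: [!BearShareFF] C:\Documents and Settings\Wright\Local Settings\Temp\Installhelper.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - File not found
"""

# Assumed allowlist: hosts the household deliberately set as home/search page.
EXPECTED_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r'https?://[^\s"]+')

def classify(line):
    """Return a reason string if an OTL log line deserves attention, else None."""
    line = line.strip()
    if not line:
        return None
    # AppInit_DLLs load into every process that links user32.dll: review any value.
    if line.startswith("O20 - AppInit_DLLs"):
        return "AppInit_DLLs loader"
    # Orphans: the registry still points at a DLL or CLSID that is gone; these
    # are what keep a 'ghost' toolbar listed after the uninstaller has run.
    if line.endswith("File not found") or line.endswith("No CLSID value found."):
        return "orphaned registry entry"
    # Run/RunOnce executing from a temp directory: an installer helper that
    # re-applies settings at logon (the "keeps putting them back" symptom).
    if re.search(r"\\Run(Once)?:", line) and "\\Temp\\" in line:
        return "autorun from temp directory"
    # IE/Firefox home and search settings pointing at an unexpected host.
    if line.startswith(("IE -", "FF -")):
        m = URL_RE.search(line)
        if m:
            host = urlparse(m.group(0)).hostname or ""
            if host not in EXPECTED_HOSTS:
                return "home/search page points to " + host
    return None

def audit(log_text):
    """Return [(reason, line)] for every flagged line in an OTL log."""
    hits = [(classify(l), l.strip()) for l in log_text.splitlines()]
    return [h for h in hits if h[0]]
```

Run `audit(SAMPLE_OTL_LOG)` to see the seven flagged entries; the benign helper line is left alone.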

hiya

otl.txt attached, do you need the other ones as well?

thank you for all your help everyone :-*

Darn, I missed two entries. How is it running now?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010/09/14 12:48:25 | 000,002,506 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
O4 - HKCU..\RunOnce: [!BearShareFF] File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

next log attached.

can something like this remove mywebsearch? it constantly appears in my spybot prog but I am not confident in how to remove it manually. it is not in my add/remove progs

running much better thank you! I just get a box on start up saying it can’t find a temp dll file

Essexboy still needs to do work on your machine. Do not make any further changes without him.

Question: Did you uninstall McAfee using their uninstaller tool or another way (Revo)?

BTW: Your email is showing. You may want to hide it so spammers don’t see it and harvest it.

the last time McAfee was on here was in 08 when my ex installed it - as far as I know it was removed using the tool.

I have a sneaky suspicion my son has been exploring the female form at some point looking at some of the www's in the otl listings!!!

I am afraid you can’t blame him for those as they are blocked sites by spybot… ;D

Having said that teatimer is stopping me from removing two entries. Let me know if this clears the DLL error

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- In the File menu click "Exit" to exit Spybot Search & Destroy.

THEN

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010/09/14 12:48:25 | 000,002,506 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O4 - HKCU..\RunOnce: [!BearShareFF] File not found
[2011/02/14 07:56:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wright\Ÿ?Ÿ?

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

aaand see attached!!! ;D

Methinks it now be history ;D

How is the computer running - any problems ?

it is running much quicker, thanks. starts up really quickly.

now if i can just get rid of mywebsearch I will be absolutely ecstatic!! ;D