My son has downloaded BearShare (and has been soundly told off for it) on our family computer. I have done the usual remove program etc. route, but when I have tried to delete registry keys it seems to keep putting them back! A lot of people have said that malware will remove it but it hasn’t.
Bearshare is, AFAIK, a legitimate (in the broadest sense of the term) p2p file sharing application.
Unless the source of the installer file was “dodgy”, that is, corrupted, not from the home page, it should not be infected.
In other words, using “add/remove programs” to uninstall it, and then rebooting, should have removed it.
That's just the problem, Tarq57 - it doesn’t. I am stuck with the BearShare search engine constantly coming up. I have disabled the add-on and changed the homepage to Google. As soon as I reboot, the BearShare page is back.
Follow the directions for obtaining an MBAM (Malwarebytes) log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. Post the MBAM log here and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.
Please do not make any changes to your machine after posting your logs.
OK - scans done. Malware shows no results as usual - other scans attached, which show BearShare still in even though I keep asking for it to be taken out!
Looks like a (legitimate?) toolbar installation, as a consequence of which your home page etc. have been changed. It was probably in the EULA, or should have been. Kids are not good at reading these.
Toolbars are generally removed via browser addons. (Both IE and Firefox in your case.)
You may prefer to wait for essexboy to produce a fix for you. Knowing what he is able to spot and remedy, I would wait if I was you. I post here just to let you know that this should be straightforward. (As far as I can see, anyway.)
Hi there, let's remove these few bits and see if that helps. During this, TeaTimer may try to block the changes I am doing to the registry - do not allow it to do that.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\URLSearchHook: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - Reg Error: Key error. File not found
FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "BearShare Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.bearshare.com/"
FF - prefs.js..keyword.URL: "http://search.bearshare.com/web?src=ffb&systemid=2&q="
FF - HKLM\software\mozilla\Firefox\Extensions\\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files\RelevantKnowledge
O2 - BHO: (SWEETIE Class) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - File not found
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007..\RunOnce: [!BearShareFF] C:\Documents and Settings\Wright\Local Settings\Temp\Installhelper.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll) - File not found
O33 - MountPoints2\{2faf5121-2784-11da-8803-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[2011/02/16 18:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\32F5
[2011/02/13 21:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wright\Application Data\bearsharemediabartb
[2011/02/13 21:44:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2011/01/28 21:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FinalTorrent
[2011/01/28 21:50:47 | 000,000,000 | ---D | C] -- C:\Program Files\FinalTorrent
[2011/02/21 00:14:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\02-20-2011_001458.job
[2011/02/14 07:56:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wright\Ÿ?Ÿ?
[2011/02/19 17:28:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"=-
:Files
ipconfig /flushdns /c
C:\Program Files\RelevantKnowledge
C:\PROGRA~1\BEARSH~1
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Can something like this remove MyWebSearch? It constantly appears in my Spybot prog but I am not confident in how to remove it manually. It is not in my add/remove progs.
I am afraid you can’t blame him for those as they are blocked sites by Spybot… ;D
Having said that, TeaTimer is stopping me from removing two entries. Let me know if this clears the DLL error.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click “Advanced mode” if not already selected.
- Choose “Yes” at the Warning prompt.
- Expand the “Tools” menu.
- Click “Resident”.
- Uncheck the “Resident “TeaTimer” (Protection of overall system settings) active.” box.
- In the File menu click “Exit” to exit Spybot Search & Destroy.
THEN
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2010/09/14 12:48:25 | 000,002,506 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O4 - HKCU..\RunOnce: [!BearShareFF] File not found
[2011/02/14 07:56:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wright\Ÿ?Ÿ?
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
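
Added example, not part of any post in this thread and not OTL's own code: a small Python parser for the log-entry format used in the fix scripts above. It normalises CLSID case so the same toolbar GUID can be correlated across registry locations, and separates entries OTL marked as missing from those still present; the function names and the sample are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample: entries copied from the fix script quoted in the thread.
SAMPLE = r"""
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
IE - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\URLSearchHook: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007\..\Toolbar\WebBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No CLSID value found.
O4 - HKU\S-1-5-21-4109323650-2703382089-1689310948-1007..\RunOnce: [!BearShareFF] C:\Documents and Settings\Wright\Local Settings\Temp\Installhelper.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - File not found
"""

ENTRY = re.compile(r"^(IE|FF|O\d+) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

def parse(log):
    """Split log text into entries: section tag, normalised CLSID, orphan flag."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # directives such as :OTL, file listings, blank lines
        section, rest = m.groups()
        guid = CLSID.search(rest)
        entries.append({
            "section": section,
            # GUIDs are case-insensitive; the log mixes 46fa and 46FA
            "clsid": guid.group(0).upper() if guid else None,
            "orphaned": any(mark in rest for mark in ORPHAN_MARKERS),
            "text": rest,
        })
    return entries

def clsid_locations(entries):
    """Map each CLSID to every log section it is registered under."""
    seen = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            seen[e["clsid"]].append(e["section"])
    return dict(seen)

def live_entries(entries):
    """Entries OTL did not mark as missing (target or value still present)."""
    return [e for e in entries if not e["orphaned"]]

if __name__ == "__main__":
    print(clsid_locations(parse(SAMPLE)))
    print([e["section"] for e in live_entries(parse(SAMPLE))])
```

On the sample, the one toolbar CLSID shows up under three registry locations, and only the Start Page value and the RunOnce entry are not marked as missing.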