Stuck w/ Bearshare on my PC Having

Discussion in 'Malware Help (A Specialist Will Reply)' started by Subzero_83, Oct 9, 2010.

  1. Subzero_83

    Subzero_83 Private E-2

    Fellow Geeks,

    So my girlfriend was playing around and decided to download the peer-to-peer file sharing program Bearshare. It has removed my very nicely set up Firefox bookmarks listings, and taken over the "home page" start-up on said internet browser. I have since deleted it (Control Panel~Programs~Bearshare)... I have also looked to see if it is running in the background (Ctrl+Alt+Delete ~ Processes)... Don't think it is... Hmm. I went into my C: drive (x86) and uninstalled the Bearshare browser toolbar, and said Bearshare master folder... But the problem persists.

    I have Ad-Aware, and every time I run a scan it (Bearshare) pops up, and I go to delete it; Ad-Aware says it is deleted, but then it isn't? I would think it is in the registry somewhere, correct?

    This is what I am looking to do: restore previous Firefox settings, w/o Bearshare, and with Bearshare removed from the PC entirely. I have consulted informational too, took a peek @ my registry files to see if I could troubleshoot myself, but didn't seem to have success following this setup (and therefore made no registry changes)...

    That Procedure:

    "BearShare Manual Removal:

    Follow these steps to remove BearShare from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

    1. Kill these running processes with Task Manager:
    bsinstallit.exe
    bearshare.exe

    2. Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bearshare, delete it and reboot the machine immediately.

    3. Unregister these DLLs with Regsvr32, then reboot:
    bearshare.dll
    bsidle.dll

    4. Remove these registry items (if present) with RegEdit:
    HKEY_CLASSES_ROOT\clsid\{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
    HKEY_CLASSES_ROOT\gnufile
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
    HKEY_LOCAL_MACHINE\software\bearshare
    HKEY_LOCAL_MACHINE\software\classes\clsid\{558ec983-bedb-9168-b2de-31dbf0ee543e}
    HKEY_LOCAL_MACHINE\software\classes\ed2k
    HKEY_LOCAL_MACHINE\software\classes\gnu
    HKEY_LOCAL_MACHINE\software\classes\gnufile
    HKEY_LOCAL_MACHINE\software\classes\gnutella
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_LOCAL_MACHINE\software\licenses\{056b3cf0d9ab991e1}
    HKEY_LOCAL_MACHINE\software\licenses\{i56b3cf0d9ab991e1}
    HKEY_LOCAL_MACHINE\software\magnet\handlers\bearshare
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}\componentid
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}\isinstalled
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}\locale
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}\version
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bearshare
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
    HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS\.default\appevents\schemes\apps\bearshare
    HKEY_USERS\s-1-5-18\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare
    HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\appevents\eventlabels\bearsharechatnotifymsg
    HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\appevents\schemes\apps\bearshare

    5. Remove the directory (if present) and its containing files with Windows Explorer:
    programfilesdir+\bearshare"


    So unsuccessful there.... Here is a readout using HIJACKTHIS:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:32:35 PM, on 10/9/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18943)
    Boot mode: Normal


    Edit by chaslang: Inline HJT log removed. READ & RUN ME FIRST. Malware Removal Guide sticky not followed.




    Thoughts on figuring this stupid Bearshare program elimination out?

    ~ Subzero_83
     
    Last edited by a moderator: Oct 9, 2010
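The five-step manual procedure quoted in the post above, scripted as an added example; this is not code from the thread or from the guide the poster quoted. It runs in audit mode by default and only deletes when given -Remove (which also honours -WhatIf and -Confirm). Assumptions not stated in the original: it is run from an elevated PowerShell 2.0 or later prompt (Vista did not ship PowerShell; it was an optional update); the BearShare installer was 32-bit, so on the poster's 64-bit Vista the same HKLM\SOFTWARE keys are also checked under the WOW6432Node mirror and the program folder under Program Files (x86); the choice of the 32-bit regsvr32 for a DLL under Program Files (x86) is a path heuristic; the Firefox section only reports the start-page preference and the automatic bookmark backups Firefox keeps, it changes nothing there. Note that in the quoted procedure "currentversion\run\bearshare" is a value under the Run key, not a subkey, so the script matches Run values by name and by command line.

```powershell
# Added example (not from the thread): audit or remove the BearShare artifacts
# listed in the quoted manual procedure. Default is report-only; -Remove deletes
# and honours -WhatIf / -Confirm. Run from an elevated prompt.
# Assumptions: PowerShell 2.0+; 64-bit Windows with a 32-bit installer, so the
# WOW6432Node mirror and Program Files (x86) are checked as well.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

function Report($kind, $target) { Write-Host ("{0,-8} {1}" -f $kind, $target) }

if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {   # HKCR is not a default drive
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 1. Processes named in the procedure.
foreach ($p in Get-Process -Name 'bsinstallit', 'bearshare' -ErrorAction SilentlyContinue) {
    Report 'PROCESS' "$($p.Name) (PID $($p.Id)) $($p.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop process')) { Stop-Process -Id $p.Id -Force }
}

# 2. Run-key values ("run\bearshare" in the procedure is a value, not a subkey),
#    matched on the value name or on the command it launches.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys | Where-Object { Test-Path -LiteralPath $_ }) {
    $item = Get-Item -LiteralPath $rk
    foreach ($name in $item.GetValueNames() | Where-Object { $_ -ne '' }) {
        $cmd = $item.GetValue($name)
        if ($name -match 'bearshare' -or "$cmd" -match 'bearshare') {
            Report 'RUN' "$rk\$name = $cmd"
            if ($Remove -and $PSCmdlet.ShouldProcess("$rk\$name", 'Remove Run value')) {
                Remove-ItemProperty -LiteralPath $rk -Name $name
            }
        }
    }
}

# 3. Unregister the named DLLs from the program folder(s). A 32-bit DLL under
#    Program Files (x86) needs the 32-bit regsvr32 in SysWOW64 (path heuristic).
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
        Select-Object -Unique | ForEach-Object { Join-Path $_ 'BearShare' }
foreach ($d in $dirs) {
    foreach ($dll in 'bearshare.dll', 'bsidle.dll') {
        $path = Join-Path $d $dll
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Report 'DLL' $path
        $regsvr = if ($d -like '*(x86)*') { "$env:SystemRoot\SysWOW64\regsvr32.exe" } else { "$env:SystemRoot\System32\regsvr32.exe" }
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'regsvr32 /u')) { & $regsvr /u /s $path }
    }
}

# 4. Registry keys copied from the procedure, plus their WOW6432Node mirrors and
#    the AppEvents keys under every loaded user hive (.DEFAULT, S-1-5-18 and the
#    account SID are all covered without hard-coding them).
$keys = @(
    'HKCR:\CLSID\{905d0df2-3a0a-4d94-853c-54a12a745905}'
    'HKCR:\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}'
    'HKCR:\gnufile'
    'HKCR:\TypeLib\{905d0df2-3a0a-4d94-853c-54a12a745905}'
    'HKLM:\SOFTWARE\BearShare'
    'HKLM:\SOFTWARE\Classes\CLSID\{558ec983-bedb-9168-b2de-31dbf0ee543e}'
    'HKLM:\SOFTWARE\Classes\ed2k'
    'HKLM:\SOFTWARE\Classes\gnu'
    'HKLM:\SOFTWARE\Classes\gnufile'
    'HKLM:\SOFTWARE\Classes\gnutella'
    'HKLM:\SOFTWARE\Classes\TypeLib\{905d0df2-3a0a-4d94-853c-54a12a745905}'
    'HKLM:\SOFTWARE\Licenses\{056b3cf0d9ab991e1}'
    'HKLM:\SOFTWARE\Licenses\{i56b3cf0d9ab991e1}'
    'HKLM:\SOFTWARE\Magnet\Handlers\BearShare'
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{5f95e1af-2620-4f15-bdf9-7fdce4607e17}'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare'
)
$keys += $keys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
         ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $keys += "Registry::$($hive.Name)\AppEvents\EventLabels\BearShareChatNotifyMsg"
    $keys += "Registry::$($hive.Name)\AppEvents\Schemes\Apps\BearShare"
}
foreach ($k in $keys | Where-Object { Test-Path -LiteralPath $_ }) {
    Report 'KEY' $k
    if ($Remove -and $PSCmdlet.ShouldProcess($k, 'Remove registry key')) { Remove-Item -LiteralPath $k -Recurse -Force }
}

# 5. Program folder(s).
foreach ($d in $dirs | Where-Object { Test-Path -LiteralPath $_ }) {
    Report 'DIR' $d
    if ($Remove -and $PSCmdlet.ShouldProcess($d, 'Remove folder')) { Remove-Item -LiteralPath $d -Recurse -Force }
}

# Firefox (report only): where the start page is set (prefs.js, or a planted
# user.js) and which automatic bookmark backups exist to restore from.
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($f in 'prefs.js', 'user.js') {
        $pf = Join-Path $_.FullName $f
        if (Test-Path -LiteralPath $pf) {
            Select-String -Path $pf -Pattern 'browser\.startup\.homepage' | ForEach-Object { Report 'FIREFOX' "$f : $($_.Line)" }
        }
    }
    Get-ChildItem (Join-Path $_.FullName 'bookmarkbackups') -ErrorAction SilentlyContinue | ForEach-Object { Report 'BACKUP' $_.FullName }
}
```

Run it once without switches to see what is actually present, then `.\Remove-BearShare.ps1 -Remove -WhatIf` to preview, and `-Remove` to act; reboot afterwards as the procedure says. Anything the script cannot see (a file with a different name, an extension registered in Firefox itself) still needs the MGtools/HijackThis logs the helper asked for.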
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. Subzero_83

    Subzero_83 Private E-2

    So I have followed the instructions in attempting to find the BearShare malware that is on my computer. As stated in the first posting, I have gone to Control Panel~Programs~Add/Remove and have uninstalled BearShare from there... However, BearShare persists (it is still the web search browser) and I can't seem to locate all of "its" hatchings.

    I have run the necessary TOOL software programs and will attach. In attempting to find the MGTOOLS folder in the boot drive I was unsuccessful, even using Windows Explorer; I found the Boot folder on my C:\ drive, but the respective MGTool folder I was looking for, to attempt to make it run, wasn't there.. I did however find the corresponding System Information log that MGTool might have run when I installed the program?

    When using Malwarebytes Anti-Malware, that program only searched and found my ADWARE PRO program and related files (18), shown in the log file attached. I therefore did not delete, because I want those files to exist, right? I paid for Adware Pro and it IS a functional program on my PC...

    Other information that might be pertinent... I run Windows Vista 64 bit version.

    Thoughts, postulations, directions... HOW in the heck do I FULLY get rid of BearShare on system???

    [It should be noted that per my first post I did not follow those directions, I attempted to follow, but did not have success in finding those file types / didn't want to mess around with Registry, and therefore proceeded to MajorGeeks]

    Subzero...
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need the log from MGtools to get to the bottom of your problem. Just download MGtools.exe to your Desktop and run it from there. But you must make sure that you have disabled UAC and rebooted before running it. Then attach the C:\MGlogs.zip file which is the log file that MGtools will create.

    Do you mean the Adware program from Lavasoft? If not by Lavasoft and you meant Noadware4, then that is why Malwarebytes picked it up. It was for quite some time considered a rogue tool and many people still don't trust it. And it is not recommended either. Also other tools consider Adware Professional to be a rogue. See the below:

    http://www.emsisoft.com/en/malware/Adware.Win32.Adware_Professional_v5.0-remove.aspx

    http://www.fbmsoftware.com/spyware-net/process/Ad-aware_Professional_exe/2228/
     
    Last edited: Oct 23, 2010
