Login to Account Create an Account
malware caused by Bearshare
Posted 16 March 2011 - 06:26 AM
I mistakenly downloaded Bearshare. Subsequently I was getting a Bearshare Search page in Chrome and IE and error messages when I opened certain apps. I decided to remove Bearshare by the Add / Remove program option.
As you would probably expect, things haven't quite returned to normal. My system restore option was cleared BEFORE the date of Bearshare installation. System Restore now appears to be capturing system restore points as per normal now.
When I click on one of my favourite programs: Voipbuster I get the error: The procedure entry point isthreaddesktopcomposited could not be located in the dynamic link library USER32.dll.
I downloaded Dependency Walker and the following calls are made early on in the profile. It also says that these paths/programs do not exist:
Is someone please able to tell me where I go from here? Am I able to surgically remove those calls? I have tried reinstalling Voipbuster but that makes no difference. If someone could let me know (simply) why reinstallation of voipbuster does not make any difference that would be appreciated.
I have included the dependency walker process tree as an attachment. No I haven't, it said I wasn't allowed!!
Posted 16 March 2011 - 09:25 AM
Posted 16 March 2011 - 09:49 AM
Check the version of the USER32.DLL you can find in your \<windows>\System32\ directory, for XP typically it should be 5.1.2600.2180 or later.
Posted 17 March 2011 - 07:24 PM
Posted 18 March 2011 - 06:27 AM
Posted 18 March 2011 - 06:29 AM
And are you going to post WHICH exact version you are now using or is this info considered confdential?
That's the strange thing. I did download another version of user32.dll and it made no difference! How does one tell which module is making those Bearshare calls? Is it the one immediately above the calls?
You did actually re-register the "new" .dll, didn't you?
Posted 18 March 2011 - 07:33 AM
No I have not re-registered that module. I will have a look at that asap and let you know the outcome.
Posted 19 March 2011 - 09:00 PM
When I now run Voipbuster in dependency walker I can see that it is still trying to make those calls to bearshare modules (Remember that I have re-installed Voipbuster). Where are those calls being made from, system modules (that should have been replaced by SFC) or Voipbuster (that has been reinstalled)?
Voipbuster may now be running ok but those calls still annoy me.
Posted 20 March 2011 - 04:44 AM
These can be traced back by doing some searches in the Registry, but probably working as well and easier would be to do a couple iterations of Registry cleaning with RegSeeker:
In my experience if you simlply delete everything it finds "non kosher" never created a problem, but you may want to review the items it lists before actually backing them up and deleting them.
Posted 20 March 2011 - 06:16 PM
Before I read your email I downloaded Hijack This and did a search of the registry and found and deleted a few bearshare entries. This appears to have worked well. It has been a learning curve for me and I still don't understand how the registry works. Are there any tools to lock down the registry so that rogue apps can't change it?
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users