Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account



Photo

malware caused by Bearshare

- - - - -

  • Please log in to reply
9 replies to this topic

#1
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
Hi, I wonder if you are able to help please?
I mistakenly downloaded Bearshare. Subsequently I was getting a Bearshare Search page in Chrome and IE and error messages when I opened certain apps. I decided to remove Bearshare by the Add / Remove program option.

As you would probably expect, things haven't quite returned to normal. My system restore option was cleared BEFORE the date of Bearshare installation. System Restore now appears to be capturing system restore points as per normal now.

When I click on one of my favourite programs: Voipbuster I get the error: The procedure entry point isthreaddesktopcomposited could not be located in the dynamic link library USER32.dll.

I downloaded Dependency Walker and the following calls are made early on in the profile. It also says that these paths/programs do not exist:
c:\progra~1\bearsh~1\mediabar\datamngr\DATAMNGR.DLL
c:\progra~1\bearsh~1\mediabar\datamngr\IEBHO.DLL

Is someone please able to tell me where I go from here? Am I able to surgically remove those calls? I have tried reinstalling Voipbuster but that makes no difference. If someone could let me know (simply) why reinstallation of voipbuster does not make any difference that would be appreciated.

I have included the dependency walker process tree as an attachment. No I haven't, it said I wasn't allowed!!
Regards,
David.


How to remove advertisement from MSFN

#2
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,958 posts
  • Joined 28-April 06
  • OS:Server 2012
  • Country: Country Flag

Donator

Certain file types are not allowed to be uploaded to the forum. You can either put it in a ZIP file or you can upload it to another place like SkyDrive on Windows Live.
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms
tpxmsfn1_zps393339c1.jpg

#3
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,656 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
More generally it is possible that the program replaced your USER32.DLL with an older version.
Check the version of the USER32.DLL you can find in your \<windows>\System32\ directory, for XP typically it should be 5.1.2600.2180 or later.

jaclaz

#4
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
That's the strange thing. I did download another version of user32.dll and it made no difference! How does one tell which module is making those Bearshare calls? Is it the one immediately above the calls?

#5
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
Here is the zip file containing an image of the module tree from dependency walker. The .dwi file was too big but I can try some other way of sending it if someone thinks they could use it.

Attached Files



#6
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,656 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

That's the strange thing. I did download another version of user32.dll and it made no difference! How does one tell which module is making those Bearshare calls? Is it the one immediately above the calls?

And are you going to post WHICH exact version you are now using or is this info considered confdential? :rolleyes:

You did actually re-register the "new" .dll, didn't you? :unsure:

http://www.ehow.com/...user32_dll.html

jaclaz

#7
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
The version of user32.dll that I am now using is: 5.1.2600.2180
No I have not re-registered that module. I will have a look at that asap and let you know the outcome.

#8
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
There has been a development. I rerun SFC with the original XP system disk and I don't get the User32.dll error any more when I start Voipbuster (The procedure entry point isthreaddesktopcomposited could not be located ...). The strange thing is is that I did run this before but it did not previously solve the problem.

When I now run Voipbuster in dependency walker I can see that it is still trying to make those calls to bearshare modules (Remember that I have re-installed Voipbuster). Where are those calls being made from, system modules (that should have been replaced by SFC) or Voipbuster (that has been reinstalled)?

Voipbuster may now be running ok but those calls still annoy me.

#9
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,656 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
Most probably there are some leftovers in the Registry.

These can be traced back by doing some searches in the Registry, but probably working as well and easier would be to do a couple iterations of Registry cleaning with RegSeeker:
http://www.hoverdesk.net/freeware.htm

In my experience if you simlply delete everything it finds "non kosher" never created a problem, but you may want to review the items it lists before actually backing them up and deleting them.

jaclaz

#10
davidkayla

davidkayla
  • Member
  • 6 posts
  • Joined 16-March 11
  • OS:XP Home
  • Country: Country Flag
Thanks for that Jaclaz,
Before I read your email I downloaded Hijack This and did a search of the registry and found and deleted a few bearshare entries. This appears to have worked well. It has been a learning curve for me and I still don't understand how the registry works. Are there any tools to lock down the registry so that rogue apps can't change it?
Thanks. David.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users