How to remove 'saveshare'?

Hi there,

I downloaded VLC to read some divx files a few days ago, and it brought 'saveshare' malware with it in the download as well. (At least, I think that's where it came from.)

I've removed saveshare from my Firefox add-ons, but that hasn't stopped the ads or the annoying links sprinkled randomly through the text of any web page I'm looking at. The Firefox add-on wasn't actually called 'saveshare' - it was something similar, but I deleted it before I thought of looking for that file name in my system.

I had hoped Sophos would be able to find it for me, but it's scanned my whole system and only found 'issues' rather than threats. Is there any way I can direct it to find the problematic files?

Will uninstalling VLC do anything to help?

Thanks,

Elisa.

:1013915


This thread was automatically locked due to age.
  • Hello Elisa,

    Will uninstalling VLC do anything to help?

    Likely not. I'm not aware that VideoLAN packages anything with VLC - BTW: Where did you download it from? videolan.org is the top hit when you google VLC and you should download from the official site whenever possible (not only VLC).

    Reading up on saveshare and your post reminds me of something I've seen lately (mostly Firefox on Windows but this doesn't make a difference). Found it because Sophos' Web Protection (are you using version 9 or still version 8?) blocked it from accessing these "ads" sites. There was more than the visible Add-On (called itself wxDownload 4 - not the SourceForge project though). It had also injected code into Firefox's prefs.js.

    Let Spotlight search for prefs.js - it should be in your user's Library/Application Support/Firefox/Profiles/... Make sure Firefox is closed. Ctrl-click prefs.js to Reveal in Finder, make a copy of the file, Ctrl-click to open the original with Text Editor (or some other editor of your choice). If this whatever used the same trick I have seen, there should be a line with:

    user_pref("extensions.xxxxxxxxxxxx.scode" followed by a lengthy mumbo-jumbo which is in fact JavaScript code which does the rogue work (the xxxxxx is a random identifier; what's important is the scode. There might be others with the same id and a different suffix, e.g. epoch, or even another set with a different id).

    Remove these lines (the ones with .scode and the associated others), save it and then check whether Firefox is normal again. Whatever you found or didn't find, please follow up here.

    Christian 

    :1013923
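The prefs.js check described in the reply above, as an added example that is not part of the original thread: it flags every `extensions.<id>.*` pref whose id also owns a `.scode` pref, keeps a `.bak` copy, and rewrites the file without those lines. The function names, the sample lines and the assumption that the random id contains no dots are illustrative; run it only with Firefox closed.

```python
import re
import shutil
import sys
from pathlib import Path

# Key prefix of a pref line: user_pref("extensions.<id>.<suffix>", ...
# Assumption: the random id contains no dots.
PREF_RE = re.compile(r'^\s*user_pref\("extensions\.([^."]+)\.([^"]+)"')

def find_injected_ids(lines):
    """Return the ids that own a .scode pref (the marker named in the reply)."""
    ids = set()
    for line in lines:
        m = PREF_RE.match(line)
        if m and m.group(2) == "scode":
            ids.add(m.group(1))
    return ids

def split_prefs(lines):
    """Return (kept, removed); removed holds every pref under a flagged id."""
    bad = find_injected_ids(lines)
    kept, removed = [], []
    for line in lines:
        m = PREF_RE.match(line)
        (removed if m and m.group(1) in bad else kept).append(line)
    return kept, removed

def clean_prefs_file(path):
    """Copy prefs.js to prefs.js.bak, then rewrite it without flagged lines."""
    path = Path(path)
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    kept, removed = split_prefs(lines)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text("".join(kept), encoding="utf-8")
    return removed

# Constructed sample lines, not taken from a real prefs.js
SAMPLE = [
    'user_pref("browser.startup.homepage", "about:home");\n',
    'user_pref("extensions.a1b2c3d4e5f6.scode", "(function(){/*placeholder*/})();");\n',
    'user_pref("extensions.a1b2c3d4e5f6.epoch", "1400000000");\n',
    'user_pref("extensions.ui.lastCategory", "addons://list/extension");\n',
]

if __name__ == "__main__" and len(sys.argv) == 2:  # arg: path to prefs.js
    for line in clean_prefs_file(sys.argv[1]):
        print("removed:", line[:80].rstrip())
```

Legitimate prefs such as `extensions.ui.lastCategory` are left alone because no `.scode` pref shares their id.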