How to remove 'saveshare'?

Hi there,

I downloaded VLC to read some divx files a few days ago, and it brought 'saveshare' malware with it in the download as well. (At least, I think that's where it came from.)

I've removed saveshare from my Firefox add-ons, but that hasn't stopped the ads or the annoying links sprinkled randomly through the text of any web page I'm looking at. The Firefox add-on wasn't actually called 'saveshare' - it was something similar, but I deleted it before I thought of looking for that file name in my system.

I had hoped Sophos would be able to find it for me, but it's scanned my whole system and only found 'issues' rather than threats. Is there any way I can direct it to find the problematic files?

Will uninstalling VLC do anything to help?

Thanks,

Elisa.

:1013915


This thread was automatically locked due to age.
  • Hello Elisa,

    I haven't analyzed the script in .scode (that's beyond my meager knowledge). As far as I can tell the code tries to get instructions which ads to serve, "customizes" what it serves depending e.g. on your location and also syncs your "ad-preferences". If you have Web Protection enabled it's likely that Sophos blocks the necessary initial connections (you should see this in the log - often the reason is the generic Mal/HTMLGen-A) or the add-on you've removed is required for it to properly initialize.

    Whatever, it's still a good idea to sanitize your prefs.js.

    Make a copy just in case. Each preference item is on its own line, starting with user_pref(". While TextEdit wraps the lines, you can select all of a line's contents by triple-clicking on any part of it. I suggest you start with the .scode; after selecting the line, hit Backspace (you'll immediately see if it worked). Although they should do no harm, do the same for the lines with .epoch or any other containing the extension id (BTW I've found an instance which also has a .url suffix; these are used for syncing).

    Christian

    :1013953
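
The prefs.js cleanup described in the reply above, as an added example that is not part of the original thread: it backs up the file, drops every preference whose name contains the add-on's id, and lists lines worth checking by hand. The thread does not give the extension id, so `EXAMPLE_ID`, the sample preference names and the function names `triage` and `clean_prefs` are all constructed placeholders.

```python
import re
import shutil
from pathlib import Path

# One preference per line: user_pref("name", value);
PREF_NAME = re.compile(r'^\s*user_pref\("([^"]+)"')
# Suffixes named in the reply; .url is too common to flag without the id.
REVIEW_SUFFIXES = (".scode", ".epoch")
# Constructed sample: the id and preference names are placeholders.
EXAMPLE_ID = "placeholder-addon@example.invalid"
SAMPLE_PREFS = [
    'user_pref("browser.startup.homepage", "https://example.org/");\n',
    f'user_pref("extensions.{EXAMPLE_ID}.scode", "(function(){{}})();");\n',
    f'user_pref("extensions.{EXAMPLE_ID}.epoch", "1400000000");\n',
    f'user_pref("extensions.{EXAMPLE_ID}.url", "https://sync.example.invalid/");\n',
    f'user_pref("example.addon.list", "other@example.org,{EXAMPLE_ID}");\n',
]


def triage(lines, extension_id):
    """Sort prefs.js lines into keep / remove / review.

    remove: the preference name contains extension_id.
    review: the id appears only in the value, or the name ends in
            .scode/.epoch without the id. These lines are kept.
    """
    if not extension_id:
        raise ValueError("extension_id must not be empty")
    keep, remove, review = [], [], []
    for line in lines:
        m = PREF_NAME.match(line)
        name = m.group(1) if m else ""
        if extension_id in name:
            remove.append(line)
            continue
        if extension_id in line or name.endswith(REVIEW_SUFFIXES):
            review.append(line)
        keep.append(line)
    return keep, remove, review


def clean_prefs(prefs_path, extension_id):
    """Back up prefs.js, then rewrite it without the add-on's own lines.
    Run with Firefox closed: it rewrites prefs.js when it exits."""
    path = Path(prefs_path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    keep, remove, review = triage(lines, extension_id)
    path.write_text("".join(keep), encoding="utf-8")
    return remove, review
```

Lines returned in the review list stay in the file; a shared preference that only mentions the id in its value may hold other add-ons' settings too and should be edited rather than deleted.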