Adware.Saveshare


Posted: August 8, 2013

Threat Metric

Ranking: 13,337
Threat Level: 2/10
Infected PCs: 6,794
First Seen: August 8, 2013
Last Seen: October 13, 2023
OS(es) Affected: Windows

SaveShare is adware that is usually bundled with compromised installers for legitimate freeware programs. After infecting your PC through such dishonest methods, SaveShare will display advertisements in your browser, particularly whenever you visit popular pages like Facebook or YouTube, although SaveShare's advertisements are not limited to these sites. Although SaveShare is only a low-level PC threat that should be considered a very minor danger to your PC, SpywareRemove.com malware experts still suggest deleting SaveShare, like any adware, through appropriate anti-malware solutions that can preserve the integrity of your Web-browsing experience.

SaveShare: Sharing All the Advertisements You Don't Want

SaveShare (or Adware.Saveshare), which should not be confused with the game savefile-sharing Android app of the same name, is an adware program designed to display advertisements. SpywareRemove.com malware researchers have noted two distinct methods of advertisement delivery implemented by SaveShare as explained below:

  • SaveShare will display graphical advertisements on major media and social networking websites. These advertisements appear regardless of what your advertisement-filtering settings may happen to be.
  • SaveShare also injects hyperlink-based advertisements into the text content of other sites. For example, the word 'eggs' in an article may provide a link to a grocery site promoted by SaveShare. These attacks can occur on essentially any site that has text-based content.

As a silver lining to these non-consensual advertisements, SpywareRemove.com malware researchers were glad to note that SaveShare does, at least, clearly mark its advertisements so that they can be distinguished from your normal website content.

Saving Your Eyes the Trouble of Surveying SaveShare Advertisements

Like adware of any stripe, SaveShare isn't beneficial to your PC and should be removed as a general rule of thumb for keeping your browser's performance and security at optimal levels. SpywareRemove.com malware experts recommend using anti-malware software for deleting SaveShare and similar adware – particularly since SaveShare sometimes uses some non-consensual installation methods that also may install other PC threats.

SaveShare has been known to install itself to more than one browser at a time. Unlike a legitimate browser add-on, SaveShare's modifications don't include visible components (such as a toolbar) that would allow you to find and delete the source of your SaveShare advertisements with a minimum of difficulty. Other than its advertisements, there are no discrete symptoms of a SaveShare infection.

SaveShare sometimes is installed through compromised packages for other programs such as Daemon Tools Lite. These installers should be avoided in favor of official installers that don't include unwanted 'additions' like SaveShare or other adware. SpywareRemove.com malware experts also urge you to pay careful attention to any browser-changing options presented while you're installing any new application since such options often are vehicles for SaveShare and other low-level PC threats.


Generic5.AFXS [AVG]
ApplicUnwnt [Comodo]
Win32:BHO-AML [Spy] [Avast]
Artemis!E9B27306A18F [McAfee]

Technical Details

File System Modifications


The following files were created in the system:

File name: EJa.exe
Size: 342.01 KB (342016 bytes)
MD5: 8300c91b40229b42301aebc6d8859907
Detection count: 230
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp\00294823\EJa.exe
Group: Malware file
Last Updated: May 20, 2023

File name: ttWl.dll
Size: 227.32 KB (227328 bytes)
MD5: e9b27306a18f18b88945cdf066de2fc9
Detection count: 108
File type: Dynamic link library
Mime Type: unknown/dll
Path: C:\ProgramData\Downnluoadi keEaper\ttWl.dll
Group: Malware file
Last Updated: May 20, 2023

Registry Modifications

The following Registry values were newly produced:

HKEY..\..\..\..{RegistryKeys}
  • SOFTWARE\Classes\saveenshare.saveenshare
  • SOFTWARE\Classes\saveenshare.saveenshare.5.10
  • SOFTWARE\Classes\saVensshare.saVensshare
  • SOFTWARE\Classes\saVensshare.saVensshare.5.10
  • Software\Microsoft\Internet Explorer\Approved Extensions\{5B5E60F5-7778-D8BF-4529-4EC3D2069A6A}
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1993DC35-823E-1989-1DC7-3924AAF12C42}
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{3C081C04-E1A7-BE90-9F9A-9B5C41C054EC}
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5B5E60F5-7778-D8BF-4529-4EC3D2069A6A}

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
  • SP_703c874a
  • {62D82EC1-0D3A-DF54-8E3E-07E1337A5311}

Additional Information

The following directories were created:
  • %ALLUSERSPROFILE%\Application Data\saveeNshare
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\sauveeNshiare
  • %ALLUSERSPROFILE%\sAveenshare!
  • %ALLUSERSPROFILE%\saevenshAre
  • %ALLUSERSPROFILE%\sauveeNshiare
  • %ALLUSERSPROFILE%\saveNsshare
  • %ALLUSERSPROFILE%\saveaNshare
  • %ALLUSERSPROFILE%\saveanShaare
  • %ALLUSERSPROFILE%\saveeNshare
  • %ALLUSERSPROFILE%\savensharre
  • %AllUsersProfile%\Application Data\savenshare
  • %AllUsersProfile%\SavennsHaRe
  • %AllUsersProfile%\saVenshaare!
  • %AllUsersProfile%\savenshare
  • %AppData%\sauveeNshiare
  • %ProgramFiles%\Saveshare
  • %ProgramFiles(x86)%\Saveshare
  • %USERPROFILE%\AppData\LocalLow\sauveeNshiare
  • %USERPROFILE%\AppData\LocalLow\savensharre
The following URLs were detected: