
How to remove 'saveshare'?

Hi there,

I downloaded VLC to read some divx files a few days ago, and it brought 'saveshare' malware with it in the download as well. (At least, I think that's where it came from.)

I've removed saveshare from my Firefox add-ons, but that hasn't stopped the ads or the annoying links sprinkled randomly through the text of any web page I'm looking at. The Firefox add-on wasn't actually called 'saveshare' - it was something similar, but I deleted it before I thought of looking for that file name in my system.

I had hoped Sophos would be able to find it for me, but it's scanned my whole system and only found 'issues' rather than threats. Is there any way I can direct it to find the problematic files?

Will uninstalling VLC do anything to help?

Thanks,

Elisa.

  • Hello Elisa,

    Will uninstalling VLC do anything to help?

    likely not. I'm not aware that VideoLAN packages anything with VLC - BTW: Where did you download it from? videolan.org is the top hit when you google VLC and you should download from the official site whenever possible (not only VLC).

    Reading up on saveshare and your post reminds me of something I've seen lately (mostly Firefox on Windows, but this doesn't make a difference). Found it because Sophos' Web Protection (are you using version 9 or still version 8?) blocked it from accessing these "ads" sites. There was more than the visible Add-On (called itself wxDownload 4 - not the SourceForge project though). It had also injected code into Firefox's prefs.js.

    Let Spotlight search for prefs.js - it should be in your user's Library/Application Support/Firefox/Profiles/... Make sure Firefox is closed. Ctrl-click prefs.js to Reveal in Finder, make a copy of the file, Ctrl-click to open the original with Text Editor (or some other editor of your choice). If this whatever used the same trick I have seen there should be a line with:

    user_pref("extensions.xxxxxxxxxxxx.scode" followed by a lengthy mumbo-jumbo which is in fact JavaScript code which does the rogue work (the xxxxxx is a random identifier; what's important is the .scode. There might be others with the same id and a different suffix, e.g. .epoch, or even another set with a different id).

    Remove these lines (the ones with .scode and the associated others), save it and then check whether Firefox is normal again. Whatever you found or didn't find, please follow up here.

    Christian
  • Hi Christian,

    Thanks for replying. I downloaded VLC from videolan.org, so perhaps that wasn't the culprit... And I'm using version 9 of Sophos.

    Here's the weird thing, though - I went to bed after I posted my question last night, and have been at work all day today away from my laptop. When I came back tonight to work through your suggestions, Firefox appears to be running completely cleanly! I have done literally nothing since closing it down yesterday. (And I closed everything down a bunch of times when I was first trying to get rid of the problem, so it's not like that's what's done it.)

    Anyway... I searched through the prefs.js file, and found two instances of user_pref("extensions.xxxxxxxxxxxx.scode" code. You think I should still delete them? I'm not fluent in JavaScript, so I might need a hand working out where the problematic lines end. Screenshots attached...


    Thanks for your help.

    Cheers,

    e.

  • Hello Elisa,

    I haven't analyzed the script in .scode (that's beyond my meager knowledge). As far as I can tell the code tries to get instructions which ads to serve, "customizes" what it serves depending e.g. on your location and also syncs your "ad-preferences". If you have Web Protection enabled it's likely that Sophos blocks the necessary initial connections (you should see this in the log - often the reason is the generic Mal/HTMLGen-A) or the add-on you've removed is required for it to properly initialize.

    Whatever, it's still a good idea to sanitize your prefs.js.

    Make a copy just in case. Each preference item is on its own line, starting with user_pref(". While TextEdit wraps the lines, you can select all of a line's contents by triple-clicking on any part of it. I suggest you start with the .scode: after selecting the line, hit Backspace (you'll immediately see if it worked). Although they should do no harm, do the same for the lines with .epoch or any other containing the extension id (BTW I've found an instance which also has a .url suffix; these are used for syncing).

    Christian

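    As an added example (not from the thread, and not a Sophos tool), a small Python script that automates the prefs.js clean-up described in Christian's two replies above: it finds every extensions.<id>.scode entry, treats that id as rogue, and drops all user_pref lines carrying it (.scode, .epoch, .url or any other suffix) after backing up prefs.js. The sample prefs.js content, the extension id and the URL in it are constructed for the demo.

```python
import re
import shutil
from pathlib import Path

# Name part of a prefs.js entry, which always looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)"')

def find_rogue_ids(text):
    """Extension ids (the xxxx in extensions.xxxx.scode) whose .scode entry carries the injected script."""
    ids = set()
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("extensions.") and m.group(1).endswith(".scode"):
            ids.add(m.group(1)[len("extensions."):-len(".scode")])
    return ids

def clean_prefs(text):
    """Drop every user_pref line that belongs to a rogue id (.scode, .epoch, .url and any
    other suffix). Returns (cleaned_text, names_of_removed_prefs)."""
    prefixes = tuple(f"extensions.{i}." for i in find_rogue_ids(text))
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(prefixes):  # empty tuple never matches
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "".join(kept), removed

def clean_prefs_file(path):
    """Back up prefs.js as prefs.js.bak (Firefox must be closed), then rewrite it cleaned."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    cleaned, removed = clean_prefs(p.read_text(encoding="utf-8"))
    p.write_text(cleaned, encoding="utf-8")
    return removed

# Constructed sample prefs.js content; the id, payload and URL are made up for the demo.
SAMPLE = '''user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.ab12cd34ef56.scode", "(function(){/* injected ad script */})();");
user_pref("extensions.ab12cd34ef56.epoch", 1382700000);
user_pref("extensions.ab12cd34ef56.url", "http://ads.example.invalid/sync");
user_pref("extensions.lastAppVersion", "24.0");
'''
```

    Running clean_prefs_file on a real profile's prefs.js removes the three rogue lines in the sample while leaving legitimate extensions.* preferences such as lastAppVersion untouched.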
  • Hi Christian,

    I've deleted the .scode, .epoch and .url lines, and so far everything seems great! Will keep an eye on things over the next couple of days, but I think we're in the clear. Awesome.

    Thanks so much for your help.

    Cheers,

    e.
