wreckage

Babylon toolbar in Firefox prefs.js


Hello there.

Every time (daily) Malwarebytes runs it finds entries for Babylon toolbar inside the prefs.js file in my Firefox profile.  For the first few times I clicked 'Quarantine all', but the next scan the detections are back.  I then tried manually selecting 'quarantine' for each item (about 20) but when the next scan is run, guess what?  They're baa-aaack!

 I then deleted the prefs.js file from this path:  AppData\Roaming\Mozilla\Firefox\Profiles\nnnnnnnnnn\  but, you guessed it.  The detections were back in the next scan.   I'm really getting tired of this and would love to hear an explanation.

 

Here are some typical entries:

 

PUP.Optional.Babylon.A, C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\r19v7a82.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");), Replaced,[da9b53d6403b39fd095d79d1ce36ca36]
PUP.Optional.Babylon.A, C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\r19v7a82.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar_i.smplGrp", "none");), Replaced,[1263ec3d92e9bf7767ffa9a1ee16d12f]
PUP.Optional.Babylon.A, C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\r19v7a82.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar_i.srcExt", "ss");), Replaced,[175efd2cf289ba7cb5b163e780841ee2]
PUP.Optional.Babylon.A, C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\r19v7a82.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar_i.tlbrId", "base");),

 

Complete log attached: MB_Log.txt

 

Thank-you.


Is Babylon something you have installed or use on purpose?

 

Is there any listing in your programs and features in the control panel?


Hi,

 

RE Repeat detections/failure to remove from prefs.js.

 

Your browser (in your case Firefox) needs to be closed when Malwarebytes is applying the fixes, as whilst it is open it protects the prefs.js file, which restores any data we delete from that file in real time.


Of course!

 Thank-you, Fatdcuk - I should have realised that myself.  Sometimes I need others to remind me how silly I can be.

:-)

 Cheers.


I'm sorry to say that closing Firefox, (killing the process), then selecting Quarantine (for each item - one can never be sure that the 'Quarantine All' button does anything because of there being NO confirmation and not even a graphic change to make the button look pressed), out of the three available options (Add Exclusion or Ignore Once) being the other two (where's 'Delete for good'?) still did not work.  This morning's scan has again revealed 15 instances of PUP.Optional.Babylon.A.

  Firefox obviously re-creates the 'Prefs.js' file out of something.  From where does it re-create itself? - yes, I have completely deleted it while Firefox is closed - which is a pain in the proverbial as a lot of settings have to be re-configured.

  Can somebody at Malwarebytes assist me with figuring out what's going on here, please?  By the way, I hope the GUI is improved as it looks somewhat amateurish compared to the previous version.


Hi wreckage,

 

I'm unsure what is restoring the data at this point.

 

Can we just rule out it is not firefox.exe in memory making the restoration?

 

Run a quick scan and when it has finished (before taking any further action) please evoke task manager (CTRL+ALT+Delete) and terminate any instances of firefox.exe that are loaded.

 

Next  click on the quarantine all button.

 

No reboot message will be generated as this is a file edit and not a removal, but please next close Malwarebytes and then reboot the computer.

 

Please rescan and verify whether the detections persist.

 

Thanks for your help on this.


Hello, Fatdcuk.

 

 Thank-you for your assistance with this.

 As stated previously "that closing Firefox, (killing the process), then selecting Quarantine..." has not worked.  By the way, CTRL+Shift+Esc is a quicker trigger for Task Manlger.

 

I shall try your suggestion of closing MBytes and rebooting then re-scanning.  I'll report back in around 12-14 hours.

 

Thanks again for the suggestion.


Oops..  Looks like you don't allow editing of posts.  My attempt at humour backfired.  I meant of course to type 'Task Mangler' (for Task Manager).  Cheers.


This morning the daily scan results were waiting for me. The same 15 culprits were there; extensions.BabylonToolbar_i.nnnnn, etc.

I closed Firefox but by the time I had the Firefox process highlighted in Task Mangler and hit End Process Tree, it had finished its housework and closed.

I checked with Process Explorer and FF was closed.

 

Closed all applications then hit Quarantine All and closed MBytes.

Rebooted.

Ran Threat Scan and nothing found.

Opened Firefox and ran Threat Scan - All 15 items are back in Prefs.js.

 

I can only think that I have an old FF Extension folder (that should be deleted) here:
 

\\COMPUTER-NAME\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default

 

I'll carefully go through them all and see if I can find the culprit.  I'll just delete known extension folders that I no longer use and see where it gets me.

 

Cheers.


Hello, All.

 I'm a little disappointed that nobody here knew the resolution for this issue.  It is as follows:

 

If Babylon Toolbar is ever accidentally installed and removed either manually or by MalwareBytes, it leaves behind in the nnnnnnnn.default Firefox profile, a file named 'user.js'.

 

Even after all BabylonToolbar entries are removed from Firefox's prefs.js, somehow it is re-populated from user.js which in turn, does NOT EVER have the "BabylonToolbar" entries detected.   

     These are only text entries, by the way, and not malicious in themselves.  The Babylon Toolbar itself needs to be installed for the entries to do anything.

 

 Deleting the user.js file when FF is closed stops the prefs.js being repopulated, and thus no further detections are made by MBytes.

 

I hope you can now assist others with this issue in the future, and perhaps build something into MBytes to check for this issue.

 

Cheers.

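An added example, not part of the original thread and not Malwarebytes code: a read-only audit that reports which flagged prefs also sit in user.js (and so will be written back into prefs.js), plus a helper that removes only those lines rather than deleting the whole file as the post above did. It assumes Firefox applies user.js on top of prefs.js at each start; the function names, the `PREFIX` constant and the constructed sample profile are hypothetical.

```python
import re
import tempfile
from pathlib import Path

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,.*\)\s*;\s*$')  # user_pref("name", value);
PREFIX = "extensions.BabylonToolbar"  # pref namespace shown in the detections above

def is_flagged(line, prefix=PREFIX):
    """True if `line` is a user_pref entry whose name starts with `prefix`."""
    m = PREF_RE.match(line)
    return bool(m) and m.group(1).startswith(prefix)

def flagged_names(path, prefix=PREFIX):
    """Names of flagged prefs in a prefs.js/user.js file (empty set if it is missing)."""
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    return {PREF_RE.match(l).group(1) for l in text.splitlines() if is_flagged(l, prefix)}

def audit_profile(profile_dir, prefix=PREFIX):
    """Read-only: split flagged prefs by whether user.js will write them back."""
    in_user = flagged_names(Path(profile_dir) / "user.js", prefix)
    in_prefs = flagged_names(Path(profile_dir) / "prefs.js", prefix)
    return {"reseeded_from_user_js": sorted(in_user),
            "prefs_js_only": sorted(in_prefs - in_user)}

def strip_from_user_js(profile_dir, prefix=PREFIX):
    """Drop only the flagged lines from user.js, keeping user.js.bak. Run with Firefox closed."""
    user_js = Path(profile_dir) / "user.js"
    if not user_js.is_file():
        return 0
    lines = user_js.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True)
    kept = [l for l in lines if not is_flagged(l, prefix)]
    user_js.with_name("user.js.bak").write_text("".join(lines), encoding="utf-8")
    user_js.write_text("".join(kept), encoding="utf-8")
    return len(lines) - len(kept)

def demo():
    """Constructed profile: prefs.js already cleaned, user.js still holds the entries."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        (p / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
        (p / "user.js").write_text(
            'user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");\n'
            'user_pref("extensions.BabylonToolbar_i.tlbrId", "base");\n'
            'user_pref("browser.tabs.warnOnClose", false);\n')
        before = audit_profile(p)
        removed = strip_from_user_js(p)
        return before, removed, audit_profile(p), (p / "user.js").read_text()
```

Calling `demo()` returns the audit before cleanup, the number of lines removed, the audit afterwards and the remaining user.js content; on a real machine, pass the profile folder to `audit_profile` first and review its output before changing anything.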

You are posting in the False Positive, file detection, sub-forum.

 

This is the wrong place to deal with Malware Removal and associated processes.

 

Malwarebytes Personnel and associated volunteers who deal with Malware Removal do NOT process data in the False Positive sub-forum. 

Likewise Malwarebytes Personnel who deal with False Positives don't assist users in the Malware Removal sub-forum.


Well woo-hoo David H. Lipman.

 

 No, "Hello...."?  No, "thanks for resolving this, we'll take it on board... "?  Your mother must be proud of your manners.  If being alerted by MBytes of TEXT strings in a *.js file when there is NO malware present isn't a false positive, then I don't know what is.

 

Have a great day!   ;-)


Well, Wreckage, if Lipman isn't man enough to say it, then I will.... Thanks!  This is precisely the problem I am sorting out.

If your thread isn't in the right forum, then that's a minor housekeeping errand.  Putting users in touch with each other to help one another... that's something to be proud and happy with, and should be what this forum is all about.

Again, thanks for keeping this topic alive and letting everyone know how you resolved it.

You did a good thing.


You have to understand this is not a false positive but an incomplete removal. The detections were correct but user.js was putting them back.  We have made modifications to the removal today which hopefully should address this. If it is still happening on your machines after you have updated then I would need to have the user.js and prefs.js zipped and attached here.

 

Be advised Malwarebytes employees have the banner in the signature that says staff.

 

David is just trying to keep this forum clean for false positives which are very critical in our eyes.

 

We normally do not assist users here in removal of malware to keep this forum clear for false positives only.


Thank-you, creasman00.  You're a gentleman.  

I do realise that it's annoying for a board's users to post in an inappropriate forum, but I also believe that moderators should have a little more respect and tolerance.  It doesn't take much effort to guide a user in a friendly and polite manner to the correct area, or even move the post and leave a note stating "This topic has been moved to....."  yada yada.

 Mr. Lipman and Mr. Shadowwar must have a great time trying to 'out-power-trip' each other.  ;-)

Toodle-oo! 


That has nothing to do with it at all Wreckage.

 

David is a volunteer and not an employee or Moderator.

 

This has to do with assisting the users and following our guidelines for the forum. This allows us to address false positives as quickly as possible if it's one user per post.

 

 

As this issue is corrected now I will be closing this topic.

This topic is now closed to further replies.
