Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Software Development Software Development
Search Search
Search for:
Tech Support Guy > > >

Solved: Need to edit certain lines from a js file.


(!)

pure_evil020's Avatar
pure_evil020 pure_evil020 is offline
Member with 92 posts.
THREAD STARTER
 
Join Date: Jul 2008
12-Jul-2012, 09:06 AM #1
Solved: Need to edit certain lines from a js file.
Hi there,
I was recently hijacked by a babylon affiliate malware, and was able to remove everything quite easily, except for one problem.
Every time I opened a new tab, it would open an affiliate babylon search page.

After some searching, I found the culprit!
Firefox's prefs.js file was modified, to include a number of preferences that would cause the url to come up when a new tab is opened.

I could go through and manually fix it myself, but I thought that if others have the same problem, and come across my question, they might want an easier solution.
My solution would be a batch file (or vbs file) that will search "prefs.js" for lines containing the word "babylon" in it, and remove all of those lines.
Each preference setting is separated by a new paragraph line.

As an example for what I'm after, lets say the file contains the following lines in it:

Quote:
user_pref("CT2737658..clientLogIsEnabled", true);
user_pref("CT2737658..clientLogServiceUrl", "http://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
user_pref("CT2737658..uninstallLogServiceUrl", "http://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
user_pref("CT2737658.AboutPrivacyUrl", "http://www.conduit.com/privacy/Default.aspx");
user_pref("CT2737658.BrowserCompStateIsOpen_129531118722676073", true);
user_pref("CT2737658.CTID", "ct2737658");
user_pref("CT2737658.CurrentServerDate", "24-10-2011");
user_pref("CT2737658.DialogsAlignMode", "LTR");
user_pref("CT2737658.DialogsGetterLastCheckTime", "Sun Oct 23 2011 17:39:18 GMT-0700 (Pacific Daylight Time)");
user_pref("CT2737658.DownloadReferralCookieData", "");
user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.disk.capacity", 1048576);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size_cached_value", 430080);
user_pref("browser.display.background_color", "#C0C0C0");
user_pref("browser.display.use_system_colors", true);
user_pref("browser.download.lastDir", "S:\\download");
user_pref("browser.newtab.url", "http://search.babylon.com/?affID=111813&tt=010712_3&babsrc=NT_ss&mntrId=906b43d700000000000000ff7f106 aae");
user_pref("browser.places.smartBookmarksVersion", 3);
user_pref("browser.preferences.advanced.selectedTabIndex", 2);
The batch file (or vbs file), should locate the two lines that contain the word "babylon" in it, and remove those lines.
Simply telling the batch file to look for those lines specifically (e.g. user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");") and removing it, would not be good enough, because other users may have an entirely different affiliate link attached, or other preferences written.


Is anyone here capable of writing such a batch (or vbs) file that can do this for me?
Thanks in advance!
Ent's Avatar
Ent   (Josiah) Ent is online now Ent is a Trusted Advisor with special permissions.
Computer Specs
Trusted Advisor with 5,290 posts.
 
Join Date: Apr 2009
Location: United Kingdom
Experience: Intermediate
12-Jul-2012, 09:48 AM #2
While this would not be a particularly difficult thing to code, I suspect that it would be unwise.
There are two considerations here:

The first is the risk that it hasn't been properly taken out to begin with. The reason that TSG has restrictions on who can help with malware is that malware can be much more difficult to remove than is generally realized. Even if you have done the job correctly, there is no guarantee that the next user would have. The only way to be safe would be to create and maintain a full blown removal program (a bit like a dedicated uninstaller), and that's a task beyond the ability of most here.

The second is that those lines are not merely inserted by the software in question, they are changed from benign values. If you simply delete them, you could be left without various key functions, or potentially even with a broken browser.
pure_evil020's Avatar
pure_evil020 pure_evil020 is offline
Member with 92 posts.
THREAD STARTER
 
Join Date: Jul 2008
12-Jul-2012, 09:44 PM #3
I have checked over the last concern you mentioned, suggesting that you could potentially break your browser by editing lines incorrectly.
If you are removing only the lines that have the word "babylon" in it, it will simply remove the preference entries that the babylon extension has copied into this file.

Any lines that are left blank (deleted babylon lines) are automatically refilled as their default values when firefox starts.
You could completely remove everything from the pref file, and firefox would still create a new pref file with the default preference values (removing all addon settings).

All the malware did, is add a few lines into the prefs file, to turn on tabsearch function, and set a url for the newtab string.
Once these lines are deleted, the software reverts those preferences back to their default values.

I would conclude that if you want to remove all effects that babylon has had on your browser, this would actually be a good way of removing all babylon effects from your browser, after you have removed the babylon software/malware from your computer (with the help of an approved tech here on the malware forums).

I think that it would be much simpler for a tech to instruct the user to download and run a babylon preference removal tool, rather than instructing the user to go to about:config, take a screen shot, upload the screen shot, then wait for an answer as to which strings to change, and what value to change those strings to.

Last edited by pure_evil020; 13-Jul-2012 at 12:01 AM..
pure_evil020's Avatar
pure_evil020 pure_evil020 is offline
Member with 92 posts.
THREAD STARTER
 
Join Date: Jul 2008
15-Jul-2012, 01:38 AM #4
So was anyone able to help me write this code?
pure_evil020's Avatar
pure_evil020 pure_evil020 is offline
Member with 92 posts.
THREAD STARTER
 
Join Date: Jul 2008
15-Jul-2012, 04:16 AM #5
Nevermind... I figured it out myself.
Squashman's Avatar
Trusted Advisor with 19,683 posts.
 
Join Date: Apr 2003
Location: 1265 Lombardi Ave
15-Jul-2012, 06:46 AM #6
Quote:
Originally Posted by pure_evil020 View Post
Nevermind... I figured it out myself.
Then please post your solution and mark your thread solved.
pure_evil020's Avatar
pure_evil020 pure_evil020 is offline
Member with 92 posts.
THREAD STARTER
 
Join Date: Jul 2008
20-Jul-2012, 09:52 AM #7
Solution
Although I don't think many people on these forums will be looking for a solution using my method, here it is:

I came up with the following GML code, to do what I wanted to do:

Code:
global.changetext=""
var i, j, fileId
{
//Read
i = 0;
fileId = file_text_open_read("copy.js");
while(!file_text_eof(fileId)) {
    str[i] = file_text_read_string(fileId);
    //Replace
    if (string_pos("Babylon",str[i]
) !=0 ) {
        str[i] = global.changetext;
        }
    i += 1;
    file_text_readln(fileId);
    }
i -= 1;
file_text_close(fileId);
//Rewrite
fileId = file_text_open_write("copy.js");
for (j=0;j<=i;j+=1) {
    file_text_write_string(fileId,str[j]);
    file_text_writeln(fileId);
    }
file_text_close(fileId);
}
show_message("process completed!")
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑

Content Relevant URLs by vBSEO 3.3.2