Avast WEBforum

Other => Viruses and worms => Topic started by: Traxy on March 22, 2022, 07:23:42 PM

Title: Is prefs.js a false positive?
Post by: Traxy on March 22, 2022, 07:23:42 PM
Had an alert for prefs.js (Firefox profile settings file) come up and be quarantined.

Threat name: VBS-Gamaredon-CM [Apt]
Threat type: Advanced persistent threat - This is a targeted attack in which an attacker hides out on your network to spy on you or steal your data.
File path: C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\nn7c461p.default-release\prefs.js
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Detected by: File Shield

Alert ID: 9aade828c058/220322.1742+0000

From what I can tell from googling, it's not unusual for the file to be flagged by some programs as a false positive. Sometimes it can flag up when Firefox is looking for updates. Ran a scan with MalwareBytes as well and it didn't find any issues, hence why I'm wondering if it's something I should be concerned about or if it's a false positive.

In quarantine it's listed 12 times between 17:42 and 17:45. I've sent the latest one to be analysed, as the option was there.

Gamaredon appears to be a Russian hacker group known for picking Ukrainian targets, but I'm nowhere near Ukraine.
Title: Re: Is prefs.js a false positive?
Post by: DavidR on March 22, 2022, 07:32:37 PM
Also reported here - https://forum.avast.com/index.php?topic=318638.0

I use Firefox (latest version) as my default browser and so far I haven't bumped into this.
Title: Re: Is prefs.js a false positive?
Post by: LukasJ on March 22, 2022, 08:27:26 PM
Hi, it was False Positive. It should have been already fixed.
Lukas
Title: Re: Is prefs.js a false positive?
Post by: DavidR on March 22, 2022, 08:55:58 PM
Hi, it was False Positive. It should have been already fixed.
Lukas

Thanks for that.

Though I haven't been impacted in this, is there a way for those affected to be able to get back into their Firefox/Thunderbird profiles?

EDIT: Or is it a case of restoring the prefs.js file if it was sent to the virus chest ?
Title: Re: Is prefs.js a false positive?
Post by: papinianos on March 22, 2022, 08:57:05 PM
Hi, it was False Positive. It should have been already fixed.
Lukas

I have a huge problem, especially with MOZILLA THUNDERBIRD. I can't access my email accounts and my emails.

Should I restore the prefs.js back to its original location or what?
 
Title: Re: Is prefs.js a false positive?
Post by: papinianos on March 22, 2022, 09:19:57 PM
Hi, it was False Positive. It should have been already fixed.
Lukas

Thanks for that.

Though I haven't been impacted in this, is there a way for those affected to be able to get back into their Firefox/Thunderbird profiles?

EDIT: Or is it a case of restoring the prefs.js file if it was sent to the virus chest ?


The quarantined prefs.js file of my Mozilla thunderbird has 4 options: 1) restore, 2) restore and add exception, 3 ) extract and 4) send for analysis.

Can I use the EXTRACT first, in order to be absolutely sure that I'll have backed up safely the file before I use the restore option, or I am thinking it wrong?

 
Title: Re: Is prefs.js a false positive?
Post by: guitarhero on March 22, 2022, 09:21:05 PM
Hey everyone, I had the exact same issue on one of my computers.

What I found odd is that initially I kept getting the pop-up even when Firefox wasn't running. When I restarted my computer it stopped. I ran some system scans and they came up clean.

Also, some of my settings in Firefox were changed (my home page had changed, along with a few other settings). I don't really understand why.

But if it's a false positive and fixed then great.

Title: Re: Is prefs.js a false positive?
Post by: papinianos on March 22, 2022, 09:48:45 PM
I restored the prefs.js file back to the profile folder in Thunderbird and THANK GOD everything is as it should be. Phewwwwww......
Title: Re: Is prefs.js a false positive?
Post by: Traxy on March 22, 2022, 10:04:41 PM
Hi, it was False Positive. It should have been already fixed.
Lukas
Phew! Good to know. Thank you!
Title: Re: Is prefs.js a false positive?
Post by: LukasJ on March 22, 2022, 10:07:39 PM
Yes, you can restore prefs.js. It should solve the problem with thunderbird profiles.
Lukas
Title: Re: Is prefs.js a false positive?
Post by: CBinRIC on March 22, 2022, 10:43:16 PM
BUT, AVAST created multiple Thunderbird (and Firebird) profiles. 

When I extracted each, named for the sequence quarantined, the first Thunderbird profile was largest, 61 KB, and subsequent profiles were as small as 1 KB.

I am assuming that first and largest is correct and subsequent profiles were created and quarantined because Thunderbird and AVAST were both running.

In contrast, the first couple of Firefox profiles were the same size.

Should the FIRST profile quarantined be the one to RESTORE?
Title: Re: Is prefs.js a false positive?
Post by: LukasJ on March 22, 2022, 11:11:08 PM
Hmmm. It's a good question. I am not sure. I would guess the first quarantined will be the file you need. Try to restore the first file. If it does not help then create a copy of this file and restore another.
Title: Re: Is prefs.js a false positive?
Post by: emwillsea on March 23, 2022, 12:03:12 PM
On Twitter, Avast advised me to attempt to restore the first quarantined file however Avast wouldn't restore the files for me in TB or FF.  I hope Avast have a solution.
Title: Re: Is prefs.js a false positive?
Post by: polonus on March 23, 2022, 12:58:43 PM
Good that avast team reacted.
Also read here: https://support.mozilla.org/en-US/questions/1280774

polonus
Title: Re: Is prefs.js a false positive?
Post by: CBinRIC on March 23, 2022, 01:07:57 PM
On Twitter, Avast advised me to attempt to restore the first quarantined file however Avast wouldn't restore the files for me in TB or FF.  I hope Avast have a solution.

I was able to use EXTRACT to save a copy of each PROFILE onto my HD in a temporary file.  The quarantine lists the original location of the file. I believe you should be able to replace file in TB and FF with the corresponding FIRST quarantined file that was EXTRACTED. 

You can find explanations on line for how to move both TB and FF from one computer to another. (I have successfully done this when rebuilding a laptop after updating the OS.)  Moving the Profile seems analogous to PART of that process.
Title: Re: Is prefs.js a false positive?
Post by: lapdog on March 23, 2022, 01:10:51 PM
To restore, I went to the location of the Firefox profile while the application was closed, deleted the prefs.js file and then restored. Avast cannot overwrite an already existing file, I guess.
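The two practical questions in this thread are which of several extracted quarantine copies is the real prefs.js (CBinRIC's sizes of 61 KB down to 1 KB) and how to put it back without the running application overwriting it (lapdog's close-then-restore step). The script below is an added example, not code from Avast or Mozilla: it parses each extracted copy, ranks them by how many settings they contain, reports which security-relevant settings (home page, default search engine, proxy) differ between copies, and copies the chosen file into a profile folder after checking the profile is not in use. The sample copies are constructed, and the use of `parent.lock` as the "profile is open" indicator is an assumption that holds for Firefox and Thunderbird profiles on Windows.

```python
"""Triage extracted copies of a quarantined prefs.js and restore the chosen one.

Added example, not Avast's or Mozilla's code. Assumptions: prefs.js is a flat
list of user_pref("name", value); lines, and a running Firefox/Thunderbird
holds a parent.lock file in its profile folder (Windows; Linux uses a 'lock'
symlink instead). SAMPLES below are constructed, not real user data.
"""
from __future__ import annotations

import re
import shutil
from pathlib import Path

# One setting per line, e.g. user_pref("browser.startup.homepage", "https://example.org");
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.+)\);$')

# Settings a bad restore (or a real intruder) would most plausibly have altered.
WATCHED = (
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "network.proxy.type",
    "network.proxy.http",
    "security.enterprise_roots.enabled",
)


def parse_prefs(text: str) -> dict[str, str]:
    """Return {pref_name: raw_value} for every user_pref line; comments are skipped."""
    prefs: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "/*", "*")):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def rank_copies(copies: dict[str, str]) -> list[tuple[str, int]]:
    """Order extracted copies by number of settings, most complete first."""
    counts = ((name, len(parse_prefs(text))) for name, text in copies.items())
    return sorted(counts, key=lambda item: item[1], reverse=True)


def changed_watched_prefs(reference: str, candidate: str) -> dict[str, tuple[str | None, str | None]]:
    """Watched settings that differ between two copies: name -> (reference value, candidate value)."""
    a, b = parse_prefs(reference), parse_prefs(candidate)
    return {k: (a.get(k), b.get(k)) for k in WATCHED if a.get(k) != b.get(k)}


def restore_prefs(profile_dir: Path, source: Path) -> Path:
    """Copy an extracted prefs.js into the profile, keeping a .bak of whatever is there.

    Refuses to touch a profile that is in use: the application rewrites prefs.js
    on exit and would overwrite the restored file.
    """
    if (profile_dir / "parent.lock").exists():
        raise RuntimeError(f"{profile_dir} is in use; close Firefox/Thunderbird first")
    target = profile_dir / "prefs.js"
    if target.exists():
        backup = profile_dir / "prefs.js.bak"
        n = 1
        while backup.exists():  # never clobber an earlier backup
            backup = profile_dir / f"prefs.js.bak{n}"
            n += 1
        target.replace(backup)
    shutil.copyfile(source, target)
    return target


# Constructed sample copies, numbered in quarantine order (not real user data).
SAMPLES = {
    "quarantine_1": '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1647970000);
user_pref("browser.startup.homepage", "https://example.org/start");
user_pref("browser.search.defaultenginename", "DuckDuckGo");
user_pref("network.proxy.type", 5);
user_pref("privacy.donottrackheader.enabled", true);
''',
    "quarantine_2": '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1647970000);
''',
    "quarantine_3": '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 5);
''',
}

if __name__ == "__main__":
    ranking = rank_copies(SAMPLES)
    for name, count in ranking:
        print(f"{name}: {count} settings")
    best = ranking[0][0]
    for other in SAMPLES:
        if other != best:
            print(other, "differs from", best, "in", changed_watched_prefs(SAMPLES[best], SAMPLES[other]))
```

On real data, point `SAMPLES` at the files you extracted from the Virus Chest, and call `restore_prefs(Path(r"C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>"), Path("quarantine_1"))` only after closing the application; the backup it leaves behind lets you swap in the next candidate if the first one turns out to be a stub.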
Title: Re: Is prefs.js a false positive?
Post by: HelpPlease on March 23, 2022, 02:10:34 PM
I had the same alert from avast and was relieved to hear it was a false positive. However my alert was different from what other people have received.

Other people have mentioned that Avast quarantined their Firefox files, or aborted connection to various websites when the alert popped up, but for me it was a file located in C:\ProgramData\Microsoft\Windows\WER\Temp and the infected file was called WER579D.tmp.txt

Is it normal for windows files to have both tmp and txt at the end? I don't recall seeing that before.

And is this just the same as the other false positives? Is all as it should be and I am not infected?
Title: Re: Is prefs.js a false positive?
Post by: emwillsea on March 23, 2022, 03:27:25 PM
Thank you to the person who said to delete the prefs.js file in the profile (cannot now find their post) and then restore from Avast quarantine. This worked for me with FF and TB.
Title: Re: Is prefs.js a false positive?
Post by: LukasJ on March 23, 2022, 07:13:23 PM
I had the same alert from avast and was relieved to hear it was a false positive. However my alert was different from what other people have received.

Other people have mentioned that Avast quarantined their Firefox files, or aborted connection to various websites when the alert popped up, but for me it was a file located in C:\ProgramData\Microsoft\Windows\WER\Temp and the infected file was called WER579D.tmp.txt

Is it normal for windows files to have both tmp and txt at the end? I don't recall seeing that before.

And is this just the same as the other false positives? Is all as it should be and I am not infected?

Hi, it was also a False Positive. It will not affect your PC. These files are Windows error reports.
Title: Re: Is prefs.js a false positive?
Post by: avrf7 on March 24, 2022, 12:06:07 AM
I didn't know this was a false positive and last night I deleted the three copies (VBS:Gamaredon bla bla...) of the file from the quarantine section. Was I supposed to restore it? Will there be any harm on my end?
Title: Re: Is prefs.js a false positive?
Post by: DavidR on March 24, 2022, 12:44:30 AM
I didn't know this was a false positive and last night I deleted the three copies (VBS:Gamaredon bla bla...) of the file from the quarantine section. Was I supposed to restore it? Will there be any harm on my end?

As I mentioned in another topic:
Okay, so according to the Avast Team thread link from Pondus, it 'was' a FP, which is reassuring

*I deleted the three copies of the file from the Quarantine section - Was I supposed to restore it?

Unlike other users have posted, I have not had any permanent negative issues (missing emails, the inability to access email accounts, or further pop-ups being displayed in Firefox).

Personally there is no rush to delete anything in quarantine; it can do no harm there, files are encrypted and the name is changed (if viewed from outside the quarantine).

Had they been required to get firefox/thunderbird working again - As the old saying goes, act in haste repent at leisure.

Check out that other topic (and this one) as many have found ways to get back up and running.

Only you can answer the "will there be any harm" question - is Firefox and Thunderbird running normally? - as some report Firefox replaced the prefs.js file; others did something else, see Reply #15 of this topic by 'lapdog'.
Title: Re: Is prefs.js a false positive?
Post by: jovital on March 24, 2022, 09:57:00 AM
On 22/03/22 starting up Thunderbird took me to a set-up window. All my e-mails, accounts, local folders had disappeared. Only my address book was still there. This happened simultaneously on both my PC and laptop. Avast put up a warning that the file prefs.js was infected with the virus Gamaredon-CM[APT] and had been quarantined. Unfortunately prefs.js is the configuration and settings file for all versions of Thunderbird. Thinking that I had had a lucky escape and Vladimir Putin was about to hack into my computer, I tried to restore the same file on my laptop [expendable]. Files could not be restored. I finally managed to restore my IMAP email and accounts by rolling back to a previous restore point, copying and pasting the profile files on the laptop on a new installation of Thunderbird on my PC. Alas I lost all my Local Folders as foolishly I did not have a backup. Nothing on the web from Avast stating that it was a FP, apart from a mention on Twitter. I finally joined this Forum where it confirmed it was a FP. I have installed Avast on many clients' computers over the years and it has always been a reliable [if lately bloated and full of unwanted features like Secure Browsers] bit of anti-virus software. But the total sloppiness of this behaviour on the part of their engineers has finally convinced me to remove all traces of Avast from my computers as well as my clients'. How about an apology, Avast?
Title: Re: Is prefs.js a false positive?
Post by: moseviero on March 24, 2022, 06:16:41 PM
Greetings!

I am having this problem as well and I am trying to solve it, but I can't. If I go to the quarantine tab of my Avast, I see the file prefs.js 6 times: but with any of these files, if I click on restore or restore and add exception I get an error message ("it is impossible to restore this file" or something like that).

Is there any way to restore the file manually?

Mosè
Title: Re: Is prefs.js a false positive?
Post by: alanb on March 24, 2022, 07:05:29 PM
Is there any way to restore the file manually?


Yes, from your most recent profile backup.  You do back up your profile regularly, yes?
Title: Re: Is prefs.js a false positive?
Post by: moseviero on March 24, 2022, 07:42:58 PM
Is there any way to restore the file manually?


Yes, from your most recent profile backup.  You do back up your profile regularly, yes?

Ahem. My problems are with ThunderBird, and I don't think I ever made a backup of any profile of it.
My mails are all IMAP, so if I reinstall it I am going to recover everything. It's going to be just annoying because I'll need to set up every account again. Do you think that's the only solution for me?

Thank you! :-)
Mosè
Title: Re: Is prefs.js a false positive?
Post by: polonus on March 24, 2022, 11:21:46 PM
L.S.

Not to come to the defense of avast, but certainly particular software code can be more FP-prone than others.
When code has been signed properly it is also much easier to avoid such mishaps.
JavaScript can be a can of worms, with suspicious and malicious activity bordering closely.
The final verdict depends on quite some factors and circumstances.
Time pressure in releasing definitions also counts.

Every av-vendor has issues, and whenever they tell you they haven't,
they have placed themselves outside normal life's reality.  :D

Never take things for granted, because you cannot. That's real life for ye.
Check and counter-check. And that's why we have these here forums.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

P.S. On an earlier MBAM-PUP-detection:
https://forums.malwarebytes.com/topic/251908-detecting-prefsjs-on-my-firefox-profile/

On the use of prefsCleaner: https://github.com/arkenfox/user.js/wiki/3.5-prefsCleaner