Author Topic: Is prefs.js a false positive?  (Read 7944 times)

Offline lapdog

  • Newbie
  • *
  • Posts: 1
Re: Is prefs.js a false positive?
« Reply #15 on: March 23, 2022, 01:10:51 PM »
To restore, I went to the location of the Firefox profile while the application is closed, deleted the prefs.js file and then restored. Avast cannot overwrite an already existing file, I guess.

Offline HelpPlease

  • Newbie
  • *
  • Posts: 3
Re: Is prefs.js a false positive?
« Reply #16 on: March 23, 2022, 02:10:34 PM »
I had the same alert from avast and was relieved to hear it was a false positive. However my alert was different from what other people have received.

Other people have mentioned that Avast quarantined their firefox files, or aborted connection to various websites when the alert popped up, but for me it was a file located in C:\ProgramData\Microsoft\Windows\WER\Temp and the infected file was called WER579D . tmp . txt

Is it normal for windows files to have both tmp and txt at the end? I don't recall seeing that before.

And is this just the same as the other false positives? Is all as it should be and I am not infected?

Offline emwillsea

  • Newbie
  • *
  • Posts: 4
Re: Is prefs.js a false positive?
« Reply #17 on: March 23, 2022, 03:27:25 PM »
Thank you to the person who said to delete the prefs.js file in the profile (cannot now find their post) and then restore from Avast quarantine. This worked for me with FF and TB.

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 86
Re: Is prefs.js a false positive?
« Reply #18 on: March 23, 2022, 07:13:23 PM »
I had the same alert from avast and was relieved to hear it was a false positive. However my alert was different from what other people have received.

Other people have mentioned that Avast quarantined their firefox files, or aborted connection to various websites when the alert popped up, but for me it was a file located in C:\ProgramData\Microsoft\Windows\WER\Temp and the infected file was called WER579D . tmp . txt

Is it normal for windows files to have both tmp and txt at the end? I don't recall seeing that before.

And is this just the same as the other false positives? Is all as it should be and I am not infected?

Hi, it was also a false positive. It will not affect your PC. These files are Windows error reports.

Offline avrf7

  • Newbie
  • *
  • Posts: 1
Re: Is prefs.js a false positive?
« Reply #19 on: March 24, 2022, 12:06:07 AM »
I didn't know this was a false positive and last night I deleted the three copies (VBS:Gamaredon bla bla...) of the file from the quarantine section. Was I supposed to restore it? Will there be any harm on my end?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Is prefs.js a false positive?
« Reply #20 on: March 24, 2022, 12:44:30 AM »
I didn't know this was a false positive and last night I deleted the three copies (VBS:Gamaredon bla bla...) of the file from the quarantine section. Was I supposed to restore it? Will there be any harm on my end?

As I mentioned in another topic:
Okay, so according to the Avast Team thread link from Pondus, it 'was' a FP, which is reassuring

*I deleted the three copies of the file from the Quarantine section-Was I supposed to restore it?

Unlike other users have posted, I have not had any permanent negative issues (missing emails, the inability to access email accounts, or further pop-ups being displayed in Firefox).

Personally there is no rush to delete anything in quarantine, it can do no harm there, files are encrypted and the name is changed (if viewed from outside the quarantine).

Had they been required to get firefox/thunderbird working again - As the old saying goes, act in haste repent at leisure.

Check out that other topic (and this one) as many have found ways to get back up and running.

Only you can answer the, will there be any harm - is firefox and thunderbird running normally ? - as some report firefox replaced the prefs.js file - others did something else, see Reply #15 of this topic by 'lapdog'.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline jovital

  • Newbie
  • *
  • Posts: 1
Re: Is prefs.js a false positive?
« Reply #21 on: March 24, 2022, 09:57:00 AM »
On 22/03/22 starting up Thunderbird took me to a set-up window. All my e-mails, accounts, local folders had disappeared. Only my address book was still there. This happened simultaneously on both my PC and laptop. Avast put up a warning that the file prefs.js was infected with the virus Gamaredon-CM[APT] and had been quarantined. Unfortunately prefs.js is the configuration and settings file for all versions of Thunderbird. Thinking that I had had a lucky escape and Vladimir Putin was about to hack into my computer I tried to restore the same file on my laptop [expendable]. Files could not be restored. I finally managed to restore my IMAP email and accounts by rolling back to a previous restore point, copying and pasting the profile files on the laptop on a new installation of Thunderbird on my PC. Alas I lost all my Local Folders as foolishly I did not have a backup. Nothing on the web from Avast stating that it was a FP, apart from a mention on Twitter. I finally joined this Forum where it confirmed it was a FP. I have installed Avast on many clients' computers over the years and it has always been a reliable [if lately bloated and full of unwanted features like Secure Browsers] bit of anti-virus software. But the total sloppiness of this behaviour on the part of their engineers has finally convinced me to remove all traces of Avast from my computers as well as my clients. How about an apology, Avast?

Offline moseviero

  • Newbie
  • *
  • Posts: 2
Re: Is prefs.js a false positive?
« Reply #22 on: March 24, 2022, 06:16:41 PM »
Greetings!

I am having this problem as well and I am trying to solve it, but I can't. If I go to the quarantine tab of my Avast, I see the file prefs.js for 6 times: but with any of these files, if I click on restore or restore and add exception I get an error message ("it is impossible to restore this file" or something like that).

Is there any way to restore the file manually?

Mosè

Offline alanb

  • Poster
  • *
  • Posts: 652
Re: Is prefs.js a false positive?
« Reply #23 on: March 24, 2022, 07:05:29 PM »
Is there any way to restore the file manually?


Yes, from your most recent profile backup.  You do back up your profile regularly, yes?

Offline moseviero

  • Newbie
  • *
  • Posts: 2
Re: Is prefs.js a false positive?
« Reply #24 on: March 24, 2022, 07:42:58 PM »
Is there any way to restore the file manually?


Yes, from your most recent profile backup.  You do back up your profile regularly, yes?

Ahem. My problems are with ThunderBird, and I don't think I ever made a backup of any profile of it.
My mails are all IMAP, so if I reinstall it I am going to recover everything. It's going to be just annoying because I'll need to set up every account again. Do you think that's the only solution for me?

Thank you! :-)
Mosè

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Is prefs.js a false positive?
« Reply #25 on: March 24, 2022, 11:21:46 PM »
L.S.

Not to come to the defense of Avast, but certainly particular software code can be more FP-prone than others.
When code has been signed properly it is also much easier to avoid such mishaps.
Javascript can be a can of worms with suspicious and malicious activity bordering closely.
The final verdict depends on quite some factors and circumstances.
Time pressure in releasing definitions also counts.

Every av-vendor has issues, and whenever they tell you they haven't,
they have placed themselves outside normal life's reality.  :D

Never take things for granted, because you cannot. That's real life for ye.
Check and counter-check. And that's why we have these here forums.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

P.S. On an earlier MBAM-PUP-detection:
https://forums.malwarebytes.com/topic/251908-detecting-prefsjs-on-my-firefox-profile/

On the use of prefsCleaner: https://github.com/arkenfox/user.js/wiki/3.5-prefsCleaner
« Last Edit: March 25, 2022, 12:39:20 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!