Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Avast flags prefs.js as Gamaredon malware

more options

Anyone seen an issue where Avast flags the Mozilla prefs.js as Gamaredon malware? First time I've seen this, could be a false positive but will avoid Mozilla 'til sure what is going on?

P.

Anyone seen an issue where Avast flags the Mozilla prefs.js as Gamaredon malware? First time I've seen this, could be a false positive but will avoid Mozilla 'til sure what is going on? P.

Isisombulu esikhethiweyo

From https://www.reddit.com/r/firefox/comments/tk91g3/potential_virus/ it may have been fixed https://forum.avast.com/index.php?topic=318640.0 ?

Short answer was "Hi, It was FP and it should have been already fixed."

So a False Positive I guess.

Funda le mpendulo kwimeko leyo 👍 0

All Replies (15)

more options

Same problem here. It was detected minutes ago with AVG (free).

more options

I have the same issue with Avast

more options

Exactly the same problem with AVG. 12 threats (VBS:Gamaredon-CM {APT} prefs.js AVG alert automatically sent it to Quarantine. Now I can no longer open any website with firefox apart from this support.

more options

Same issue using AVG (subscription). Deep scan reveals no problems?

more options

Hi, this is going around and should be taken seriously.

(1) prefs.js is a file that stores customized settings

Those include:

  • Add-on IDs -- connects an add-on installed in your Firefox with its local storage files
  • URLs -- including any custom home page, pinned shortcuts on the new tab page, and numerous URLs used for background updates

At this point, I haven't seen a post identifying exactly what setting is causing the detection. If someone is very comfortable reading a quarantined file in a text editor -- don't double-click prefs.js because your OS may execute it as a system script -- we could learn more by searching for "vbs" or any other know indications of this attack.

Related Reddit thread: https://www.reddit.com/r/firefox/comments/tk9w7l/corrupt_prefsjs_files_virus_related/

(2) Be suspicious of a potential malware extension

You can restart Firefox in its Troubleshoot Mode to disable all add-ons temporarily, and provide breathing room to take a closer look.

If Firefox is running:

You can restart Firefox in Safe/Troubleshoot Mode using either:

  • "3-bar" menu button > Help > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)
  • (menu bar) Help menu > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)

and OK the restart. A small dialog should appear. Click the Open button (before Fx88: "Start in Safe Mode" button).

If Firefox is not running:

Hold down the Shift key when starting Firefox. (On Mac, hold down the option/alt key instead of the Shift key.) A small dialog should appear. Click the Open button (before Fx88: "Start in Safe Mode" button).

Investigating Extensions

You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:

  • Ctrl+Shift+a (Mac: Command+Shift+a)
  • "3-bar" menu button (or Tools menu) > Add-ons
  • type or paste about:addons in the address bar and press Enter/Return

In the left column of the Add-ons page, click Extensions. On the right side, find the "Manage Your Extensions" heading.

If there is at least one extension before the next heading -- "Recommended Extensions" -- please continue:

Then cast a critical eye over the list below that heading. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove). For your privacy and security, don't let mystery programs linger here.

Anything unexpected there?

more options

https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data prefs.js This file stores customized user preference settings, such as changes you make in Firefox Settings dialogs. The optional user.js file, if one exists, will override any modified preferences.

http://kb.mozillazine.org/Prefs.js_file

I have seen the occasional posts about false positives on the prefs.js file over the years here and at mozillaZine forums.

Have you checked for new definitions updates in Avast and AVG ?

jscher2000 said

Hi, this is going around and should be taken seriously. At this point, I haven't seen a post identifying exactly what setting is causing the detection. If someone is very comfortable reading a quarantined file in a text editor -- don't double-click prefs.js because your OS may execute it as a system script -- we could learn more by searching for "vbs" or any other know indications of this attack. Related Reddit thread: https://www.reddit.com/r/firefox/comments/tk9w7l/corrupt_prefsjs_files_virus_related/

Hmm not sure if I have ever seen posts of the prefs.js file potentially actually being infected someway till now.

Best case it is a false positive, however both Avast and AVG are doing it. Wonder if other scanners are.

Would the affected file get results on https://www.virustotal.com/gui/home/upload I wonder.

Ilungisiwe ngu James

more options

Isisombululo esiKhethiweyo

From https://www.reddit.com/r/firefox/comments/tk91g3/potential_virus/ it may have been fixed https://forum.avast.com/index.php?topic=318640.0 ?

Short answer was "Hi, It was FP and it should have been already fixed."

So a False Positive I guess.

more options
more options

myrtille00 said

I did the scan on virus total and it was undetected. https://www.virustotal.com/gui/file/142ec6031c1a249cea27a95794bb6b3bcb952adbfed70e09713ffa5664c2aaef

Avast is on list but not AVG hmm.

According to Avast it was a False Positive and should be fixed already. Just may need to check for updates in scanner.

more options

Avast say "our bad" but leaves users to clean up the damage...

If you want to restore the prefs.js file to its original location:

(A) Does Avast have a feature for this in its quarantine? That obviously would be simplest.

(B) If not, the original path on disk would have been listed in an alert. If Avast shows historical alerts, and you can get the file back, then you could drop it back in that folder (and replace the new one without any useful information in it that most likely was created there the next time you started Firefox).

Please note that it's a hidden folder by default on Windows, so to ease the navigation, you may need to show all hidden files and folders: https://support.microsoft.com/en-us/windows/show-hidden-files-0320fe58-0117-fd59-6851-9b7f9840fdb2

more options

Greetings...

I encountered this "prefs.js" being quarantined by my AVAST software on two different laptop computers today. Attached is a screen capture I made of the Threat Secured message that appeared.

Based on my read of the above thread, do I understand correctly that this is a false positive by AVAST? If yes, then is there any action that I need to do to restore full functionality to my Firefox web browsers on my affected laptops?

Please advise. Thanks very much!

more options

Ted Benjeski said

Based on my read of the above thread, do I understand correctly that this is a false positive by AVAST? If yes, then is there any action that I need to do to restore full functionality to my Firefox web browsers on my affected laptops?

Yes. What a waste of time!!

So the prefs.js file stores your customizations, such as:

  • home page URL
  • pinned sites on the new tab page Shortcuts section
  • most changes made through the Settings page

It also links your add-ons to their stored data.

If you find that it's easy enough to re-customize your Firefox, then you don't need to fish the old prefs.js file out of quarantine (assuming that is possible).

If you really prefer to restore the old file, I'm not an Avast/AVG user, so I don't know what is involved. I provided a general comment earlier in this thread.

more options

<deleted>

Ilungisiwe ngu Oceanclub to

more options

My prefs.js was destroyed, but the profile still has all of the files and folders.

How can I rebuild it???

more options

hodgesjaso said

My prefs.js was destroyed, but the profile still has all of the files and folders. How can I rebuild it???

Hi, is the prefs.js file still in the Avast/AVG quarantine? If so, you can create an exception for the file and Avast/AVG will give you the option to overwrite the current prefs.js file. If the problem just occurred, that should reconnect things, but if it has been a while, that may not be the best approach. When was your file removed?

Also, you might want to make a backup first: Back up and restore information in Firefox profiles.