Avast and Firefox False Positive - Answered

Avast Free Antivirus Version 22.2.6003
Firefox 98.0.1

What Happened:

At 10:45am Pacific (and using the latest version of Firefox), I opened an email survey link from a legit company that I am a member of…

A pop-up was displayed: ‘Avast Blocking Prefs.js File.’ I attempted to open the link two more times and the tab opened but the survey page would not open. Three copies of this file were placed in the ‘Quarantine’ section, showing the same time.

I was about to sign into the Avast forum when another pop-up was displayed: ‘Avast Has Safely Aborted VBS.Gamaredon-CM(Apt).’

I ran a smart scan and a full scan (but no issues were detected) so the computer was restarted and there have not been any further issues.

Next Steps:

- What are the next steps, does a setting need to be changed, and can the three copies of the Quarantine file be deleted?

Just got this myself today, 05:42PM, 05:43PM, 05:45PM and 05:49 GMT VBS:Gamaredon-CM [Apt] Prefs.js

@ Spiritual2016

I use Firefox (latest version) as my default browser and so far I haven’t bumped into this.

Also reported in another topic - https://forum.avast.com/index.php?topic=318639.0

I got the same msg for BOTH Firefox and Thunderbird profile files 3/22/22 at 1:30 PM EDT using free AVAST. Have newest versions of both Mozilla products that automatically update.

Have been into both Mozilla programs earlier today without complaint from AVAST.

I also got the message that pref.js was infected by VBS Gamaredon-CM and placed into quarantine.
I've sent the file to Avast for analysis.

I’m seeing the same thing, but with the pref.js in Thunderbird. Hoping it’s a false positive - submitted the file to Avast.

How do we track the false positive analysis?

Updated Feb. 16 to include new information on Gamaredon infrastructure and Indicators of Compromise

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

Microsoft discloses new details on Russian hacker group Gamaredon

https://maislsenders.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/

The link(s) I posted only explain what the Gamaredon detection is; they do not say if the file in your or others' case is a FP.

But there is a new post/reply from avast team here. https://forum.avast.com/index.php?topic=318640.0

Avast Premium Security destroyed Firefox and Mozilla Thunderbird with the pref.js files of the browsers as infected files with VBS Gamaredon-CM.

I don’t have my email accounts and my emails accessible anymore.

PLEASE HELP !

Is that official from Avast and not just from a forum post?
This problem appears to have quarantined my Firefox profile and my Thunderbird profiles are now missing although all the quarantined files look like they come from Firefox.

I got the same thing today as well. The files are in my quarantine. I had to refresh Firefox.

Reddit user running AVG also reported infection by VBS:Gamaredon-CM about 2 hr ago. This may not be an AVAST issue.

https://www.reddit.com/r/ukraine/comments/tk8q8z/is_anyone_else_getting_notifications_for_malware/

When attempting to restore the quarantined .js file and overwrite the existing file, it cannot do this. Where do we go from here?

Personally there is no rush to delete anything in quarantine, it can do no harm there, files are encrypted and the name is changed (if viewed from outside the quarantine).

Had they been required to get firefox/thunderbird working again - As the old saying goes, act in haste repent at leisure.

Are you able to run Firefox and/or Thunderbird to work again (as normal) without trying to restore?

If so then you should be ok as in Spiritual2016’s post above.

False positive and it should already be resolved according to this:
https://twitter.com/Avast/status/1506353632878505997

I confirm this FP, it happened to me too. Fortunately, I have Avast configured to ASK before fixing anything, so I simply ignored it and Firefox continued working fine.
Also a friend called me alarmed because all his Thunderbird emails disappeared after Avast claimed to have removed a virus.

THIS IS UNACCEPTABLE. just another in a LONG line of false positives.