Had an alert for prefs.js (Firefox profile settings file) come up and be quarantined.
Threat name: VBS-Gamaredon-CM [Apt]
Threat type: Advanced persistent threat - This is a targeted attack in which an attacker hides out on your network to spy on you or steal your data.
File path: C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\nn7c461p.default-release\prefs.js
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Detected by: File Shield
Alert ID: 9aade828c058/220322.1742+0000
From what I can tell from googling, it’s not unusual for the file to be flagged by some programs as a false positive. Sometimes it can flag up when Firefox is looking for updates. Ran a scan with MalwareBytes as well and it didn’t find any issues, which is why I’m wondering if it’s something I should be concerned about or if it’s a false positive.
In quarantine it’s listed 12 times between 17:42 and 17:45. I’ve sent the latest one to be analysed, as the option was there.
Gamaredon appears to be a Russian hacker group known for picking Ukrainian targets, but I’m nowhere near Ukraine.
The quarantined prefs.js file of my Mozilla Thunderbird has 4 options: 1) restore, 2) restore and add exception, 3) extract and 4) send for analysis.
Can I use the EXTRACT first, in order to be absolutely sure that I’ll have backed up the file safely before I use the restore option, or am I thinking about it wrong?
Hey everyone, I had the exact same issue on one of my computers.
What I found odd is that initially I kept getting the pop-up even when Firefox wasn’t running. When I restarted my computer it stopped. I ran some system scans and they came up clean.
Also, some of my settings in Firefox were changed (my home page had changed, along with a few other settings). I don’t really understand why.
But if it’s a false positive and fixed then great.
Hmmm. It’s a good question. I am not sure. I would guess the first quarantined one will be the file you need. Try to restore the first file. If that does not help, then create a copy of this file and restore another.
On Twitter, Avast advised me to attempt to restore the first quarantined file; however, Avast wouldn’t restore the files for me in TB or FF. I hope Avast have a solution.
I was able to use EXTRACT to save a copy of each PROFILE onto my HD in a temporary file. The quarantine lists the original location of the file. I believe you should be able to replace the file in TB and FF with the corresponding FIRST quarantined file that was EXTRACTED.
You can find explanations online for how to move both TB and FF from one computer to another. (I have successfully done this when rebuilding a laptop after updating the OS.) Moving the Profile seems analogous to PART of that process.
To restore, I went to the location of the Firefox profile while the application was closed, deleted the prefs.js file and then restored. Avast cannot overwrite an already existing file, I guess.
I had the same alert from Avast and was relieved to hear it was a false positive. However, my alert was different from what other people have received.
Other people have mentioned that Avast quarantined their Firefox files, or aborted connection to various websites when the alert popped up, but for me it was a file located in C:\ProgramData\Microsoft\Windows\WER\Temp and the infected file was called WER579D.tmp.txt
Is it normal for Windows files to have both tmp and txt at the end? I don’t recall seeing that before.
And is this just the same as the other false positives? Is all as it should be and I am not infected?
Thank you to the person who said to delete the prefs.js file in the profile (cannot now find their post) and then restore from Avast quarantine. This worked for me with FF and TB.
I didn’t know this was a false positive and last night I deleted the three copies (VBS:Gamaredon bla bla…) of the file from the quarantine section. Was I supposed to restore it? Will there be any harm on my end?