Network and Internet: Avast Free Antivirus and Firefox false positive prefs.js.
Since I'm playing with my VMware network of multiple-platform computers, I visit lots of websites that perhaps I shouldn't, in order to find drivers and software for the early Windows versions. So, I was not really surprised when, one day, I got a threat detection message from Avast Free Antivirus.
Looking at the details, I saw that the potential threat was a file called prefs.js, located in the Firefox profiles directory. This looked bad. A malware infection from one of the old software websites, I was convinced.
What is prefs.js? A regular file or malware? Prefs.js is a legitimate file used by Mozilla Firefox (and also by other browsers) to store the browser user profile, i.e. the browser configuration for a given user. The file is located in a subfolder of %APPDATA%\Mozilla\Firefox\Profiles, in full C:\Users\{user-name}\AppData\Roaming\Mozilla\Firefox\Profiles (at least on Windows 10; note that you must enable the display of hidden items in order to see the AppData folder in File Explorer). The profile file is mandatory for Firefox to work, and it is created at Firefox startup, based on the settings that have been configured by the user.
Considering the information this file contains, it's obvious that it's a good target for browser hijackers and adware, which can modify the file. This can result in unwanted redirects, lots of new tabs popping up, multiple advertisements showing when you browse, or an alteration of the home page, new tab, extensions, themes, and privacy settings. Was that what was happening to me? No - the prefs.js detection actually was a false positive, i.e. a file that is detected as a threat, but in reality isn't one.
However, the problem is a lot more complicated. First, I did not know about the false positive at that moment. Second, even though Avast had moved the file into quarantine, the threat alert continued to pop up each time I started Firefox, which seemed to prove that there was some program recreating the "infected file". Third, it's never a good idea to restore a file from quarantine and tell your antivirus that the quarantined file is harmless if you aren't absolutely sure about this. Anyway, I read in a related post in the Avast forum that it wouldn't be possible to restore the file.
So, I decided to uninstall and reinstall Firefox. At the first startup, the Avast threat alarm appeared again. I then tried to uninstall Firefox, delete the profile folders and reinstall Firefox. This was a very bad idea! The error message "Your Firefox profile cannot be located. It may be missing or inaccessible." popped up, and Firefox itself was no longer able to start!
There are several ways to resolve this problem, among others using the Firefox Profile Manager, which can be started even if Firefox doesn't work anymore. I found a simpler way; a way that worked on my system, with no guarantee that it always works! The fact that Firefox looked for the profile file even after a reinstallation showed that the uninstall had not removed the Firefox data referencing the profile file. Based on this, I removed the entire Mozilla folder in AppData\Roaming (moving it to some other location instead of deleting it is the better way to do this). After the installation of the latest Firefox version, the browser started up properly. And no more threat detection by Avast. This is difficult to interpret. Was there really something wrong with the previous prefs.js file? Had a new version of Firefox, with some different coding of prefs.js, been released? Or had new virus definitions, which no longer detect prefs.js as a threat, been installed in the meantime? No idea...
Even though, with the removal of the Mozilla folder, Firefox no longer found any reference to the previous profile, it did notice that it had been installed before. It says so and offers the possibility to refresh Firefox. This is like a completely new start: all configuration settings are reset to default values, and all add-ons, bookmarks, etc. are removed. I found it a good idea to do so: after problems like the one described here, a start from scratch is often the best you can do!
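An added example, not part of the original post: one way to inspect a flagged prefs.js (or a copy of it) before deciding whether a detection is a false positive is to parse its user_pref() lines and list the start-page and proxy preferences, plus any line that is not a plain preference. The watchlist, the expected home pages and the sample content are assumptions made for this illustration.

```python
import json
import re

# Assumed watchlist: the start-page and proxy settings. Extend as needed.
WATCHED = ("browser.startup.homepage", "network.proxy.")
# prefs.js holds one call per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.*?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return ({name: value}, [non-comment lines that are not valid prefs])."""
    prefs, unparsed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        try:
            if not m:
                raise ValueError("not a user_pref() call")
            prefs[json.loads(m.group(1))] = json.loads(m.group(2))
        except ValueError:
            unparsed.append(line.strip())
    return prefs, unparsed


def review(text, expected_homepages=("about:home", "about:blank")):
    """List watched prefs so they can be compared with the user's own settings."""
    prefs, unparsed = parse_prefs(text)
    findings = []
    for name, value in sorted(prefs.items()):
        if not name.startswith(WATCHED):
            continue
        # Several home pages are stored in one string, separated by "|".
        if name == "browser.startup.homepage" and all(
                p in expected_homepages for p in str(value).split("|")):
            continue
        findings.append((name, value))
    return findings + [("unparsed line", u) for u in unparsed]


# Constructed sample, not taken from a real profile.
SAMPLE = r'''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home|https://start.example.invalid/");
user_pref("network.proxy.type", 1);
user_pref("extensions.lastAppVersion", "115.0");
something_else("x", 1);
'''

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

An empty result only means that none of the watched settings differ from what was expected; it does not prove the file is clean.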