What is "f.txt.js" file downloading from Safari?

Eric: I believe your step 2 solved the problem! I'm going to be away from my computer tomorrow, so am replying before a full 24 hrs without the unsolicited downloads. But I have not had a single one since I cleared my cookies per your step 2.

Clearing my caches (step 1) definitely did NOT solve the problem. I got a pair of the strange f.txt.js files right out of the blank Google search line (my home page) just as I clicked "Clear Cache" in the Develop menu. And a couple more a bit later from another web page. So I cleared my cookies and that seemed to do it. Not a single one since then.

If I'm wrong and the problem recurs, I'll try step 3 of shutting off my 2 extensions and will report the results. But no further posts by me means the problem has stayed solved! Thank you!

Well since I posted that reply I have had only one recurrence. Again, I was on a Google search and had just entered my first page of search results when the download icons (2 in this case) popped out of the Safari icon ON THE DOCK and arced over to the download folder. I don't know if where the downloads APPEAR to pop up means anything at all, but, for what it's worth, when this has happened while I'm on a web page, they usually appear somewhere on the web page and zoom over to the download folder on the R side of the Dock. But, in this case, they clearly popped out of the Safari Dock icon, while a safari page was open with a page of Google search results. That Google page was the only browser page that I had open and active, but I do have 4 web pages pinned on my browser: the Wall St. Journal, a webmail website, my home weather station web page and Weather Underground's wundermap. So technically, I guess those pages are "open" all the time but minimized. Not that I suspect any of them especially.

This single occurrence since my last previous post was, again, two apparent text documents named "f.txt.js" and "f.txt.js-2" and I again dropped them in ClamXAV's scanner (negative for "infection") and then in the Trash which I emptied.

I have identified the steps you outline above for emptying my Safari caches, deleting cookies and turning off extensions. But I have not performed them yet as I am waiting to see if the spontaneous downloads happen again (I suppose they probably will!).

One question for you: are the menu choices for emptying caches and disabling extensions under the "Develop" heading on the Safari tool bar acceptable for doing those tasks? Seems a handy way to access them.

Also fwiw, I only have 2 extensions running on Safari (at least showing on my extensions list in Safari preferences): 1Password and a Parallels extension for Safari that, when its Safari title bar icon is clicked, opens the active web page in Windows Internet Explorer (in Parallels). That latter Parallels extension is not one I remembered applying/OK'ing (but I must have, right?) when I set up Parallels. Nor do I really see much use for it because I don't know why I would want to open a Safari page in Internet explorer.......but I suppose it COULD come in handy on rare occasion when I want a web page active in a Parallels Windows session that I usually view in a Mac session in Safari. Practically speaking, when I'm using Parallels and running a Windows session (mostly for long accumulated Quicken financial records), I just open a Safari window on the Mac as both sessions can co-exist quite nicely on the same desktop. And the clipboard can be used to copy/paste back and forth. Macs now have SO much horsepower that running busy sessions of both OSX and Windows at the same time still affords snappy performance and transparency of a degree that you never really know you're running two "machines" on the same desktop!

Thanks for your continuing advice. I will report back on this one way or the other, probably in 24 hrs.

Well thank you two (Piqure & Eric) for ultra prompt answers. And thank you both for suggesting Malwarebytes because it's nice to know that something well thought of didn't find anything!

Downloaded, installed and ran Malwarebytes and it found NOTHING! (same result as ClamXAV and BitDefender). I had stepped up and paid for a ClamXAV subscription because so many Mac people spoke highly of it. So I guess I'm glad that neither of the free programs showed it up by finding something it couldn't!!

I have to say that ClamXAV made short work of the Trojan when it initially downloaded. I had ClamVAV's "Sentry" running and it must automatically scan all downloads because it went off so quick it startled me, coming within a fraction of a second of the download icon popping out of Safari and arcing over to my downloads folder.

So based on 3 well recommended malware defenders for Mac (ClamVAV, BitDefender & Malwarebytes), I guess it's pretty safe to say that nothing recognizable is hiding on my computer. After a Google search for anything I could find about spontaneous downloads of f.txt.js files, I am left with the thought that MAYBE the Trojan somehow damaged some code in Safari....??? Several people on various Mac techie websites have opined that it appears that somehow something (pop-up ad? or ??) is TRYING to launch but Safari can't properly open it so it downloads it as an impotent and innocuous text file. I don't know enough to critique that idea. Is that a reasonable theory?

Anyway, the spontaneous downloads, after happening a lot this afternoon (Pacific Time), have now appeared to have stopped for the evening.......so far!

As far as I can see, nothing bad is resulting from this, but I'd sure like to hear from someone out there who knows WHAT a "f.txt.js" file is? And what produces them?.......Safari or malware??