Firefox Hijacked!

I stupidly allowed a browser hijack to affect my Firefox. It periodically throws a notification that I need to renew my McAfee subscription. I don't have McAfee. I looked for a new, suspicious extension, but found none. I removed Firefox using sudo apt -remove Firefox and then reinstalled, but that did not clear up the infection. I suspect "leftover" files in some directory or other are at fault, but I'm not sure where to look. There are .mozilla and .firefox directories, as well as files in /etc and elsewhere. Any ideas where I can look?

Purge probably won't clean your home directory. Try deleting .mozilla and .firefox inside ~ and ~/.config etc.

4 Likes

Thanks. I've gone a few steps further. I installed clamav and will be scanning and running it from now on. I also installed my preferred browser, Brave. It used to be that Brave was unstable on Linux, but it seems to have improved greatly!

I'll probably re-install Firefox after I've thoroughly cleansed my machine, but Brave is going to be my default from now on (unless it breaks).

1 Like

Just curious, not able to assist.

What were your security settings within Firefox at the time that the hijack happened? I would upload a captured PDF of those for my own, but I am unable to upload a PDF. :frowning:

(Wonder why that policy exists? Maybe implement an undisclosed "trust-building and assignment" process that would permit select users to do so.)


Maybe also review your settings in this section:

Well, it's been six months, so I don't recall the resolution, but I did remove Firefox and re-installed it, and I've had no problems since.

1 Like

When I don't know where to look I usually run a catfish search. Sometimes you have to run it separately on sub-folders to find everything.

Are you using Firefox or Firefox ESR? From the official repository?
Have you considered Waterfox? LibreWolf? Installing Firefox as a tarball to opt?

I use the Ubuntuzilla version which runs separate profiles so you can run Firefox and Firefox ESR independently at the same time.

https://sourceforge.net/p/ubuntuzilla/wiki/Main_Page/#installation

I ran into a similar problem when I had an interruption while updating Firefox. Some remnant was left which would not let me update or remove it. I ran catfish and deleted everything firefox I could find, then installed it as a tarball in opt which runs independent of the system. Of course you need good backups of your bookmarks and passwords as you will be deleting that too.

Eventually the problem disappeared over time and I was able to reinstall firefox from the repository.

1 Like

Sorry to jump in the discussion, but if we're talking about the integrity of the file potentially involved in the situation, it might be better to back-up important files and completely reinstall the system?

Thank you for bringing that to my attention, Jim! For those who want to know more, there is this article that is a helpful intro to both Catfish and Albert.

It sounds like a website once asked for permission to send notifications and "Yes" was accidentally clicked.

It's possible a website registered a service worker, which can happen by visiting the site. You can see them on this page:

about:debugging#workers

A service worker could've been the thing sending the weird notifications. These can run even if the website isn't open. Binning the ~/.mozilla folder was a good idea for a clean break.

If anyone gets this in future, it's worth checking:

Firefox Settings → Privacy & Security → Under the Permissions section:
Notifications → "Settings..."

:no_bell: There's also an option there to block any new requests for notifications from any website.

If you want to try a notification (or to be reminded of how they look), this community Discourse has a "live notifications" feature. It's under your profile (top-right)→ Preferences → :bell: Notifications → "Enable Notifications".

3 Likes
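The notification permission check described in the post above can also be done from outside the browser. The following is an added example, not part of any post in this thread: it reads the `moz_perms` table of a profile's `permissions.sqlite` and lists origins allowed to send notifications. The function names and the sample origins are constructed for illustration.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

ALLOW = 1  # moz_perms.permission: 1 = allow, 2 = block

def notification_grants(db_path):
    """Return the origins a profile allows to show notifications."""
    # Open read-only and immutable so a running Firefox's database is untouched.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        rows = con.execute(
            "SELECT origin FROM moz_perms "
            "WHERE type = 'desktop-notification' AND permission = ? "
            "ORDER BY origin", (ALLOW,)).fetchall()
    return [origin for (origin,) in rows]

def build_sample_db(path):
    """Write a constructed permissions.sqlite with made-up origins."""
    sample = [("https://forum.example", "desktop-notification", 1),
              ("https://ads.example", "desktop-notification", 1),
              ("https://news.example", "desktop-notification", 2),
              ("https://maps.example", "geo", 1)]
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT,"
                    " type TEXT, permission INTEGER, expireType INTEGER,"
                    " expireTime INTEGER, modificationTime INTEGER)")
        con.executemany("INSERT INTO moz_perms (origin, type, permission,"
                        " expireType, expireTime, modificationTime)"
                        " VALUES (?, ?, ?, 0, 0, 0)", sample)
        con.commit()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "permissions.sqlite"
        build_sample_db(demo)
        print("sample:", notification_grants(demo))
    # Real profiles: classic location, plus the snap package's location on Ubuntu.
    for root in (Path.home() / ".mozilla/firefox",
                 Path.home() / "snap/firefox/common/.mozilla/firefox"):
        for db in sorted(root.glob("*/permissions.sqlite")):
            print(db.parent.name, notification_grants(db))
```

Run it with Firefox closed so that recently changed permissions have been written to the file; any origin you do not recognise can then be removed under Notifications → "Settings...".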

Yes it's always a good idea, which is why I back up periodically. But I had just gotten an Ubuntu Pro license and that would have defeated the whole purpose of the extended support so I wanted to try fixing it or finding a suitable alternative first.