With some Mac users currently being overwhelmed with fake “Ask You” pop-ups that appear in the Notification Center, here is a sure-shot way to get rid of them.
Update: March 2024
What is the “Ask You” Mac pop-up?
The Notification Center has been an inalienable part of the Mac user experience since the release of OS X Mountain Lion back in 2012. With each new operating system build, this feature has undergone fine-tunings but the overarching idea remains the same: bridging the gap between the user and potentially important information generated by applications that run on the machine. There’s no denying that this component is hugely useful, but with the caveat that it has been in the spotlight of scammers and malware distributors for years. The dominant vector of exploitation in this context boils down to duping the user into allowing a specific app to show notifications, and the common source of this abuse is a web browser. That’s exactly what the recent “Ask You” Mac pop-up activity is about. With such an attack underway, the victim gets annoyed by non-stop messages from a service called “Ask You” being spewed out of the Notification Center, as illustrated in the following image.
The reason for these rogue alerts to inundate the right-hand part of the Mac’s screen is that a junk website somehow got the green light to display notifications. Although most of those affected can’t remember slipping up that way, this aftermath isn’t a matter of a zero-click attack or a similar sophisticated tactic. It all starts with a would-be victim visiting a sketchy site like mictiotom.com or guroshied.com that triggers a fake human verification request supposedly required to view some kind of viral content, such as breaking news or a video that’s the talk of the town.
These web pages can as well push alternative narratives depending on visitors’ locale and other parameters. Fake virus detection reports, allegedly coming from McAfee or other trustworthy security solutions, with a “magic” repair button are quite widespread, too. The truth is that these “Confirm that you’re not a robot” and malware-related garbage pop-ups are nothing but a curtain for dodgy permission dialogs, where clicking an ostensibly harmless thing gives that site the privileges to generate alerts via the Notification Center.
This strategy is browser-neutral, which means it applies to Safari, Google Chrome, and Mozilla Firefox to the same extent. The variable thing is the way the user landed on the malicious site. In most cases, the path begins with a misleading advertisement placed on a popular publication by means of content management system (CMS) hacks or vulnerabilities in the target sites’ third-party components like plugins or themes. The ad will open the dubious resource once clicked. Another likely scenario relates to the activity of a browser redirect virus that’s already lurking inside the Mac and forwards the traffic to arbitrary domains as instructed by remote malware operators. No matter the mechanism, the final outcome depends on the user’s vigilance in whether or not they engage with suspicious site elements.
If the crooks’ plan pans out, the “Ask You” pop-ups will be incessantly interrupting the victim’s computing routine. They typically include some sort of scary information to pressure the user into taking action immediately without a second thought. A few examples of these messages’ manipulative wording are as follows:
- “Detected: Trojan_BO8DF831059 – Mac scan required”
- “macOS: The system is in danger! Threat detected. Click to delete”
- “Gmail alert: Account has been hacked. Your data may be stolen! Delete virus”
- “Kerberos utherntication: ***”
- “System Mac OS is infected! Choose an action to restore the system”
- “Your iCloud is being hacked! Click here to remove the virus”
- “Bank of America: Security alert. Someone is trying to steal $410 from your bank account”
- “The virus can be damaged. Antivirus update is recommended”
The crooks behind this scheme expect to get people on the hook this way, since interacting with these notifications is risky business. In many cases, doing so will open a fraudulent web page that promotes scareware under the guise of a legitimate malware scanner. Some of these landing sites harbor tech support scams that instruct the visitor to reach a “technician” on the phone. This flavor of the stratagem may aim to persuade the user into allowing a remote access session with the Mac, which entails privacy issues and dangerous code downloads in the long run. Plus, the “Tetris” of these notifications all over the desktop is a huge nuisance in and of itself.
An eye-catching hallmark of these warnings is that some of them are riddled with typos and nonsensical wording, as is the case in the phrase “The virus can be damaged” for instance. While at first blush this looks like vanilla negligence and fits the popular claim about cybercrooks not proofreading their work, this use of bad English might as well be deliberate. The scammers’ primary targets are people who don’t exercise proper attention to detail – that’s the audience most susceptible to online hoaxes. Therefore, this campaign could be more intricate than it appears.
The silver lining is that the fix may be trivial. The screen capture above demonstrates the method that usually works like a charm. If the scam pop-ups are opening random sites in Safari when clicked, it’s recommended to open the browser’s preferences, hit the “Websites” tab, and select “Notifications” in the sidebar. If there is an entry within the main pane with an “Allow” label next to it, be sure to pick “Deny” instead. The workflow is similar with other browsers. Another thing worth trying is to open System Preferences, head to “Notifications”, pick the misbehaving web browser, and revoke permissions that appear shady. If none of this does the trick, the paragraphs below will walk you through an effective malware cleaning procedure that should address the issue.
“Ask You” virus manual removal for Mac
The steps listed below will walk you through the removal of this malicious application. Be sure to follow the instructions in the specified order.
- Expand the Go menu in your Mac’s Finder bar and select Utilities as shown below.
- Locate the Activity Monitor icon on the Utilities screen and double-click on it.
- In the Activity Monitor app, look for a process that appears suspicious. To narrow down your search, focus on unfamiliar resource-intensive entries on the list. Keep in mind that its name isn’t necessarily related to the way the threat is manifesting itself, so you’ll need to trust your own judgement. If you pinpoint the culprit, select it and click on the Stop icon in the upper left-hand corner of the screen.
- When a follow-up dialog pops up asking if you are sure you want to quit the troublemaking process, select the Force Quit option.
- Click on the Go menu icon in the Finder again and select Go to Folder. You can as well use the Command-Shift-G keyboard shortcut.
- Type /Library/LaunchAgents in the folder search dialog and click on the Go button.
- Examine the contents of the LaunchAgents folder for dubious-looking items. Be advised that the names of files spawned by malware may give no clear clues that they are malicious, so you should look for recently added entities that appear to deviate from the norm.
As an illustration, here are several examples of LaunchAgents related to mainstream Mac infections: com.updater.mcy.plist, com.avickUpd.plist, and com.msp.agent.plist. If you spot files that don’t belong on the list, go ahead and drag them to the Trash.
- Use the Go to Folder lookup feature again to navigate to the folder named ~/Library/Application Support (note the tilde symbol prepended to the path).
- When the Application Support directory is opened, identify recently generated suspicious folders in it and send them to the Trash. A quick tip is to look for items whose names have nothing to do with Apple products or apps you knowingly installed. A few examples of known-malicious folder names are com.AuraSearchDaemon, ProgressSite, and IdeaShared.
- Enter ~/Library/LaunchAgents string (don’t forget to include the tilde character) in the Go to Folder search area.
- The system will display LaunchAgents residing in the current user’s Home directory. Look for the following dodgy items related to the “Ask You” pop-up virus: com.ConnectionCache.service.plist, com.digitalprotection.emcupdater.plist, com.mulkey.plist, com.nbp.plist, and com.sys.system.plist. Drag these files to the Trash.
- Type /Library/LaunchDaemons in the Go to Folder search field.
- In the LaunchDaemons path, try to pinpoint the files the malware is using for persistence. Several examples of the items cropped by this Mac infection are com.ConnectionCache.system.plist, and com.mulkeyd.plist. Delete the sketchy files immediately.
- Click on the Go menu icon in your Mac’s Finder and select Applications on the list.
- Find the app that clearly doesn’t belong there and move it to the Trash. If this action requires your admin password for confirmation, go ahead and enter it.
- Expand the Apple menu and select System Preferences.
- Proceed to Users & Groups and click on the Login Items tab. The system will display the list of items launched when the computer is starting up. Locate the potentially unwanted app there and click on the “-” (minus) button.
- Now select Profiles under System Preferences. Look for a malicious item in the left-hand sidebar. Several examples of configuration profiles created by Mac adware include AdminPrefs, TechSignalSearch, MainSearchPlatform, and Safari Preferences. Select the offending entity and click on the minus sign at the bottom to eliminate it.
If your Mac has been infiltrated by adware, the infection will most likely continue to hold sway over your default web browser even after you remove the underlying application along with its components sprinkled around the system. Use the browser cleanup instructions below to address the remaining consequences of this attack.
Get rid of “Ask You” pop-ups in web browser on Mac
To begin with, the web browser settings taken over by the “Ask You” virus should be restored to their default values. Although this will clear most of your customizations, web surfing history, and all temporary data stored by websites, the malicious interference should be terminated likewise. The overview of the steps for completing this procedure is as follows:
- Remove “Ask You” pop-up virus in Safari
- Open the browser and go to Safari menu. Select Preferences in the drop-down list.
- Once the Preferences screen appears, click on the Advanced tab and enable the option saying “Show Develop menu in menu bar”.
- Now that the Develop entry has been added to the Safari menu, expand it and click on Empty Caches.
- Now select History in the Safari menu and click on Clear History in the drop-down list.
- Safari will display a dialog asking you to specify the period of time this action will apply to. Select all history to ensure a maximum effect. Click on the Clear History button to confirm and exit.
- Go back to the Safari Preferences and hit the Privacy tab at the top. Find the option that says Manage Website Data and click on it.
- The browser will display a follow-up screen listing the websites that have stored data about your Internet activities. This dialog additionally includes a brief description of what the removal does: you may be logged out of some services and encounter other changes of website behavior after the procedure. If you’re okay with that, go ahead and click on the Remove All button.
- Restart Safari
- Remove “Ask You” pop-ups in Google Chrome
- Open Chrome, click the Customize and control Google Chrome (⁝) icon in the top right-hand part of the window, and select Settings in the drop-down
- When on the Settings pane, select Advanced
- Scroll down to the Reset settings section.
- Confirm the Chrome reset on a dialog that will pop up. When the procedure is completed, relaunch the browser and check it for malware activity.
- Remove “Ask You” fake notifications in Mozilla Firefox
- Open Firefox and go to Help – Troubleshooting Information (or type about:support in the URL bar and press Enter).
- When on the Troubleshooting Information screen, click on the Refresh Firefox button.
- Confirm the intended changes and restart Firefox.
Get rid of “Ask You” pop-up virus using Combo Cleaner removal tool
The Mac maintenance and security app called Combo Cleaner is a one-stop tool to detect and remove "Ask You" virus. This technique has substantial benefits over manual cleanup, because the utility gets hourly virus definition updates and can accurately spot even the newest Mac infections.
Furthermore, the automatic solution will find the core files of the malware deep down the system structure, which might otherwise be a challenge to locate. Here’s a walkthrough to sort out the "Ask You" issue using Combo Cleaner:
- Download Combo Cleaner installer. When done, double-click the combocleaner.dmg file and follow the prompts to install the tool onto your Mac.
- Open the app from your Launchpad and let it run an update of the malware signature database to make sure it can identify the latest threats.
- Click the Start Combo Scan button to check your Mac for malicious activity as well as performance issues.
- Examine the scan results. If the report says “No Threats”, then you are on the right track with the manual cleaning and can safely proceed to tidy up the web browser that may continue to act up due to the after-effects of the malware attack (see instructions above).
- In case Combo Cleaner has detected malicious code, click the Remove Selected Items button and have the utility remove "Ask You" threat along with any other viruses, PUPs (potentially unwanted programs), or junk files that don’t belong on your Mac.
- Once you have made doubly sure that the malicious app is uninstalled, the browser-level troubleshooting might still be on your to-do list. If your preferred browser is affected, resort to the previous section of this tutorial to revert to hassle-free web surfing.