With a steep surge in clickbait schemes involving “Ask You” pop-ups on Mac computers, this article can come in handy as a complete system remediation guide.
| Name | “Ask You” pop-up scam |
| Type | Adware |
| Associated alerts | “Confirm that you’re not a robot, you need click Allow”, “McAfee Security Alert: You’ve visited illegal infected website” |
| Action | Unwanted alerts, drive-by downloads, system slowdown |
| Danger | Low |
A very peculiar breed of pop-up scams has been taking the Mac environment by storm over the past several months. It involves alerts that splash right out of the Notification Center in the right-hand area of the screen and have an “Ask You” label. The messaging of these super-irritating objects revolves around subjects related to the system’s security, the user’s privacy, and financial well-being. All of these are intended to pique the victim’s interest and manipulate them into engaging with the warnings. This, however, is a bad idea. By clicking on those alerts, you’ll most likely be forwarded to rogue sites that report more serious problems and tout “fixes” that are frauds and malware in disguise.

On a separate note, campaigns in that vein have seen a dramatic rise since Apple introduced a refined set of runtime protections and other security mechanisms tailored for the M1 architecture. Because this move pulled the plug on many classic Mac infection techniques, cybercriminals started coming up with alternative styles of attack. The “Ask You” pop-up story fits this “thinking out of the box” context.
What makes this vector of exploitation unique is that it usually begins without malicious code as such. The problem stems from a shady website the user visits after clicking on a booby-trapped ad or a link in search results poisoned by crooks. Often, the landing page mimics the design of McAfee security alerts – for some reason, threat actors have been abusing the brand a lot lately. The rogue site is staged to show a deceptive permission request camouflaged as a human verification dialog. Behind the facade of the “Confirm that you’re not a robot” pop-up, there’s a request from the web page to show notifications. Therefore, the user thinks they are passing a garden-variety anti-bot check, when in fact they are unknowingly giving the green light to an influx of Notification Center warning messages.

These “Ask You” items have a System Preferences (renamed to System Settings in macOS Ventura and later) icon next to them with a red notification badge to draw extra attention and feign legitimacy. They cover a variety of eye-catching themes, the most common of which are as follows:
- System is infected!
- System Is at Risk
- Viruses Found (3)
- Critical Virus Alert. Click Here to Renew Antivirus
- Gmail alert: Account has been hacked. Your data may be stolen! Delete virus
- Virus detected: Trojan_%$@!F. Click here to turn on antivirus
- Detected: Trojan_BO8DF831059 – Mac scan required
- The virus can be damaged. Antivirus update is recommended
- Your iCloud is being hacked! Click here to remove the virus
- Act Fast! Mac at Risk! Get Ultimate Mac Protection
- Mac OS: The system is in danger! Threat detected. Click to delete
- MacOS Virus Detected
- System Mac OS is infected! Choose an action to restore the system
- Bank of New Zealand: Security Alert. Someone is trying to steal $410 from your bank account
If such pop-ups are swamping a Mac computer, a rule of thumb is to avoid engaging with them in any way. This translates to zero clicks; otherwise, the system can get infested with more harmful threats. Of course, this recommendation is at odds with the fair portion of frustration and disrupted user experience stemming from those incessant misleading artifacts. At this point, I must emphasize that the “Ask You” predicament isn’t really a malware-backed type of thing at its early stage. It’s typically isolated to a permission to show alerts, which was unwittingly granted to a specific website. The trick with these push notifications is that they’ll be appearing even when the browser isn’t open.
Therefore, the fix in most scenarios is as simple as going to your default browser’s preferences page, selecting Websites (as is the case with Safari, for instance), clicking Notifications, and revoking the permission for any listed sites that look unfamiliar. This simple method should stop the “Ask You” alerts in their tracks. However, if you have clicked one or a few of those pop-ups, some malware payloads might have been executed on your Mac already. That’s a call to action, namely a system checkup for offending programs that must be removed immediately if detected. Although this adds an extra step to your remediation plan, it’s a precaution worth taking to make sure your Mac is in a sound security state.
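
The same review can be done from the Terminal for Google Chrome. The script below is an added example, not part of the original guide: it lists every site that currently holds the notification permission, newest grant first. The default-profile path and the `profile.content_settings.exceptions.notifications` layout are Chrome's own and are assumed here, and the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Default Chrome profile on macOS; additional profiles sit in sibling folders.
PREFS = Path.home() / "Library/Application Support/Google/Chrome/Default/Preferences"
ALLOW = 1  # Chrome content-setting values: 1 = allow, 2 = block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Chrome timestamps are microseconds since 1601-01-01 UTC, stored as strings."""
    return EPOCH_1601 + timedelta(microseconds=int(value))

def allowed_notification_sites(prefs):
    """Return (origin, granted_at) for each site allowed to push notifications."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    found = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != ALLOW:
            continue
        origin = pattern.split(",")[0]      # key format: "<origin>,<embedder>"
        stamp = entry.get("last_modified")
        found.append((origin, webkit_to_utc(stamp) if stamp else None))
    # Newest grants first: an unwanted permission is usually a recent one.
    return sorted(found, key=lambda item: item[1] or EPOCH_1601, reverse=True)

# Constructed sample that mirrors the relevant part of the Preferences file.
SAMPLE = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"last_modified": "13300000000000000", "setting": 1},
    "https://verify-human.example:443,*": {"last_modified": "13350000000000000", "setting": 1},
    "https://ads.example.net:443,*": {"last_modified": "13340000000000000", "setting": 2},
}}}}}

if __name__ == "__main__":
    prefs = json.loads(PREFS.read_text(encoding="utf-8")) if PREFS.exists() else SAMPLE
    for origin, when in allowed_notification_sites(prefs):
        stamp = f"{when:%Y-%m-%d %H:%M} UTC" if when else "no timestamp"
        print(f"{stamp}  {origin}")
```

Any origin in the output that you don't recognize is a candidate for removal in the browser's notification settings.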
Remove “Ask You” pop-up virus from Mac manually
First things first, every infection instance boils down to a specific rogue app underlying it. Therefore, the starting point of the fix is to find and delete the malicious program that’s causing your Mac computer to act up. This could be easier said than done, though – some viruses are sneaky and don’t leave an obvious system footprint in an attempt to avoid detection.
The steps below will walk you through the best practices of spotting and removing “Ask You” pop-up virus from your Mac.
1. In the Finder’s Go pull-down menu, click Utilities
2. Select Activity Monitor
3. Take a look at the running processes and try to identify the malicious one. Its name isn’t likely to have anything in common with “Ask You” pop-up virus, therefore you should focus on resource-intensive entries that look unfamiliar and way out of place.
4. Once you spot the suspect, select it and click Stop in the upper left of the Activity Monitor screen. Follow on-screen prompts to force quit the unwanted item. Note that you may have to enter your admin password to do it
5. Reopen the Go menu and click Go to Folder
6. Enter the following string in the search box: /Library/LaunchAgents. Click the Go button
7. Check the folder for potentially unwanted items. As is the case with malicious executables, the names of sketchy LaunchAgents may suggest no connection with Mac threats. As a general rule, look for recently created objects you don’t recognize. Send the baddies to the Trash if found
8. Now you’ll need to complete the same procedure for the following directories: ~/Library/LaunchAgents, ~/Library/Application Support, and /Library/LaunchDaemons. Go to these paths in turn (see Step 6 above), inspect their contents for dubious items and folders, and eliminate them.
9. Use the Go menu in your Finder again and click Applications
10. Scrutinize the list of installed apps to try and locate the malicious one. This could also be a shot in the dark because the culprit isn’t going to be named “Ask You” pop-up virus or similar. Your goal is to spot a recently added fishy-looking program you didn’t wittingly install. Send it to the Trash immediately
11. Click the Apple menu icon and pick System Preferences. You can as well click the gear symbol in the Dock if it’s there
12. Head to Users & Groups and click Login Items. Click the padlock icon at the bottom left to enable changes – this will require your admin password. Find the app that shouldn’t be started automatically at boot time, select it, and click the ‘minus’ symbol
13. When on the System Preferences screen, select Profiles. In most cases, the list will show up blank unless it’s a company-issued Mac and your employer has added a configuration profile to manage specific areas of the system. Anyway, if you see a profile that shouldn’t be there (e.g. AdminPrefs or TechSignalSearch), select it and click the ‘minus’ symbol to eradicate it
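
The LaunchAgents and LaunchDaemons checks in the steps above can be made less of a guessing game by reading what each item actually launches. The script below is an added example, not part of the original guide: it parses every plist in the three launchd folders named above and flags recently modified, auto-starting, or hidden-path entries. The flag names and the 30-day window are assumptions chosen for illustration.

```python
import plistlib
import time
from pathlib import Path

# launchd locations named in the steps above.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents", "/Library/LaunchDaemons"]

def triage(directory, recent_days=30, now=None):
    """Return one record per launchd plist with the flags a reviewer would check."""
    now = time.time() if now is None else now
    records = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        flags = []
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)      # handles XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("root is not a dictionary")
        except Exception:
            job, flags = {}, ["unparseable"]
        # The executable is ProgramArguments[0], or Program when that key is used.
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        program = str(args[0])
        # Modification time is used as a portable stand-in for creation time.
        if (now - path.stat().st_mtime) / 86400 <= recent_days:
            flags.append("recent")
        if job.get("RunAtLoad") or job.get("KeepAlive"):
            flags.append("autostart")
        if any(part.startswith(".") for part in Path(program).parts):
            flags.append("hidden-path")      # heuristic: binary kept in a dot-directory
        records.append({"file": path.name, "label": job.get("Label", ""),
                        "program": program, "flags": flags})
    return records

if __name__ == "__main__":
    for d in LAUNCHD_DIRS:
        if not Path(d).expanduser().is_dir():
            continue
        for rec in triage(d):
            print(f"{d}/{rec['file']}: {rec['program'] or '?'} [{', '.join(rec['flags'])}]")
```

A flag is a prompt to look closer, not a verdict: legitimate software also installs auto-starting agents, so check the program path before sending anything to the Trash.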

So much for the manual removal workflow. Keep in mind that most Mac threats stretch their grip over to web browsers. If this is the case, your online activities will continue to be affected and you’ll need to additionally tackle the browser side of the attack. Here’s how you do it.
“Ask You” pop-up removal in a web browser on Mac
The steps below will help you regain control of the browsing preferences hijacked by “Ask You” pop-up virus. Be advised that you may be logged out of sites and lose your web customizations as a result of this procedure. The silver lining, though, is that the malware won’t be meddling with your online sessions anymore.
Troubleshoot Safari malfunctioning
- Open Safari, expand the Safari pull-down menu, and pick Preferences

- Click Advanced and check the ‘Show Develop menu in menu bar’ box

- You’ll see the Develop menu added at the top of the screen. Click it and select Empty Caches on the list

- Expand the History entry in the Safari menu and select Clear History

- It’s best to pick all history in the follow-up screen to obliterate all malicious cookies and website data generated by the malware. Then, click Clear History

- Return to the Safari Preferences, select the Privacy section, and click the Manage Website Data button

- Click Remove All on the subsequent screen

- Finish the procedure by restarting Safari
Restore Google Chrome defaults
- Open Google Chrome, click the Customize and control Google Chrome (⁝) symbol in the upper right, and choose Settings

- Click Reset settings

- The browser will display an extra dialog so that you can familiarize yourself with the logic of the cleanup before proceeding. Go ahead and click the Reset settings button

- Restart Google Chrome
Fix the problem in Mozilla Firefox
- Open Firefox, click its menu icon (three horizontal lines), select Help, and click Troubleshooting Information

- Click Refresh Firefox and confirm the action

- Restart Mozilla Firefox
Remove “Ask You” pop-up virus using Combo Cleaner
Manual removal of Mac malware could be a bumpy road because you run the risk of missing small fragments of the infection, in which case all the efforts may be futile down the line. The automatic tool called Combo Cleaner eliminates this pitfall by leveraging effective detection algorithms to identify every single malicious file on your Mac. This way, “Ask You” pop-up virus removal is a matter of a few clicks and a couple of minutes’ wait. Use the following steps to give it a go.
Download and install Combo Cleaner app.
The free scanner will let you know if your Mac is infected. To remove viruses, you will have to buy the Premium version of Combo Cleaner.
- Run the tool, let it perform the virus and malware definitions update, and click Start Combo Scan

- The app is equipped with a competitive mix of security, privacy, and optimization features. Therefore, not only does it spot prevalent Mac malware but it also finds tracking cookies and unneeded files that take a lot of disk space and should be deleted

- If Combo Cleaner detects threats on your Mac, it will provide a report containing the number of these infections and the categories they fall into. At this point, all you need to do is click the Remove Selected Items button

- Having uninstalled malware from your Mac, you should redefine your web browser preferences manually if they have been previously modified by the infection without your consent.
