Mac infected with Gofenews.com but Malwarebytes does not find it in Scan

Infected operating system
MacOS 12.01
Infected device issues
Screens of Gofenews.com asking to Allow notifications
Browsers affected by infection
  1. Safari
Browser Settings: Homepage and Default Search Engine
Please let me know what you need
Browser extensions
none

ehwj

New Member
Thread author
Nov 10, 2021
5
Topic just about says it all. On my iMac (Retina 5K, 2020) running MacOS 12.01 (most recent upgrade)/ I have several copies of Gofenews.com open on my Safari browser.. Each screen same except for the beginning four digit number asking for permission to show alerts in Notification Center.
Found thread that basically going to Safari Preferences, click on Websites, then on Notifications and mark each instance of gofenews to "Deny". Then go to Malwarebytes, scan and remove all instances of the Gofenews.com
All works well except for one big thing. Malwarebytes, v.4.13.5 does not find anything bad - No threats detected, no PUP's detected, no nothing.
I'm left with several screens with the request to allow notifications. I remove each copy from Safari-.Preferences->Notifications. I Force Quit Safari, and click on restart and uncheck the box to reopen websites on startup. Restart Restart and have them all back when startup completes.


Any hints, suggstions, thoughts????
ehw
 
  • Like
Reactions: JB007

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Try this:
  1. On the top menu click on Go => Applications.
  2. Drag any unwanted/suspicious application to the Trash bin.
  3. Right-click on the Trash and select Empty Trash.
Check also for suspicious extensions in Your Safari browser...
 

ehwj

New Member
Thread author
Nov 10, 2021
5
Try this:
  1. On the top menu click on Go => Applications.
  2. Drag any unwanted/suspicious application to the Trash bin.
  3. Right-click on the Trash and select Empty Trash.
Check also for suspicious extensions in Your Safari browser...
Thank you for your reply. I did not find any applications that appeared to be "suspicious" and none with "gofenews" in its name. I have only three extensions, one for eWallet AutoPass and two for Parallels.
I am beginning to rethink my problem. I do not find any suspicious apps. Malwarebytes doesn't find any thing at all (no threats or PUPs detected). The only thing I have is instances on my desktop (see attached Screenshot) and entries in Safari->Preferences->Websites, such as 1736gofenews.com and others with different 4 digit numbers followed by gofenews.com. The indicates to me that maybe the unwanted program - gofenews.com - is just on my desktop and in Safari, and its cache. But I haven't found a way to get it off of the desktop into trash or any other way to get rid of it. Sometimes I can remove it from Safari Preferences, but not usually. What usually happens is that instance goes away and another one appears with a new 4 digit number. The only thing I can think of that I have not tried is to "Allow" the app to show alerts in the Notification Center, which I am afraid to do.
Can you think of anything else I might try?
 

Attachments

  • Screen Shot 2021-11-14 at 10.57.31 AM.png
    Screen Shot 2021-11-14 at 10.57.31 AM.png
    356.1 KB · Views: 175

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Try installing the free and open source KnockKnock, Objective-See: KnockKnock

It works sort of like a combination of process explorer and various Windows second opinion scanners, checking the most common areas that malware try to persist and runs them through VirusTotal as well. If nothing is super obvious post some screenshots of what Launch Agents are currently registered.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Thank you for your reply. I did not find any applications that appeared to be "suspicious" and none with "gofenews" in its name. I have only three extensions, one for eWallet AutoPass and two for Parallels.
I am beginning to rethink my problem. I do not find any suspicious apps. Malwarebytes doesn't find any thing at all (no threats or PUPs detected). The only thing I have is instances on my desktop (see attached Screenshot) and entries in Safari->Preferences->Websites, such as 1736gofenews.com and others with different 4 digit numbers followed by gofenews.com. The indicates to me that maybe the unwanted program - gofenews.com - is just on my desktop and in Safari, and its cache. But I haven't found a way to get it off of the desktop into trash or any other way to get rid of it. Sometimes I can remove it from Safari Preferences, but not usually. What usually happens is that instance goes away and another one appears with a new 4 digit number. The only thing I can think of that I have not tried is to "Allow" the app to show alerts in the Notification Center, which I am afraid to do.
Can you think of anything else I might try?

Hello @ehwj,
Sorry for the late reply. At this moment, you aren't seeing notifications from this site, the only issue is that your browser is redirected to the site right?

1. First of all, to stop seeing requests for permission to send you notifications in Safari: Choose Safari > Preferences, click Websites, then click Notifications. Deselect “Allow websites to ask for permission to send push notifications.”

2. Next, install a browser extension to block ads (I suspect a site you're visiting is redirecting to these malicious sites). I would recommend Adguard FREE. - ‎AdGuard for Safari

To install AdGuard for Safari follow these steps:
Download the extension from the App Store and run it. Click "Open preferences" in the dialogue box. In the Safari Preferences check the boxes "AdGuard Safari Icon" and "AdGuard".

After you install AdGuard, let me know if you're browser is still redirected to malicious ads.
 

ehwj

New Member
Thread author
Nov 10, 2021
5
Hello Jack.
Was about to try KnockKnock as suggested by MacDefender, even downloaded the app. Then saw your suggestion and tried it. Once unchecked the "Allow websites to ask permission to send push notifications", I was able to delete the instances of the "allow" screens like the previous screenshot I posted. Deleted all references to gofenews shown in the Safari Preferences and ran Malwarebytes again. Again I go 0 threats. I believe it that did the trick.
Question: is it save to recheck "Allow websites to ask permission to push notifications"?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hello Jack.
Was about to try KnockKnock as suggested by MacDefender, even downloaded the app. Then saw your suggestion and tried it. Once unchecked the "Allow websites to ask permission to send push notifications", I was able to delete the instances of the "allow" screens like the previous screenshot I posted. Deleted all references to gofenews shown in the Safari Preferences and ran Malwarebytes again. Again I go 0 threats. I believe it that did the trick.
Question: is it save to recheck "Allow websites to ask permission to push notifications"?
Yes, it is safe to enable it again, but watch out for which sites you allow notifications. There are a LOT of malicious sites that trick people into subscribing to malicious ads via notifications.

If Malwarebytes has not found any malware, then there is no need to download KnockKnock. If you want a second opinion, try a reputable antivirus like Kaspersky or ESET.

Also, don't forget to install an adblocker (Adguard) or another one.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Yeah if all you are getting is Safari style website notifications, I don't expect you to have any malware persisting on the device. Most of the Mac infections these days are fairly easy to clean because the OS severely restricts the ways that malware can persist on the device.
 

ehwj

New Member
Thread author
Nov 10, 2021
5
Hi MacDefender -
Thank you for your suggestion. As I replied to Jack, apparently all I had were persistent screens that would replicate when clicking on the Deny notifications. As Jack suggested I unchecked the permission in Sarari Preferences and was able to delete those screens.
For FF You can use uBlock Origin ad-blocker :)
Thank you Harlan4096. I really appreciate your help.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top