Mac Malware Guide: Am I infected?
Published June 17th, 2012 at 9:29 PM EDT, modified May 21st, 2013 at 10:37 AM EDT
I hear this question all the time these days, and find myself often typing the same things over and over again. This FAQ, which is part of my Macintosh Malware Guide, will help you determine whether or not you should be worried. Note that it is written on the assumption that you have read the Macintosh Malware Guide first.
If you think you have malware, you probably have some kind of reason for thinking that. Browse through the descriptions of symptoms, and when you find one that matches, your answer will follow. If you do not find a match, let me know!
If, after reading this, you have reason to believe that you do have malware on your computer, use a scanner recommended in “Do I need anti-virus software?” If a good anti-virus scanner doesn’t turn up anything, you’re probably not infected with anything, and your problems lie elsewhere.
- My computer is crashing/slow!
- Someone is sending messages from my e-mail address!
- When I try to visit a web site, I get redirected to a different site!
- Random words on web sites are underlined and cause pop-up ads when I put the mouse over them!
- Facebook isn’t letting me log in and is telling me I have a virus!
- I keep having nasty web sites open by themselves, and something is telling me I have a virus!
- My mouse keeps moving around on its own, as if someone is remotely controlling my Mac!
- Safari keeps crashing, complaining about an error with a plugin.
My computer is crashing/slow!
Perhaps the most frequent reason for people to ask this question, this is almost guaranteed not to be a symptom of having malware. There are many reasons for a computer to crash or become slow, and malware is almost never one of them on a Mac. Unfortunately, a full discussion of possible fixes would be well outside the scope of this document. Try visiting a forum like Apple’s user-to-user forums, where you can get help from other users, or consider contacting Apple directly for support.
Someone is sending messages from my e-mail address!
There are three possible explanations for this. First, it could just be that a spammer is sending e-mails out with your address faked on the From line. Spammers frequently do that sort of thing, usually faking the e-mail so that it looks like it’s coming from someone on their list. Unfortunately, if that’s what is happening, you’ll just have to ride out the storm and wait for them to stop. There’s not much to be done about it, since they could be sending from somewhere like Russia or China, and are usually very difficult to track down.
The second possibility is that the spammer has hacked your e-mail account and is sending spam from that account. This is a fairly common occurrence these days with e-mail servers that have a high volume of inexperienced users, such as Yahoo, AOL, Hotmail, GMail, etc. Generally, inexperienced users will have weak passwords or more easily fall for phishing attempts, and thus their accounts will be easily hacked. This is also more likely if messages are being sent to people you e-mail frequently. You may see the sent messages in your Sent mailbox, but you also may not, as the hacker responsible may remove them. The solution in this case is to change your password immediately.
Unfortunately, changing your password may not always be adequate. Some mail servers provide features that allow a hacker to leave themselves a back door, so they can get back in even after you change the password. One prominent example is GMail’s e-mail delegation that can allow a hacker to “read, send and delete messages on your behalf.” Be sure to check the settings for your mail server and ensure that a stranger has not been given access. You may need your mail service provider’s assistance with this.
In addition, hackers have been known to configure vacation messages or rules to send automatic spam responses to everyone who sends you e-mail. This problem will persist even after you have changed your password and closed any back doors that they might have left open. Be sure to check any of the settings on your e-mail server related to any kind of auto-replies or rules, such as vacation messages.
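The checks described above (delegation, auto-replies and rules) can be run over an export of the account's settings. The following Python is an added example, not part of the original guide: the sample settings are constructed, their field names are modeled on the Gmail API's settings resources, and the `trusted` address list is an assumption.

```python
# Added example: find mailbox settings that keep working after a password change.
# SAMPLE is constructed data; the field names are modeled on Gmail API settings
# resources (delegates, vacation, autoForwarding, filters) and are an assumption
# about how the settings were exported.
SAMPLE = {
    "delegates": [{"delegateEmail": "stranger@example.net",
                   "verificationStatus": "accepted"}],
    "vacation": {"enableAutoReply": True, "responseSubject": "Great deal!",
                 "restrictToContacts": False},
    "autoForwarding": {"enabled": False},
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Label_7"]}},
        {"id": "f2", "criteria": {"query": "password OR invoice"},
         "action": {"forward": "drop@example.net", "removeLabelIds": ["INBOX"]}},
    ],
}

def audit_mailbox(settings, trusted=frozenset()):
    """Return (severity, finding) pairs for settings an intruder may have left."""
    trusted = {a.lower() for a in trusted}
    findings = []
    for d in settings.get("delegates", []):
        addr = d.get("delegateEmail", "").lower()
        if addr not in trusted:
            findings.append(("high", f"delegate with mailbox access: {addr}"))
    vac = settings.get("vacation", {})
    if vac.get("enableAutoReply"):
        scope = "contacts only" if vac.get("restrictToContacts") else "every sender"
        subject = vac.get("responseSubject", "")
        findings.append(("medium", f"auto-reply enabled for {scope}: {subject!r}"))
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled") and fwd.get("emailAddress", "").lower() not in trusted:
        findings.append(("high", f"all mail forwarded to {fwd.get('emailAddress')}"))
    for f in settings.get("filters", []):
        action = f.get("action", {})
        target = action.get("forward", "").lower()
        if target and target not in trusted:
            findings.append(("high", f"filter {f['id']} forwards to {target}"))
        # A rule that skips the inbox or trashes mail can hide replies and bounces.
        skips_inbox = "INBOX" in action.get("removeLabelIds", [])
        trashes = "TRASH" in action.get("addLabelIds", [])
        if skips_inbox or trashes:
            findings.append(("medium", f"filter {f['id']} hides matching mail"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_mailbox(SAMPLE, trusted={"spouse@example.com"}):
        print(f"[{severity}] {finding}")
```

Anything reported as `high` should be removed in the mail service's own settings pages before the account is considered recovered.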
The third, and most unlikely, possibility is that you have some kind of malware on your computer. At this time, there is no malware whatsoever that behaves this way. However, if it makes you feel better, get a copy of one of the anti-virus programs recommended in “Do I need anti-virus software?” and scan the hard drive. Be aware that any malware it finds that does not contain the text “OSX” or “MacOS” in the name is usually malware that cannot affect your system, and is simply sitting inert on your hard drive.
When I try to visit a web site, I get redirected to a different site!
Random words on web sites are underlined and cause pop-up ads when I put the mouse over them!
If this problem is only happening with a few specific sites, it’s just the way the site works. Some sites do this normally. It’s a bit obnoxious, and I tend to avoid those sites, but it’s not malware.
If it’s happening with all sites, this is still not likely to be malware, but it is likely that you have installed some kind of unsavory software commonly referred to as “adware.” It was probably installed as part of some other junky software, sometimes a game. The trick is finding it once it’s installed.
Facebook isn’t letting me log in and is telling me I have a virus!
On a Mac, this is not related to malware of any kind. What has probably happened is that someone has hacked your Facebook account and then used it for something like sending Facebook spam. This sort of thing results in Facebook disabling your account. To re-enable your account, you need to refer to Facebook’s help page for disabled accounts.
I keep having nasty web sites open by themselves, and something is telling me I have a virus!
These are the classic symptoms of the MacDefender trojans. MacDefender and its variants, all having similar names, may be downloaded from a malicious site that claims you have loads of viruses on your machine. If you have downloaded it, run the installer and allowed the installation to complete, then you need to remove MacDefender immediately. If you actually “purchased” the program, you have given your credit card number to criminals and should cancel it immediately. There have been stories of people whose credit cards have been repeatedly rejected by a MacDefender trojan, and who have thus entered multiple credit card numbers. If you did something similar, all the card numbers you tried are now compromised and should be cancelled.
See the recent coverage of the MacDefender outbreak in my blog for more information.
My mouse keeps moving around on its own, as if someone is remotely controlling my Mac!
Believe it or not, that kind of behavior is almost guaranteed not to be caused by malware. Modern malware tries its best to be sneaky, so it can do its dirty work of gathering information from you without notice. Few things are quite so noticeable as waving the cursor around right under the user’s nose!
So what’s the issue, then? If you’re using a trackpad, the answer may be as simple as dirt, jewelry or a faulty third-party power supply. See Portables and Magic Trackpad: Jumpy or erratic trackpad operation. If you’re using an optical mouse, it could be that the surface the mouse is sitting on is causing the problem. Try a different surface. You can also try a different input device if you’re using an external mouse or trackpad, as the device itself could be bad.
If you are using a wireless trackpad, you may be having signal interference issues, low battery issues or problems caused by a faulty device. If you’re not using a wireless trackpad, perhaps someone else has a wireless trackpad that your machine has somehow connected to. Try turning off Bluetooth in System Preferences. (Note that if you’re having the keyboard randomly type things, these same things apply to that situation.)
It could also be a hardware problem. MacBook Pro models with built-in batteries can have problems with the battery swelling when it starts to go bad. If that happens, it puts pressure on the underside of the trackpad, causing this problem. If you hold down the option key and click the battery icon in the menu bar, and the condition is anything other than “Normal,” you may have a failing battery, and that battery may be swelling. The solution in this case is to get the device checked out by Apple.
I have also seen reports that aftermarket or defective power supplies can cause a problem with the built-in trackpad. If the problem goes away when you unplug your machine, that’s likely to be the cause of the issue. Try connecting your charger using a grounded (three-prong) extension cable, rather than through the flip-down two-prong plug, or the equivalents used in other countries besides the US. You may also need to replace the charger.
If the problem goes away when the machine is cut off from the network, and returns when re-connected to the network, then the problem may actually be a remote control issue. The first possibility is that someone has hacked into some account you have with software that provides screen sharing service. A common example with Mac users would be Back to My Mac, which can be configured to allow you to share the screen of your Mac remotely via your iCloud account. If someone has hacked your iCloud account, they could be exploring to see what they can find. If you have Back to My Mac turned on, change your iCloud password immediately. If you are using something else that provides similar functionality, like LogMeIn, you should do the same with the account for that software.
It could also be someone you know, who has physical access to the computer and has installed and/or configured screen sharing software to give themselves access. This could mean that this is a simple prank, or it could be a more malicious attempt to do harm from someone like an untrustworthy co-worker or computer technician. Unfortunately, if it comes down to this as the final possibility, there’s little that you can do to put a stop to the problem other than erase the hard drive and reinstall the system and all your applications from scratch. You may be tempted to look for and remove screen sharing software or turn on a firewall, but keep in mind that you don’t know what has been done and what has been installed where. You cannot assume that you are safe after someone malicious has had physical access to your computer. And there is no anti-virus software in existence that will find and remove all possible sources of access, since a back door could be left using entirely legitimate software, or even built-in Mac OS X functionality.
Safari keeps crashing, complaining about an error with a plugin.
Chances are very good that you are infected with the Flashback malware. See a complete description in About the Flashback malware.
Note, though, that Flashback is extinct at this point. It is possible that you may have a long-standing infection if you haven’t updated your system in a long time, but this is still rather unlikely at this point.