Mac Malware Guide: Am I infected?

Published June 17th, 2012 at 9:29 PM EDT, modified April 25th, 2014 at 12:25 PM EDT

I hear this question all the time these days, and find myself often typing the same things over and over again. This FAQ, which is part of my Macintosh Malware Guide, will help you determine whether or not you should be worried. Note that it is written on the assumption that you have read the Macintosh Malware Guide first.

If you think you have malware, you probably have some kind of reason for thinking that. Browse through the descriptions of symptoms, and when you find one that matches, your answer will follow. If you do not find a match, let me know!

If, after reading this, you have reason to believe that you do have malware on your computer, use a scanner recommended in Do I need anti-virus software?. If a good anti-virus scanner doesn’t turn up anything, you’re probably not infected with anything, and your problems lie elsewhere.

Ads are appearing on websites!

This could be caused by a number of things. It could simply be normal for the site, or the site itself may have been hacked. This could also be caused by a compromised network, or an ad-supported public wifi network. It could also be the work of adware – a class of software similar to malware, but often considered to be less serious and not identified as malicious by anti-virus companies.

Whatever the case, my Adware Removal Guide will help you find the cause and fix it.

My computer is crashing/slow/doing something weird!

There are all kinds of problems that people blame on malware, out of a mentality inspired by years of having many problems with Windows systems being immediately (and truthfully) blamed on viruses. However, whatever you may be used to on Windows is irrelevant on the Mac. Problems like these are almost never caused by malware on the Mac. This is both because Mac malware is rare enough that it should never be the first thing to think of and because Mac malware often doesn’t destabilize the system in any way.

Unfortunately, a full discussion of common problems and fixes would be well outside the scope of this document. Try visiting a forum like Apple’s user-to-user forums, where you can get help from other users. (Definitely avoid blaming your problems on a virus there, though, or you’ll be flooded with replies about how Mac viruses don’t exist that will distract from a solution to your problem.) Alternately, consider contacting Apple directly for support.

Someone is sending messages from my e-mail address!

There are three possible explanations for this. First, it could just be that a spammer is sending e-mails out with your address faked on the From line. Spammers frequently do that sort of thing, usually faking the e-mail so that it looks like it’s coming from someone on their list. Unfortunately, if that’s what is happening, you’ll just have to ride out the storm and wait for them to stop. There’s not much to be done about it, since they could be sending from somewhere like Russia or China, and are usually very difficult to track down.

The second possibility is that the spammer has hacked your e-mail account and is sending spam from that account. This is a fairly common occurrence these days with e-mail servers that have a high volume of inexperienced users, such as Yahoo, AOL, Hotmail, GMail, etc. Generally, inexperienced users will have weak passwords or more easily fall for phishing attempts, and thus their accounts will be easily hacked. This is also more likely if messages are being sent to people you e-mail frequently. You may see the sent messages in your Sent mailbox, but you also may not, as the hacker responsible may remove them. The solution in this case is to change your password immediately.

Unfortunately, changing your password may not always be adequate.  Some mail servers provide features that allow a hacker to leave themselves a back door, so they can get back in even after you change the password.  One prominent example is GMail’s e-mail delegation that can allow a hacker to “read, send and delete messages on your behalf.”  Be sure to check the settings for your mail server and ensure that a stranger has not been given access.  You may need your mail service provider’s assistance with this.

In addition, hackers have been known to configure vacation messages or rules to send automatic spam responses to everyone who sends you e-mail. This problem will persist even after you have changed your password and closed any back doors that they might have left open. Be sure to check any of the settings on your e-mail server related to any kind of auto-replies or rules, such as vacation messages.

The third, and most unlikely, possibility is that you have some kind of malware on your computer. At this time, there is no malware whatsoever that behaves this way. However, if it makes you feel better, get a copy of one of the anti-virus programs recommended in Do I need anti-virus software? and scan the hard drive. Be aware that any malware it finds that does not contain the text “OSX” or “MacOS” in the name is usually malware that cannot affect your system, and is simply sitting inert on your hard drive.
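To tell the first explanation (a faked From line) from the second (a hacked account), look at the headers of one of the spam messages as a recipient received it. The sketch below is an added example, not part of the original guide; it assumes the recipient's mail server recorded an Authentication-Results header, and every address and domain in it is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_auth_results(header):
    """Split an Authentication-Results header (RFC 8601) into (method, result, domain)."""
    checks = []
    for clause in header.split(";")[1:]:  # clause 0 names the server that ran the checks
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        props = dict(re.findall(r"((?:smtp|header)\.\w+)=([^\s;]+)", clause))
        ident = props.get("header.d") or props.get("smtp.mailfrom") or props.get("header.from", "")
        checks.append((m.group(1).lower(), m.group(2).lower(), ident.rpartition("@")[2].lower()))
    return checks

def triage(raw_message):
    """Classify a spam message that carries your address on the From line."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the topmost header is read: it is the one the recipient's own server added.
    checks = parse_auth_results(msg.get("Authentication-Results", ""))
    if not checks or not from_domain:
        return "inconclusive"
    if any(r == "pass" and d == from_domain for _, r, d in checks):
        return "sent-via-your-provider"   # really left your mail service: check account and rules
    if any(r in ("fail", "softfail") or (r == "pass" and d != from_domain) for _, r, d in checks):
        return "forged-from-line"         # another server merely wrote your address on it
    return "inconclusive"

# Constructed sample headers (not real traffic), as a recipient's server might record them.
FORGED = """\
Authentication-Results: mx.friend.example;
 spf=softfail smtp.mailfrom=bulk.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "You" <you@example.com>
Subject: constructed sample
"""
GENUINE = """\
Authentication-Results: mx.friend.example;
 spf=pass smtp.mailfrom=you@example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: you@example.com
Subject: constructed sample
"""

if __name__ == "__main__":
    print(triage(FORGED), triage(GENUINE))
```

A "sent-via-your-provider" result points to the account itself, or to a rule or auto-reply configured on it, so the password and settings checks above apply.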

When I try to visit a web site, I get redirected to a different site!

See Eliminating browser redirects and advertisements.

Random words on web sites are underlined and cause pop-up ads when I put the mouse over them!

If this problem is only happening with a few specific sites, it’s just the way the site works. Some sites do this normally. It’s a bit obnoxious, and I tend to avoid those sites, but it’s not malware.

If it’s happening with all sites, this is still not likely to be malware, but it is likely that you have installed some kind of unsavory software commonly referred to as “adware.” It was probably installed as part of some other junky software, sometimes a game. The trick is finding it once it’s installed.

For more suggestions, and help with diagnosing and eliminating the cause of the problem, see Eliminating browser redirects and advertisements.

Facebook isn’t letting me log in and is telling me I have a virus!

On a Mac, this is not related to malware of any kind. What has probably happened is that someone has hacked your Facebook account and then used it for something like sending Facebook spam. This sort of thing results in Facebook disabling your account. To re-enable your account, you need to refer to Facebook’s help page for disabled accounts.

I keep having nasty web sites open by themselves, and something is telling me I have a virus!

Browser windows opening on their own are not a symptom of malware. This is just caused by obnoxious or outright malicious JavaScript on the page. This could be because the site itself is malicious, but is more likely to be caused by a bad advertisement on the page or a hack of some kind (either the site itself has been hacked or a site it pulls content from – such as an ad site – has been hacked).

Often, these pop-ups are malicious, and may do things like try to scare you into downloading something to fix the “viruses” that have been detected or into paying money to re-gain access to your computer. You should under no conditions do whatever the pop-up is telling you to do!

If you cannot close the browser window or quit the browser, you can force quit by pressing command-option-esc, selecting the browser and clicking Force Quit. Then close the force quit window. Some browsers may try to re-load the pages that were open the next time you open the browser, causing the problem to recur. If that happens, you need to stop the browser from restoring them. In Safari, that is done by holding the shift key while opening Safari.

My mouse keeps moving around on its own, as if someone is remotely controlling my Mac!

Believe it or not, that kind of behavior is almost guaranteed not to be caused by malware. Modern malware tries its best to be sneaky, so it can do its dirty work of gathering information from you without notice. Few things are quite so noticeable as waving the cursor around right under the user’s nose!

So what’s the issue, then? If you’re using a trackpad, the answer may be as simple as dirt, jewelry or a faulty third-party power supply. See Portables and Magic Trackpad: Jumpy or erratic trackpad operation. If you’re using an optical mouse, it could be that the surface the mouse is sitting on is causing the problem. Try a different surface. You can also try a different input device if you’re using an external mouse or trackpad, as the device itself could be bad.

If you are using a wireless trackpad, you may be having signal interference issues, low battery issues or problems caused by a faulty device. If you’re not using a wireless trackpad, perhaps someone else has a wireless trackpad that your machine has somehow connected to. Try turning off Bluetooth in System Preferences. (Note that if you’re having the keyboard randomly type things, these same things apply to that situation.)

It could also be a hardware problem. MacBook Pro models with built-in batteries can have problems with the battery swelling when it starts to go bad. If that happens, it puts pressure on the underside of the trackpad, causing this problem. If you hold down the option key and click the battery icon in the menu bar, and the condition is anything other than “Normal,” you may have a failing battery, and that battery may be swelling. The solution in this case is to get the device checked out by Apple.

I have also seen reports that aftermarket or defective power supplies can cause a problem with the built-in trackpad. If the problem goes away when you unplug your machine, that’s likely to be the cause of the issue. Try connecting your charger using a grounded (three-prong) extension cable, rather than through the flip-down two-prong plug, or the equivalents used in other countries besides the US. You may also need to replace the charger.

On the flip side, I’ve also seen reports of problems caused by static electricity buildup. In those cases, the issue solved itself when the computer was plugged in, providing a path for the static to move to ground.

Software can also cause these kinds of problems. For example, after upgrading to Mavericks (Mac OS X 10.9) when it first became available, many users of Google Drive saw a number of odd issues that convinced some that they were being remotely controlled.  Uninstalling Google Drive solved those problems. If the problems go away when you restart in safe mode, then return when you restart normally, they’re definitely being caused by some third-party software you have installed.

If the problem goes away when the machine is cut off from the network, and returns when re-connected to the network, then the problem may actually be a remote control issue. The first possibility is that someone has hacked into some account you have with software that provides screen sharing service. A common example with Mac users would be Back to My Mac, which can be configured to allow you to share the screen of your Mac remotely via your iCloud account. If someone has hacked your iCloud account, they could be exploring to see what they can find. If you have Back to My Mac turned on, change your iCloud password immediately. If you are using something else that provides similar functionality, like LogMeIn, you should do the same with the account for that software.

It could also be someone you know, who has physical access to the computer and has installed and/or configured screen sharing software to give themselves access. This could mean that this is a simple prank, or it could be a more malicious attempt to do harm from someone like an untrustworthy co-worker or computer technician. Unfortunately, if it comes down to this as the final possibility, there’s little that you can do to put a stop to the problem other than erase the hard drive and reinstall the system and all your applications from scratch. You may be tempted to look for and remove screen sharing software or turn on a firewall, but keep in mind that you don’t know what has been done and what has been installed where. You cannot assume that you are safe after someone malicious has had physical access to your computer. And there is no anti-virus software in existence that will find and remove all possible sources of access, since a back door could be left using entirely legitimate software, or even built-in Mac OS X functionality.

Safari keeps crashing, complaining about an error with a plugin.

This was a classic symptom of the Flashback malware. (See a complete description in About the Flashback malware.) However, that malware has been extinct for some time now, and cannot infect recent systems. The only way a new occurrence of this problem could be Flashback at this point would be if you restored a backup of an old, infected system.

The other possibility is just a bad browser plug-in. Uninstall anything that you installed right before the problem began occurring. Be sure to use the uninstaller, rather than just dragging the application to the trash, so that the plug-in is removed.

