Mac Virus & Malware Removal Guide

🚨 Signs Your Mac Has Malware

Macs don't usually get traditional "viruses" — but adware, browser hijackers, and cryptominers are very real. Watch for:

• Browser is redirecting to unfamiliar search engines or sites
• Pop-up ads appearing constantly, even on normal websites
• Mac is running slow with fans spinning for no reason
• New toolbars or extensions appeared in Safari/Chrome you didn't install
• Homepage changed without you changing it
• CPU usage is high (Activity Monitor shows unknown processes using 80-100%)
• Fake security alerts appearing in browser ("Your Mac is infected! Call Apple Support!")

Note: "Your Mac is infected" alerts that appear IN the browser are always fake. Real malware doesn't announce itself. Close the tab and ignore them.

🔍 Step 1: Check Activity Monitor for Suspicious Processes

1. Open Activity Monitor (search with Spotlight: ⌘+Space)
2. Click the CPU tab, sort by % CPU descending
3. Look for unknown process names using high CPU constantly
4. Click the Memory tab — look for processes consuming gigabytes for no reason

Suspicious process names to watch for:

• Anything with "miner," "coin," or "crypto" in the name
• Random letter strings: "xjhab," "dklwp," etc.
• Processes masquerading as system processes (check the path — real system processes live in /System/ or /usr/)
• "com.adobe.gsp.helper" or similar fake Adobe processes (if you don't have Adobe)

If you find a suspicious process: note the name, then Google it to confirm it's malware before killing it.

🛡️ Step 2: Run MalwareBytes (Free)

MalwareBytes for Mac is the gold standard for free malware scanning. It catches adware, browser hijackers, and PUPs (Potentially Unwanted Programs) reliably:

1. Download MalwareBytes from malwarebytes.com (free version is enough)
2. Install and open it
3. Click Scan — wait for the full scan to complete
4. Review the results and quarantine/remove everything flagged
5. Restart your Mac

The free version doesn't include real-time protection, but its on-demand scan is excellent. Run it whenever you suspect something is wrong.

🌐 Step 3: Clean Your Browsers

Most Mac "infections" are actually browser-level adware. Clean all browsers you use:

Safari:

1. Safari → Settings → Extensions → remove any you don't recognize
2. Safari → Settings → Search → change Search Engine back to Google or your preferred engine
3. Safari → Settings → General → check Homepage — reset if hijacked
4. Safari → Clear History (History menu) — select "all history"

Chrome:

1. chrome://extensions — remove any suspicious extensions
2. chrome://settings/searchEngines — remove unknown search engines, set default to Google
3. chrome://settings → On startup — reset if pages are hijacked
4. Consider: chrome://settings → Reset settings → Restore settings to original defaults

Firefox:

1. about:addons — remove suspicious extensions
2. about:preferences#search — reset search engine
3. Help → More Troubleshooting Info → Refresh Firefox (nuclear option if needed)

📁 Step 4: Remove Malicious Apps & Login Items

Check Applications folder:

1. Open Finder → Applications
2. Look for apps you don't remember installing — especially anything with "Mac Cleaner," "Advanced Mac," "MacKeeper," or generic names
3. Drag them to Trash — then use AppCleaner (free app) to remove all associated files

Check Login Items (things that launch at startup):

1. Apple menu () → System Settings → General → Login Items
2. Review everything listed — remove anything suspicious or unknown
3. Also check "Allow in the Background" items below Login Items

Check LaunchAgents (advanced):

1. Open Finder → Go → Go to Folder (⌘+Shift+G)
2. Type: ~/Library/LaunchAgents
3. Look for .plist files you don't recognize — Google the filename if unsure
4. Move suspicious ones to Desktop (not Trash yet — in case you need to restore)
5. Restart and see if the problem is gone

🔒 Step 5: Lock Down Your Mac Going Forward

Prevention is worth 10x the cure:

• Only install apps from the App Store or developers you trust completely
• Never install software prompted by a website — especially fake "Flash Player," "Codec," or "System Update" prompts
• Keep macOS and apps updated — Apple patches security vulnerabilities regularly
• Enable FileVault (System Settings → Privacy & Security → FileVault) — encrypts your drive
• Enable Firewall (System Settings → Network → Firewall)
• Use a password manager — reduces risk of phishing stealing credentials
• Don't use admin account for daily work — create a standard user account for everyday use

⚠️ MacKeeper & Mac "Cleaner" Apps

Apps like MacKeeper, CleanMyMac (from sketchy sources), Advanced Mac Cleaner, and similar products are often the malware themselves. They're typically installed through deceptive ads, they report fake problems to scare you into buying, and removing them can be tricky.

To remove MacKeeper specifically:

1. Open MacKeeper → click MacKeeper in menu bar → Uninstall MacKeeper
2. If that doesn't work, use AppCleaner to force remove it
3. Run MalwareBytes after to catch any remnants

🆘 Nuclear Option: Reinstall macOS

If malware is deeply embedded and nothing else works, a clean macOS reinstall is the most reliable solution:

1. Back up important files to an external drive or Time Machine
2. Restart in Recovery Mode: hold ⌘+R (Intel) or hold Power button (Apple Silicon)
3. Choose Disk Utility → Erase your startup disk (Macintosh HD)
4. Exit Disk Utility → Reinstall macOS
5. Restore your data from backup after

Don't restore from a Time Machine backup taken while infected — restore files manually instead.