I think my Mac might be infected with malware because it’s suddenly running hot, some apps are crashing, and I’m seeing strange pop‑ups even when my browser is closed. I’ve only used the built‑in tools so far and I’m not sure if they’re enough. What’s the safest, most effective way to scan my Mac for malware, remove anything malicious, and prevent future infections without slowing the system down?
Yeah, those signs sound sus for malware or at least some junk software. Here’s a straight checklist you can follow on your Mac.
Check Activity Monitor
- Open Activity Monitor from Applications > Utilities.
- Sort by CPU. Look for weird names or something eating constant high CPU when you are idle.
- Google any process you do not recognize.
- Do the same on the Memory tab.
Check Login Items and Launch Agents
- System Settings > General > Login Items.
- Remove anything you do not trust. Especially stuff you never installed on purpose.
- In Finder, hit Go > Go to Folder and check these paths:
- /Library/LaunchAgents
- /Library/LaunchDaemons
- ~/Library/LaunchAgents
- Look for sketchy names, adware, “helper” apps, anything tied to random “Mac cleaner” tools.
Remove shady browser stuff
Even if popups show outside the browser, adware often starts here.
- Safari: Settings > Extensions. Disable or remove anything you do not recognize.
  Also check Settings > General and Homepage / New windows, make sure they are normal.
- Chrome:
  - chrome://extensions
  - chrome://settings/reset > Restore settings to their original defaults.
- Firefox: about:addons and also Help > Troubleshoot Mode.
Run a reputable malware scanner
Since you used only built-in tools, I’d add one on-demand scan:
- Malwarebytes for Mac (free version is enough for a scan).
- Download from the official site only.
- Run a full scan, quarantine and remove what it finds, then reboot.
Check installed apps
- Applications folder, sort by “Date Added”.
- Remove any “cleaner”, “optimizer”, “antivirus” you never wanted. A lot of those are adware on Mac.
- Empty Trash after deleting.
Update macOS
- System Settings > General > Software Update.
- Install all updates. Security patches close holes some malware uses.
Check profiles and certificates
Some adware installs config profiles to hijack DNS or proxies.
- System Settings > Privacy & Security > Profiles.
- If you see a profile you do not recognize, remove it.
- Also check Wi‑Fi > Details for any weird proxy settings.
Look at disk space and fans
- Apple menu > About This Mac > More Info > Storage.
- If some random app eats huge space in ~/Library or /private/var, search it.
- If fans are blasting, go back to Activity Monitor, see what is pegging the CPU.
If you want to go nuclear
- Backup with Time Machine or at least copy your important files.
- Erase and reinstall macOS from Recovery, then reinstall apps manually.
- Do not restore apps and settings from a sketchy old backup, only personal files.
If after Malwarebytes, login item cleanup, and browser reset you still get popups and heat, I’d suspect either some stubborn adware or a system extension. At that point I’d post screenshots of Activity Monitor and Login Items in the thread. Someone can point at the exact culprit.
@byteguru covered a ton of the surface‑level stuff really well, so I’ll hit some different angles and some “deeper” checks.
1. Check for persistence tricks beyond Login Items
Malware on macOS often hides in places that survive reboots:
- Open Terminal and run:
      crontab -l
  If you see entries you didn’t create, that’s a red flag. Remove them with:
      crontab -e
- Also in Terminal:
      launchctl list | grep -i agent
  and look for weird/random names you don’t recognize. Google anything suspicious.
This is a bit more technical, but it catches stuff that doesn’t show up cleanly in System Settings.
2. Verify system extensions & network filters
Some adware and “security” junk installs system/network extensions:
- System Settings > Privacy & Security > scroll down to “Extensions” or “Network Extensions” (varies a bit by macOS version).
- Look for VPNs, “web protection,” “content filter,” or “security” tools you don’t explicitly remember installing. Disable / uninstall those.
I’d actually disagree slightly with the idea that every Malwarebytes / antivirus is always good; some third‑party “protectors” are part of the problem.
3. Check your hosts file & DNS
If you’re seeing sketchy pop‑ups even with browsers closed, some junk may be redirecting traffic:
- In Terminal:
      cat /etc/hosts
  Default macOS hosts is very short. If you see a giant block of random domains mapped to weird IPs, that’s not normal.
- For DNS: System Settings > Wi‑Fi > Details > DNS.
- If you see random DNS servers instead of your router / ISP / something like 1.1.1.1 or 8.8.8.8, reset it to “Automatic.”
4. Check for resource hogs at the GPU / energy level
Everyone looks at CPU, but some crypto or adware uses GPU or just sits as a constant “energy” hog:
- Activity Monitor > Energy tab. Sort by “Energy Impact.”
- Anything with constantly high impact even when idle deserves investigation.
- If fans are going wild while nothing obvious is happening, that’s usually either a browser helper or some miner.
5. Look for weird launch paths & unsigned binaries
This part is nerdier, but it’s often where the sketchy stuff hides:
- If you find a suspicious process in Activity Monitor, select it, hit the little “i” button, then “Open Files and Ports.”
- That shows exactly where the executable lives.
- Common bad patterns:
  - Stuff hiding in ~/Library/Application Support/ with nonsense folder names.
  - Random executables in /private/var or /tmp running constantly.
- For any suspect binary, in Terminal:
      codesign -dv --verbose=4 /path/to/suspect/app 2>&1 | head
  If it says “code object is not signed” or has some sketchy “Authority,” that’s another red flag.
6. Use EtreCheck or similar diagnostic report
Instead of guessing, generate a full report:
- Download EtreCheck (free) from its official site.
- Run it and let it produce a report. It lists launch agents, daemons, kernel extensions, unsigned processes, etc.
- You can then skim the “Adware,” “Unsigned files,” and “Performance” sections. It’s way easier than digging through every folder manually.
7. Create a fresh test user account
Quick way to separate “system‑level” junk from “user‑level” junk:
- System Settings > Users & Groups > add a new standard user.
- Log out and log into that new user.
- Use the Mac for a bit: browser, some apps.
- If the popups / heat completely vanish, the infection is almost certainly in your user Library (login items, LaunchAgents, browser add‑ons, etc.).
- If it’s still bad, then it’s probably system level or network level (DNS, profiles, system extensions).
8. Consider hardware / OS causes too
Not everything that smells like malware is malware:
- Macs can run hot and crash from:
- Dust in vents
- A single bugged app (like a browser tab with a bad script)
- Corrupt user cache files
- Try a safe boot:
- Power off.
- Power on and immediately hold Shift until you see the login screen.
- Safe mode loads fewer extensions and clears some caches.
If the machine behaves normally in safe mode, you likely have third‑party software causing trouble, not necessarily “classic” malware.
9. If you don’t want to nuke & pave yet
Instead of a full erase like @byteguru suggested as the nuclear option, you can do an in‑place macOS reinstall:
- Boot to Recovery (hold Command + R at startup on Intel, or hold the power button on Apple Silicon until “Options” appears).
- Choose “Reinstall macOS” without erasing the disk.
- That replaces system files but keeps your data and apps.
It won’t kill every piece of user‑level adware, but it can fix broken system components if malware or junk messed with them.
If you want to post screenshots, the most helpful ones are:
- Activity Monitor: CPU tab sorted by % CPU, and Energy tab.
- System Settings > Login Items.
- System Settings > Network > Wi‑Fi > Details > DNS & Proxies tabs.
That combo usually reveals the culprit pretty fast.
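
Added example, not part of either post: a read-only Python script that combines the LaunchAgents/LaunchDaemons folders from the first answer with the "weird launch paths" check from the second, listing launchd jobs whose command points into /tmp, /private/var or ~/Library/Application Support. The function names `triage` and `scan` and the prefix list are this example's own choices, and a hit is a prompt for manual review (for instance with the `codesign` command above), not a verdict.

```python
import plistlib
import re
from pathlib import Path

# The three launchd directories listed in the first answer.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]
# Locations the second answer calls out; /tmp and /var are symlinks into /private on macOS.
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/", "/private/var/")


def triage(job, home):
    """Return reasons a parsed launchd job deserves a manual look (empty list = nothing flagged)."""
    prefixes = RISKY_PREFIXES + (home.rstrip("/") + "/Library/Application Support/",)
    # Match a risky prefix at the start of an argument or after whitespace, a quote or '=',
    # so `sh -c "/tmp/x.sh"` is caught as well as a direct Program path.
    risky = re.compile(r"(?:^|[\s'\"=])(?:" + "|".join(map(re.escape, prefixes)) + ")")
    args = [job.get("Program")] + list(job.get("ProgramArguments") or [])
    reasons = [f"runs from: {a}" for a in args if isinstance(a, str) and risky.search(a)]
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons


def scan(dirs=LAUNCH_DIRS, home=None):
    """Map each flagged plist path to its list of reasons."""
    home = home or str(Path.home())
    findings = {}
    for d in dirs:
        for plist_path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    job = plistlib.load(fh)  # reads both XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except Exception as exc:  # unreadable or malformed files are worth a look too
                findings[str(plist_path)] = [f"could not parse ({type(exc).__name__})"]
                continue
            reasons = triage(job, home)
            if reasons:
                findings[str(plist_path)] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Plenty of legitimate apps keep helpers under Application Support, so expect some benign hits there; the script only reads files and removes nothing.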