Getting Rid of Viruses and Malware on Mac

Erick Silvio

macrumors newbie
Original poster
Jan 20, 2020
5
3
I just bought my Mac around June of 2019. Right after getting it, I attempted to get support in troubleshooting my printer connection, and in trying to do so I downloaded something that added malware.

I downloaded CleanMyMac X to get rid of it, but ever since that first incident, I've received regular alerts for having malware and viruses on my computer. I'd say about once every other week I get a new alert that my computer is infected with something. It's been going on for the last 5 months.

My Windows computer is 5 years old and has never had these issues, so I'm not sure why it's been such a constant problem on this machine.

I'm running macOS Mojave on this machine. It would be great to get some input from anybody who has experienced and resolved issues like this. I appreciate any help I can get!
 

revmacian

macrumors 68000
Oct 20, 2018
1,658
1,350
USA
Where are you getting these malware alerts? Safari? If they are popups in Safari your best course of action is to ignore them. Website advertisements can use JavaScript, and advertisement designers can make use of JavaScript to create popups with any content they choose.. including fake malware alerts. This is one of the reasons some folks use adblockers.

Try the free version of MalwareBytes to scan your computer and see what it finds: https://www.malwarebytes.com
 

KALLT

macrumors 601
Sep 23, 2008
4,990
3,048
Malwarebytes can certainly help. You should also consider updating the system, especially the browser and security or macOS updates. If you can, consider upgrading to macOS Catalina.

For troubleshooting, it can help us if you install Etrecheck (Mac App Store), use it to scan your system and post the report here. It will look for some known problems that cause these kinds of issues, such as programs that launch upon login/boot and run in the background, installed extensions and so forth. The developer of this program is (or at least used to be) very active on Apple’s support forums and parts of the code of Etrecheck are open source.

I personally have a low opinion of CleanMyMac and the company that develops it. I do not recommend it.
 

Erick Silvio

macrumors newbie
Original poster
Jan 20, 2020
5
3
UPDATE: I appreciate the input about Malwarebytes as well as the updates. Here's a screenshot of the alerts I'm getting. I'll try Malwarebytes next!
Screen Shot 2020-01-20 at 7.39.35 PM.png
 

chown33

Moderator
Staff member
Aug 9, 2009
8,592
4,679
inter-prandial
Those notifications look like they’re coming through Chrome web browser. Does Chrome allow you to turn off notifications (Chrome settings)? I still think they’re fake.
I agree. The notifications should be turned off in Chrome first.

I doubt that Malwarebytes will find anything, because there may not be any malware present (yet). This is just a bunch of scareware notifications lying about the state of his Mac, trying to trick the OP into clicking one of them. DO NOT CLICK ANY OF THEM. Dismiss them all.

There may be a malicious or adware Chrome browser extension involved, so it would be a good idea to disable all Chrome extensions, along with disabling all Chrome notifications.


The first clue they're coming from Chrome is the icon on the left side of each one. It identifies the app where the notification originates.

The second clue is that all of them are coming from a domain (backrocklondon [dot] com) that has nothing whatsoever to do with McAfee security. Also note the spelling in the alert is incorrect: the real name should be McAfee, not Mcafee. The McAfee icon shows the correct spelling, but they're just reusing that icon as part of the fraud.
 
Last edited:
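
Added example (not part of any post in this thread, and not Chrome's own code): a Python audit of which sites a Chrome profile has allowed to send notifications, the mechanism behind the fake alerts discussed above. It assumes the default macOS profile path and Chrome's internal Preferences layout (`profile.content_settings.exceptions.notifications`, `setting` 1 = allow, `last_modified` in microseconds since 1601), which can change between versions; the function names, the trusted list and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

# Assumed location of the default Chrome profile on macOS.
PREFS = Path.home() / "Library/Application Support/Google/Chrome/Default/Preferences"
ALLOW = 1  # content-setting value: 1 = allow, 2 = block
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(value):
    """Convert a microseconds-since-1601 timestamp; None if missing or malformed."""
    try:
        return CHROME_EPOCH + timedelta(microseconds=int(value))
    except (TypeError, ValueError, OverflowError):
        return None

def allowed_notification_origins(prefs):
    """Return sorted [(host, granted_at)] for origins allowed to send notifications."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    found = []
    for pattern, entry in exceptions.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue
        primary = pattern.split(",", 1)[0]  # key is "<origin>,<embedding pattern>"
        try:
            host = urlsplit(primary).hostname or primary
        except ValueError:  # keep unparseable patterns visible instead of hiding them
            host = primary
        found.append((host, chrome_time(entry.get("last_modified"))))
    return sorted(found, key=lambda item: item[0])

def unexpected_origins(prefs, trusted):
    """Allowed origins that are neither a trusted domain nor a subdomain of one."""
    def is_trusted(host):
        return any(host == t or host.endswith("." + t) for t in trusted)
    return [(h, ts) for h, ts in allowed_notification_origins(prefs)
            if not is_trusted(h)]

# Constructed sample mirroring this thread: the scareware domain has an "allow"
# grant, one legitimate site is allowed, one site is blocked. Timestamps are made up.
SAMPLE = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://backrocklondon.com:443,*": {"setting": 1,
                                         "last_modified": "13223952000000000"},
    "https://mail.google.com:443,*": {"setting": 1},
    "https://example.org:443,*": {"setting": 2},
}}}}}

if __name__ == "__main__":
    # Read the real profile if present, otherwise fall back to the sample.
    prefs = json.loads(PREFS.read_text(encoding="utf-8")) if PREFS.exists() else SAMPLE
    for host, ts in unexpected_origins(prefs, trusted={"google.com"}):
        when = f"{ts:%Y-%m-%d %H:%M} UTC" if ts else "unknown time"
        print(f"notifications allowed for {host} (granted {when})")
```

The grant time helps tie a permission to the visit that triggered it; any origin the script lists that you do not recognise can be removed in Chrome's notification settings.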

joaqslam

macrumors newbie
Jan 20, 2020
6
1
I've recently just noticed that when using Safari, although my default search is set to Google, it always redirects to alphashoppers. Have tried everything I could find online but it doesn't work. Tried looking for the application but it is not in the Applications folder.
Have downloaded the free version of Malwarebytes and it has shown me some viruses that I have deleted but seem to keep coming back. I used the destination it says in the directory but can't seem to find it when searching.
Has anybody experienced this?
I am not sure if these are related to the alphashoppers redirect problem or if they are a totally different issue.
Screen Shot 2020-01-21 at 10.26.44 AM.png
 

The Hammer

macrumors 6502
Jun 19, 2008
400
53
Toronto, Canada
Have you tried MBAM's forum for answers?
 

iluvmacs99

macrumors 6502
Apr 9, 2019
395
192
First of all, why on earth are you heading towards backrocklondon.com?

malware1.jpg


malware2.jpg


I suspect that, unless you specify to go to backrocklondon.com, it is possibly a malware DNS re-directing site which, I suspect, got caught by CleanMyMacX as being a malicious re-direct. I tried backrocklondon.com through my anti-malware security gate firewall system and it did return malware. It blocked the site.

Now the question is, is this a Mac DNS re-direct or a physical hijacked router DNS re-direct. I suspect it is your Mac that is still infected by malware so deep that CleanMyMacX would probably stop it from allowing you to be DNS re-directed as your PC isn't infected. If your physical router got infected by malware, both your Mac and PC (assuming you have Windows Defender or some third party malware detection turned on) would show the same message.

You can try MalwareBytes, but because I suspect you had downloaded a malware-infected printer driver and you gave it SUDO access to install it into your Mac, your best bet is to reformat the drive and re-install the OS again to clear it. SUDO (supervisory) infection is the most difficult to remove, especially as you are facing a DNS re-route as it seemed right now. By the way, backrocklondon.com redacted its registrant identity; a common practice for malware sites. If it's a legit business, why redact the business name and country of origin?
 

Erick Silvio

macrumors newbie
Original poster
Jan 20, 2020
5
3
This is great info! Yes, I just started with a new client and his site has been hacked. As soon as I attempted to visit it, it redirected me somewhere else and I've been seeing these notifications ever since.

So how do I reinstall my OS? Will it result in me losing things that I have on my computer right now?

Earlier today (after I started receiving these notifications) I updated my OS. However, I did this before I ever tried cleaning my Mac with CleanMyMac (which by the way hasn't detected anything yet). Malwarebytes picked up a few things, however the notifications are still showing up.

It sounds like reinstalling my OS might be the next move. Could you guide me toward instructions on how to do this?
 

iluvmacs99

macrumors 6502
Apr 9, 2019
395
192
Try this guide first and try to remove the malware (browser hijacker)..


If the guide doesn't work, then you might have to ask the OSX forum (your specific OS you are using now) to help you provide the necessary instructions to re-install. Or, did you set up a Time Machine backup? If you did, you can roll back a couple of backups to before you installed that printer driver or visited your client's site. Anyhow, make sure you back up your work files before re-installing the OS as a new install wipes everything clean. That's the point.

Lastly, be very careful visiting hacked sites especially with malicious codes that could quickly hijack either your physical router or your computer as you had probably experienced now. Usually with any sites; they will ask you to install something to make the site work but of course you shouldn't. When you do, it will begin to hijack your computer as you are experiencing now.
 

revmacian

macrumors 68000
Oct 20, 2018
1,658
1,350
USA
Also, get rid of CleanMyMac. Mac cleaner apps really aren't needed and many of them do more harm than good. I have been on Macs since 2012 (3 Mac minis, 1 MacBook Pro, 1 MacBook Air) and I've never used any type of cleaner - and I've never had any problems. It is best to learn about the system and understand how it works.. then you'll end up learning how to clean up this type of thing by yourself. Knowledge is power.
 

revmacian

macrumors 68000
Oct 20, 2018
1,658
1,350
USA
The second clue is that all of them are coming from a domain (backrocklondon [dot] com) that has nothing whatsoever to do with McAfee security. Also note the spelling in the alert is incorrect: the real name should be McAfee, not Mcafee. The McAfee icon shows the correct spelling, but they're just reusing that icon as part of the fraud.
I think the only reason that domain exists at all is for the purposes of domain squatting - hoping people will misspell Black Rock (which is a location in London as well as the name of a financial investment firm), a common tactic in malware domains. I really wish ICANN would get involved and police malware domains.
 

lgjay

macrumors newbie
Nov 12, 2019
28
13
Turn off Chrome notifications for the aforementioned website, just as someone in the thread already pointed out, then the notifications will go away, as simple as that.

Actually, I would advise you to turn off system notifications for Chrome altogether in the system settings, since it seems these Chrome notifications from random websites had caused more confusion for you than the function they served.
 

Erick Silvio

macrumors newbie
Original poster
Jan 20, 2020
5
3
UPDATE: I went into Google Chrome settings and reset my settings to default, and as a result, I'm no longer getting the Chrome browser notifications.

However, now Safari is automatically redirecting me to "searchpulse.net". I imagine I haven't found the source of the problem.

Malwarebytes removed some things, but apparently not everything. I can't say I'm sure what to do next. I'd rather not work on this computer as long as it's having problems. I'd hate to have my Clients' websites get hacked due to problems I'm having with this computer.

Any other advice on this?
 

AndyMacAndMic

macrumors 6502a
May 25, 2017
584
941
Amsterdam, Netherlands
Rigorous but effective: Re-install Mac OS. That will give you peace of mind and the reassurance your computer is 'clean'. Don't forget to back up all your data files first!

Here is a link:
How to reinstall MacOS
 

revmacian

macrumors 68000
Oct 20, 2018
1,658
1,350
USA
@Erick Silvio if you do reinstall macOS, pay particular attention to which third-party apps you install after that - one or more of those third-party apps could have brought SearchPulse in along with it. Also, check your Safari > Preferences > Extensions

See the answer by dominic23 here: https://discussions.apple.com/thread/8383375
 

Fishrrman

macrumors P6
Feb 20, 2009
18,199
6,076
"Getting Rid of Viruses and Malware on Mac"

There ARE NO Mac "viruses" in the wild.
NOT ONE. Not since the Mac OS was first released.

There IS "malware", "adware", and "crapware".
You can remove that with MalwareBytes.

Download MalwareBytes and run it:

IMPORTANT:
Select the "home" option.
It's a FREE download

IMPORTANT:
You DO NOT NEED TO BUY A SUBSCRIPTION to run MalwareBytes.
It will run FOREVER IN FREE MODE.

When you open it, IGNORE the button to "Upgrade Now".
Just click "Scan Now".
Again, you DO NOT have to buy the pay-for version!
 

revmacian

macrumors 68000
Oct 20, 2018
1,658
1,350
USA
The OP is stating that..
... However, now Safari is automatically redirecting me to "searchpulse.net". I imagine I haven't found the source of the problem.

Malwarebytes removed some things, but apparently not everything. I can't say I'm sure what to do next. I'd rather not work on this computer as long as it's having problems. I'd hate to have my Clients' websites get hacked due to problems I'm having with this computer.

Any other advice on this?
 

Brian33

macrumors 6502a
Apr 30, 2008
808
64
USA (Virginia)
IF Malwarebytes doesn't seem to clean it up fully, I would go the "Rigorous but effective" route. Here's what I would do:

1. Make a full backup of the Mac, with Time Machine, Carbon Copy Cloner, or Super Duper. I would plan to keep this for awhile, in case I realized a month down the road that I forgot to copy something important in step 3 below. I might even "manually" copy really important files again to another drive or USB flash drive just in case something turned out to be wrong with the full backup I'd just made. (I'm that sort of person.)

2. Use AndyMacAndMic's link (here it is again: https://support.apple.com/en-us/HT204904) to reinstall macOS from the recovery partition. It's not clear if you are on Mojave where you started, or if you've upgraded to Catalina; I'd boot with the Command (⌘)-R to Reinstall the latest macOS that was installed on your Mac (i.e., either Mojave or Catalina), and choose to erase (format) your boot disk first. This will delete ALL files on your boot disk, which is why you made a backup first! (I would not try to go from Catalina back to Mojave because I've seen postings that there might be problems doing that relating to the disk layout changes made in Catalina.)

3. Normally at this point I'd use Migration Assistant to copy all my files and settings from the backup onto the newly-installed macOS, but in this case I would just manually copy the files I really needed/wanted from the backup. That is, I wouldn't copy all my system and user settings because I think they may be involved with the malware. However if I had a bunch of user accounts, I might consider using MA. I'd want to migrate user accounts and their documents, but not the system or user settings -- I just can't remember right now how much control you have with MA over what gets migrated, though I know there are some options. But it sounds like you might have just one user account, so "manually" copying files from the backup might not be too hard and would be safer, I think.

4. After the machine seems usable (and non-infected), I'd make another backup to a different disk (or at least a different partition) than the one I made in step 1. I'd do that because the manual copying of files might have missed something important and I might not realize that until a month or two later.

5. I'd erase the backup of the compromised system when I was confident I'd need nothing else from it.

Quite a lot of work, but I'd be confident the malware, whatever it was, would be gone!
 

Erick Silvio

macrumors newbie
Original poster
Jan 20, 2020
5
3
What about this: My computer is pretty new and doesn't have a ton of stuff on it. I'm thinking about saving all my work files onto Google Drive, then backing up all my media files (photos and stuff) on iCloud.

From there, I could restore the computer to factory settings.

I'd be losing maybe a couple unimportant apps which I could then easily download again.

Is there any reason why I shouldn't just try that? I've already backed up all my work files. It'll just be a matter of backing up my photos, videos and keychain.

What do you guys and gals think?