
How to Actually Remove Malware From Your Mac

Hassanain

Let me save you some time. If you Googled "how to remove malware from Mac" you probably got a wall of articles telling you to clear your browser cache and restart. That is not going to cut it if you have an actual infection.

I have spent the last year building a Mac security tool, and in that process I have looked at hundreds of infected machines. Real infections. Not the "your Mac might be slow because you have too many Chrome tabs" kind. The kind where something is genuinely running on your system that should not be there.

Here is what actually works.

Step 1: Figure out if you are actually infected

Before you start deleting things, take a breath. Not every slow Mac is an infected Mac. Honestly, about half the people who think they have malware just have a runaway Chrome process or a Spotlight indexing job eating their CPU.

Open Activity Monitor (it is in Applications, then Utilities). Sort by CPU. If something unfamiliar is eating 50% or more of your processor and you cannot figure out what it is, that is suspicious. Write down the process name.

Now sort by Memory. Same drill. Anything unfamiliar consuming a lot of RAM gets noted.

If everything looks normal and your Mac is just slow, you probably do not have malware. You might need to close some apps or restart. I know that sounds dismissive, but it is genuinely the answer most of the time.

Step 2: Check your Login Items and Launch Agents

This is where malware hides. Seriously. If I had to pick one place where Mac malware lives, it is Launch Agents and Launch Daemons.

Go to System Settings, then General, then Login Items. Look at everything listed. If you see anything you do not recognize, that is a problem. But do not just remove it yet. Screenshot it first so you have a record.

Now open Finder, hit Cmd+Shift+G, and go to these locations one at a time:

  • ~/Library/LaunchAgents/
  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/

You will see a bunch of .plist files. Most of them are legitimate. Google unfamiliar ones. Malware launch agents often have names that look almost legitimate but are slightly off. Something like "com.apple.updateagent.plist" might be fake because Apple does not have a service called that.
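The same review can be scripted. The following is an added example, not code from CoreLock or from the original article: it parses every .plist in the three folders above and prints the ones worth looking up. It assumes python3 is installed, and the function names and the path and interpreter heuristics are illustrative choices, not a definitive list.

```python
import plistlib
from pathlib import Path

# The three locations listed in Step 2.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
# Assumed heuristics for this example; tune them for your own machine.
RISKY_PATH_PARTS = ("/tmp/", "/Users/Shared/", "/Downloads/", "/.")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "curl"}


def review_job(filename, job):
    """Return (program, reasons) for one parsed launchd job dictionary."""
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    reasons = []
    # Apple's own jobs normally live under /System/Library, not in these folders.
    if label.startswith("com.apple."):
        reasons.append("Apple-style label outside /System/Library")
    if filename != label + ".plist":
        reasons.append("file name does not match Label")
    if any(part in program for part in RISKY_PATH_PARTS):
        reasons.append("program runs from a temp, shared, download or hidden path")
    if Path(program).name in INTERPRETERS:
        reasons.append("runs through an interpreter: " + " ".join(args))
    return program, reasons


def audit(dirs=LAUNCH_DIRS):
    """Parse every .plist in dirs; return [(path, program, reasons)] for flagged jobs."""
    flagged = []
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with open(path, "rb") as fh:  # plistlib reads XML and binary plists
                    program, reasons = review_job(path.name, plistlib.load(fh))
            except Exception as exc:  # unreadable or malformed file
                program, reasons = "", [f"could not parse: {exc}"]
            if reasons:
                flagged.append((str(path), program, reasons))
    return flagged


if __name__ == "__main__":
    for path, program, reasons in audit():
        print(f"{path}\n  program: {program}\n  " + "\n  ".join(reasons))
```

A flag here means "look this one up", not "delete this one"; legitimate software can trip any of these checks.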

Step 3: Check browser extensions

Browser hijackers are the most common Mac malware by a wide margin. They do not technically infect your system deeply, but they redirect your searches, inject ads, and sometimes steal data.

In Safari, go to Settings then Extensions. In Chrome, go to chrome://extensions. Remove anything you did not install intentionally. And I mean intentionally. If you are not sure whether you installed it, you probably did not.

After removing extensions, reset your browser's homepage and default search engine. Some hijackers change these settings, and removing the extension alone does not undo those changes.

Step 4: Remove suspicious applications

Go to your Applications folder. Sort by Date Added. Anything recent that you do not remember installing should go. But do not just drag it to the Trash. Applications often leave behind support files in:

  • ~/Library/Application Support/
  • ~/Library/Preferences/
  • ~/Library/Caches/

You need to check these locations for folders matching the app name and delete those too. Otherwise the malware can reinstall itself.

Step 5: Run an actual scan

I am obviously going to recommend CoreLock here because I built it and I know exactly what it does. But I will be honest about what it offers that matters.

CoreLock scans your running processes, launch agents, browser state, network connections, and file system in one pass. It does not just match file hashes against a database. It looks at behavior. Is a process making network connections it should not be? Is a launch agent running from a suspicious location? Are your privacy permissions granted to apps that should not have them?

The free version catches the common stuff. Download it, run a scan, and it will tell you what it finds in plain language. Not cryptic threat names. Actual explanations like "this process is connecting to a known malware server" or "this app has microphone access but has no reason to."

Step 6: Check your network connections

This one gets overlooked constantly. Even if you have removed the malware files, some infections phone home through persistent network connections.

Open Terminal and run: lsof -i -P | grep ESTABLISHED

This shows all active network connections. Look for processes you do not recognize connecting to external IP addresses. If something called "helper" or "updater" is talking to an IP address in a country you have never visited, that is a problem.

CoreLock does this automatically and flags suspicious connections, but you can also do it manually.
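To make the manual check easier to read, the output of that command can be grouped by process with local traffic filtered out. This is an added example, not CoreLock's code or part of the original article; the function names are illustrative, the sample lines are constructed, and treating any unresolved hostname as external is an assumption.

```python
import ipaddress
import subprocess
from collections import defaultdict

# Loopback, RFC 1918, link-local and IPv6 local ranges count as internal.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in the format printed by `lsof -i -P`.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node      811 sam    23u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:3000->127.0.0.1:52110 (ESTABLISHED)
Safari    640 sam    41u  IPv4 0x1a2c      0t0  TCP 192.168.1.20:52200->192.168.1.1:443 (ESTABLISHED)
updater  1337 sam     9u  IPv4 0x1a2d      0t0  TCP 192.168.1.20:52311->203.0.113.7:8443 (ESTABLISHED)
updater  1337 sam    10u  IPv6 0x1a2e      0t0  TCP [fe80::1]:52312->[2001:db8::5]:443 (ESTABLISHED)
rapportd  402 sam     4u  IPv4 0x1a2f      0t0  TCP *:49152 (LISTEN)
"""


def is_external(host):
    """True when the remote host is outside the local ranges above."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # lsof printed a name instead of an IP (no -n flag); assume external.
        return host != "localhost"
    return not any(addr in net for net in LOCAL_NETS)


def external_connections(lsof_text):
    """Map 'COMMAND (pid N)' to its sorted external ESTABLISHED remote endpoints."""
    found = defaultdict(set)
    for line in lsof_text.splitlines():
        if "(ESTABLISHED)" not in line or "->" not in line:
            continue
        fields = line.split()
        command, pid = fields[0], fields[1]
        remote = fields[-2].split("->", 1)[1]  # NAME column is local->remote
        host, _, _port = remote.rpartition(":")
        if is_external(host):
            found[f"{command} (pid {pid})"].add(remote)
    return {proc: sorted(eps) for proc, eps in found.items()}


if __name__ == "__main__":
    out = subprocess.run(["lsof", "-i", "-P"], capture_output=True, text=True).stdout
    for proc, endpoints in external_connections(out).items():
        print(proc, *endpoints, sep="\n  ")
```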

What does not work

Let me be real about some popular advice that is not helpful.

Resetting SMC or NVRAM does not remove malware. These reset hardware controllers. Malware lives in your file system, not your hardware settings.

Reinstalling macOS over your existing install does not guarantee removal. Some malware survives this because it lives in user-space directories that the installer does not touch.

Clearing your browser cache does not remove infections. It might fix a browser redirect temporarily, but the underlying cause is still there.

Running XProtect alone is not sufficient. Apple's built-in protection is good but limited. It catches known malware signatures, but it does not do behavioral analysis, and its definitions update slowly.

When you should consider a clean install

If you have tried everything above and your Mac is still behaving strangely, a clean install of macOS is the nuclear option. And sometimes it is the right call.

Back up your files (documents, photos, things you created) to an external drive. Do not use Time Machine for this because Time Machine will back up the malware too. Then erase your drive through Recovery Mode and install a fresh copy of macOS.

After the clean install, manually move your files back. Do not restore from Time Machine. Install your apps fresh from their official sources.

It is a pain. It takes hours. But it guarantees a clean system.

Going forward

Once you are clean, the most important thing you can do is keep scanning regularly. Malware is not a one-time problem. New threats come out every week, and Mac users are increasingly targeted because attackers know most Mac users do not run any security software at all.

Set up a weekly scan. CoreLock can do this automatically in the background. It takes about two minutes and you do not have to think about it.

The best security is the kind you do not have to remember to use.
