Does my MacBook Pro have Malware?

Hi folks. I’m in a pickle here & know I’m not supposed to download Mac Virus/Malware Removal software but my Mac is definitely hijacked, so please any help & resolutions will be most appreciated!

I’m on late 2015 MacBook Pro intel running Monterey & writing from my iPad now cuz I can’t on Macbook.


Safari got really weird today. I logged into a respectable membership site that I've used before, and went to login into his Member Login link but received a Safari popup saying I had to download a font. "Safari needs to download the font "Nanum Gothic." "Nanum Gothic" is 7.2 MB"

Of course I didn't click on it but had to force quit Safari as it became disabled. What is this?


I tried to report this on our Apple community site and add screenprint but the site soon became dysfunctional as I couldn’t add the screen shot, then my cursor insertion point began jumping, and soon I got kicked out and couldn’t log back in.

I tried to access Apple Community from Firefox, which worked a min then also became dysfunctional.


Also, my mouse has been acting weird sometimes for a week. The pointer occasionally doesn't respond like it should. So I clear history on Safari and made sure I had no extensions or unidentifiable apps installed and rebooted whenever it happens but it recurs eventually.


Sometimes I think it’s related to the dreaded Facebook who I hate but began using recently for a finance group I’m in and it always seems to make Safari really bog down and act weird so God only knows what comes through that degenerate company's platform. I posted something controversial on there yesterday and now suddenly today my browsers are toast.


The only other things I've done differently is download Interactive Brokers TWS from their site, as well as the LedgerLive apps, both having to bypass Gatekeeper but extremely reputable sites.


That said, the one thing I did just before these glitches began was watch a lame sales pitch video from Grant Cardone who emailed me a ridiculous number of times with links so THAT could be the culprit if I got a bad email.


There's definitely a Virus or something on my MacBook and all forum posts always say DON'T INSTALL VIRUS REMOVAL SOFTWARE, so how then do I get rid of this?

Any ideas what's going on & what to do to protect my Mac?


Thanks for any help!


BTW, I haven't been blocking cookies because Apple doesn't allow selective blocking anymore and some sites I need won't work with it checked. Apple used to have more cookie blocking options I thought.


[Re-Titled by Moderator]

MacBook Pro 15″, macOS 12.4

Posted on Jun 25, 2022 11:25 AM


Jun 25, 2022 2:02 PM in response to Dogs2cents

Give this a try: boot into Safe Mode according to "How to use safe mode on your Mac" and test to see if the problem persists. Reboot normally and test again.


NOTE: Safe Mode boot can take up to 3 - 5 minutes as it's doing the following:

• Verifies your startup disk and attempts to repair directory issues, if needed

• Loads only required kernel extensions (prevents 3rd party kernel/extensions from loading)

• Prevents Startup Items and Login Items from opening automatically

• Disables user-installed fonts 

• Deletes font caches, kernel cache, and other system cache files


Jun 25, 2022 1:02 PM in response to Dogs2cents

I've asked the hosts to remove the center image as it shows your personal email address. Never post such information on an open forum. Spammers and crooks love getting their mitts on live, verified info like that.


Yes, it's normal for the idmsa.apple.com page to appear if you've logged out of these forums, or shut down the browser and then launched it again. While you could still look through posts here, you would have to first log back in before you could post any new content.


Since anything with a login isn't working, it's possible the Keychain data on your Mac got mangled somehow.


To do a quick test, open the System Preferences, then click on Users & Groups. Click the lock and enter your admin password. Click the + button to make a new account. Standard is fine. Name it any ol' thing with a simple password (minimum 4 characters required).


With the new account ready, log out the main account and login to the new one. Try accessing your various sites. Though this may not prove much since it would be sharing the same keychain data. When you're done testing, you can return to the main account and delete the test account.

Jun 25, 2022 1:58 PM in response to Dogs2cents

My guess is the keychain data is corrupt. In case that's not it, don't just delete them. Go to this folder:


/Users/your_account/Library/Keychains


Copy the Keychains folder somewhere so you have a backup.


Close all apps and open Keychain Access in the /Applications/Utilities folder.


Delete all login and Local Items. Close Keychain Access.


Now try revisiting your sites. You'll of course have to re-enter login info for many of them. But if everything now works, that pretty well proves the keychain data was hosed.


If not, you can close down all apps and return the copied keychain back to its normal location so it's back where it was without having to re-enter everything.
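The backup and restore steps from the reply above, as an added shell example that is not part of the original thread: it copies the Keychains folder, verifies the copy before anything is deleted, and on restore moves the current folder aside instead of overwriting it. The function names, the Desktop backup location and the `KEYCHAIN_DIR` / `BACKUP_ROOT` overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are assumptions; override the
# two variables to point somewhere else (for instance an external drive).
KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/Library/Keychains}"
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/Desktop}"

# Copy the Keychains folder to a timestamped backup and verify it.
# Prints the backup path on success so it can be passed to restore_keychains.
backup_keychains() {
    if [ ! -d "$KEYCHAIN_DIR" ]; then
        echo "no keychain folder at $KEYCHAIN_DIR" >&2
        return 1
    fi
    dest="$BACKUP_ROOT/Keychains-backup-$(date +%Y%m%d-%H%M%S)"
    if [ -e "$dest" ]; then
        echo "backup already exists: $dest" >&2
        return 1
    fi
    cp -Rp "$KEYCHAIN_DIR" "$dest" || return 1
    # The files hold stored credentials: make the copy readable by the owner only.
    chmod -R go-rwx "$dest" || return 1
    # Compare every file before trusting the backup.
    if ! diff -r "$KEYCHAIN_DIR" "$dest" >/dev/null; then
        echo "backup does not match the original" >&2
        return 1
    fi
    echo "$dest"
}

# Put a backup back in place. The folder currently in use is renamed, not
# deleted, so the test can be undone in either direction.
restore_keychains() {
    src="$1"
    if [ ! -d "$src" ]; then
        echo "no such backup: $src" >&2
        return 1
    fi
    if [ -e "$KEYCHAIN_DIR" ]; then
        mv "$KEYCHAIN_DIR" "$KEYCHAIN_DIR.replaced-$(date +%Y%m%d-%H%M%S)" || return 1
    fi
    cp -Rp "$src" "$KEYCHAIN_DIR" || return 1
    diff -r "$src" "$KEYCHAIN_DIR" >/dev/null
}
```

Run `backup_keychains` with all apps closed before opening Keychain Access, keep the path it prints, and pass that path to `restore_keychains` if the test changes nothing.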

Jun 25, 2022 11:37 AM in response to Dogs2cents

You don't have a virus. That is self-replicating malware which doesn't exist in the Mac OS.


Cookies are harmless. It doesn't matter how many you get rid of, which ones, or none at all.


Nanum Gothic, as Tom Gewecke notes here, is a Korean script font not on your system. Safari asked to install it so the page you were on would display correctly. You can download and install it for free if you want.


Refusing to let Safari download a font can't in any way have disabled it. Hold down the Shift key and launch Safari. That tells it not to attempt loading any previous pages from the last session.


Sounds like your mouse has gone bad, or needs new batteries.

Jun 25, 2022 2:45 PM in response to Dogs2cents

Please don't tell me I have to reinstall Monterey... :o(

Okay, you don't have to reinstall Monterey. 😁


That was part of the purpose of creating a new account. If the OS itself is damaged, you would very likely have the same issue in the test account you created. Since you didn't, then that points to the issue being in your normal account and reinstalling the OS won't change anything there.


That brings us back to possibly corrupt keychain data, or corrupt preference files. Or, possibly both. But testing the keychain data is easy, and a safe test, since you can first create a backup. It either works, or it doesn't. If not, you can copy your previous keychain folder back.

Jun 25, 2022 12:53 PM in response to Kurt Lang

Thanks Kurt, but I don’t need Korean font and it’s highly unlikely that one link on this American site requires it suddenly.

But even if it does, when I click your link to download it I only get a white google page. See attached. Sorry it’s gigantic here🤷🏻‍♀️

Also, I’m on my Macbook trackpad which is fine everywhere else.

Lastly, I cannot log into Apple on my Mac browser so I’m still forced to use iPad to reply here. Multiple weirdnesses:

Apple Community login gives me AppleID popups (see attached) to enter my Macbook password (not AppleID psswd).

When I enter it, then it says my session is timed out. (see attached).

I now notice the url has idmsa.apple.com. Is that normal? Doesn’t look normal.


[Image Edited by Moderator to Remove Personal Information]

Jun 25, 2022 12:38 PM in response to Dogs2cents

Also now it seems I cannot login to ANY of my membership sites.

Every single one of them, when I enter my credentials from keychain just loops me back to the login screen with blank fields.

Almost like my keychain is under attack.

The more I try to use Safari the worse it gets.

Re: the font popup disabling Safari, it actually did. I couldn’t do anything else in it without selecting either popup option and had spinning rainbow wheel. Had to force quit.

Jun 25, 2022 2:05 PM in response to Kurt Lang

Thanks again Kurt. Before I try that, can you tell me if it's the same fix if my User account is corrupted?

I'm thinking that may be it because of another older Safari problem that I have another thread open for.

My Handoff stopped working when I upgraded this MacBook from Mojave to Monterey a couple weeks ago.

But when I logged in with the new test user I saw that Handoff works under that account!


Please advise. Much appreciated!

Jun 25, 2022 3:00 PM in response to Kurt Lang

That’s a relief cuz my wifi is not consistently stable where I’m living.

Also now I can’t even login to Apple forum on iPad so I’m on phone. My last device. I feel like my whole iCloud account is corrupt because I’ve had many random sync & handoff errors across all devices for awhile. Even deleted all Notes and Apple never could come back with a fix so had to rebuild.

I’m at my wits end. I’m not a tech.
