Common loading points for viruses, worms, and Trojan horse programs on a Mac

The most effective way to prevent and detect threats is to have a Norton security product installed and its virus definitions up to date. If you think your computer is infected, check for any suspicious login items, files, or processes in some of the common places on your Mac as listed in this article.


Verify the Login Items and administrator accounts

  1. On the menu bar, click the Apple icon and select System Preferences.

  2. Under the System pane, click Accounts and review the list of Mac user account.

    You should disable the Guest Account, if the Administrator has not enabled it for any user of your Mac. Check any other user account that seems suspicious to ensure that it is a legitimate account for your Mac.

  3. On the top-right corner of the Accounts window, to look for any suspicious login items that have loaded, click Login Items.

    Review these items to verify that they are legitimate and logically named. Any login item that is suspicious and unknown should be investigated further. To reveal where on the drive the suspicious Login Item loads from, right-click on the item and select Reveal in Finder.


Check for unusual files at common loading points

  1. On the menu bar, click Go and select Go to Folder.

  2. In the dialog box that appears, type the location of the folders exactly as they appear in the list, and click Go.

    • /System/Library/LaunchAgents

    • /System/Library/LaunchDaemons

    • /System/Library/StartupItems

    • /Library/LaunchAgents

    • /Library/LaunchDaemons

    • /Library/StartupItems

    • ~/Library/LaunchAgents

    • ~/Library/LaunchDaemons

    The Property List files (.plist) that are in an XML format are displayed and can be reviewed with a text editor.

  3. In the LaunchAgents and LaunchDaemon folders, search for any .plist files that are named suspiciously, and then double-click to open them in TextEdit.

  4. In the TextEdit window, check for the <key>ProgramArguments</key> section to verify the location of the item loaded by the .plist file.

    If these items appear to be unknown or suspicious, submit the samples of the files that the .plist loads to Symantec Security Response.

    You need to submit the UNIX Executable file from the path that is indicated in the .plist file, for e.g. /Library/Application Support/Symantec/Silo/NFM/LiveUpdate/LUTool.


Look for any suspicious processes that are running on your Mac

  1. On the menu bar, click Go, and then select Utilities.

  2. Double-click Activity Monitor.

  3. Review the list for any processes that look suspicious to investigate further.

  4. In the top-right corner of the Activity Monitor, select one of the following from the drop-down menu:

    • To look for the processes that are associated with the logged in user account, select My Processes.

    • To check the processes that are associated with other user accounts on the Mac, select Other User Processes.

  5. To verify the open files and ports from where this process originates and what files it uses, select a suspicious process, and click Inspect.

  6. To quit the process, click Quit Process.

Thank you!

Thank you for using Norton Support.

< Back

The solution made it easy for me to handle my issue.

Yes No

Help us improve this solution.

Thank you for helping to improve this experience.

What would you like to do now?

Browse for solutions, search the Norton Community, or Contact Us.

DOCID: v59310362_EndUserProfile_en_us
Operating System: Mac OS X
Last modified: 12/03/2014