Remove Mac Apps

A Technical Site Providing Uninstall Tutorial For Mac OS X

Security Issue

‘mshelper’ Infects Your Mac? Here’s How to Remove It

  • George
  • May 29, 2018

Recently a new cryptominer malware dubbed ‘mshelper’ was discovered by some Mac users, whose devices were exploited by this software to mine Monero cryptocurrency.

A cryptominer is a kind of malware that typically sneaks onto users’ devices and consumes system resources to mine cryptocurrency without their knowledge. Once it gets onto your device, it monopolizes the CPU and other system resources, which makes your device run slowly, become unresponsive or overloaded. The continually high processor usage can also prevent other apps from working normally, make your Mac’s fans run faster, and drain the battery more rapidly.

If your Mac is running hot and draining its battery faster than ever before, check whether it has been infected by the ‘mshelper’ malware.

Here’s how to detect and remove this malware from your compromised Mac:

  • Run Activity Monitor from the /Applications/Utilities folder in Finder (or via Spotlight).
  • Click the CPU tab in Activity Monitor, then click the %CPU column to sort the list by CPU usage, or click Process Name to sort it alphabetically.

If a process labeled ‘mshelper’ appears in the list, that means your Mac has been infected, and the next step is to eliminate this malware from macOS. Note that simply quitting it in Activity Monitor cannot stop it from automatically launching again.

  • Open a Finder window, click Go in the top bar and then choose Go to Folder.
  • Type ‘/Library/LaunchDaemons/’ in the box and click the Go button to open that folder.
  • Search for the file named ‘com.pplauncher.plist’. You can click the Search icon in the upper right corner of the window and type ‘pplauncher’ in the search box.
  • Once you locate the file, right click on it and choose Move to Trash.
  • Head to the ‘/Library/Application Support/pplauncher/’ directory by following the same steps, then locate a file named ‘pplauncher’ there and delete it as well.

The full path of involved files:
/Library/LaunchDaemons/com.pplauncher.plist
/Library/Application Support/pplauncher/pplauncher

You can restart your Mac after deleting them, and then launch Activity Monitor to see if the ‘mshelper’ process still exists. You should have got rid of this malware now.
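
The same check and cleanup can be done from Terminal. The script below is an added example, not part of the original article: it looks for the two files listed above and for a running ‘mshelper’ process. The ROOT argument, the MSHELPER_ROOT variable and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original article. ROOT is an assumption of
# this sketch: "/" for the running system, or the mount point of a volume.

# Relative paths of the two files named in the article.
mshelper_paths() {
    printf '%s\n' 'Library/LaunchDaemons/com.pplauncher.plist' \
                  'Library/Application Support/pplauncher/pplauncher'
}

# Print each listed file that exists under ROOT, one per line.
# Paths are read line by line because "Application Support" has a space.
find_mshelper_files() {
    root=${1:-/}
    mshelper_paths | while IFS= read -r rel; do
        if [ -e "${root%/}/$rel" ]; then printf '%s\n' "${root%/}/$rel"; fi
    done
}

# Succeed if a process named exactly 'mshelper' is running.
mshelper_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x mshelper >/dev/null 2>&1
}

# Print findings for ROOT; return 1 if any indicator is present, else 0.
mshelper_report() {
    rc=0
    found=$(find_mshelper_files "${1:-/}")
    if [ -n "$found" ]; then printf 'Files present:\n%s\n' "$found"; rc=1; fi
    if mshelper_running; then echo "Process 'mshelper' is running"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "No mshelper indicators found"; fi
    return "$rc"
}

# Delete the listed files under ROOT (needs root privileges on a live Mac).
# On the running system the LaunchDaemon is unloaded first, since launchd
# is what relaunches the process after it is quit.
remove_mshelper() {
    root=${1:-/}
    plist="${root%/}/Library/LaunchDaemons/com.pplauncher.plist"
    if [ -z "${root%/}" ] && [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    find_mshelper_files "$root" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Read-only check when the script runs; removal is a separate, explicit call.
mshelper_report "${MSHELPER_ROOT:-/}" || true
```

Running the script only reports; call remove_mshelper / with root privileges once the report confirms the files are present.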

It is not clear how ‘mshelper’ gets onto affected users’ Macs, but the most likely cause could be suspicious downloads and accidental clicks. To keep your Mac from being compromised, you are strongly advised to install software via the Mac App Store or download apps from official websites and trusted developers.
