There’s malware called ‘mshelper’ currently targeting Macs, according to security firm Intego. This malware is likely being spread by fake Flash installers, though Intego said only that this might be the case. mshelper is cryptomining malware that uses your CPU to mine Monero in the bad guy’s name, which is also known as cryptojacking.
You might have been infected with mshelper (or another cryptojacker) if your Mac’s fans rev up to full speed and your Mac starts putting out a lot more heat. You’d be able to see it listed in Activity Monitor if you sort your processes by CPU. Here’s a screenshot of what that might look like, provided by Intego:
Intego’s antiviral software—VirusBarrier—eliminates the malware, which it identifies as OSX/mshelper. The company also provided instructions for removing it if you don’t use VirusBarrier.
How to Remove mshelper from Mac
For those that do not use VirusBarrier and want to manually check for infection, here is the list of components to look for:
Library > LaunchDeamons > com.pplauncher.plist (file)
Library > Application Support > pplauncer (folder)
private > tmp > mshelper (folder) this is a temporary directory mshelper is installed in but should still be checked.The private and tmp directories are hidden by macOS, so to search there you will have to use “Go to Folder” from the Finder’s Go menu. Then simply type the following:
/private/tmp/
or
/tmp/
Both commands will land you in the same folder. Now you can search for the mshelper folder and delete it.
If any of the above components were found, delete them and empty your Mac’s Trash. Now simply restart your Mac, and the irregular processor / fan behavior should be back to normal.
Here’s a video from Intego on avoiding cryptojacking on your Mac.
Thanks for the PSA, Bryan.
Happily, I do use VirusBarrier.