How to remove the Coinhive malware

Coinhive is a cryptocurrency miner that can be downloaded without the user’s knowledge and steal computing resources to generate revenue in the form of cryptocurrency. It’s often used for cryptojacking.

What is Coinhive?

Coinhive is a JavaScript library that can be used by website owners to mine for cryptocurrency in order to generate revenue. However, it has also been embedded into browser extensions and bundled with other software downloads in order to cryptojack unsuspecting computer users.

Cryprojacking is a form of theft, where malware downloaded without the user’s knowledge steals resources like CPU cycles, memory, and network bandwidth in order to solve cryptographic puzzles and mine for cryptocurrency for the benefit of the malware distributor.

It has been reported that it can consume more than 90% of CPU and GPU cycles, meaning any computer that has it installed is likely to slow down or freeze.

Tip

Cryptocurrency miners are known to reduce processing power and slow down your Mac. Luckily, there are new antivirus tools that block this kind of activity. The latest one is CleanMyMac X by MacPaw software. According to MacObserver, it is able to switch off suspicious Launch Agents that operate in the background. This means that cryptocurrency miners can’t automatically launch when you start up your Mac.

How do I know if I have been infected by the Coinhive miner?

Here are a few of the symptoms.

  • Your web browser uses an unusually high percentage of CPU cycles (you can check this by launching Activity Monitor from Applications>Utilities and clicking on the CPU column header)
  • You notice your Mac connecting to coinhive.com/lib/coinhive.min.js
  • Applications take longer than usual to launch
  • Your Mac runs much more slowly
infected by the Coinhive miner

How did it get on my computer?

There are two main methods of distribution: browser extensions and bundling code with other applications. If you install a malicious browser extension, it can hijack your browser and change settings, as well as install the code necessary for cryptojacking.

Bundling is a common method used to distribute malware. It can happen when applications that were once popular but are no longer updated are cracked by hackers who then inject code so that they become trojans for their malware. Bundling also occurs when download managers use by software download sites package up additional programs with the one you intended to download, so that you install them without realizing.

How can I avoid Coinhive

How can I avoid Coinhive?

To avoid downloading it you should be vigilant about which browser extensions you install – check carefully before you agree to download and install them. You should also take care when downloading programs from free download sites. Don’t use proprietary download managers, which always bundle extra programs with the app you choose to download. And don’t ignore the message from GateKeeper when it tells you that you are about to install an application downloaded from the internet. Read it carefully and make sure the app you are installing is the one you intended to install.

You should also install anti-malware software that scans your Mac in the background and alerts you if it spots anything dangerous. I use CleanMyMac X’s real-time monitoring. Once switched on, it protects your Mac by monitoring what you do and comparing anything you download with its database of known malware. 

How to remove Coinhive from your Mac

There are two methods you can use to remove Coinhive, the easy, automatic method, and the longer manual route. The automatic method means using an anti-malware tool to scan your Mac and remove any malware it finds. I recommend CleanMyMac. In addition to the real-time monitoring described above, you can use it to scan your Mac for malware at any time, using its malware removal utility. It also has tools to quickly remove browser extensions and other files that a crypto jacker may have stored on your Mac. Here’s how to use it.

How to remove Coinhive from your Mac
  1. Download CleanMyMac and then follow the instructions on-screen to install it.
  2. Launch it from your Applications folder and choose the Malware Removal module in the sidebar.
  3. Press Scan.
  4. When it’s finished, if it has found anything CleanMyMac will tell you and you can remove it with one more press.

To remove a browser extension with CleanMyMac X:

  1. Choose Extensions in the sidebar.
  2. Click View Extensions in the main window.
  3. Select the browser whose extensions you want to remove.
  4. Locate the extension you want to get rid of and check the box next to it.
  5. Press Remove.

Do you see how easy it is? Now, here’s the how to remove Coinhive malware manually.

  1. If you think you acquired Coinhive by downloading software, go to your Applications folder and locate the application you downloaded just before you noticed problems with your Mac.
  2. Drag it to the Trash and empty it.
  3. Go to the Finder, choose the Go menu and select Go to Folder. Paste each of the following locations into the box, one at a time, and look for any files in the folders that have the name ‘coinhive’ in them.

~/Library/LaunchAgents

 /Library/LaunchDaemons

/Library/Application Support

~/Library/Application Support

That will remove any trace of the app from your Mac. However, if Coinhive has installed a browser extension, you will need to remove that too. Here’s how.

remove Coinhive from mac

Safari

  1. Click on the Safari menu and choose Preferences, then Extensions.
  2. Locate any suspicious extensions, select them and choose Uninstall

Chrome

  1. Paste the following URL into the address bar: chrome://extensions
  2. Look for any extensions that seem suspicious or you didn’t install.
  3. Press Remove next to any extension you want to get rid of.

Firefox

  1. Navigate to the extensions settings by pasting this into the address bar: about:addons
  2. Choose Extensions and locate the one you want to get rid of.
  3. Click on the three vertical dots to the reight of the extension and choose Remove.

Coinhive is a crypto miner, often used to hijack resources to generate revenue for hackers. It will slow your Mac down and make it behave erratically. You can avoid downloading by taking the precautions described above. But if you do download it, the easiest way to get rid of it is to use CleanMyMac’s Malware Removal module.

CleanMyMac X
CleanMyMac X

Your Mac. As good as new.