How to remove Mshelper malware on a Mac

What is Mshelper?

There are always times when a Mac can get too warm. Modern Mac operating systems seem to encounter that problem far less often than older versions and devices, and often when users do find that they have an excessively warm Mac, it means one or more programs are taking up more CPU or GPU than the device can handle.

Mshelper

Mshelper is a piece of Mac malware first discovered in 2018. Despite its small size, just 3.5 MB, it heavily drains CPU resources, which causes various performance issues on a Mac. The Mshelper virus is usually disguised as an innocent Flash Player update.

As a result, the internal cooling systems are overloaded, causing them to slow down, overheat, or even shut down to prevent irreparable systems or hardware damage. If you’ve been encountering that problem since around May 2018, it could be a sign that you’ve been infected with the Mshelper malware.

If you have an interest in cryptocurrency, have downloaded crypto mining software, or have downloaded an Adobe Flash Player that turned out to be fake, there is a risk the infection got onto your Mac that way. Security experts have found that this virus has been passed around through file sharing and torrent sites, crypto messenger platforms, and software installers and bundles.

What does Mshelper do?

It mines Monero, a cryptocurrency that’s been gaining popularity in recent years. As we mentioned, when you are infected with Mshelper, your Mac will run hot to the touch, and the processing speed when running other apps and systems will slow down. It will soon start to impact the productivity of your Mac and what it’s capable of doing.

Symptoms of Mshelper infection:

  • macOS slowdown
  • Loud fan noises
  • Heavy CPU load
  • Reduced battery life

Unlike other forms of malware, Mshelper is crypto mining software that is only focused on hijacking as much spare processing power as it can grab. It isn’t sharing system data or passwords with any command and control (C2) server; it simply uses resources it shouldn’t have to mine cryptocurrency for those controlling the program. This will also harm your Mac’s battery life, draining it more quickly than it did before the infection. Far from ideal, but there are much worse viruses around.

To get your Mac back to much better working order, we’ve put together ways you can remove Mshelper below.


How to remove Mshelper

You can remove Mshelper manually. Always be careful to delete the application causing the problem and not anything else. To check you’ve been infected, take a look at your CPU first:

  1. Go to Applications > Utilities.
  2. Click on Activity Monitor to open it.
  3. Go to CPU, and if it shows a higher activity rate than normal, scroll down under Process Name to find Mshelper.
  4. Looking under the %CPU tab should show this as taking up the bulk of your CPU capacity.

After you’ve found the Mshelper process, close it using the [x] button.

Now, stop Mshelper from autolaunching

Mshelper is able to clone itself. It places itself into the Launch Agents folder, where it continues operating in the background.

Mshelper and Launch Agents

Launch Agents is a folder on your Mac that contains small supporting applications working in the background. This is a common location for viruses on Mac.

Closing the app is pointless, as it will automatically restart when closed. It is designed to operate 24/7 to mine coins. Now that you know that your Mac has been infected, it can be removed manually by following these steps:

  1. Click on Finder and choose Go to Folder in the upper menu.
  2. Paste in /Library/LaunchDaemons/ and press Return.
  3. Within this folder, you should see com.pplauncher.plist. Take this to the Trash.
  4. Next, repeat the process for Library/Application Support. Find pplauncher and put it in the Trash.
  5. Then empty the Trash and restart your Mac.

When you’ve logged back in, go back to the Activity Monitor to check for any sign of Mshelper under the Process Name and %CPU tab.
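The same post-removal check can be run from Terminal. This is an added example, not part of the original article: a read-only script that looks for the two files named in the steps above and for a running process. It assumes the Application Support folder is the system-level one under /Library, like the LaunchDaemons path; the optional root-prefix argument and the match on a process named pplauncher are also assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only check for the Mshelper files and process named above.
# It deletes nothing; it only reports what is still present.

# Print each known artifact path that exists under the optional root prefix
# (the prefix is an assumption of this example, e.g. a mounted backup volume).
find_mshelper_artifacts() {
    root="${1:-}"
    for path in \
        "$root/Library/LaunchDaemons/com.pplauncher.plist" \
        "$root/Library/Application Support/pplauncher"
    do
        # -e matches a file or folder; -L also catches a dangling symlink
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Print PID and command of running processes named like the miner.
# Matching "pplauncher" as a process name is an assumption based on the file name.
find_mshelper_processes() {
    ps -A -o pid= -o comm= 2>/dev/null | grep -i -E 'mshelper|pplauncher' || true
}

# Return 0 when nothing is found, 1 when a file or process is still present.
mshelper_report() {
    files=$(find_mshelper_artifacts "${1:-}")
    procs=$(find_mshelper_processes)
    if [ -z "$files" ] && [ -z "$procs" ]; then
        echo "No Mshelper files or processes found."
        return 0
    fi
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/File still present: /'
    fi
    if [ -n "$procs" ]; then
        printf '%s\n' "$procs" | sed 's/^/Process running: /'
    fi
    return 1
}

mshelper_report "$@"
```

Run it without arguments to check the running system; a non-zero exit status means one of the files or the process is still there after the restart.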


Easier way: Destroy Mshelper with software

Some antivirus applications recognize the Mshelper, and some do not. For example, CleanMyMac X by MacPaw has been confirmed to effectively eliminate the virus. This will save you lots of time digging into system settings manually.

You need a copy of CleanMyMac X for this — get the app for free here.

Remove Mshelper the following way:

  1. Open the app.
  2. Click on Malware Removal.
  3. Click Scan.
  4. Click Remove.

Additionally, check the Launch Agents tool in the same app.

  1. Click Optimization.
  2. Click Launch Agents — the main location for Mshelper.
  3. Look for anything with pplauncher in its name.
  4. Click Remove.

Can you see Heavy Consumers within the same tab? Check out that one, too — it shows what apps drain your memory resources. Hopefully, not Mshelper anymore.

After that, your Mac will be operating at peak performance again. You should also find that you’ve got more storage space again for things you need. Do a regular malware scan to search for infections, as CleanMyMac’s virus list is updated regularly.
