How to delete the 'mshelper' malware from macOS
If your Mac is running hot and is consuming its battery at a higher rate than expected in recent days, you may be affected by 'mshelper.' AppleInsider explains how to check for the resource-consuming malware, and how to stop it from slowing down macOS.
New malware affecting macOS has started to circulate, with reports from Mac users on Apple's support forums and Reddit revealing systems are being affected by it. Affected Mac systems typically have their processor running at full tilt, which can prevent other software from working optimally due to resources being used on this unwanted program.
The high processor usage can also cause the Mac to run its fans constantly to try and cool everything down. For MacBook users, mshelper's interference also means the battery life will erode away faster than normal.
It is unknown what exactly mshelper is doing to utilize the processor at such a high rate, but speculation on the Apple support forum suggests it could be some form of adware, or possibly a program used for mining cryptocurrency on a victim's computer. Aside from using the processor, there also doesn't seem to be any other issues it causes on affected desktops, as is typical with ransomware.
As it isn't a virus, it is likely mshelper is distributed through an installation of another piece of software rather than spreading organically.
Once Activity Monitor is open, click CPU to bring up a list of processes currently using it, then click the Process Name tab to sort the list by alphabetical order. Scroll down the list until you reach where mshelper would appear alphabetically.
You can also click %CPU to sort the list by processor usage. As mshelper is a processor-intensive program, it should appear at the top of the list.
If it appears at all, then the next task is to eliminate it from macOS.
In Finder, select your Mac's internal storage, then select Library followed by the LaunchDaemons folder. Select com.pplauncher.plist and delete it.
The other file is also found in the Library, under Application Support then pplauncher. Select and delete pplauncher.
At this point, you can kill the process.
New malware affecting macOS has started to circulate, with reports from Mac users on Apple's support forums and Reddit revealing systems are being affected by it. Affected Mac systems typically have their processor running at full tilt, which can prevent other software from working optimally due to resources being used on this unwanted program.
The high processor usage can also cause the Mac to run its fans constantly to try and cool everything down. For MacBook users, mshelper's interference also means the battery life will erode away faster than normal.
It is unknown what exactly mshelper is doing to utilize the processor at such a high rate, but speculation on the Apple support forum suggests it could be some form of adware, or possibly a program used for mining cryptocurrency on a victim's computer. Aside from using the processor, there also doesn't seem to be any other issues it causes on affected desktops, as is typical with ransomware.
As it isn't a virus, it is likely mshelper is distributed through an installation of another piece of software rather than spreading organically.
Checking for mshelper
Open Activity Monitor, which can be found in the Applications folder under Utilities. Alternately, you can search for "Activity Monitor" in Finder, under a "This Mac" search.
Once Activity Monitor is open, click CPU to bring up a list of processes currently using it, then click the Process Name tab to sort the list by alphabetical order. Scroll down the list until you reach where mshelper would appear alphabetically.
You can also click %CPU to sort the list by processor usage. As mshelper is a processor-intensive program, it should appear at the top of the list.
If it appears at all, then the next task is to eliminate it from macOS.
Removing mshelper
While it is possible to kill the process, this is futile due to it automatically restarting once closed. One way to stop this from happening is to delete just two files buried in the Mac's library.In Finder, select your Mac's internal storage, then select Library followed by the LaunchDaemons folder. Select com.pplauncher.plist and delete it.
The other file is also found in the Library, under Application Support then pplauncher. Select and delete pplauncher.
At this point, you can kill the process.
Comments
And that's not even getting into malware distributed on non-free products, such as when Sony distributed rootkits on their music CDs. So, plenty of "legitimate" companies have distributed adware/malware with their products.
No operating system can truly prevent malware, because it would have to essentially never allow applications to run. There are whitelisting solutions that are configured to ensure only authorized applications run. MacOS currently uses a combination of partial-whitelisting through Gatekeeper and blacklisting through the built in XProtect software in MacOS since 10.6. This allows Apple to blacklist applications, and it periodically pushes out updates to this list which is stored at /System/Library/Core Services/CoreTypes.bundle/Contents/Resources/XProtect.plist
https://appleinsider.com/articles/17/05/08/handbrake-for-mac-developers-warn-of-potential-trojan-installation-following-server-breach
"then click the Process Name tab to sort the list by alphabetical order. Scroll down the list until you reach where mshelper would appear alphabetically."
Why not just type "mshelper" in the search field?
nunzy said: Well, technically no. IIRC there are one or two mac viruses, but in my book, malware and viruses are one and the same. I realize that there are technical differences, but in the end, it is code running on your machine doing something you don’t want and that you need to get rid of. There is definitely less malware on Macs than on Windows, but there’s enough to cause problems, so in the end it doesn’t matter because you still need to be careful and take precautions.
racerhomie3 said: And how do you tell if a developer is trusted or not? By their nice website?