As Apple released macOS Catalina, another version of its operating system, on October 7, the regular reviewers came up with details on its new features such as splitting iTunes into Music, Podcasts and TV or voice control as big accessibility and performance boost. Meanwhile, too many regular users reported a range of issues they faced on updating to macOS 10.15. The complaints mentioned persisting popups the users could not get rid of for good.

MacOS Catalina 10.15 update popup

The users concerned labeled the popups like “navlibx will damage your computer” a Catalina update notice or a macOS 10.15 popup. Just in case, macOS 10.15 is another name for macOS Catalina, the 16th major release of macOS replacing macOS Mojave released back in 2018. The Mac security industry finally has noted the problem. However, many researchers rather promoted the opinion that the popups had emerged before the update. They claimed the macOS Catalina simply inherited them.

This way or another, users cannot get rid of MAFTASK (helpermcp, helperamc, SPCHLPR) popups and suchlike notifications. The popup, apart from saying the threat it mentions “will damage your computer”, also suggests removing the threat to the Bin. Remarkably, the notification also observes the file uploading date is unknown. Perhaps, that is the reason for speculating whether the popup emerged before or after the sixteenth major macOS update.

Whether you click Move to Bin or Cancel button, the popup returns in a while. Here comes another uncertainty. It is not clear if the MAFTASK removal or another cleanup takes place. It might be a fake popup. It might be a removal failure for actual threat. Both cases suggest malware remains on macOS Catalina.

It never rains but it pours. A typical user dealing with this “will damage your computer” popup sees multiple alerts mentioning different names of alleged threads like HIPRADE, SPCHLPR, MAFTASK. The popups keep emerging at such a frequency that disables any meaningful activities.

As regards the removal of HIPRADE, SPCHLPR, MAFTASK, and suchlike popups, the allegations that the threats reported exist for real might sound controversial. In fact, the users concerned have tried to follow the macOS in-house removal workflow. Since the popups claim the threat goes to the Bin, checking the Bin and removing the malware from it might be reasonable. This roundabout has failed, though. The users trying to remove macOS Catalina 10.15 update popup this way have not found in their Bin any traces of the threat reported.

Should we suspect annoyware? No, we rather should not. There is adware around, but the annoying alerts on various threats are genuine. It is rather that the removal of MAFTASK trojan or another adware with clicking the Move to Bin button in macOS Catalina fails.

Let’s see how to remove the threats for good with Activity Monitor taking MAFTASK as an example.

How to remove MAFTASK from Activity Monitor?

MAFTASK is not a stand-alone piece of software. It is a supplement to Mac Auto Fixer, a renowned piece of adware. The threat has been around since 2018. It might readily be the case that the adware could not spawn any process in previous macOS versions. Somehow, it managed to surface in macOS Catalina.

To get rid of MAFTASK trojan, use Activity Monitor following the guide below.

The other names of threats mentioned above have basically the same background. You may also encounter other malicious entries reported by the macOS. The workaround below fits all such cases; you just need to change the names.

Let’s proceed to killing MAFTASK process. Here is your step-by-step guide.

Step 1. At the Dock, open Utilities (or press Shift-Command-U).


Step 2. In Utilities, click the Activity Monitor icon.

Instead of steps 1 and 2, you may want to use the following workaround. Press Cmd and Space simultaneously to launch Spotlight. Start typing the name of the app (a couple of opening letters would do) and strike Return. That’s it.

Step 3. Once in the Activity Monitor menu, go to the CPU tab.

Step 4. Scroll through the list of the processes to find the one named maftask.
Step 5. Click the Force Quit button at the top of the window.

That’s it. Oops… Not really. The adware actually keeps running in the background. Courtesy of security enthusiast JOHN LEES (http://www.johnlees.me/) we now know there is a rub and how to deal with it. To kill MAFTASK for good, eradicate its background instances with the following command:
launchctl unload ~/Library/LaunchAgents/com.pcv.hlpramcn.plistrm ~/Library/Application\ Support/amc/ MAFTASK.app

Execute it in the Terminal. The next section will show you how.

How do you close Helperamc / helpermcp?

Helperamc and helpermcp are other instances of supplementary files. They support adware like Advanced Mac Cleaner. These files survive direct removal running their daemon. Daemon is an app operating in the background so as to safeguard its parent app. That is why direct removal of Helperamc or termination of its process fails to resolve the issue. However, killing the exposed Helperamc process might be a critical preliminary. Use the guidance above substituting MAFTASK with helperamc / helpermcp. Once you have completed killing the process, proceed to removing the adware altogether using Terminal.

The command killing helperamc / helpermcp is the same as quoted above. Just put the correct name in the end. This variable changing subject to the particular adware you target is highlighted.

launchctl unload ~/Library/LaunchAgents/com.pcv.hlpramcn.plistrm ~/Library/Application\ Support/amc/ helpermcp.app

How do you remove helpermcp using Terminal?

Let’s proceed to the removal of MAFTASK adware. Here is your step-by-step guide.
Step 1. At the Dock, open Utilities (or press Shift-Command-U).


Note this step is the same as for killing the process. Removal of the adware proper shall follow its process termination shortly after. Otherwise, the process might relaunch and block the removal.

Step 2. In Utilities, click the Terminal icon.

Step 3. Paste the following string into the Terminal.

launchctl unload ~/Library/LaunchAgents/com.pcv.hlpramcn.plistrm ~/Library/Application\ Support/amc/ helpermcp.app

Step 4. Hit Return or Enter to execute the command.

That’s it!

Again, the adware you try to remove has two ways to block your removal attempts. It would try to keep its process running. Removal is impossible for an app that keeps executing its process. The other way the adware survives leverages its daemon. The daemon runs in the background and ensures the integrity of its parent program. To remove a daemon-backed app for good, use the Terminal removal method above. Please note the Terminal removal for same adware shall follow shortly after terminating its process in the Activity Monitor. Otherwise, a running process prevents the app from being removed.

What is SPCHLPR / HLPRADC on my Mac?

SPCHLPR and HLPRADC make another pair of names the macOS reports in its system security alert reading “xxxxxxx will damage your computer”, where xxxxxxx represents the name of the threat reported by macOS. Again, these popups chiefly occur in the macOS Catalina. The threats reported are true and pertain to Advanced Mac Cleaner and similar adware.

Sending such a threat to the Bin does not remove related adware, because it is backed with a daemon. We use the macOS Terminal command to eradicate the adware.

Let’s take one of these names as an example to make a recap of the above adware removal guides. It is critical to apply the entire workflow to a single threat. Removal of a daemon-backed adware is meant to be a two-stage process.

First, kill the SPCHLPR process with Activity Monitor.

Open Activity Monitor, find and kill the SPCHLPR process.
Second (please do not linger), get rid of SPCHLPR proper with Terminal.

To remove SPCHLPR adware for good, place the following string into the Terminal, and hit Enter or Return:

launchctl unload ~/Library/LaunchAgents/com.pcv.hlpramcn.plistrm ~/Library/Application\ Support/amc/spchlpr.app

Leave a Reply