Unable to Remove Malware Crusher

Question

Level 1

11 points

Unable to Remove Malware Crusher

Hi,

I'm unable to remove Malware Crusher from my Macbook Air OS X El Capitan (10.16.11).

I'm very careful about what I download. I clicked on Abode Flash upgrade by mistake, and it installed this. Force quit won't kill the process.

I went to the command line, grabbed the PID and tried to kill it that way, but it keeps spawning new processes. I find nothing in /Library/LaunchDaemons or /System/Library/LaunchDaemons. Can you help?

I was a Unix sysadmin 16 years ago, so it's been a while. But I'm able to work off the command line.

TIA!

Rasana

MacBook Air (13-inch, Early 2014), iOS 8.1.1, My iOS is newer than drop-down menu

Posted on Jun 4, 2017 11:59 AM

Reply

Answer 1

KyleAu

Level 1

4 points

Oct 29, 2017 3:01 AM in response to rasana123

Forgot to mention that I was following this link:

How to Automatically remove Malware Crusher on macOS and Mac OS X?

to remove the mchlpr.exe

I tried the Malwarebytes some of you have mentioned, it helped remove some other malware, but not this one.

(as a mentioned in my last post, the package you downloaded and installed is actually a Malware bundle, not really an Adobe update package - so it's not Adobe's fault. To find it out yourself, install it again, but during the installation click on the 'View website' yourself. It should go to Adobe website, but what you see is a crap)

The Malware bytes found the following for me by the way. It's not directly relating to this problem but I think it's good to run it as it's free for 30 days.

Reply

Answer 2

rasana123 Author

Level 1

11 points

Jun 7, 2017 12:15 AM in response to Tesserax

Thank you so much for looking at this!

Hardware Information:ⓘ

MacBook Air (13-inch, Early 2014)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir6,2

1 1.4 GHz Intel Core i5 (i5-4260U) CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 742

Video Information:ⓘ

Intel HD Graphics 5000 - VRAM: 1536 MB

Color LCD 1440 x 900

System Software:ⓘ

OS X El Capitan 10.11.6 (15G1510) - Time since boot: about 2 days

Disk Information:ⓘ

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1 - ) <not mounted> : 210 MB

Recovery HD (disk0s3 - ) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 249.77 GB (77.23 GB free)

Core Storage: disk0s2 250.14 GB Online

USB Information:ⓘ

USB30Bus

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Thunderbolt Information:ⓘ

Apple Inc. thunderbolt_bus

Gatekeeper:ⓘ

Mac App Store and identified developers

System Launch Agents:ⓘ

[not loaded] 7 Apple tasks

[loaded] 152 Apple tasks

[running] 50 Apple tasks

[killed] 30 Apple tasks

30 processes killed due to insufficient RAM

System Launch Daemons:ⓘ

[not loaded] 47 Apple tasks

[loaded] 154 Apple tasks

[running] 69 Apple tasks

[killed] 20 Apple tasks

20 processes killed due to insufficient RAM

Launch Agents:ⓘ

[running] com.brother.LOGINserver.plist (? a1772de2 41ad4933 - installed 2016-07-06) [Lookup]

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-03-29) [Lookup]

[loaded] org.macosforge.xquartz.startx.plist (Apple Inc. - XQuartz - installed 2015-10-16) [Lookup]

Launch Daemons:ⓘ

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 840b5c7b - installed 2017-04-27) [Lookup]

[loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2017-04-18) [Lookup]

[loaded] com.macpaw.CleanMyMac3.Agent.plist (MacPaw Inc. - installed 2016-01-06) [Lookup]

[loaded] com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-02-22) [Lookup]

[loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2017-04-15) [Lookup]

[loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e cf9ce3fb - installed 2014-02-26) [Lookup]

[loaded] org.macosforge.xquartz.privileged_startx.plist (Apple Inc. - XQuartz - installed 2015-10-16) [Lookup]

User Launch Agents:ⓘ

[loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2015-04-30) [Lookup]

[loaded] com.macpaw.CleanMyMac3.Scheduler.plist (MacPaw Inc. - installed 2017-02-22) [Lookup]

[loaded] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2017-05-13) [Lookup]

[running] com.techyutils.mchlpr.plist (Techyutils Software Private Limited - installed 2017-05-30) [Lookup]

User Login Items:ⓘ

iTunesHelper Application (Apple, Inc. - installed 2017-05-16)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Google Drive Application

(/Applications/Google Drive.app)

Mail Application - Hidden

(/Applications/Mail.app)

SpeechSynthesisServer Application - Hidden

(/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks /SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app)

Internet Plug-ins:ⓘ

FlashPlayer-10.6: 25.0.0.171 (installed 2017-05-10) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-05-23)

Flash Player: 25.0.0.171 (installed 2017-05-10) [Lookup]

Default Browser: 601 (installed 2016-07-29)

SharePointBrowserPlugin: 14.7.2 (installed 2017-03-16) [Lookup]

PepperFlashPlayer: 25.0.0.171 (installed 2017-05-10) [Lookup]

JavaAppletPlugin: 15.0.1 (installed 2014-11-19) Check version

3rd Party Preference Panes:ⓘ

Flash Player (installed 2017-04-27) [Lookup]

Time Machine:ⓘ

Time Machine not configured!

Top Processes by CPU:ⓘ

6% kernel_task

5% WindowServer -daemon

3% Google Chrome Helper --type=renderer [and 14 more arguments]

2% Google Chrome

1% bird

Top Processes by Memory:ⓘ

546 MB kernel_task

378 MB Google Chrome Helper --type=renderer [and 14 more arguments]

194 MB Google Chrome Helper --type=renderer [and 14 more arguments]

156 MB Google Chrome Helper --type=renderer [and 14 more arguments]

123 MB Google Chrome

Top Processes by Energy Use:ⓘ

28.94 Google Chrome Helper --type=renderer [and 14 more arguments]

15.38 Google Chrome

7.08 WindowServer -daemon

6.08 Google Chrome Helper --type=gpu-process [and 13 more arguments]

5.86 Google Chrome Helper --type=renderer [and 14 more arguments]

Virtual Memory Information:ⓘ

507 MB Available RAM

103 MB Free RAM

3.51 GB Used RAM

404 MB Cached files

1.79 GB Swap Used

-----

Regards,

Rasana

Reply

Answer 3

Tesserax

Level 10

152,988 points

Jun 4, 2017 12:07 PM in response to rasana123

To help troubleshoot your Mac, I would suggest that you consider using EtreCheck and posting the resultant report for us to review. Since you were a Unix sysadmin previously, you may discover the location of this malware before we do.

You can download EtreCheck from here.
Start EtreCheck from a normal user account. Optionally, you can run it from a user account with Administrator privileges.
Select Options
Verify that the two options: "Ignore expected failures in Apple tasks" and "Hide Apple tasks are enabled." Note: They should be by default. You can skip this step the next time your run EtreCheck.
Select a problem from the drop-down menu to enable the "Start EtreCheck" button. Optionally you can add comments on what you are experiencing, especially to aide others with if you post the results.
Click on Start EtreCheck
Allow the program to run to completion.
When done, you should get a results report.
Select the "Share Report" icon.
Select Copy Report
Paste the report to your reply post.

In addition, I would suggest that you also consider using Malwarebytes to try to eradicate this from your Mac.

Reply

Answer 4

Tesserax

Level 10

152,988 points

Jun 7, 2017 7:45 AM in response to rasana123

The EtreCheck confirms your original post in that this malware is not being discovered. I am assuming that you also tried Malwarebytes to remove it, but that wasn't successful either ... correct?

If that's the case, I can only offer the following suggestions:

Remove CleanMyMac.
Remove all versions of Adobe Flash / Flash Player.
Remove Google Chrome
Do an Internet search on "Malware Crusher." See if it provides any useable articles for you to review.
Finally, if someone else has had this issue and found a solution, maybe they can chime in.

Reply

Answer 5

K Shaffer

Level 8

35,356 points

Jun 4, 2017 12:19 PM in response to Tesserax

Due to there being several 'malwarebytes' products through the link

you posted, one to 'free' mac product may be adequate from here:

Malwarebytes Anti-Malware for Mac

LEARN MORE DOWNLOAD

Best regards! 🙂

Reply

Answer 6

haize

Level 1

9 points

Jun 7, 2017 12:46 PM in response to Tesserax

com.techyutils.mchlpr.plist is running as a user launch agent and this is likely starting the Malware Crusher program. It's made by Techyutils and "mchlpr.plist" sounds like "Malware Crusher Helper.plist".

Make sure you have a current time machine backup of your data just in case something goes wrong, then boot into safe mode and try removing this item. Note this will only stop the program from automatically launching and the program itself will still be on the computer somewhere.

Reply

Answer 7

rasana123 Author

Level 1

11 points

Jun 7, 2017 7:43 PM in response to rasana123

This seems to have done the trick:

$ launchctl remove com.techyutils.mchlpr.plist

$ launchctl list | grep mchhlp

Now I need to find the program and remove it.

Sixteen years of being reporter/novelist, I'd forgotten how much fun this is. :-)

Rasana

Reply

Answer 8

K Shaffer

Level 8

35,356 points

Jun 8, 2017 12:58 AM in response to rasana123

The Malwarebytes for Mac had previous recognition of odd issues with

the main player behind the ungainly software in your Mac as seen by

use of Etrecheck report... re: 'Techyutils Software Private Limited'

A few articles last year by Thomas Reed, made mention of the products

and their purveyor; sometimes the certificate may not match the actual

source of the problem.

PCVARK plays dirty - Malwarebytes Labs

PCVARK plays dirty Posted: August 19, 2016 ... Private Limited," while the

Mac File Opener certificate belongs to "Techyutils Software Private Limited. ...

https://blog.malwarebytes.com/threat-analysis/2016/08/pcvark-plays-dirty/

A broad search using those words together shows where they belong,

and their claims do not appear to be substantiated in fact to be useful.

https://duckduckgo.com/?q=Techyutils+Software+Private+Limited&t=ffsb&ia=web

So their product 'remove malware crusher' and others, tend to look as

the cure to their bait. Some makers create an issue then offer $olutions.

Objective-See

As 'Whats Your Sign' shows, malware is signed with an Apple Developer ID belonging to 'Techyutils Software Private Limited.' More signed OS X malware ...

https://objective-see.com/blog/blog_0x12.html

So something of this ilk is behind some of the problem you've faced;

also those other untoward offerings whose makers suggest they are

a kind of 'fix' can be the cause of much unnecessary grief in macOS.

{cleanmymac, mackeeper, & other such items have a bad history here}

You may have to look into any archived backup which pre-dates these

problematic software additions to your Mac, if you use them to restore

your Mac; or simply re install the entire system and then make a full

backup including a bootable system clone on external enclosed HDD.

Good luck & happy computing! 🙂

Reply

Answer 9

KyleAu

Level 1

4 points

Oct 29, 2017 2:31 AM in response to rasana123

Hi Rasana,

I have the same problem, after clicking on a Adobe Update package a number of malwares are installed and I took pains to remove them but the the mchlpr just keeps restarting itself.

What I'd want to add is that the 'Adobe Update Package' you download is actually not the updater, just a bundle of malwares using Adobe's name and icon. I click on the package again but this time I visit the webpage (there's always one before you install dmg), and actually it leads to a some ******** webpage.

You can verify this by doing it yourself again - just that stop it before the final step.

Reply

Answer 10

thomas_r.

Level 7

32,001 points

Oct 30, 2017 11:38 AM in response to KyleAu

Actually, that very well may be the cause of the Malware Crusher pop-ups, as Advanced Mac Cleaner and Malware Crusher are made by the same scam company.

If you're still seeing Malware Crusher pop-ups, try restarting your computer, then do another scan with Malwarebytes.

Reply

Answer 11

KyleAu

Level 1

4 points

Nov 3, 2017 11:55 PM in response to thomas_r.

Thanks. Probably it is the same root cause but I did tried to run the Malwarebytes and restarted the OS as you said, but it was still there.

I cleaned it up by following the instructions I mentioned in the post, it was a bit painful because some steps are manual removal. But it really did the job.

Anyway it seems that the best way is to be 100% sure what you're doing before you install any software. A sudden pop-up, especially the ones apear when you're browsing a web, are very likely to be malware, though the icon, warning, etc., looks like a good one.

Reply

Answer 12

Tesserax

Level 10

152,988 points

Jun 6, 2017 2:20 PM in response to LAM09

Try using the ASC search feature. I just came up with this ASC post on this topic: How to get rid of malware crusher pop up

Reply

Answer 13

Tesserax

Level 10

152,988 points

Jun 5, 2017 7:47 AM in response to K Shaffer

Good point. Thanks!

Reply

Answer 14

LAM09

Level 1

17 points

Jun 6, 2017 3:55 AM in response to Tesserax

I tried Malwarebytes, but it doesn't find this Malware Crusher. It's very well hidden!

Reply

Answer 15

rasana123 Author

Level 1

11 points

Jun 7, 2017 1:36 PM in response to K Shaffer

That was the first thing I did. It did not help. I'm also traveling for 6 weeks, so I don't have access to my software CDs. Otherwise, I'd have just nuked this disk and copied data over.

Reply