Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: What is mshelper?

Hi - I have mshelper constantly showing in CPU of Activity Monitor at super high levels. I probably wouldn't have noticed except I installed BitDefender today and it's continuously showing me that it's deleting it!


I can't find too much online about it, bu the little suggests it's malware, how do I get rid of it though!


I've tried Malware Bytes which doesn't detect anything!


Activity Monitor

Dropbox - Screenshot 2018-05-15 17.22.25.png


AntiVirus For Mac

Dropbox - Screenshot 2018-05-15 17.26.07.png


Any help would be appreciated!


I've also got CoinMiner showing up a lot and being deleted, but again keeps coming back!


https://www.dropbox.com/s/l2ieww49qcjrh4j/Screenshot%202018-05-15%2017.29.46.png ?dl=0


I can't work out how they're being found and deleted, but keep coming back soon after!!


Thanks!!

Posted on

Reply
Question marked as Solved
Answer:
Answer:

Run and post a diagnostic report.


Please run EtreCheck and post the report here.

https://etrecheck.com

Click “Free Download” button, open Downloads folder, click on it to open, and then select ”Open”.

Click on the bouncing EtreCheck icon in the Dock.

“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.


Click “Share Report” button in the toolbar, select “Copy to Clipboard” .

Paste it into the reply.

Posted on

Page content loaded

Question marked as Solved

May 15, 2018 4:30 AM in response to RonEdwards In response to RonEdwards

Run and post a diagnostic report.


Please run EtreCheck and post the report here.

https://etrecheck.com

Click “Free Download” button, open Downloads folder, click on it to open, and then select ”Open”.

Click on the bouncing EtreCheck icon in the Dock.

“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.


Click “Share Report” button in the toolbar, select “Copy to Clipboard” .

Paste it into the reply.

May 15, 2018 4:30 AM

Reply Helpful (1)

May 15, 2018 6:19 PM in response to dominic23 In response to dominic23

Thanks Dominic. You know what - I didn't even think about etrecheck - I have it, but only used it once. Blow me down, it found the malware immediately and allowed me to get rid - how is it that malwarebytes and bitdefender couldn't do that?!?!


I also found a couple of other minor things, so thanks for the suggestion - I also bought a license, well worth it!


Thanks!

May 15, 2018 6:19 PM

Reply Helpful

May 15, 2018 7:38 PM in response to dominic23 In response to dominic23

Hello,


I have the same issue here. Malwarebytes couldn't find anything. I used Sophos and it detected and blocked the malware but couldn't fix it for good - every time I restarted my laptop, Sophos would report the problem again and I had to click "Clean".


EtreCheck was able to point out mshelper and here it is:


Top Processes by CPU:

Process (count)

Source

% of CPU

mshelper

?

292

installd

Apple

106

shove

Apple

61

kernel_task

Apple

15

WindowServer

Apple

12


Top Processes by Memory:

Process (count)

Source

RAM usage

kernel_task

Apple

1.16 GB

Safari

Apple

508 MB

mdworker (18)

Apple

358 MB

SophosScanD

?

307 MB

Adobe (4)

?

253 MB


Top Processes by Network Use:

Process

Source

Input

Output

mDNSResponder

Apple

34 KB

32 KB

SophosMcsAgentD

10 KB

43 KB

Mail

Apple

17 KB

6 KB

apsd

Apple

10 KB

13 KB

SophosEventMonitor

6 KB

2 KB


Top Processes by Energy Use:

Process (count)

Source

Energy usage (0-100)

mshelper

?

145

WindowServer

Apple

2

Activity Monitor

Apple

1

Mail

Apple

1

Adobe (4)

?

1

Yet, it didn't show me how to fix it. Do I have to purchase the license?


@RonEdwards I am glad that you managed to get rid of it but I am still stuck here. How did you do it?


I would greatly appreciate your help. This has been very frustrating ):

May 15, 2018 7:38 PM

Reply Helpful

May 15, 2018 7:59 PM in response to Eric Root In response to Eric Root

My bad. Here is the full report. Sorry I don't know how to get it other than copying the whole thing.


EtreCheck version: 4.3 (4D007)

Report generated: 2018-05-15 19:07:30

Download EtreCheck from https://etrecheck.com

Runtime: 3:52

Performance: Good


Problem:Other problem

Description:


Major Issues:

Anything that appears on this list needs immediate attention.


No Time Machine backup- Time Machine backup not found.

Heavy CPU usage- Some processes are using an unusually high amount of CPU.

More than one antivirus app- This machine has multiple antivirus apps installed.


Minor Issues:

These issues do not need immediate attention but they may indicate future problems.


Unsigned files- There is unsigned software installed. They appear to be legitimate but should be reviewed.

Encrypting- A drive is currently encrypting. The computer may run more slowly than normal until the encryption finishes.

32-bit Apps- This machine has 32-bits apps that may have problems in the future.

Abnormal shutdown- Your machine shut down abnormally.


Hardware Information:

MacBook Pro (Retina, 15-inch, Mid 2015)

MacBook Pro Model: MacBookPro11,4

1 2.2 GHz Intel Core i7 (i7-4770HQ) CPU: 4-core

16 GB RAM - Not upgradeable

BANK 0/DIMM0 - 8 GB DDR3 1600 ok

BANK 1/DIMM0 - 8 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 504


Video Information:

Intel Iris Pro - VRAM: 1536 MB

Color LCD


Drives:

disk0 - APPLE SSD SM0256G 251.00 GB (Solid State - TRIM: Yes)

Internal PCI 8.0 GT/s x4 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 250.14 GB

disk1s1 - Macintosh HD (APFS) 250.14 GB (171.15 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 250.14 GB (21 MB used)

disk1s3 - Recovery (APFS) [Recovery] 250.14 GB (518 MB used)

disk1s4 - VM (APFS) [APFS VM] 250.14 GB (1.07 GB used)


Mounted Volumes:

disk1s1 - Macintosh HD 250.14 GB (77.68 GB free)

APFS

Mount point: /

Encrypting: 11% done


disk1s4 - VM [APFS VM] 250.14 GB (77.68 GB free)

APFS

Mount point: /private/var/vm


Network:

Interface en4: iPhone

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

One IPv4 address

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Quota: 401 MB available


System Software:

macOS High Sierra 10.13.4 (17E202)

Time since boot: Less than an hour

System Load: 8.95 (1 min ago) 5.84 (5 min ago) 2.53 (15 min ago)


Security:

System

Status

Gatekeeper

Mac App Store and identified developers

System Integrity Protection

Enabled


Unsigned Files:

Launchd: /Library/LaunchDaemons/com.adobe.SwitchBoard.plist

Executable: /Library/Application Support/Adobe/SwitchBoard/SwitchBoard.app/Contents/MacOS/launch.switchboard

Details: Exact match found in the whitelist - probably OK

Launchd: ~/Library/LaunchAgents/com.valvesoftware.steamclean.plist

Executable: /Users/***/Library/Application Support/Steam/SteamApps/steamclean

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.pplauncher.plist

Executable: /Library/Application Support/pplauncher/pplauncher

Details: Domain name invalid - possibly adware

Launchd: /Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

Executable: /Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

Details: Exact match found in the whitelist - probably OK


32-bit Applications:

16 32-bit apps


Kernel Extensions:

/Library/Extensions

[Loaded] Soundflower.kext (MATT INGALLS, 2.0b2 - SDK 10.10)

[Loaded] MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.3 - SDK 10.13)

[Loaded] SophosFileProtection.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosFileMonitor.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosWebProtection.kext (Sophos, 9.7.4 - SDK 10.12)


System Launch Agents:

[Not Loaded]

8 Apple tasks

[Loaded]

172 Apple tasks

[Running]

112 Apple tasks

[Other]

One Apple task


System Launch Daemons:

[Not Loaded]

34 Apple tasks

[Loaded]

176 Apple tasks

[Running]

125 Apple tasks


Launch Agents:

[Loaded]

com.microsoft.update.agent.plist (Microsoft Corporation - installed 2018-04-11)

[Not Loaded]

com.adobe.AAM.Updater-1.0.plist (? ffb65062 - installed 2016-01-03)

[Running]

com.sophos.home.ui.plist (Sophos - installed 2018-05-15)

[Loaded]

com.google.keystone.agent.plist (Google, Inc. - installed 2018-02-03)

[Other]

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a2 3d420d.plist (Adobe Systems, Inc. - installed 2018-02-13)

[Running]

com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2018-05-02)

[Running]

com.sophos.agent.plist (Sophos - installed 2018-05-15)


Launch Daemons:

[Loaded]

com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2018-02-13)

[Running]

com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2018-05-02)

[Loaded]

com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2018-04-11)

[Running]

com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2018-05-02)

[Running]

com.pplauncher.plist (? 3245cf65 - installed 2018-04-20)

[Loaded]

com.adobe.SwitchBoard.plist (? 68cad67 - installed 2016-01-03)

[Loaded]

com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-04-28)

[Loaded]

com.macpaw.CleanMyMac3.Agent.plist (? 7f4ba9a8 - installed 2016-07-06)

[Loaded]

com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2018-02-13)

[Loaded]

com.google.keystone.daemon.plist (Google, Inc. - installed 2018-03-05)

[Loaded]

com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2017-09-02)

[Running]

com.sophos.common.servicemanager.plist (Sophos - installed 2018-05-15)


User Launch Agents:

[Running]

com.spotify.webhelper.plist (Spotify - installed 2018-05-03)

[Loaded]

com.valvesoftware.steamclean.plist (? 0 - installed 2018-04-04)

[Loaded]

com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2018-02-10)

[Loaded]

com.adobe.AAM.Updater-1.0.plist (? 0 - installed 2016-01-03)


User Login Items:

\com.adobe.SwitchBoard.monitor.plist MachInit (?)

(/etc/mach_init_per_user.d/com.adobe.SwitchBoard.monitor.plist)


Internet Plug-ins:

FlashPlayer-10.6: 29.0.0.171 (installed 2018-05-10)

QuickTime Plugin: 7.7.3 (installed 2018-03-30)

AdobePDFViewerNPAPI: 17.012.20098 (installed 2018-03-09)

AdobePDFViewer: 18.011.20038 (installed 2018-03-09)

o1dbrowserplugin: 5.41.3.0 (installed 2016-09-02)

Flash Player: 29.0.0.171 (installed 2018-05-10)

googletalkbrowserplugin: 5.41.3.0 (installed 2015-12-11)

JavaAppletPlugin: 15.0.1 (installed 2016-01-03)


Safari Extensions:

Adblock Plus.safariextz - Eyeo GmbH - https://adblockplus.org/ (installed 2016-12-21)


3rd Party Preference Panes:

Flash Player (installed 2018-04-28)


Time Machine:

Time Machine Not Configured!


Top Processes by CPU:

Process (count)

Source

% of CPU

mshelper

?

292

installd

Apple

106

shove

Apple

61

kernel_task

Apple

15

WindowServer

Apple

12


Top Processes by Memory:

Process (count)

Source

RAM usage

kernel_task

Apple

1.16 GB

Safari

Apple

508 MB

mdworker (18)

Apple

358 MB

SophosScanD

?

307 MB

Adobe (4)

?

253 MB


Top Processes by Network Use:

Process

Source

Input

Output

mDNSResponder

Apple

34 KB

32 KB

SophosMcsAgentD

?

10 KB

43 KB

Mail

Apple

17 KB

6 KB

apsd

Apple

10 KB

13 KB

SophosEventMonitor

?

6 KB

2 KB


Top Processes by Energy Use:

Process (count)

Source

Energy usage (0-100)

mshelper

?

145

WindowServer

Apple

2

Activity Monitor

Apple

1

Mail

Apple

1

Adobe (4)

?

1


Virtual Memory Information:

Available RAM

10.61 GB

Free RAM

2.19 GB

Used RAM

5.39 GB

Cached files

8.42 GB

Swap Used

0 B



Diagnostics Information (past 7 days):

2018-05-15 19:02:02 Last Shutdown Cause: 3 - Hard shutdown


2018-05-15 10:35:21 MacKeeper.app Crash

/Applications/MacKeeper.app

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSURL initFileURLWithPath:]: nil string parameter'

terminating with uncaught exception of type NSException

abort() called


2018-05-15 08:40:55 SophosScanD.app CPU

/Library/Sophos Anti-Virus/SophosScanD.app


2018-05-15 07:05:37 com.avast.daemon CPU (2 times)

/Library/Application Support/Avast/*/com.avast.daemon


End of report

May 15, 2018 7:59 PM

Reply Helpful

May 15, 2018 9:42 PM in response to RonEdwards In response to RonEdwards

Hey @lohnguyen it looks similar in parts to mine as it was! If you spend the $20 and buy it makes it easier, but as it shows you where it is, you could just delete it also!


Launchd: /Library/LaunchDaemons/com.pplauncher.plist

Executable: /Library/Application Support/pplauncher/pplauncher

Details: Domain name invalid - possibly adware


I'd cough up though as it showed me a whole bunch of other stuff and it makes it easier to remove all of those things. I'm seriously impressed with etrecheck and how good it is!!

May 15, 2018 9:42 PM

Reply Helpful (1)

May 15, 2018 11:43 PM in response to lohnguyen In response to lohnguyen

Yeah, same, pretty good huh!


I still wonder why those anti virus checkers don't fix it!! Maybe the stop it from occurring in the first place (I was using a different one, but it was clashing with DropBox, so I removed it and hadn't replaced)

May 15, 2018 11:43 PM

Reply Helpful

May 16, 2018 12:33 AM in response to RonEdwards In response to RonEdwards

Before seeing your post, I actually did intensive research online and there wasn’t that much information about mshelper. If there was any, it’d be recent as well. My guess is that this malware is very new so the anti-virus or malware programs are yet to be able to regconize or fix it.

May 16, 2018 12:33 AM

Reply Helpful

May 16, 2018 9:58 PM in response to RonEdwards In response to RonEdwards

Hi guys! I really need help. I have the 'mshelper' issue too. Ran the etrecheck and got the same results as you guys. I went into my library but can't seem to find /Library/LaunchDaemons/com.pplauncher.plist and /Library/Application Support/pplauncher/pplauncher.


What else can i do now? Please help!


Thank you.

May 16, 2018 9:58 PM

Reply Helpful

May 16, 2018 10:56 PM in response to RonEdwards In response to RonEdwards

Ok I can't seem to purchase the license... it says that "EtreCheck cannot communicate with its license server. If you are using an internet firewall or filter such as “Little Snitch”, please disable it or allow EtreCheck to contact its servers." I am not using little snitch... Any clue?

May 16, 2018 10:56 PM

Reply Helpful (1)
User profile for user: RonEdwards

Question: What is mshelper?