What is mshelper?

Run and post a diagnostic report.

Please run EtreCheck and post the report here.

https://etrecheck.com

Click “Free Download” button, open Downloads folder, click on it to open, and then select ”Open”.

Click on the bouncing EtreCheck icon in the Dock.

“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.

Click “Share Report” button in the toolbar, select “Copy to Clipboard” .

Paste it into the reply.

Run EtreCheck again.

Scroll up the sidebar and click the "Security" button.

Normally EtreCheck will show you the adware files.

Click the "Remove" button.

Button color may have changed from green to blue.

Most posters recommend not using cleaning programs. They can destroy normal computer operations.

CleanMyMac3 Uninstall

Check for any remaining associated files using these programs.

EasyFind – Spotlight Replacement

Find Any File

I would uninstall Sophos. It tends to interfere with the computer's operation while providing minimal to no benefit unless you work with Windows files. Most long time posters recommend not using antivirus software or cleaning software such as CleanMyMac.

Sophos Un-install

Hello,

I have the same issue here. Malwarebytes couldn't find anything. I used Sophos and it detected and blocked the malware but couldn't fix it for good - every time I restarted my laptop, Sophos would report the problem again and I had to click "Clean".

EtreCheck was able to point out mshelper and here it is:

Top Processes by CPU:

Top Processes by Memory:

Top Processes by Network Use:

Top Processes by Energy Use:

Yet, it didn't show me how to fix it. Do I have to purchase the license?

@RonEdwards I am glad that you managed to get rid of it but I am still stuck here. How did you do it?

I would greatly appreciate your help. This has been very frustrating ):

My bad. Here is the full report. Sorry I don't know how to get it other than copying the whole thing.

EtreCheck version: 4.3 (4D007)

Report generated: 2018-05-15 19:07:30

Download EtreCheck from https://etrecheck.com

Runtime: 3:52

Performance: Good

Problem:Other problem

Description:

Major Issues:

Anything that appears on this list needs immediate attention.

No Time Machine backup- Time Machine backup not found.

Heavy CPU usage- Some processes are using an unusually high amount of CPU.

More than one antivirus app- This machine has multiple antivirus apps installed.

Minor Issues:

These issues do not need immediate attention but they may indicate future problems.

Unsigned files- There is unsigned software installed. They appear to be legitimate but should be reviewed.

Encrypting- A drive is currently encrypting. The computer may run more slowly than normal until the encryption finishes.

32-bit Apps- This machine has 32-bits apps that may have problems in the future.

Abnormal shutdown- Your machine shut down abnormally.

Hardware Information:

MacBook Pro (Retina, 15-inch, Mid 2015)

MacBook Pro Model: MacBookPro11,4

1 2.2 GHz Intel Core i7 (i7-4770HQ) CPU: 4-core

16 GB RAM - Not upgradeable

BANK 0/DIMM0 - 8 GB DDR3 1600 ok

BANK 1/DIMM0 - 8 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 504

Video Information:

Intel Iris Pro - VRAM: 1536 MB

Color LCD

Drives:

disk0 - APPLE SSD SM0256G 251.00 GB (Solid State - TRIM: Yes)

Internal PCI 8.0 GT/s x4 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 250.14 GB

disk1s1 - Macintosh HD (APFS) 250.14 GB (171.15 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 250.14 GB (21 MB used)

disk1s3 - Recovery (APFS) [Recovery] 250.14 GB (518 MB used)

disk1s4 - VM (APFS) [APFS VM] 250.14 GB (1.07 GB used)

Mounted Volumes:

disk1s1 - Macintosh HD 250.14 GB (77.68 GB free)

APFS

Mount point: /

Encrypting: 11% done

disk1s4 - VM [APFS VM] 250.14 GB (77.68 GB free)

APFS

Mount point: /private/var/vm

Network:

Interface en4: iPhone

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

One IPv4 address

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Quota: 401 MB available

System Software:

macOS High Sierra 10.13.4 (17E202)

Time since boot: Less than an hour

System Load: 8.95 (1 min ago) 5.84 (5 min ago) 2.53 (15 min ago)

Security:

Unsigned Files:

Launchd: /Library/LaunchDaemons/com.adobe.SwitchBoard.plist

Executable: /Library/Application Support/Adobe/SwitchBoard/SwitchBoard.app/Contents/MacOS/launch.switchboard

Details: Exact match found in the whitelist - probably OK

Launchd: ~/Library/LaunchAgents/com.valvesoftware.steamclean.plist

Executable: /Users/***/Library/Application Support/Steam/SteamApps/steamclean

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.pplauncher.plist

Executable: /Library/Application Support/pplauncher/pplauncher

Details: Domain name invalid - possibly adware

Launchd: /Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

Executable: /Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

Details: Exact match found in the whitelist - probably OK

32-bit Applications:

16 32-bit apps

Kernel Extensions:

/Library/Extensions

[Loaded] Soundflower.kext (MATT INGALLS, 2.0b2 - SDK 10.10)

[Loaded] MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.3 - SDK 10.13)

[Loaded] SophosFileProtection.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosFileMonitor.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosWebProtection.kext (Sophos, 9.7.4 - SDK 10.12)

System Launch Agents:

System Launch Daemons:

Launch Agents:

Launch Daemons:

User Launch Agents:

User Login Items:

\com.adobe.SwitchBoard.monitor.plist MachInit (?)

(/etc/mach_init_per_user.d/com.adobe.SwitchBoard.monitor.plist)

Internet Plug-ins:

FlashPlayer-10.6: 29.0.0.171 (installed 2018-05-10)

QuickTime Plugin: 7.7.3 (installed 2018-03-30)

AdobePDFViewerNPAPI: 17.012.20098 (installed 2018-03-09)

AdobePDFViewer: 18.011.20038 (installed 2018-03-09)

o1dbrowserplugin: 5.41.3.0 (installed 2016-09-02)

Flash Player: 29.0.0.171 (installed 2018-05-10)

googletalkbrowserplugin: 5.41.3.0 (installed 2015-12-11)

JavaAppletPlugin: 15.0.1 (installed 2016-01-03)

Safari Extensions:

3rd Party Preference Panes:

Flash Player (installed 2018-04-28)

Time Machine:

Time Machine Not Configured!

Top Processes by CPU:

Top Processes by Memory:

Top Processes by Network Use:

Top Processes by Energy Use:

Virtual Memory Information:

Diagnostics Information (past 7 days):

2018-05-15 19:02:02 Last Shutdown Cause: 3 - Hard shutdown

2018-05-15 10:35:21 MacKeeper.app Crash

/Applications/MacKeeper.app

2018-05-15 08:40:55 SophosScanD.app CPU

/Library/Sophos Anti-Virus/SophosScanD.app

2018-05-15 07:05:37 com.avast.daemon CPU (2 times)

/Library/Application Support/Avast/*/com.avast.daemon

End of report

Before seeing your post, I actually did intensive research online and there wasn’t that much information about mshelper. If there was any, it’d be recent as well. My guess is that this malware is very new so the anti-virus or malware programs are yet to be able to regconize or fix it.

Hi guys! I really need help. I have the 'mshelper' issue too. Ran the etrecheck and got the same results as you guys. I went into my library but can't seem to find /Library/LaunchDaemons/com.pplauncher.plist and /Library/Application Support/pplauncher/pplauncher.

What else can i do now? Please help!

Thank you.

Ok I can't seem to purchase the license... it says that "EtreCheck cannot communicate with its license server. If you are using an internet firewall or filter such as “Little Snitch”, please disable it or allow EtreCheck to contact its servers." I am not using little snitch... Any clue?

Hello RonEdwards,

I'm happy that EtreCheck was able to help. However, I would like to clarify a couple of things.

You don't need to purchase a license to remove adware, or even something that might be adware. As dominic23 points out, you can just find the file in the "Security" section of your EtreCheck report and click the "Remove" button. No license purchase is required for this.

There are some operations in EtreCheck that are restricted to people who have purchased a license. Primarily, these are for safety considerations. I always advise people to stay out of hidden directories. I have seen too many cases where people go into those directories and just start deleting any file they don't recognize or understand. Before Apple added System Integrity Protection, a person could damage their operating system that way. It is still possible to damage installations of legitimate 3rd party software. Some of the "Reveal in Finder" buttons in EtreCheck will dump the user right into those hidden directories. In cases where these are Apple-provided folders for user-accessible files like plug-ins, EtreCheck will let anyone access the folder. But if the target is likely deep inside some 3rd party software bundle, I need to protect people from causing self-harm. Too often, people think they need to delete anything that they see listed in an EtreCheck report and I want to discourage that. So, some advanced features like this are restricted to more advanced users who have purchased a license.

This particular file is interesting. I would appreciate it if anyone who had saved an EtreCheck report with this file could send it to me via the "Report a Problem" feature. The "mshelper" name doesn't appear to be related to the "com.pplauncher.plist". But I have always expected malware developers to eventually start getting more clever about these things. I would really like to know where "mshelper" is installed in your system. I have an open issue in EtreCheck to show the full path for items listed only in one or more of the "top process" lists. I guess I need to finally get that implemented now.

It certainly does appear that "mshelper" is a bitcoin mining trojan. I don't doubt it is related to "com.pplauncher.plist".

Is there any reason you are running Sophos and Mac Keeper on your system?

Mac Keeper is considered by many here to be scam-ware at best, and 3rd party AV can interfere with OS X's ability to keep itself protected. Secondly it doesn't really work as you can see from lack of protection it provided with this incident.

AV Product developers that have legitimate Windows support often make a Mac client that has nothing to do with the development and research that went into their Windows counterparts; as a result they can cause more problems than they portend to fix.

Did you look in the global library folder or in your personal one? There are "LaunchAgents" and "Application Support" folders in both of them and LaunchDemons at least in the global library folder but sometimes in both, too.

It's fairly simple. Etrecheck flags everything it doesn't already know about as possible adware.

Other, more responsible, software only flags something that it can positively identify as a threat as a threat.

Etrecheck's philosophy is a strength for anyone who is running nothing but well-known, commercial-like software. It's a false positive nightmare for anyone who isn't.