What is mshelper?

softwater wrote:

Etrecheck flags everything it doesn't already know about as possible adware.

No. That is false.

Other, more responsible, software only flags something that it can positively identify as a threat as a threat.

That isn't being "more responsible". That is being standard, run-of-the-mill 3rd party anti-virus software. Ask the people in this thread how well that software worked out for them.

Etrecheck's philosophy is a strength for anyone who is running nothing but well-known, commercial-like software. It's a false positive nightmare for anyone who isn't.

"False positives" are what 3rd party antivirus software generates. Because EtreCheck is not antivirus or security software, "false positive" are impossible.

As a convenience for users, EtreCheck does have the same kind of basic adware detection that some 3rd party security apps provide. But ultimately EtreCheck isn't looking for adware or malware. EtreCheck is looking for anything that might be a problem. Any software in 2018 that still doesn't have a digital signature is a potential problem. It is impossible to say anything definitive about software that doesn't have a digital signature. EtreCheck will try to make a guess. As can be seen in the EtreCheck report above:

Unsigned Files:

Launchd: /Library/LaunchDaemons/com.adobe.SwitchBoard.plist

Executable: /Library/Application Support/Adobe/SwitchBoard/SwitchBoard.app/Contents/MacOS/launch.switchboard

Details: Exact match found in the whitelist - probably OK

Launchd: ~/Library/LaunchAgents/com.valvesoftware.steamclean.plist

Executable: /Users/***/Library/Application Support/Steam/SteamApps/steamclean

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.pplauncher.plist

Executable: /Library/Application Support/pplauncher/pplauncher

Details: Domain name invalid - possibly adware

Launchd: /Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

Executable: /Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

Details: Exact match found in the whitelist - probably OK

32-bit Applications:

16 32-bit apps

Kernel Extensions:

/Library/Extensions

[Loaded] Soundflower.kext (MATT INGALLS, 2.0b2 - SDK 10.10)

[Loaded] MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.3 - SDK 10.13)

[Loaded] SophosFileProtection.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosFileMonitor.kext (Sophos, 9.7.4 - SDK 10.12)

[Loaded] SophosWebProtection.kext (Sophos, 9.7.4 - SDK 10.12)

sometimes EtreCheck guesses are better than "more responsible" antivirus software.

Yeah I know that. I’d never used these programs and only resorted to them then in desperation ): I knew CleanMyMac was pretty much a scam but I just came across a post about using it to get rid of “mshelper” so I gave it a try.

Anyway, thank you so much for the very thorough advice.

So the last bit of info that nobody seems to know yet, is how these files came to be installed on your computer, apparently back on 2018-04-20. I thought maybe EtreCheck could give us some clues, but doesn't seem to include recently installed apps.

Can you please hold down the <Option>-key and select "System Information..." from the Apple menu then go down to Software->Installations. Click on the "Install Date" column header a couple of times to bring most recent to the top and see what you installed around the 20th of last month. Not everything is registered there, but most is.

Malwarebytes will detect this now.

There are three pieces to this malware installed on your Mac, which have all been discussed here.

/Library/Application Support/pplauncher/pplauncher

This is the launcher. Its sole job is to extract and launch the mshelper file.

/Library/LaunchDaemons/com.pplauncher.plist

This keeps the launcher running at all times.

/tmp/mshelper/mshelper

This is the cryptominer, which uses lots of CPU power to mine Monero cryptocurrency (similar to Bitcoin).

All of these must be removed. Malwarebytes will remove them all.

What I haven't been able to locate yet is the "dropper," which is the installer that infected your machine with the malware. I'm very curious about that. Do you have any idea what you installed recently, and where it came from? There doesn't seem to be any subtlety about this malware - it will start hammering your CPU as soon as it starts running, so it should be fairly easy to correlate the last thing you installed with when this started happening.

If you can identify that dropper, I'd be very interested in seeing it. You can't post it here, but you can upload it to VirusTotal:

https://virustotal.com

Once VirusTotal has finished analyzing it, post a link to the VirusTotal analysis page here.

This may show up under the "Unsigned Files" catagory like shown below.

Go to Safari Preferences/Extensions and turn all extensions off. Test. If okay, turn the extensions on one by one until you figure out what extension is causing the problem.

Please post the entire Etrecheck report.

Wow, worked like a charm.

Thank you so much. This is such a great relief.

Best info I have is that it's in installed to /tmp/mshelper/mshelper and is most probably this.