MyMacAroon

Honorary Members · Posts: 27 · Days Won: 1

Everything posted by MyMacAroon

  1. I know that I sound like a crazy person, but I can tell you that I think Webroot is picking up on activities in the files that are malicious. My NetBIOS is active at all times; if I take my computer out of safe boot, telnet, NetBIOS and a ton of other stuff is going on. My devices are calling out to whomever is doing this. I’ve had to file reports with both AWS and Microsoft WINS.
  2. About a year ago, my small business had started taking off, and I had a networking person come in, set up a VPN router, and update all of my computers. About 6 months later, I started to notice that my computers were acting weird: constant crashes, files being moved around, super slow, etc. I had the networking guy come and take a look at everything and he wasn’t able to find the cause of the issues. I backed up all of my info, had my computers wiped, all of the software reinstalled, did the Big Sur update, he came out again, and took a look at my logs and noted that my computers were netbooting, and that my VPN was being rerouted from ExpressVPN’s servers to a local address (but as the logs say, not locally bound). ExpressVPN has direct tunneling, and it wasn’t doing that. I spoke to Apple, and a tech screenshared; he had me open up my Activity Monitor and saw some of the same things from my attachments today, except today I started my computer in safe mode. We then went to Console, where he wasn’t concerned because my computer wasn’t reporting any crashes; while on the screen, he noted that “Super User” was doing something or another. He asked if my root was enabled (I don’t speak Spanish so I didn’t even know what he was talking about). My networking guy handled all of my computer stuff because I was afraid of messing something up. He then had me go to Directory Utility, where an SMB server was active; he tried to help me unbind from the server but my computer wasn’t having it. My root was enabled, which my networking person said he didn’t do. I changed the root password thinking that would solve the problem.
     I then took it to Apple, where one of the guys confirmed that there was a web server attached and that the computer wasn’t removing an embedded profile that couldn’t be removed (like the computer was MDM managed at some point, but it wasn’t; I bought it from Fry’s a year or two prior). This was on both my 2017 MacBook and my 2018 iMac. I traded the MacBook in for an iPad, I brought the iPad home, fresh out of the box it was on, and after setup a pop-up says “this device is using VoiceOver, are you sure you would like to use this iPad” or something like that. Moving on, the same thing is happening. I contact my ISP, and they find a configuration for routing my traffic through an HTTP server, a VLAN, which later I realize means that I’m not even connecting to my router. I mean I am, but I’m not; the MAC addresses don’t match. I was using the Netgear XR1000; I had some problems logging into the app, but I was able to get in finally, and there are two routers: one is on and active, the other is offline. I had Bitdefender on my router, and the MAC address for my router was the one that was offline. I really don’t touch my settings on any of my devices, including my phone’s private address. When looking at the map of devices, the WAN was LAN, and LAN was on the WAN side. My devices were being added as networks vs. devices. MAC address spoofing at its best, right? I decided to have all of my devices wiped again, and change ISPs. I do that, I move away from VPNs because a VPN uses a subnet… During the course of this, here are some of the things I experienced, FYI (you’ll actually think I need meds for this next part): when my iMac was crashing, my XS Max started downloading AppleScripts, the weather app (but not the weather app, it was “Something Proxy”), Console, and others. Someone tried to withdraw/transfer $10k out of my business banking account. Every single one of my cards was compromised.
     Every time I log on, “Unix” or “cloud” logs in with me. I had Family Sharing set up with my 12 year old; he shared his location with me, but I didn’t share mine with him. I traded out my iPhone 8+ (I have two phones) for his iPhone 7, because he was having battery problems with his. When I was about to transfer all of the data to his new phone, I went to turn off “Find My” and saw that he had access to all of my devices… that were showing as “online” when I hadn’t had the MacBook in months and the iMac was sitting in my office unplugged. On top of this, I had changed the email address on that Apple ID and I lost access to that Gmail account. Just last night my iPad mini (currently activation locked out of somehow) attached itself to the Internet while it was off. It has connected before, but never while it was off. 😅 My devices pair without prompt; I even get calls on my other phone as if they have the same Apple ID. Spelling and grammatical errors when my devices are prompting me for my password. My iCloud was backing up an app called “Wish”, but not like the shopping Wish, something else; it had a feather in the picture. My URLs are constantly redirected. Even after a fresh install, my filing system is a complete mess, and disks are formatted to be case sensitive (which has caused a filing nightmare). Opening up my brand new M1, RemoteServices.Apple.com needed to add a configuration to my M1. I WAS LEGIT MDM LOCKED OUT OF MY M1. These are just a few. This is just to name a few. I encourage everyone to press the “?” on the network settings; it even shows a photo that the NetBIOS name is not in use. I would also like to mention that my computer names and NetBIOS names don’t match.
  3. Hello! Thanks for your message. Before all of this started I was using Malwarebytes and I stuck to my guns, but given the circumstances (Apple even pulling my logs and confirming that my computer shouldn’t be “in use” by NetBIOS, being MDM LOCKED OUT OF MY BRAND NEW M1, etc.), I still have people telling me this is “normal”. I’m super confused. Regardless, I don’t keep them both running, just the one at this time, Webroot. Apple recommended Malwarebytes so I figured they must be the best, but it seems clear to me that Webroot is picking up something that MB isn’t, as they’re at least trying to stop the “user added” to my NetBIOS. A rep from MB reached out today and said (and I quote): “Melody, This looks like an issue with the VPN you are using, ExpressVPN. You may want to reach out to them and see if they are pushing the WINS server on your network. Our application would not touch it unless you are using our VPN. Thank you for choosing Malwarebytes!” I stopped using my VPN months ago. It’s a subnet (HTTP) that my computers are calling out for. 🤷🏼‍♀️ (I attached a few screenshots for reference.)
  4. Webroot stopped the NetBIOS temporarily, of course, because it crashed shortly thereafter.
  5. Yeah, they use it for the open source code (AirPort, etc.); however, mine also has CloudFront, which, according to the networking guy, means that it isn’t the standard. I’m going to PM you some photos, but regardless of this, as you can see from my photos, taken today, NetBIOS is very active.
  6. I think you might be a genius! That was actually extraordinarily helpful! I’m looking into purchasing right now! Maybe it could help me determine what server it is beyond Apache 👏🏻
  7. Hello again. It says that my name is currently in use… I would also like to mention that on both my iMac and my M1, my NetBIOS name isn’t the same as my computer name. The MacAroon part is correct, and I am a “Ms”, but that wasn’t my computer name. I’m not sure what it’s going to take for you or anyone else to help me, but I know I’m willing to do what it takes. If you tell me what you need to prove me wrong or what you need to help me, I’ll make it happen.
  8. Hello, I would love to have your vast amount of knowledge on my side. While I disagree at this time, if you’re open to it, I am willing to send you whatever logging or other information that you may need, but I can confirm 100% that this is not as cut and dry as you or I would like it to be. Nor should the WINS be active. I would prefer if that documentation wasn’t publicly published. Please advise.
  9. Thank you for your message. While I agree that it’s a networking issue, I’ve changed ISPs, wiped all of my devices, and have even replaced them, including routers. I’ve tried the Orbi, XR1000, the ISP routers, Eero; I could start a store 😣. I wish I knew how to remove the MDM. I was locked out of my M1 for 2 weeks before Apple helped me; it was a month-old laptop that thought it was Intel based. I don’t know Thomas, nor did I hear his tone, but given his messages… they didn’t seem nice. Maybe I am wrong and he was sincere, but it really didn’t seem that way. I just need help, I don’t know what to do. I lost my small business, and have two children to provide for. Apple isn’t any help, anti-virus hasn’t been any help, networking people, etc… I’m at a complete loss. Like, do I just swear off the internet for the rest of my life?
  10. I wish I had meds for the legit hell I’ve been through here lately. Regardless of his position, he was rude. I have a lot of respect for people who comment with the intention of being helpful, or to tell me I’m wrong for a valid reason. He wasn’t helpful; he was mystified by my trying to get help. Just FYI, NetBIOS is not “normal”, unless you use those services. If you would like to see this for yourself, go into Settings -> Network -> and press the “?” in the bottom left. I didn’t get on this post because I think it’s fun; it’s because I need help. I have a master’s in business administration, not tech. A rep from Malwarebytes reached out already and told me I wasn’t nuts. Apple did the same, but told me it was a “networking” issue and that only my ISP could help me. I apologize for not being as well versed in this and not knowing what to look for, only knowing that something is wrong. Legit though, I don’t appreciate being patronized or belittled by anyone, especially if you won’t even take the time to look over the things I posted. Thanks again!
  11. Hello all, it looks like my post was flagged for malware… or at least the links in it. A staff member has finally reached out. I appreciate everyone’s time and assistance. Two things, for those of you genuinely trying to be helpful, thank you, for those of you here to bully, and be rude because someone doesn’t know exactly what to look for, bite me. I apologize for the confusion with the screenshots, it was not my intention to confuse anyone- only to show you with your own eyes what I was seeing.
  12. I really hope you don't work for Malwarebytes; this forum has you listed as a staff member. I am absolutely positive that the screenshots of an active, unauthorized web server, rerouted VPNs and a different anti-virus picking up threats in the root file would be enough for anyone to go "Oh, maybe there is something wrong". You, on the other hand, seem to think a Unix socket listening in is a normal part of a Mac's networking? I have reached out to the support team, and considering how mystified you are, I'm not surprised that I haven't heard anything back. They probably don't know what they're looking at either. References for future correspondence with customers: https://www.softwaretestinghelp.com/unix-introduction/ ("Kernel subsystems may include process management, file management, memory management, network management and others.") https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server Google Search: https://www.google.com/search?q=how+to+be+helpful+instead+of+critical&client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925 (Yes, this was typing in "How to be helpful instead of critical"; client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925 I don't think is a part of the standard search bar. You should see it when I'm trying to log in to my email. That's fun.) If anyone would like to actually be helpful, I'm all ears.
  13. Hello, thank you for taking the time to respond. Honestly, for the most part I have no idea what it is that caused this, or what to look for here. 1.) In the first photo, I have a WINS server attached to my devices. I have attached a few screenshots from my VPN’s logs for additional reference on how my devices are communicating. 2.) The logs are for the most part very standard stuff; however, Unix is used in cPanels, and I don’t have DDNS for a domain. The Unix socket is also the same socket for my root container (root user is not enabled). I don’t have Apache, Google, Firefox, etc. installed on my computers. Webroot also mentioned a threat in the /Var/root/path file that it was unable to resolve. Echo is a legit command, but as I mentioned, I don’t have a cPanel for my home; furthermore, the logs indicate that C++ is the coding language, 2 group containers, a subsystem and LDAP v3 that is hidden. The logs also mention an IOReg, almost like the built-in beta has been activated without my approval. 3.) Cache and cookies are temporary files, and can be deleted from time to time (to either reset your Falcon cookie like I was trying to do, or just for performance; cookie signing with AWS or even WINS is a real thing). 4.) My devices are pairing with one another without prompt: my Apple TV, phones, computers, iPads, etc. (all of which have different Apple IDs). If you have any insight into what to do, or how to remove this server, I am all ears and seriously need help; I’m losing my *****. I’ve had all of my devices wiped and/or replaced, I’ve changed ISPs, and I still can’t seem to get rid of whatever this is.
  14. I am not a techy person; what I do know I learned in the past 6 months going through all this. I could send you screenshots all day of the weird things that happen, like not being able to download standard apps that are built into the OS, however I would be wasting your time. All of my computers NetBoot. Per the first photo I posted, I have an active web server. Per Webroot, over 100+ issues, IOReg, and it wasn’t able to remove an issue in the root container. If anyone can help with telling me what they would need to determine what to do, that would be awesome.
  15. This is assuming that you didn’t open up the attachment and create a new Finder screenshot for the one I posted, change your time format, and add a “?” next to the name. Because mine was also in zip format. (It didn’t occur to me until now that is probably what your screenshot is.) 😅
  16. I really appreciate you looking into that; however, that isn’t my photo on the left. The photo that I posted says 658kb on the Finder tab and what I uploaded to be 642kb; mine wasn’t in military time, and that wasn’t the background of my upload. I took a screenshot of my post and attached it here. I don’t even know if any of this matters, but I do know that there is an active, unsolicited web server. May I ask what you think it might be, in your experience? I definitely haven’t signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same. Without a doubt there is an issue and I don’t know what to do about it.
  17. I realized that I was sharing my full name in a lot of the photos; I deleted them and have reattached.
  18. I guess the concern is that when I was running the support app for Malwarebytes, it stated to specifically exclude those files. When talking with Apple, a lot of my files would be either removed or changed; for instance, my M1 “remoteServices.apple.com” would need to add a “configuration” fresh out of the box. Best Buy called it a rootkit, and Webroot can’t resolve some issue in /Var/path/root (I say path because I would need to reference the photo). Along with this, “Cloud” logins on my banking app, “Unix” logins on my Microsoft account; the list just goes on and on. I don’t fully open the files; I change them into “read only” and then I view them in Quick Look. As you can see from the photos, “echo”: echo is a tool used in plain txt documents by hackers for scripting; it’s an interactive/accidental scripting by the user, all of which falls in line with what I’ve been experiencing. Like, 6 months ago, I didn’t even know that my computer had a MAC address, nor did I care. (Big mistake.)
  19. Ours may look like the same size, but I can assure you that they’re not.
  20. Hello, I uploaded 3 zips yesterday. Today I uploaded the photos of Webroot finding 17+ “malicious” files (as previously stated it was more, but I cleared the logs), along with this, my M1 stating in internet recovery mode that it couldn’t download Big Sur because I didn’t have a firmware recovery partition. I also provided screenshots of the size differences from what I was uploading vs. actual file size…. Am I missing something?
  21. I installed Webroot: 142 threats (probably more) during its first run, seconds later (I cleared the logs) 17 more, and my M1 stopped working. I went into recovery mode and got this error; I shut down and now it just tells me to contact Apple support after I erased my Macintosh HD disk. Internet recovery is acting like a local recovery and everything else is “localized strings”, even my MAC addresses.
  22. Please see attached; how accurate the zip files are, though, is debatable. Contacts.zip Calendar.zip