MyMacAroon

Posts posted by MyMacAroon

  1. 5 minutes ago, MyMacAroon said:

    [screenshot attachment]


    I know that I sound like a crazy person, but I can tell you that I think Webroot is picking up on activities in the files that are malicious. My NetBIOS is active at all times; if I take my computer out of safe boot, telnet, NetBIOS and a ton of other stuff is going on. My devices are calling out to whomever is doing this. I’ve had to file reports with both AWS and Microsoft WINS.

    [screenshot attachment]

    [screenshot attachment]


  3. 27 minutes ago, treed said:

    The point here is not proving you wrong, it's about trying to understand each other. We cannot help without understanding the problem, and what has been posted so far is not helping us understand the problem.

    What I understand so far is that you're looking at some things in the system that you don't understand, and you're drawing the wrong conclusions. This appears to have been precipitated, at least in part, by a tech from Best Buy who, I believe, gave you some bad information, and installed Webroot. Webroot itself appears to be erroneously flagging a number of legitimate files as malicious.

    The items shown as being flagged by Webroot in your screenshot (shown below) are, as others have pointed out, legitimate parts of the system. The item being detected in /System/Library/Frameworks/QuickLook.framework resides on a read-only, cryptographically-sealed system volume, and there is no known way for malware to tamper with such a file.

    The netbiosd and wirelessproxd files in /usr/sbin/ are also legitimate, and are protected by a feature of macOS called System Integrity Protection (SIP). On the system you're running, there is no known way for malware to tamper with these files, as long as SIP is enabled, and SIP is enabled on your system.

    If I am correct, and your concerns stem from an interaction with a Best Buy tech, plus the detections from Webroot, please be aware:

    • Best Buy technicians are generally not well respected in the Mac community. Although I'm sure there are exceptions, in general they don't know Macs very well.
    • Neither Best Buy technicians nor Apple "Geniuses" (or other support representatives) are knowledgeable about Mac malware or security issues. I'm often astounded by stories from people who have been told outlandish, fanciful, and outright wrong things about Mac security by these techs. (Again, I'm sure there are exceptions.)
    • Webroot is not well respected in the Mac security community. I don't know anything about how good it is on Windows, but your story here is very clear testimony that it's badly defective on macOS.

    I say all this not to prove you wrong, but to try to help you understand the things I'm seeing in your posts. Also, I'm hoping that I can convince you to take a step back and give us a more concise story about what precise symptoms you have seen that lead you to be concerned. Unfortunately, if you are not able or willing to provide that information, nobody here will be able to help you.

     

    [screenshot attachment: Webroot detections]

    About a year ago, my small business had started taking off, and I had a networking person come in, set up a VPN router, and update all of my computers. About 6 months later, I started to notice that my computers were acting weird: constant crashes, files being moved around, super slow, etc.

    I had the networking guy come and take a look at everything and he wasn’t able to find the cause of the issues. I backed up all of my info, had my computers wiped, all of the software reinstalled, did the Big Sur update, he came out again, and took a look at my logs and noted that my computers were netbooting, and that my VPN was being rerouted from ExpressVPN’s servers to a local address (but as the logs say, not locally bound) - ExpressVPN has direct tunneling, and it wasn’t doing that.

    I spoke to Apple, and a tech screenshared; he had me open up my Activity Monitor and saw some of the same things from my attachments today - except today I started my computer in safe mode. We then went to Console, where he wasn’t concerned because my computer wasn’t reporting any crashes; while on the screen, he noted that “Super User” was doing something or another. He asked if my root was enabled (I don’t speak Spanish so I didn’t even know what he was talking about) - my networking guy handled all of my computer stuff because I was afraid of messing something up. He then had me go to Directory Utility, where an SMB server was active; he tried to help me unbind from the server but my computer wasn’t having it. My root was enabled, which my networking person said he didn’t do. I changed the root password thinking that would solve the problem.

    I then took it to Apple, where one of the guys confirmed that there was a web server attached and that the computer wasn’t removing an embedded profile that couldn’t be removed (like the computer was MDM managed at some point, but it wasn’t; I bought it from Fry’s a year or two prior). This was on both my 2017 MacBook and my 2018 iMac. I traded the MacBook in for an iPad, I brought the iPad home, fresh out of the box it was on, and after setup a pop-up said “this device is using VoiceOver, are you sure you would like to use this iPad” or something like that.

    Moving on, the same thing is happening. I contact my ISP, and they find a configuration for routing my traffic through an HTTP server - a VLAN, and later I realize that I’m not even connecting to my router. I mean I am, but I’m not; the MAC addresses don’t match. I was using the Netgear XR1000. I had some problems logging into the app, but I was able to get in finally, and there are two routers: one is on and active, the other is offline. I had Bitdefender on my router, and the MAC address for my router was the one that was offline. I really don’t touch my settings on any of my devices, including my phone’s private address. When looking at the map of devices, the WAN was LAN, and LAN was on the WAN side. My devices were being added as networks vs. devices. MAC address spoofing at its best, right?

    I decide to have all of my devices wiped again, and change ISPs. I do that, and I move away from VPNs because a VPN uses a subnet…

    During the course of this, here are some of the things I experienced:

    FYI - you’ll actually think I need meds for this next part, but when my iMac was crashing, my XS Max started downloading Apple Scripts, the weather app (but not the weather app - it was “Something Proxy”), Console, and others -

    - Someone tried to withdraw/transfer $10k out of my business banking account.

    - Every single one of my cards was compromised.

    - Every time I log on, “Unix” or “cloud” logs in with me.

    - I had Family Sharing set up with my 12 year old; he shared his location with me, but I didn’t share mine with him. I traded out my iPhone 8+ (I have two phones) for his iPhone 7, because he was having battery problems with his. When I was about to transfer all of the data to his new phone, I went to turn off “Find My Phone” and saw that he had access to all of my devices… which were showing as “online” when I hadn’t had the MacBook in months and the iMac was sitting in my office unplugged. On top of this, I had changed the email address on that Apple ID, and I lost access to that Gmail account.

    - Just last night my iPad mini (currently activation locked out of somehow) attached itself to the Internet while it was off. It has connected before, but never while it was off. 😅

    - My devices pair without prompt; I even get calls on my other phone as if they have the same Apple ID.

    - Spelling and grammatical errors when my devices are prompting me for my password.

    - My iCloud was backing up an app called “Wish”, but not like the shopping Wish but something else; it had a feather in the picture.

    - My URLs are constantly redirected.

    - Even after a fresh install, my filing system is a complete mess, and disks are formatted to be case sensitive (which has caused a filing nightmare).

    - Opening up my brand new M1, RemoteServices.Apple.com needed to add a configuration to my M1.

    - I WAS LEGIT MDM LOCKED OUT OF MY M1.

    These are just a few.

    This is just to name a few. I encourage everyone to press the “?” on the Network settings; it even shows a photo that the NetBIOS name is not in use. I would also like to mention that my computer names and NetBIOS names don’t match.

    [screenshot attachment]
  4. 1 hour ago, MAXBAR1 said:

    I confirm what was said by Al.
    My situation is the same regarding the WINS screen, and all the Mac users I know, not a lot to tell the truth, are like that.

    Having said that, I would just like to offer, if I can, a suggestion, for what it’s worth, because I am anything but an expert in corporate network configurations (or ones composed of several different operating systems) or Apple MDM (I have always worked only on small LANs, on Windows, not consisting of a domain).

    Isn’t it that all these problems came about because there is some conflict from the fact that two real-time antimalware products are running? (Looking on the network for what Webroot is, of which I was unaware of the existence, it seems to me a product of the same class as Malwarebytes Business.) From what I know it is never a good thing; better to choose one, the one you trust most. Even in the case of Malwarebytes there are corporate solutions (I am neither a shareholder nor a staff member, but only a user who gets on very well with these products, even if only the consumer ones).

    However, keep in mind, for what little I know, that if you try to remove system components, as already mentioned by Al, at least from Catalina on, the OS is in a read-only partition.

    Hello! Thanks for your message. Before all of this started I was using Malwarebytes and I stuck to my guns, but given the circumstances (Apple even pulling my logs and confirming that my computer shouldn’t be “in use” by NetBIOS, being MDM LOCKED OUT OF MY BRAND NEW M1, etc.), I still have people telling me this is “normal”. I’m super confused.

    Regardless, I don’t keep them both running, just the one at this time, Webroot. Apple recommended Malwarebytes so I figured they must be the best, but it seems clear to me that Webroot is picking up something that MB isn’t, as they’re at least trying to stop the “user added” to my NetBIOS.

    A rep from MB reached out today and said (and I quote):

    “Melody,

    This looks like an issue with the VPN you are using, ExpressVPN. You may want to reach out to them and see if they are pushing the WINS server on your network.
    Our application would not touch it unless you are using our VPN.

    Thank you for choosing Malwarebytes!”

     

    I stopped using my VPN months ago. It’s a subnet (HTTP) that my computers are calling out for. 🤷🏼‍♀️ (I attached a few screenshots for reference) 

     

     

    [screenshot attachment]

    [screenshot attachment]

  5. 14 minutes ago, alvarnell said:

    Sorry, where did you cover an Apache server? macOS comes with its own built-in web server that the user can activate. There are several articles on how that can be done such as: https://tech-cookbook.com/2020/11/14/setting-up-your-local-web-server-on-macos-big-sur-11-0-1-2020-mamp-macos-apache-mysql-php/. You can find it in /Library/WebServer/.

     


    Yeah, they use it for the open source code (AirPort, etc.); however, mine also has CloudFront, which according to the networking guy means that it isn’t the standard. I’m going to PM you some photos.

     

    But regardless of this, as you can see from my photos, taken today, NetBIOS is very active.
  6. 14 hours ago, alvarnell said:

    Normally, MDMs are established using Profiles. On a Mac they can be found listed on System Preferences->Profiles. If you don't have any there won't be such a preference listed. I doubt that you can remove them yourself, as they are controlled by whatever put them there. On iPhones they are in Settings->General->Profiles (right under VPN).

    I have a similar problem in that my iMac is Refurbished and apparently used to belong to MaryKay. Apparently my Serial Number is listed in the Apple Device Enrollment Program (which has been replaced by a program). Luckily the Profile was removed by Apple during refurbishment, but it's still listed on an Apple Server as owned by MaryKay. The only annoyance was that every time I rebooted I got a notice to contact the MaryKay IT department. That was easy enough to eliminate by using my Little Snitch Firewall to block all connections to that server. I contacted both MaryKay and Apple, both telling me it was the other organization's problem. I feel quite certain that Mary Kay needs to remove it, but I can't contact the correct person there that knows how to do that. I realize that none of what I've just said is going to help you even a little bit and that it's tiny compared to your issues. Just know you aren't alone in having to solve these mysterious issues.

    I wish I could help you with WebRoot, but that's one set of A-V software I've never touched. It does sound strange for it to arbitrarily be deleting .Trash and Caches. You are right that doing so isn't that big a deal, but the user should always control what's in their Trash and for how long. You may change your mind or find you have accidentally trashed something, so need to restore it before emptying. Cache will be replaced, but it will slow down your computer while it does restore it. I know we all wish we had seen the log of all those things it found in the first run, but that's water over the dam now.

    I think you might be a genius! That was actually extraordinarily helpful! I’m looking into purchasing right now! Maybe it could help me determine what server it is beyond Apache 👏🏻

  7. 11 minutes ago, alvarnell said:

    I can assure you that 100% of Mac users have a NetBIOS Name displayed in the Network settings Advanced WINS tab. It's based on the Computer Name displayed in the Sharing Prefs. Not sure what you mean by documentation, but if you mean that should be blank then feel free to pass that Feedback on to Apple. As long as you don't see anything in the "WINS Servers:" box, I'm confident that nothing is accessing your NetBIOS Name.

    Hello again, 

    It says that my name is currently in use… I would also like to mention that on both my iMac and my M1, my NetBIOS name isn’t the same as my computer name. The MacAroon part is correct, and I am a “Ms”; that wasn’t my computer name.
     

    I’m not sure what it’s going to take for you or anyone else to help me, but I know I’m willing to do what it takes. 
     

    If you tell me what you need to prove me wrong or what you need to help me, I’ll make it happen. 

    [screenshot attachment]

    [screenshot attachment]

    [screenshot attachment]
  8. 6 hours ago, treed said:

    I'm sorry that you feel offended by what I said, as that was not my intent, but I nonetheless stand by what I said.

    If I'm understanding correctly, you're referring to the WINS setting shown in the very first screenshot on this thread as an active web server, but that's absolutely not what it is. WINS stands for Windows Internet Name System, and it's a legacy system for mapping a NetBIOS name to an IP address. This is a normal setting on all macOS systems that enables them to function in such legacy environments. Shown below is a screenshot of the same panel from my own system. This is not an indication of a web server running or of any malicious activity.

    I don't understand what you're seeing that you believe indicates that your VPN has been rerouted, or exactly what you mean by that. I also, as I mentioned, cannot comment on anything Webroot detected without knowing what it detected. However, I can say that Webroot is generally not something that is commonly used by Mac users, and it definitely appears to be doing some very questionable things.

    As for Unix processes listening on a network port... yes, that is absolutely a normal part of macOS, which consists of numerous Unix processes communicating over the network at all times. For example, the rapportd process is currently listening on port 57703 on my Mac, and that's entirely normal. On my personal machine, I have multiple processes listening, all of which are normal. I'm unclear exactly what process is concerning to you.

    Again, in order for anyone here to be able to help you, we need you to take a step back and give us a clear story. What specific behaviors are you seeing on your system that you believe are indications of an infection?

     

    [screenshot attachment: Screen Shot 2021-07-07 at 12.51.24 PM, WINS panel]

    Hello, I would love to have your vast amount of knowledge on my side. While I disagree at this time, if you’re open to it, I am willing to send you whatever logging or other information that you may need, but I can confirm 100% that this is not as cut and dry as you or I would like it to be.
     

    Nor should the WINS be active. I would prefer if that documentation wasn’t publicly published. 
     

    Please advise,
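The two technical points treed makes in this thread (post 3: files under /usr/sbin and on the sealed system volume are protected by SIP; post 8: many Unix processes such as rapportd legitimately listen on network ports) come down to one triage question: which processes are listening, and does each one's executable live on a path SIP protects? The following Python helper is an added example for this page, not code from the forum, Malwarebytes or Apple. The lsof and ps output it parses is constructed sample data laid out like the real output of `lsof -nP -iTCP -sTCP:LISTEN` and `ps -p <pid> -o comm=`; the list of SIP-protected prefixes is my assumption, drawn from the directories the reply names plus the standard SIP exclusions.

```python
"""
Triage helper: which processes are listening, and where do their binaries live?
Added example for this thread, not code from the forum, Malwarebytes or Apple.
The lsof/ps output below is constructed sample data, modelled on the column
layout of `lsof -nP -iTCP -sTCP:LISTEN` and `ps -p <pid> -o comm=` on macOS.
"""
import re

# Assumption: paths that System Integrity Protection (SIP) and the sealed system
# volume protect on a stock macOS install. The thread names /usr/sbin and
# /System/Library; /usr/local is the documented exception under /usr.
SIP_PROTECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXCLUDED_PREFIXES = ("/usr/local/",)


def is_sip_protected(exe_path):
    """True if the executable lives under a SIP-protected directory."""
    if exe_path.startswith(SIP_EXCLUDED_PREFIXES):
        return False
    return exe_path.startswith(SIP_PROTECTED_PREFIXES)


# Constructed sample: header plus rows, in the layout lsof prints on macOS.
LSOF_SAMPLE = """\
COMMAND   PID  USER  FD  TYPE             DEVICE SIZE/OFF NODE NAME
rapportd  512 alice   4u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:57703 (LISTEN)
rapportd  512 alice   5u  IPv6 0x1a2b3c4d5e6f7082      0t0  TCP *:57703 (LISTEN)
sharingd  498 alice   9u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 127.0.0.1:8770 (LISTEN)
node     8811 alice  21u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP *:3000 (LISTEN)
"""

# Constructed sample: full executable path per PID (what `ps -o comm=` shows on macOS).
PS_COMM_SAMPLE = {
    512: "/usr/libexec/rapportd",
    498: "/usr/libexec/sharingd",
    8811: "/Users/alice/.nvm/versions/node/v16.0.0/bin/node",
}

LSOF_ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<fam>IPv[46])"
    r"\s+\S+\s+\S+\s+TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


def parse_listeners(lsof_text):
    """Collapse lsof rows into one record per (pid, port), merging IPv4/IPv6 rows."""
    records = {}
    for line in lsof_text.splitlines()[1:]:      # skip the header row
        m = LSOF_ROW.match(line)
        if not m:                                 # tolerate unexpected lines
            continue
        key = (int(m["pid"]), int(m["port"]))
        rec = records.setdefault(key, {
            "command": m["cmd"], "pid": key[0], "user": m["user"],
            "addr": m["addr"], "port": key[1], "families": [],
        })
        rec["families"].append(m["fam"])
    return list(records.values())


def annotate(listeners, exe_paths):
    """Attach executable path, SIP status and bind scope to each record."""
    for rec in listeners:
        path = exe_paths.get(rec["pid"], "<unknown>")
        rec["exe"] = path
        rec["sip_protected"] = is_sip_protected(path)
        rec["loopback_only"] = rec["addr"] in ("127.0.0.1", "[::1]", "localhost")
    return listeners


def triage(lsof_text, exe_paths):
    """Return listeners worth a closer look: reachable from the network AND
    running from a path SIP does not protect. Everything else is the kind of
    listener the thread calls normal (e.g. rapportd under /usr/libexec)."""
    recs = annotate(parse_listeners(lsof_text), exe_paths)
    return [r for r in recs if not r["sip_protected"] and not r["loopback_only"]]


if __name__ == "__main__":
    for r in annotate(parse_listeners(LSOF_SAMPLE), PS_COMM_SAMPLE):
        flag = "review" if not r["sip_protected"] and not r["loopback_only"] else "ok"
        print(f'{flag:6} {r["command"]:10} pid={r["pid"]:<6} {r["addr"]}:{r["port"]:<6} {r["exe"]}')
```

On a real Mac, replace the two constructed samples with the output of `lsof -nP -iTCP -sTCP:LISTEN` and, for each PID, `ps -p <pid> -o comm=`. The "protected path" reasoning only holds while SIP is on, which is exactly the caveat in treed's reply, so pair the result with `csrutil status`. A listener under /usr/libexec or /usr/sbin bound to all interfaces (rapportd here) is what the thread describes as normal; a listener bound to all interfaces from a user-writable path is the one to ask about, and the answer may still be benign (a dev server, as in the sample).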
  9. 9 minutes ago, alvarnell said:

    Thomas certainly isn't known here for being rude. Full disclosure, he has been a friend and colleague of mine since around the time he started thesafemac.com about a decade ago, so I won't dwell on that point.

    Sorry I haven't commented on NetBoot/netbios aspects. I completely agree that it's not at all normal to have to use such things and it's almost unheard of for a home environment. Since I'm not current on what it takes to be a Mac Enterprise IT these days (I only performed that for a short period back in the 90's) I know very little about how all computers and devices could suddenly be put under Mobile Device Management (MDM). I know even less about the Windows environment and how such a server could have accomplished this.

    As far as it being a "networking" issue, I would have to agree that it does appear to be, but not the network involving your ISP; rather it seems that your router has been compromised, probably because it allowed itself to be configured from the Internet, which has impacted the local network inside your home. It's not all that uncommon and for several years now users have been cautioned to make certain that all their electronic devices be updated with the latest firmware and that all routers be disabled from being controlled from the WAN (Internet) side so that only you can change any settings. I know there are some ISPs that feel they have a need to be able to access their routers, but that doesn't apply to most these days. If I'm correct and it is your router, then nothing you do with all your other devices that depend on it can be fixed until you rid yourself of the hacked router situation and unenroll them from MDM.

    Thank you for your message. While I agree that it’s a networking issue, I’ve changed ISPs, wiped all of my devices, have even replaced them, including routers; I’ve tried the Orbi, XR1000, the ISP routers, Eero, I could start a store 😣. I wish I knew how to remove the MDM. I was locked out of my M1 for 2 weeks before Apple helped me; it was a month old laptop that thought it was Intel based.

    I don’t know Thomas, nor did I hear his tone, but given his messages… they didn’t seem nice. Maybe I am wrong and he was sincere, but it really didn’t seem that way.

    I just need help, I don’t know what to do. I lost my small business, and have two children to provide for.

    Apple isn’t any help, anti-virus hasn’t been any help, networking people, etc… I’m at a complete loss, like do I just swear off the internet for the rest of my life?

  10. 48 minutes ago, GuruGuy said:

    Thomas is The developer.  I really think you’re off your meds…

    I wish I had meds for the legit hell I’ve been through here lately.

    Regardless of his position, he was rude. I have a lot of respect for people who comment with the intention of being helpful, or to tell me I’m wrong for a valid reason. He wasn’t helpful; he was mystified by my trying to get help.

    Just FYI, NetBIOS is not “normal”, unless you use those services. If you would like to see this for yourself, go into Settings -> Network -> and press the “?” in the bottom left.

    I didn’t get on this post because I think it’s fun, it’s because I need help. I have a masters in business administration, not tech.

    A rep from Malwarebytes reached out already and told me I wasn’t nuts; Apple did the same, but told me it was a “networking” issue and that only my ISP could help me.
     

    I apologize for not being as well versed in this and not knowing what to look for, only knowing that something is wrong. 
     

    legit though, I don’t appreciate being patronized or belittled by anyone, especially if you won’t even take the time to look over the things I posted.
     

    thanks again!   

  11. 18 minutes ago, alvarnell said:

    I didn't say that was your photo, I said it was your Malwarebytes.app that you uploaded here. The screengrabs are mine to compare it to the one I downloaded from the Malwarebytes site. Since they are identical in size, I concluded that the one you uploaded is unchanged from what Malwarebytes distributes to Mac users. I'll ask again, what proof do you have that the version you uploaded has been modified?

    Hello all, 

    It looks like my post was flagged for malware… or at least the links in it. A staff member has finally reached out. I appreciate everyone’s time and assistance.
     

    Two things, for those of you genuinely trying to be helpful, thank you, for those of you here to bully, and be rude because someone doesn’t know exactly what to look for, bite me. 
     

    I apologize for the confusion with the screenshots, it was not my intention to confuse anyone- only to show you with your own eyes what I was seeing. 
     


     

     

    [screenshot attachment]

    [screenshot attachment]

  12. 54 minutes ago, treed said:

    None of that answers the question I asked. What specific symptoms are you seeing that lead you to believe you're infected? Nothing that has been posted so far tells a clear story or provides actionable information about what might be causing the problem.

    What I would strongly advise is that you do the following:

    1. Download and run our Malwarebytes Support Tool (which, it appears, you've already done)
    2. Start a support ticket, as recommended by Porthos
    3. Provide a succinct description of the symptoms you are seeing. Be detailed, but clear. From everything that's been posted here, I have absolutely no idea what you're actually seeing.
    4. Provide relevant screenshots. The old adage about a picture being worth 1,000 words is absolutely false here, if we don't know why you attached a particular screenshot. (For most of the ones above, I'm completely mystified as to why they were included.) Use the screenshots to support and supplement your story, but be sure you've provided a description of what you believe that screenshot shows.
    5. Attach the output from the Support Tool (the MWB_Info.zip file) to the support ticket. This is not information you probably want to post publicly, thus the reason for starting a support ticket.

    This will give us the information we need to evaluate what's going on.

    I really hope you don't work for Malwarebytes; this forum has you listed as a staff member. I am absolutely positive that the screenshots of an active/unauthorized web server, rerouted VPNs and a different anti-virus picking up threats in the root file would be enough for anyone to go "Oh, maybe there is something wrong"; you on the other hand seem to think a Unix socket listening in is a normal part of Mac networking?

    I have reached out to the support team, and considering how mystified you are, I'm not surprised that I haven't heard anything back. They probably don't know what they're looking at either.

    References for future correspondence with customers: 

    https://www.softwaretestinghelp.com/unix-introduction/ Kernel subsystems may include process management, file management, memory management, network management and others. 

    https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn 

    https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server

    Google Search: https://www.google.com/search?q=how+to+be+helpful+instead+of+critical&client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925 (Yes, this was typing in "How to be helpful instead of critical" - client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925 I don't think is a part of the standard search bar. You should see it when I'm trying to log in to my email. That's fun.)

     

    If anyone would like to actually be helpful, I'm all ears. 

     

  13. 4 hours ago, treed said:

    I'm not able to follow any of this. We need to reset to zero and start from the beginning. What specific behaviors are you seeing that you believe indicate that your Mac is infected?

    A few specific points:

    • The copies of Contacts and Calendar that you posted are unmodified copies of the legit versions of these apps from macOS Big Sur 11.4. I don't understand why these were posted.
    • The copy of Malwarebytes for Mac is an unmodified copy of the legit app. Again, I don't understand why this was posted.
    • The echo command is a legitimate Unix shell command.
    • The screenshots where you've highlighted things found in the script-mbst-log.txt file are normal. This file is a log of what our support tool has done, and is in no way an indication of malicious activity
    • I can't comment on anything that Webroot might have detected or removed without details, but your screenshot showed it (?) deleting .Trash and Caches, and neither of these are malicious, nor should they be deleted.

    Hello, 

    Thank you for taking the time to respond. Honestly, for the most part I have no idea what caused this, or what to look for here. 
     

    1.) In the first photo, I have a WINS server attached to my devices- I have attached a few screenshots from my VPN’s logs for additional reference on how my devices are communicating. 
     

    2.) The logs are for the most part very standard stuff; however, Unix is used in cPanels, and I don't have DDNS for a domain. The Unix socket is also the same socket for my root container (root user is not enabled). I don't have Apache, Google, Firefox etc. installed on my computers. Webroot also mentioned a threat in the /Var/root/path file that it was unable to resolve. Echo is a legit command, but as I mentioned, I don't have a cPanel for my home; furthermore, the logs indicate that C++ is the coding language, 2 group containers, a subsystem and LDAP V3 that is hidden. The logs also mention an IOreg, almost like the built-in beta has been activated without my approval. 
     

    3.) Cache and cookies are temporary files, and can be deleted from time to time (to either reset your falcon cookie like I was trying to do- or just for performance Cookie signings with AWS or even WINS is a real thing.) 
     

    4.) my devices are pairing with one another without prompt. My Apple TV, phones, computers, iPads and etc (all of which have different Apple ID’s) 

     

    If you have any insight into what to do, or how to remove this server, I am all ears and seriously need help; I'm losing my *****. I've had all of my devices wiped and/or replaced, I've changed ISPs, and I still can't seem to get rid of whatever this is. 
     

     


  14. I am not a techy person; what I do know I learned in the past 6 months going through all this. I could send you screenshots all day of the weird things that happen, like not being able to download standard apps that are built into the OS, however I would be wasting your time. 
     

    - All of my computers NetBoot

    - Per the first photo I posted, I have an active web server. 
    - Per Webroot, over 100+ issues, IO Reg, and wasn’t able to remove an issue in the root container. 
     

    if anyone can help with telling me what they would need to determine what do, that would be awesome.

  15. 5 minutes ago, MyMacAroon said:

    I really appreciate you looking into that, however, that isn't my photo on the left. The photo that I posted says 658kb on the Finder tab and what I uploaded to be 642kb, mine wasn't in military time, and that wasn't the background of my upload. I took a screenshot of my post and attached it here. I don't even know if any of this matters, but I do know that there is an active, unsolicited web server. 

    May I ask what you think it might be in your experience? I definitely haven't signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same; without a doubt there is an issue and I don't know what to do about it. 

    This is assuming that you didn’t open up the attachment and create a new finder screenshot for the one I posted/ change your time format, and add a “?” Next to the name. Because mine was also in zip format. (It didn’t occur to me until now that is probably what your screenshot is) 😅

  16. 24 minutes ago, alvarnell said:

    Is there something in all those screenshots that attempts to prove that? Finder seems to think they are both exactly 821,852 bytes. That's yours on the left.

     

    I really appreciate you looking into that, however, that isn't my photo on the left. The photo that I posted says 658kb on the Finder tab and what I uploaded to be 642kb, mine wasn't in military time, and that wasn't the background of my upload. I took a screenshot of my post and attached it here. I don't even know if any of this matters, but I do know that there is an active, unsolicited web server. 

    May I ask what you think it might be in your experience? I definitely haven't signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same; without a doubt there is an issue and I don't know what to do about it. 

  17. 10 minutes ago, alvarnell said:

    All three downloaded files match your figures, so I wouldn't worry at all that the Forum server is displaying them as smaller files. Was there something else you need evaluated about these files?

    I guess the concern is that when I was running the support app for Malwarebytes, it stated to specifically exclude those files. 
     

    When talking with Apple, a lot of my files would be either removed or changed; for instance, my M1 "remoteServices.apple.com" would need to add a "configuration" fresh out of the box. Best Buy called it a rootkit and Webroot can't resolve some issue in /Var/path/root (I say path because I would need to reference the photo). Along with this: "Cloud" logins on my banking app, "Unix" logins on my Microsoft account, the list just goes on and on. I don't fully open the files; I change them into "read only" and then I view them in Quick Look. As you can see from the photos, "echo": echo is a tool used in plain txt documents by hackers for scripting; it's an interactive/accidental scripting by the user, all of which falls in line with what I've been experiencing. Like, 6 months ago, I didn't even know that my computer had a MAC address, nor did I care. (Big mistake) 

  18. 5 minutes ago, alvarnell said:

    The Malwarebytes 4.10 that you uploaded yesterday is identical in size to what I get when I download it from Malwarebytes and passes all the tests for signature and hidden executables, so I have to conclude it's not been modified.


    Ours may look like the same size but I can assure you that they're not. 


  19. Hello, 

    I uploaded 3 zips yesterday, today I uploaded the photos of Webroot finding 17 + “malicious“ files (as previously stated it was more but I cleared the logs), along with this, my M1 stating that in internet recovery mode that it couldn’t download Big Sur because I didn’t have a firmware recovery partition. 
     

    I also provided screenshots of the size differences from what I was uploading vs actual file size…. 
     

    Am I missing something? 

  20. I installed Webroot: 142 threats (probably more) during its first run, and seconds later (I cleared the logs) 17 more. My M1 stopped working; I went into recovery mode and got this error, I shut down, and now it just tells me to contact Apple Support after I erased my Macintosh HD disk. Internet recovery is acting like a local recovery and everything else is "localized strings", even my MAC addresses. 

     

