Launch shut down

[Cronk]

Hi there,

My computer is barely a week old and is already very laggy at times, and doing a couple of odd things. Anyway, I tried to log in this morning, and it lagged for about 30 seconds after I used my TouchID, which made me suspicious so to see what was going on I opened the console to see the system log and what caught my eye was that Malwarebytes was attempting to launch a process, but kept getting shut down by the kernel. When set alongside the fact the wifi was on when it shouldn't, there was a live remote connection and a few other things, I got a little alarmed and shut it down. But somehow the system shutdown was overridden by a crash and restart, so while I thought it had been successfully shut down it had been birring away awake with the lid down. 

Attached are any mentions of Malwarebytes from the system log. I'd be happy for any advice.

THANKS!

MWB.pdf

[Massimiliano]

I think it would be helpful to support if you indicate Mac model, macOS version, Malwarebytes version

[alvarnell]

Your attachment is unavailable and probably should be as it may contain privacy information. I suspect you will need to provide it along with other diagnostics to customer support by submitting a Support Ticket here.

But first make certain that you have properly Installed Malwarebytes for Mac to include giving Full Disk Access to Malwarebytes Protection.

[Cronk]

Hello, and thank you for replying.

 

I removed the private information from what I posted, but I see you say that won't make any difference.

 

I am running the latest version of Malwarebytes on a MacBook Air running Big Sur 11.0.1, and it has full disk access.

The recurring syslog entry that grabbed my attention was: 

Dec 6 04:27:15-MacBook-Air com.apple.xpc.launchd[1]

(com.malwarebytes.mbam.rtprotection.daemon[3912]): Service exited due to SIGKILL | sent

by kernel_task[0]

Does this help at all?

[treed]

I'd just like to confirm what version of Malwarebytes for Mac you're using. Can you open the Malwarebytes app, then choose About Malwarebytes from the Malwarebytes menu, and let me know what version of the software you have? Since you're using Big Sur, this is important, as some older versions of the software are not compatible with Big Sur.

[Cronk]

Hi, thanks for replying. 
 

it’s 4.6.12

[Cronk]

I just started looking through the plists. Some of them don't look too, erm, healthy.

 The Bluetooth list in particular was a doozy. I have attached it. While I was writing this message I got logged out and could only see the screensaver when I logged back in. I was unable to access it for about 20 seconds and when I got back in something closed in the bar at the bottom of my screen.

1I was told I didn't have permission to open apsd.plist

alf.plist:

& '78EEXE ^loggingenabledZexceptionsWversion_allowsignedenabled]explicitauths[globalstateXfirewall^stealthenabled]loggingoption\applications^firewallunload_allowdownloadsignedenabled© "“TpathUstate_/usr/libexec/configd“_/usr/sbin/mDNSResponder“_/usr/sbin/racoon“_/usr/bin/nmblookup“_Q/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig“_/usr/libexec/discoveryd“_/usr/libexec/bootpd“!_/usr/libexec/xartstorageremoted”#$%Xbundleid_r/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/_"com.apple.EmbeddedOSInstallServiceS1.6ß(+-/135—)*Rid_org.python.python.app—),^com.apple.ruby—).]com.apple.a2p—)0_com.apple.javajdk16.cmd—)2]com.apple.php—)4\com.apple.nc—)6]com.apple.kshŸ9:;<=>?@ABGIKMOQSU_Personal Web Sharing_Printer Sharing_Remote Apple EventsZFTP Access_Personal File Sharing_Remote Login - SSH]Samba Sharing_Apple Remote DesktopXODSAgent“CDEFUstateTprocUhttpd“CDEHUcupsd“CDEJXAEServer“CDELTftpd“CDEN_AppleFileServer“CDEP_sshd-keygen-wrapper“CDERTsmbd“CDET^AppleVNCServer”VDCWAE_servicebundleid_com.apple.ODSAgent¢Ya‘Z[\]^_`EXbundleidWreqdataUaliasUstate_com.apple.WebKit.NetworkingO8˙fi8com.apple.WebKit.NetworkingOE<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<data>
AAAAAAHgAAIAAQxNYWNpbnRvc2ggSEQAAAAAAAAAAAAAAAAAAAAAAAAAQkQAAf////8fY29tLmFw
cGxlLldlYktpdC5OZXR3b3JraW5nLnhwYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/////wAAAAAAAAAAAAAAAP////8AAAogY3UAAAAAAAAAAAAAAAAAC1hQQ1NlcnZpY2VzAAACAGQv
OlN5c3RlbTpMaWJyYXJ5OkZyYW1ld29ya3M6V2ViS2l0LmZyYW1ld29yazpWZXJzaW9uczpBOlhQ
Q1NlcnZpY2VzOmNvbS5hcHBsZS5XZWJLaXQuTmV0d29ya2luZy54cGMvAA4AQAAfAGMAbwBtAC4A
YQBwAHAAbABlAC4AVwBlAGIASwBpAHQALgBOAGUAdAB3AG8AcgBrAGkAbgBnAC4AeABwAGMADwAa
AAwATQBhAGMAaQBuAHQAbwBzAGgAIABIAEQAEgBhU3lzdGVtL0xpYnJhcnkvRnJhbWV3b3Jrcy9X
ZWJLaXQuZnJhbWV3b3JrL1ZlcnNpb25zL0EvWFBDU2VydmljZXMvY29tLmFwcGxlLldlYktpdC5O
ZXR3b3JraW5nLnhwYwAAEwABLwD//wAA
</data>
</plist>
”\[]bcEO1<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<data>
AAAAAAESAAIAAAxNYWNpbnRvc2ggSEQAAAAAAAAAAAAAAAAAAAAAAAAAQkQAAf////8IcmFwcG9y
dGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/////wAAAAAAAAAAAAAAAP////8AAAogY3UAAAAAAAAAAAAAAAAAB2xpYmV4ZWMAAAIAFi86dXNy
OmxpYmV4ZWM6cmFwcG9ydGQADgASAAgAcgBhAHAAcABvAHIAdABkAA8AGgAMAE0AYQBjAGkAbgB0
AG8AcwBoACAASABEABIAFHVzci9saWJleGVjL3JhcHBvcnRkABMAAS8A//8AAA==
</data>
</plist>
O0˙fi0com.apple.rapportd!0;CXfr{äò•¥—”›‚ÁÌ%*=BW\∞µœ‘ÍÔ!ñªø« Õ¢˙%(69FIWYlÉï´∂Œ„Ò!#).49BGLQch~Éàçú£µ Õ÷flÁÌÛLïú

AppleFileServer.plist:

bplist00—_kerberosPrincipal_oafpserver/LKDC:SHA1.2426BE228AAFDB3D0892F91BA700DF8CE4753EF4@LKDC:SHA1.2426BE228AAFDB3D0892F91BA700DF8CE4753EF4 ë

 

Bluetooth plist.pdf

[Cronk]

This is what was happening when the I was logged out, according to the log:

 

Dec  9 17:44:26 MacBook-Air Google Chrome Helper[2159]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:45:02-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.06000000-0400-0000-0000-000000000000[3632]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:45:06-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.08000000-0700-0000-0000-000000000000[3633]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:45:08-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.09000000-0500-0000-0000-000000000000[3631]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:45:21-MacBook-Air com.apple.xpc.launchd[1]: Coalition Cache Evicted: app<application.com.apple.keychainaccess.1152921500311979487.1152921500311979492(501)> [506]
Dec  9 17:45:22-MacBook-Air ScreenSaverEngine[3636]: getattrlist failed for /System/Library/Frameworks/OpenGL.framework/Resources//GLRendererFloat.bundle/GLRendererFloat: #2: No such file or directory
Dec  9 17:45:22-MacBook-Air com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.user.501): Service "com.apple.xpc.launchd.unmanaged.loginwindow.139" tried to register for endpoint "com.apple.tsm.uiserver" already registered by owner: com.apple.TextInputMenuAgent
Dec  9 17:45:26 --- last message repeated 1 time ---
Dec  9 17:45:26-MacBook-Air Google Chrome Helper[2159]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:45:30-MacBook-Air com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.user.501): Service "com.apple.xpc.launchd.unmanaged.loginwindow.139" tried to register for endpoint "com.apple.tsm.uiserver" already registered by owner: com.apple.TextInputMenuAgent
Dec  9 17:46:00 --- last message repeated 7 times ---
Dec  9 17:46:02-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mediaanalysisd): Service only ran for 5 seconds. Pushing respawn out by 5 seconds.
Dec  9 17:46:14-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.10000000-0500-0000-0000-000000000000[3634]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:46:18-MacBook-Air Google Chrome Helper[531]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:46:26-MacBook-Air Google Chrome Helper[2159]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:46:29-MacBook-Air WiFiAgent[393]: DEPRECATED USE in libdispatch client: dispatch source activated with no event handler set; set a breakpoint on _dispatch_bug_deprecated to debug
Dec  9 17:46:32-MacBook-Air WiFiAgent[393]: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?; set a breakpoint on _dispatch_bug_deprecated to debug
Dec  9 17:46:57-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.09000000-0600-0000-0000-000000000000[3645]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:47:11-MacBook-Air Google Chrome Helper[531]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:47:26 ---last message repeated 1 time ---
Dec  9 17:47:26-MacBook-Air Google Chrome Helper[2159]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:47:45-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.06000000-0500-0000-0000-000000000000[3655]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:48:26-MacBook-Air Google Chrome Helper[2159]: Libnotify: notify_register_coalesced_registration failed with code 9 on line 2835
Dec  9 17:48:27-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.10000000-0600-0000-0000-000000000000[3653]): Service exited due to SIGKILL | sent by mds[95]
Dec  9 17:48:27-MacBook-Air com.apple.xpc.launchd[1] (com.apple.mdworker.shared.09000000-0700-0000-0000-000000000000[3657]): Service exited due to SIGKILL | sent by mds[95]

[treed]

I'm not sure exactly what you're looking at, but I'd strongly recommend that you not poke around at random .plist files on your computer, and especially that you not post their contents here. You never know when something - like the base64-encoded data in your com.apple.alf.plist file - might contain sensitive information.

As to the Malwarebytes issue, please collect data from your system using the script here:

https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac

This will create a file named MWB_Info.zip on your desktop. Do not post that here! Instead, either send it to me directly via a private message, or start a support case and attach the file there.

https://support.malwarebytes.com/hc/en-us/requests/new

[Cronk]

Already done. Waiting for a response. Thanks!