MyMacAroon Posted July 2, 2021 ID:1467104
I have an active WINS server. It seems that whatever malware this is, it has crept into every app, so I have added just one of them. Apple has reset my Macs multiple times and doesn't seem to care that the Gatekeeper failed, even on my brand new M1, iPhone 12 Pro, and more. I lost my small business trying to get everything back to normal, but even in the Apple store directly after reinstall, the NetBIOS was active. I was MDM locked out of my 2-week-old computer. Best Buy said it's a rootkit, but legit, I'm losing my mind, because my media changes. Antivirus isn't picking up on the problem, but as you can see from the photo below there is an obvious issue; this is just one of the many photos.
Attachment: Script Editor.zip
Porthos Posted July 2, 2021 ID:1467116 (edited)
I'd recommend submitting a support ticket with details about your concerns and any issues you're seeing, along with the output of our Mac support tool: https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac
Edited July 2, 2021 by Porthos
alvarnell Posted July 3, 2021 ID:1467145
We've started a long weekend, so staff won't be back at work until Tuesday. They were running a week or so behind before now due to the pandemic and other factors, so it might be some time before you receive a response to what @Porthos has suggested. I'm guessing that the file you tried to update was the Script Editor app, but it's not available to us here. Perhaps this discussion can be better handled in the Newest Mac Threat forum, where uploads are available to a few Malware Hunter users. Not sure what you mean by Gateway failure, but until the most recent versions of macOS, Gateway only checks new applications the first time they are launched. It would be useful to know what macOS you are running.
Porthos Posted July 3, 2021 ID:1467147
Just now, alvarnell said: uploads are available to a few Malware Hunter users.
It seems to have been deleted by the user or staff.
alvarnell Posted July 3, 2021 ID:1467153
42 minutes ago, Porthos said: It seems to have been deleted by the user or staff.
Yes, they probably thought it was malicious, and it might possibly be.
MyMacAroon (Author) Posted July 3, 2021 ID:1467262
I removed the other attachment (I didn't realize that others would be able to open it and I don't want to be responsible for anyone else ever going through this). All of my computers are supposed to be running 11.4, but my devices still will only NetBoot; when downloading, the version is different. My son's Acer picked up Mutuodo (spyware) with MS Defender. My Macs, though, have been a mess: my VPNs are rerouted, preinstalled apps won't "install" because they weren't downloaded from the App Store. After 6 months of trying to figure out how to fix this, Apple still hasn't helped at all. I reached out to Malwarebytes Customer Support. I lost access to my previous email when they were helping me, so I reached out again with a new one and it's been about 2 weeks. I'm at a complete loss.
alvarnell Posted July 4, 2021 ID:1467350
17 hours ago, MyMacAroon said: I removed the other attachment (I didn't realize that others would be able to open it and I don't want to be responsible for anyone else ever going through this).
As I mentioned earlier, you can safely upload that file to the Newest Mac Threat forum if you would like selected users and the staff to analyze it for you.
MyMacAroon (Author) Posted July 4, 2021 ID:1467457
Please see attached; how accurate the zip files are, though, is debatable.
Attachments: Contacts.zip, Calendar.zip
MyMacAroon (Author) Posted July 4, 2021 ID:1467458
Attachment: Malwarebytes.zip
MyMacAroon (Author) Posted July 6, 2021 ID:1467656
I installed Webroot: 142 threats (probably more) during its first run; seconds later (I cleared the logs), 17 more. My M1 stopped working. I went into recovery mode and got this error; I shut down and now it just tells me to contact Apple support after I erased my Macintosh HD disk. Internet recovery is acting like a local recovery and everything else is "localized strings", even my MAC addresses.
alvarnell Posted July 6, 2021 ID:1467657
On 7/4/2021 at 3:40 PM, MyMacAroon said: Please see attached
Unsure why you uploaded those here and what it is you want us to see. As I keep saying, if you think they may be malicious you need to upload them to a different forum where normal users cannot download them: https://forums.malwarebytes.com/forum/193-newest-mac-threats/
alvarnell Posted July 6, 2021 ID:1467658
The Malwarebytes 4.10 that you uploaded yesterday is identical in size to what I get when I download it from Malwarebytes and passes all the tests for signature and hidden executables, so I have to conclude it's not been modified.
MyMacAroon (Author) Posted July 6, 2021 ID:1467660
Hello, I uploaded 3 zips yesterday. Today I uploaded the photos of Webroot finding 17+ "malicious" files (as previously stated it was more, but I cleared the logs), along with this: my M1 stating in internet recovery mode that it couldn't download Big Sur because I didn't have a firmware recovery partition. I also provided screenshots of the size differences from what I was uploading vs. actual file size. Am I missing something?
alvarnell Posted July 6, 2021 ID:1467662
1 minute ago, MyMacAroon said: I also provided screenshots of the size differences from what I was uploading vs. actual file size.
All three downloaded files match your figures, so I wouldn't worry at all that the Forum server is displaying them as smaller files. Was there something else you need evaluated about these files?
MyMacAroon (Author) Posted July 6, 2021 ID:1467663
5 minutes ago, alvarnell said: The Malwarebytes 4.10 that you uploaded yesterday is identical in size to what I get when I download it from Malwarebytes and passes all the tests for signature and hidden executables, so I have to conclude it's not been modified.
Ours may look like the same size, but I can assure you that they're not.
MyMacAroon (Author) Posted July 6, 2021 ID:1467664
10 minutes ago, alvarnell said: All three downloaded files match your figures, so I wouldn't worry at all that the Forum server is displaying them as smaller files. Was there something else you need evaluated about these files?
I guess the concern is that when I was running the support app for Malwarebytes, it stated to specifically exclude those files. When talking with Apple, a lot of my files would be either removed or changed; for instance, my M1 "remoteServices.apple.com" would need to add a "configuration" fresh out of the box. Best Buy called it a rootkit, and Webroot can't resolve some issue in /Var/path/root (I say "path" because I would need to reference the photo). Along with this: "Cloud" logins on my banking app, "Unix" logins on my Microsoft account; the list just goes on and on. I don't fully open the files; I change them into "read only" and then I view them in Quick Look. As you can see from the photos, "echo": echo is a tool used in plain text documents by hackers for scripting; it's an interactive/accidental scripting by the user, all of which falls in line with what I've been experiencing. Like, 6 months ago, I didn't even know that my computer had a MAC address, nor did I care. (Big mistake)
MyMacAroon (Author) Posted July 6, 2021 ID:1467665
I realized that I was sharing my full name in a lot of the photos; I deleted and have reattached.
alvarnell Posted July 6, 2021 ID:1467722
No, it says to ignore Contacts and Calendar access, if prompted, not the files themselves. I was not prompted when I ran the script. Can't comment on M1 configuration as I haven't purchased one yet. I would not accept any explanation from Best Buy based on previous experience. Rootkits are extremely uncommon with regard to macOS and have been made increasingly more so with the introduction of SIP and separate macOS volumes in Big Sur, and all but impossible in Monterey. It's way past bedtime and I can't begin to sort out what you are trying to show with all those Quick Look snaps. I'll just note that "echo" is a command to display what follows to the user, and the few I noted don't resemble anything malicious.
alvarnell Posted July 6, 2021 ID:1467723
6 hours ago, MyMacAroon said: Ours may look like the same size, but I can assure you that they're not.
Is there something in all those screenshots that attempts to prove that? Finder seems to think they are both exactly 821,852 bytes. That's yours on the left:
MyMacAroon (Author) Posted July 6, 2021 ID:1467729
24 minutes ago, alvarnell said: Is there something in all those screenshots that attempts to prove that? Finder seems to think they are both exactly 821,852 bytes. That's yours on the left:
I really appreciate you looking into that; however, that isn't my photo on the left. The photo that I posted says 658 KB on the Finder tab and what I uploaded to be 642 KB; mine wasn't in military time, and that wasn't the background of my upload. I took a screenshot of my post and attached it here. I don't even know if any of this matters, but I do know that there is an active, unsolicited web server. May I ask what you think it might be, in your experience? I definitely haven't signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same. Without a doubt there is an issue and I don't know what to do about it.
MyMacAroon (Author) Posted July 6, 2021 ID:1467732
5 minutes ago, MyMacAroon said: I really appreciate you looking into that; however, that isn't my photo on the left. The photo that I posted says 658 KB on the Finder tab and what I uploaded to be 642 KB; mine wasn't in military time, and that wasn't the background of my upload. I took a screenshot of my post and attached it here. I don't even know if any of this matters, but I do know that there is an active, unsolicited web server. May I ask what you think it might be, in your experience? I definitely haven't signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same. Without a doubt there is an issue and I don't know what to do about it.
This is assuming that you didn't open up the attachment and create a new Finder screenshot for the one I posted, change your time format, and add a "?" next to the name, because mine was also in zip format. (It didn't occur to me until now that this is probably what your screenshot is.) 😅
MyMacAroon (Author) Posted July 6, 2021 ID:1467733
I am not a techy person; what I do know I learned in the past 6 months going through all this. I could send you screenshots all day of the weird things that happen, like not being able to download standard apps that are built into the OS; however, I would be wasting your time.
- All of my computers NetBoot.
- Per the first photo I posted, I have an active web server.
- Per Webroot, over 100+ issues, IO Reg, and it wasn't able to remove an issue in the root container.
If anyone can help with telling me what they would need to determine what to do, that would be awesome.
treed (Staff) Posted July 6, 2021 ID:1467783
I'm not able to follow any of this. We need to reset to zero and start from the beginning. What specific behaviors are you seeing that you believe indicate that your Mac is infected? A few specific points:
- The copies of Contacts and Calendar that you posted are unmodified copies of the legit versions of these apps from macOS Big Sur 11.4. I don't understand why these were posted.
- The copy of Malwarebytes for Mac is an unmodified copy of the legit app. Again, I don't understand why this was posted.
- The echo command is a legitimate Unix shell command.
- The screenshots where you've highlighted things found in the script-mbst-log.txt file are normal. This file is a log of what our support tool has done, and is in no way an indication of malicious activity.
- I can't comment on anything that Webroot might have detected or removed without details, but your screenshot showed it (?) deleting .Trash and Caches, and neither of these are malicious, nor should they be deleted.
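An added example, not from this thread and not Malwarebytes' own tooling, of the check alvarnell (ID:1467658) and treed describe above: deciding whether a downloaded app archive is an unmodified copy of the vendor's. It compares byte count and SHA-256 of the poster's copy against a fresh vendor download (a matching Finder size alone proves nothing; the digest does) and, only where macOS's codesign and spctl exist, verifies the bundle's signature and Gatekeeper assessment. The two file paths are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example: verify a downloaded macOS app against a vendor copy.
# Assumes two paths are passed in; sha256sum (Linux) or shasum (macOS) exists.
set -u

sha256_of() {
  # Portable SHA-256: GNU coreutils on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

size_of() {
  wc -c < "$1" | tr -d ' '
}

# 0 when both files have the same byte count AND the same SHA-256.
# Equal size is only a cheap pre-check; the digest is what settles it.
same_file() {
  [ "$(size_of "$1")" = "$(size_of "$2")" ] || return 1
  [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# macOS only: code signature and Gatekeeper assessment of an unpacked .app.
# Returns 2 (skipped) where codesign is absent so the script runs elsewhere.
verify_signature() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign --verify --deep --strict "$1" 2>/dev/null || return 1
  spctl --assess --type execute "$1" 2>/dev/null
}

# Usage: check_download <your_copy> <vendor_copy>
check_download() {
  if same_file "$1" "$2"; then
    echo "identical: size and SHA-256 match"
  else
    echo "DIFFERENT: $(size_of "$1") vs $(size_of "$2") bytes, digests differ"
    return 1
  fi
  verify_signature "$1"; rc=$?
  [ "$rc" -eq 2 ] && echo "codesign not available here; rerun on macOS for signature"
  [ "$rc" -eq 1 ] && echo "signature/Gatekeeper check FAILED" && return 1
  return 0
}
```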
MyMacAroon (Author) Posted July 6, 2021 ID:1467839
4 hours ago, treed said: I'm not able to follow any of this. We need to reset to zero and start from the beginning. What specific behaviors are you seeing that you believe indicate that your Mac is infected? A few specific points: The copies of Contacts and Calendar that you posted are unmodified copies of the legit versions of these apps from macOS Big Sur 11.4. I don't understand why these were posted. The copy of Malwarebytes for Mac is an unmodified copy of the legit app. Again, I don't understand why this was posted. The echo command is a legitimate Unix shell command. The screenshots where you've highlighted things found in the script-mbst-log.txt file are normal. This file is a log of what our support tool has done, and is in no way an indication of malicious activity. I can't comment on anything that Webroot might have detected or removed without details, but your screenshot showed it (?) deleting .Trash and Caches, and neither of these are malicious, nor should they be deleted.
Hello, thank you for taking the time to respond. Honestly, for the most part I have no idea what it is that caused this, or what to look for here.
1.) In the first photo, I have a WINS server attached to my devices. I have attached a few screenshots from my VPN's logs for additional reference on how my devices are communicating.
2.) The logs are for the most part very standard stuff; however, Unix is used in cPanels, and I don't have DDNS for a domain. The Unix socket is also the same socket for my root container (root user is not enabled). I don't have Apache, Google, Firefox etc. installed on my computers. Webroot also mentioned a threat in the /Var/root/path file that it was unable to resolve. Echo is a legit command, but as I mentioned, I don't have a cPanel for my home; furthermore, the logs indicate that C++ is the coding language, 2 group containers, a subsystem and LDAP v3 that is hidden. The logs also mention an IOReg, almost like the built-in beta has been activated without my approval.
3.) Cache and cookies are temporary files, and can be deleted from time to time (to either reset your Falcon cookie like I was trying to do, or just for performance; cookie signings with AWS or even WINS is a real thing).
4.) My devices are pairing with one another without prompt: my Apple TV, phones, computers, iPads and etc. (all of which have different Apple IDs).
If you have any insight into what to do, or how to remove this server, I am all ears and seriously need help; I'm losing my *****. I've had all of my devices wiped and/or replaced, I've changed ISPs, and I still can't seem to get rid of whatever this is.
MyMacAroon (Author) Posted July 6, 2021 ID:1467840