RootKit hell



6 hours ago, MAXBAR1 said:

I confirm what was said by Al.
My situation is the same regarding the WINS screen, and all the Mac users I know, not a lot to tell the truth, are like that.

Having said that, I would just like to offer, if I can, a suggestion, for what it is worth, because I am anything but an expert in corporate network configurations (or networks composed of several different operating systems) or Apple MDM (I have always worked only on small Windows LANs, not part of a domain).

Couldn't all these problems have arisen because of some conflict from having two real-time antimalware products running? (Looking up on the network what Webroot is, which I did not know existed, it seems to me a product of the same class as Malwarebytes business.) From what I know that is never a good thing; better to choose one, the one you trust most. Even Malwarebytes has corporate solutions (I am neither a shareholder nor a staff member, only a user who is very happy with these products, even if only the consumer ones).

However, keep in mind, for what little I know, that if you try to remove system components, as Al already mentioned, at least from Catalina on, the OS is on a read-only partition.

Can you post a screenshot of your WINS and show all of us that it's blank? Would love to see that.


1 minute ago, MAXBAR1 said:

@GuruGuy sorry for the delay but I was away from home.

Here are the screenshots.

(two screenshots of the Network settings WINS tab, taken 2021-07-08, attached)

Thanks for confirming.  So your WINS is not blank as I thought and shows exactly as all Macs show...

 

Your comment earlier was maybe worded wrong?  

"...My situation is the same regarding the WINS screen, and all the Mac users I know, not a lot to tell the truth, are like that..."


9 hours ago, alvarnell said:

I can assure you that 100% of Mac users have a NetBIOS Name displayed in the Network settings Advanced WINS tab.

I confirm what was said by Al.
My situation is the same regarding the WINS screen, and all the Mac users I know, not a lot to tell the truth, are like that.

It is likely that there has been a misunderstanding (I am not a native English speaker, and I was barely passable in the subject; it was my worst subject at school).

I wanted to indicate that my situation was the one described by Al, not that of the author of the first post (with the name present on the screen; I apologize if I expressed myself unclearly).

I hope I have clarified; my command of English is almost nil and I use Google Translate every time.


1 minute ago, MAXBAR1 said:

It is likely that there has been a misunderstanding (I am not a native English speaker, and I was barely passable in the subject; it was my worst subject at school).


Hahahaha.  No problem, I thought as much but wanted clarity to prevent it being misconstrued.


I think what we have all been trying to say is that the Server box is blank, indicating that there are no WINS servers connected to our Macs.

Edited by alvarnell

  • Staff
11 hours ago, MyMacAroon said:

I’m not sure what it’s going to take for you or anyone else to help me, but I know I’m willing to do what it takes. 

If you tell me what you need to prove me wrong or what you need to help me, I’ll make it happen. 

The point here is not proving you wrong, it's about trying to understand each other. We cannot help without understanding the problem, and what has been posted so far is not helping us understand the problem.

What I understand so far is that you're looking at some things in the system that you don't understand, and you're drawing the wrong conclusions. This appears to have been precipitated, at least in part, by a tech from Best Buy who, I believe, gave you some bad information, and installed Webroot. Webroot itself appears to be erroneously flagging a number of legitimate files as malicious.

The items shown as being flagged by Webroot in your screenshot (shown below) are, as others have pointed out, legitimate parts of the system. The item being detected in /System/Library/Frameworks/QuickLook.framework resides on a read-only, cryptographically-sealed system volume, and there is no known way for malware to tamper with such a file.

The netbiosd and wirelessproxd files in /usr/sbin/ are also legitimate, and are protected by a feature of macOS called System Integrity Protection (SIP). On the system you're running, there is no known way for malware to tamper with these files, as long as SIP is enabled, and SIP is enabled on your system.

If I am correct, and your concerns stem from an interaction with a Best Buy tech, plus the detections from Webroot, please be aware:

  • Best Buy technicians are generally not well respected in the Mac community. Although I'm sure there are exceptions, in general they don't know Macs very well.
  • Neither Best Buy technicians nor Apple "Geniuses" (or other support representatives) are knowledgeable about Mac malware or security issues. I'm often astounded by stories from people who have been told outlandish, fanciful, and outright wrong things about Mac security by these techs. (Again, I'm sure there are exceptions.)
  • Webroot is not well respected in the Mac security community. I don't know anything about how good it is on Windows, but your story here is very clear testimony that it's badly defective on macOS.

I say all this not to prove you wrong, but to try to help you understand the things I'm seeing in your posts. Also, I'm hoping that I can convince you to take a step back and give us a more concise story about what precise symptoms you have seen that lead you to be concerned. Unfortunately, if you are not able or willing to provide that information, nobody here will be able to help you.

 

(screenshot of the Webroot detections attached)
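The two protections relied on above (SIP covering the binaries in /usr/sbin, and the sealed, read-only system volume) can be verified on the Mac itself rather than taken on trust. The script below is an added example, not from the thread or from Malwarebytes: it parses the output of `csrutil status`, `diskutil apfs list` and `codesign -dvv` through small functions that accept text, so the logic can be exercised on constructed samples on any system, and it assumes that Apple's own platform binaries list `Authority=Software Signing` and `Authority=Apple Root CA` in their signing chain.

```shell
#!/bin/sh
# Added example: verify the protections that make the Webroot detections
# implausible. Each check is a function that parses command output passed
# in as text, so the logic can be exercised with constructed samples; the
# live run at the bottom only happens when the macOS tools are present.

# SIP: `csrutil status` prints "System Integrity Protection status: enabled."
sip_is_enabled() {
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Sealed system volume: in `diskutil apfs list` (macOS 11 and later) the
# system volume block carries a "Sealed: Yes" line; "Broken" or "No" means
# the cryptographic seal is absent and the volume deserves a closer look.
system_volume_sealed() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Sealed:[[:space:]]+Yes'
}

# Apple-signed platform binary: `codesign -dvv <path>` (details go to
# stderr) lists the signing chain as Authority= lines. Assumption in this
# example: Apple's own system binaries show "Software Signing" chained to
# "Apple Root CA"; a third-party or modified binary would not.
apple_signed() {
  printf '%s\n' "$1" | grep -q '^Authority=Software Signing' &&
  printf '%s\n' "$1" | grep -q '^Authority=Apple Root CA'
}

# Run all three checks against live output for one binary; print "ok" or
# "check" per item and return non-zero if anything needs attention.
check_host_binary() {
  bin="$1"; rc=0
  if sip_is_enabled "$(csrutil status 2>&1)"; then echo "SIP: ok"; else echo "SIP: check"; rc=1; fi
  if system_volume_sealed "$(diskutil apfs list 2>&1)"; then echo "sealed volume: ok"; else echo "sealed volume: check"; rc=1; fi
  if apple_signed "$(codesign -dvv "$bin" 2>&1)"; then echo "$bin: Apple-signed"; else echo "$bin: check"; rc=1; fi
  return $rc
}

# Live run only where the tools exist (i.e. on macOS); elsewhere the
# functions remain available for use on captured output.
if command -v csrutil >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1; then
  for b in /usr/sbin/netbiosd /usr/sbin/wirelessproxd; do
    check_host_binary "$b" || true
  done
fi
```

A "check" result is a prompt to look further (for example, a SIP state deliberately changed from Recovery), not proof of compromise on its own.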


27 minutes ago, treed said:

The point here is not proving you wrong, it's about trying to understand each other. We cannot help without understanding the problem, and what has been posted so far is not helping us understand the problem.


About a year ago, my small business had started taking off, and I had a networking person come in, set up a VPN router, and update all of my computers. About 6 months later, I started to notice that my computers were acting weird: constant crashes, files being moved around, super slow, etc.

I had the networking guy come and take a look at everything and he wasn't able to find the cause of the issues. I backed up all of my info, had my computers wiped, all of the software reinstalled, did the Big Sur update, he came out again and took a look at my logs and noted that my computers were netbooting, and that my VPN was being rerouted from ExpressVPN's servers to a local address (but as the logs say, not locally bound). ExpressVPN has direct tunneling, and it wasn't doing that.

I spoke to Apple, and a tech screenshared; he had me open up my Activity Monitor and saw some of the same things from my attachments today, except today I started my computer in safe mode. We then went to Console, where he wasn't concerned because my computer wasn't reporting any crashes; while on the screen, he noted that "Super User" was doing something or another. He asked if my root was enabled (I don't speak Spanish so I didn't even know what he was talking about). My networking guy handled all of my computer stuff because I was afraid of messing something up. He then had me go to Directory Utility where an SMB server was active; he tried to help me unbind from the server but my computer wasn't having it. My root was enabled, which my networking person said he didn't do. I changed the root password thinking that would solve the problem.

I then took it to Apple where one of the guys confirmed that there was a web server attached and that the computer wasn't removing an embedded profile that couldn't be removed (like the computer was MDM managed at some point, but it wasn't; I bought it from Fry's a year or two prior). This was on both my 2017 MacBook and my 2018 iMac. I traded the MacBook in for an iPad; I brought the iPad home, fresh out of the box it was on, and after setup a pop-up said "this device is using VoiceOver, are you sure you would like to use this iPad" or something like that.

Moving on, the same thing is happening. I contact my ISP, and they find a configuration for routing my traffic through an HTTP server, a VLAN, which later I realize means that I'm not even connecting to my router. I mean I am, but I'm not: the MAC addresses don't match. I was using the Netgear XR1000; I had some problems logging into the app, but I was able to get in finally, and there are two routers, one is on and active, the other is offline. I had Bitdefender on my router, and the MAC address for my router was the one that was offline. I really don't touch my settings on any of my devices, including my phone's private address. When looking at the map of devices the WAN was LAN, and LAN was on the WAN side. My devices were being added as networks vs. devices. MAC address spoofing at its best, right?

I decided to have all of my devices wiped again, and change ISPs. I do that; I move away from VPNs because a VPN uses a subnet…

During the course of this, here are some of the things I experienced.

FYI, you'll actually think I need meds for this next part, but when my iMac was crashing, my XS Max started downloading Apple Scripts, the weather app (but not the weather app, it was "Something Proxy"), Console, and others.

- Someone tried to withdraw/transfer $10k out of my business banking account.

- Every single one of my cards was compromised.

- Every time I log on, "Unix" or "cloud" logs in with me.

- I had Family Sharing set up with my 12-year-old; he shared his location with me, but I didn't share mine with him. I traded out my iPhone 8+ (I have two phones) for his iPhone 7, because he was having battery problems with his. When I was about to transfer all of the data to his new phone, I went to turn off "find my phone" and saw that he had access to all of my devices… which were showing as "online" when I hadn't had the MacBook in months and the iMac was sitting in my office unplugged. On top of this, I had changed the email address on that Apple ID; I lost access to that Gmail account.

- Just last night my iPad mini (currently activation locked out of somehow) attached itself to the Internet while it was off. It has connected before, but never while it was off. 😅

- My devices pair without prompt; I even get calls on my other phone as if they have the same Apple ID.

- Spelling and grammatical errors when my devices are prompting me for my password.

- My iCloud was backing up an app called "Wish", but not like the shopping Wish, something else; it had a feather in the picture.

- My URLs are constantly redirected.

- Even after a fresh install, my filing system is a complete mess, and disks are formatted to be case sensitive (which has caused a filing nightmare).

- Opening up my brand new M1, RemoteServices.Apple.com needed to add a configuration to my M1.

- I WAS LEGIT MDM LOCKED OUT OF MY M1.

These are just a few.

This is just to name a few. I encourage everyone to press the "?" on the Network settings; it even shows a photo that the NetBIOS name is not in use. I would also like to mention that my computer names and NetBIOS names don't match.

(screenshot attached)


14 minutes ago, MyMacAroon said:

About a year ago, my small business had started taking off, and I had a networking person come in, set up a VPN router, and update all of my computers. About 6 months later, I started to notice that my computers were acting weird: constant crashes, files being moved around, super slow, etc.


(screenshot attached)


5 minutes ago, MyMacAroon said:

(screenshot attached)


I know that I sound like a crazy person, but I can tell you that I think Webroot is picking up on activities in the files that are malicious. My NetBIOS is active at all times; if I take my computer out of safe boot, telnet, NetBIOS and a ton of other stuff is going on. My devices are calling out to whomever is doing this. I've had to file reports with both AWS and Microsoft WINS.

(two screenshots attached)


MyMacAroon said:

- Every-time I logon "Unix" or "cloud" login with me

I don't understand what logon "Unix" means.

Why do you need to have two routers with one inactive (bridged)?

Thanks for confirming that you have an unremovable MDM Profile. To me that makes me quite suspicious of that networking person that set up your VPN, etc. Setting up an MDM almost has to be done within your LAN.

It's normal to have the netbiosd running by the _netbios user, but your traffic count is much higher than mine (11KB sent, 7 KB Rcvd). Perhaps because I rebooted about 8 hours ago.

Do you have a list of IP and MAC addresses of all you devices so you know what those connections are?

DoS attacks are very very common. Hackers send streams of pings throughout the Internet to random IP addresses trying to find an open port that might be exploitable. Yours are several minutes, even days apart, so nothing like an attempt to overwhelm your network.

Safe mode only loads those items that are absolutely essential for macOS to run and give you a UI, so not surprising that all those other processes run then.


  • Staff

Unfortunately, there's a lot in that story that doesn't make sense and that I don't understand because of incorrect terminology being used. It sounds like there are multiple discrete events that you're putting under the umbrella of malware.

Ultimately, I've reviewed the data from our Malwarebytes Support Tool that you sent via our support system, and I see absolutely no evidence of malware on the machine you collected that data from. I also do not see that there is an MDM profile installed.

I see that you have had ExpressVPN installed at some point, but it appears to have been partially removed. You also have one other VPN app.

You have CleanMyMac installed, but I strongly recommend not using so-called "cleaning" tools, as they are designed to delete things that don't actually need to be deleted, and they can cause more problems than they solve.

There's really nothing I can see to support any claims of malware, on that particular Mac at least. Further, there's nothing described on this thread that sounds definitively like malware. Everything you've described has multiple alternate possible causes that are far more likely, or isn't an issue at all and is completely normal (like netbios).

My advice:

  • I don't think that you understand what's going on with your network. (That's not an insult, networking hardware and configuration isn't my strong suit either.) Own that, and talk to your networking guy about your concerns. If you don't fully understand the explanation, ask him to help you understand. If you feel you can't trust him, find someone else that you feel you can trust to look over things and give you another opinion.
  • If you're able, make an appointment with the Genius Bar at an Apple Store and go talk to an Apple tech in person about some of your concerns. Take your devices with you, and show the Apple rep what concerns you. In person, they'll be able to help you far better than anyone can remotely. DO NOT call on the phone unless you are 100% sure you're actually talking to Apple. If you get an Apple support number from somewhere like Google, instead of from Apple's support site, you may get someone pretending to be Apple in order to scam you. (Such scams often involve trying to convince you that your machine is infected and that you need to pay them to fix it.)
  • Any bank account and credit card issues are going to have a far less interesting cause than malware. I've never seen a confirmed case where Mac malware caused such issues. Work with your bank to ensure that your accounts are secure, including your online access. Change any passwords, and set up as strong two-factor authentication as your bank can provide (which, unfortunately, is often quite poor with banks, ironically). Be careful about who you give access to the information about those accounts.

  • 1 year later...
  • Staff
10 minutes ago, Matty10209 said:

Aaron, I am experiencing the same thing you went through with the M1 Mac and am currently in month 3. I also have a small business and need to provide, and now know more about networking and packet analysis than I had ever hoped to learn. Was this resolved in the end?

I would not recommend trying to glean anything from a thread that's over a year old and that never provided any evidence of malware. I'd recommend starting your own thread, and make sure to post details about what you're seeing. Screenshots and other such concrete details will be particularly useful.

This topic is now closed to further replies.