RootKit hell


  • Staff

None of that answers the question I asked. What specific symptoms are you seeing that lead you to believe you're infected? Nothing that has been posted so far tells a clear story or provides actionable information about what might be causing the problem.

What I would strongly advise is that you do the following:

  1. Download and run our Malwarebytes Support Tool (which, it appears, you've already done)
  2. Start a support ticket, as recommended by Porthos
  3. Provide a succinct description of the symptoms you are seeing. Be detailed, but clear. From everything that's been posted here, I have absolutely no idea what you're actually seeing.
  4. Provide relevant screenshots. The old adage about a picture being worth 1,000 words is absolutely false here, if we don't know why you attached a particular screenshot. (For most of the ones above, I'm completely mystified as to why they were included.) Use the screenshots to support and supplement your story, but be sure you've provided a description of what you believe that screenshot shows.
  5. Attach the output from the Support Tool (the MWB_Info.zip file) to the support ticket. This is not information you probably want to post publicly, thus the reason for starting a support ticket.

This will give us the information we need to evaluate what's going on.


54 minutes ago, treed said:

None of that answers the question I asked. What specific symptoms are you seeing that lead you to believe you're infected? Nothing that has been posted so far tells a clear story or provides actionable information about what might be causing the problem.


I really hope you don't work for Malwarebytes; this forum has you listed as a staff member. I am absolutely positive that the screenshots of an active/unauthorized web server, rerouted VPNs and a different anti-virus picking up threats in the root file would be enough for anyone to go "Oh, maybe there is something wrong". You, on the other hand, seem to think a Unix socket listening in is a normal part of the Mac's networking?

I have reached out to the support team, and considering how mystified you are, I'm not surprised that I haven't heard anything back. They probably don't know what they're looking at either.

References for future correspondence with customers: 

https://www.softwaretestinghelp.com/unix-introduction/ Kernel subsystems may include process management, file management, memory management, network management and others. 

https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn 

https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server

Google Search: https://www.google.com/search?q=how+to+be+helpful+instead+of+critical&client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925 (Yes, this was typing in "How to be helpful instead of critical". The "client=safari&rls=en&ei=fdLkYNj_H6KuqtsP5c-OsAs&start=10&sa=N&ved=2ahUKEwiYss_muM_xAhUil2oFHeWnA7YQ8tMDegQIARA5&biw=1324&bih=925" part, I don't think, is a part of the standard search bar. You should see it when I'm trying to log in to my email. That's fun.)

 

If anyone would like to actually be helpful, I'm all ears. 

 


On 7/2/2021 at 5:19 PM, MyMacAroon said:

I have an active WINS server. It seems that whatever malware this is, it has crept into every app, so I have added just one of them. Apple has reset my Macs multiple times and doesn't seem to care that the gatekeeper failed, even on my brand new M1, iPhone 12 Pro, and more. I lost my small business trying to get everything back to normal, but even in the Apple Store directly after reinstall, the NetBIOS was active. I was MDM locked out of my 2-week-old computer. Best Buy said it's a Rootkit, but legit, I'm losing my mind, because my media changes. Anti-virus isn't picking up on the problem, but as you can see from the photo below there is an obvious issue; this is just one of the many photos.

Screen Shot 2021-07-02 at 4.06.23 PM.png

Script Editor.zip (Unavailable)

I haven't seen anyone comment on the active WINS server portion of Melody's comments and I for one don't see an issue with that either. Every Mac I've seen or set up has this entry in it. It's typically the user's name and "workgroup" and in use. The poster (Melody) has a username on this forum of MyMacAroon and her Mac is named "ms-macarron". They appear to be the same but the spelling is off... regardless, nothing is wrong with this either.

 

As Thomas said, this is all very hard to follow and confusing with all the screenshots and whatnot posted. Nothing has been said about why you believe you've been infected. Was it someone at Best Buy? Definitely listen to Thomas (treed) and follow his advice here and supply the requested info.


12 hours ago, MyMacAroon said:

I really appreciate you looking into that, however, that isn’t my photo on the left.

I didn't say that was your photo, I said it was your Malwarebytes.app that you uploaded here. The screengrabs are mine to compare it to the one I downloaded from the Malwarebytes site. Since they are identical in size, I concluded that the one you uploaded is unchanged from what Malwarebytes distributes to Mac users. I'll ask again, what proof do you have that the version you uploaded has been modified?


18 minutes ago, alvarnell said:

I didn't say that was your photo, I said it was your Malwarebytes.app that you uploaded here. The screengrabs are mine to compare it to the one I downloaded from the Malwarebytes site. Since they are identical in size, I concluded that the one you uploaded is unchanged from what Malwarebytes distributes to Mac users. I'll ask again, what proof do you have that the version you uploaded has been modified?

Hello all, 

it looks like my post was flagged for malware… or at least the links in it. A staff member has finally reached out.  I appreciate everyone’s time and assistance. 
 

Two things, for those of you genuinely trying to be helpful, thank you, for those of you here to bully, and be rude because someone doesn’t know exactly what to look for, bite me. 
 

I apologize for the confusion with the screenshots, it was not my intention to confuse anyone- only to show you with your own eyes what I was seeing. 
 


 

 

10B70965-EBF9-4D59-A995-69E1C1D92F0D.png

9E3AF888-9CDF-43DA-BBB5-678B4951BA46.png


11 minutes ago, MyMacAroon said:

Two things, for those of you genuinely trying to be helpful, thank you, for those of you here to bully, and be rude because someone doesn’t know exactly what to look for, bite me. 
 


Thomas is the developer. I really think you're off your meds…


48 minutes ago, GuruGuy said:

Thomas is The developer.  I really think you’re off your meds…

I wish I had meds for the legit hell I've been through here lately.

Regardless of his position, he was rude. I have a lot of respect for people who comment with the intention of being helpful, or to tell me I'm wrong for a valid reason. He wasn't helpful, he was mystified by my trying to get help.

Just FYI, NetBIOS is not "normal", unless you use those services. If you would like to see this for yourself, go into Settings -> Network -> and press the "?" in the bottom left.

I didn't get on this post because I think it's fun, it's because I need help. I have a master's in business administration, not tech.

A rep from Malwarebytes reached out already and told me I wasn't nuts. Apple did the same, but told me it was a "networking" issue and that only my ISP could help me.

I apologize for not being as well versed in this and not knowing what to look for, only knowing that something is wrong.

Legit though, I don't appreciate being patronized or belittled by anyone, especially if you won't even take the time to look over the things I posted.
 

thanks again!   


Thomas certainly isn't known here for being rude. Full disclosure, he has been a friend and colleague of mine since around the time he started thesafemac.com about a decade ago, so I won't dwell on that point.

Sorry I haven't commented on the NetBoot/NetBIOS aspects. I completely agree that it's not at all normal to have to use such things and it's almost unheard of for a home environment. Since I'm not current on what it takes to be Mac enterprise IT these days (I only did that for a short period back in the 90's), I know very little about how all of one's computers and devices could suddenly be put under Mobile Device Management (MDM). I know even less about the Windows environment and how such a server could have accomplished this.

As far as it being a "networking" issue, I would have to agree that it does appear to be, but not the network involving your ISP; rather it seems that your router has been compromised, probably because it allowed itself to be configured from the Internet, which has impacted the local network inside your home. It's not all that uncommon, and for several years now users have been cautioned to make certain that all their electronic devices are updated with the latest firmware and that all routers are disabled from being controlled from the WAN (Internet) side so that only you can change any settings. I know there are some ISPs that feel they have a need to be able to access their routers, but that doesn't apply to most these days. If I'm correct and it is your router, then nothing you do with all your other devices that depend on it can be fixed until you rid yourself of the hacked router situation and unenroll them from MDM.


9 minutes ago, alvarnell said:

As far as it being a "networking" issue, I would have to agree that it does appear to be, but not the network involving your ISP, rather it seems that your router has been compromised, probably because it allowed itself to be configured from the Internet, which has impacted the local network inside your home. It's not all that uncommon and for several years now users have been cautioned to make certain that all their electronic devices be updated with the latest firmware and that all routers be disabled from being controlled from the WAN (Internet) side so that only you can change any settings. I know there are some ISP's that feel they have a need to be able to access their routers, but that doesn't apply to most these days. If I'm correct and it is your router, then nothing you do with all your other devices that depend on it can be fixed until you rid yourself of the hacked router situation and unenroll them from MDM.

Thank you for your message. While I agree that it's a networking issue, I've changed ISPs, wiped all of my devices, have even replaced them, including routers; I've tried the Orbi, XR1000, the ISP routers, Eero, I could start a store 😣. I wish I knew how to remove the MDM. I was locked out of my M1 for 2 weeks before Apple helped me; it was a month-old laptop that thought it was Intel based.

I don't know Thomas, nor did I hear his tone, but given his messages… they didn't seem nice. Maybe I am wrong and he was sincere, but it really didn't seem that way.

I just need help, I don't know what to do. I lost my small business, and have two children to provide for.

Apple isn't any help, anti-virus hasn't been any help, networking people, etc… I'm at a complete loss. Like, do I just swear off the internet for the rest of my life?


Regarding the WINS server, as I said it IS normal to see that there. There are no actual servers in your screenshot; it's not doing anything. (The name in there will actually change based on what your Mac is named in your router; change it in the router and go back into the WINS settings and it will have changed to the new name. Sometimes you'll see the default ending in the last two digits of your MAC address.)

Do you have File Sharing on? Turn it off if you want to be absolutely sure the NetBIOS (WINS server) is not doing anything and give yourself more peace of mind.

If Sharing > File Sharing > Options > Share files and folders using SMB (Windows) is unchecked then those NetBIOS settings are just placeholders and not active.

You mentioned that Apple has been of no help. Have you actually gone into an Apple Store and had a Genius appointment? You need to get some expert help - in person, not telephone, not internet. In person. Someone competent.

 


7 hours ago, MyMacAroon said:

I wish I knew how to remove the MDM, I was locked out of my M1 for 2 weeks before Apple helped me, it was a month old laptop that thought it was intel based. 

Normally, MDMs are established using Profiles. On a Mac they can be found listed in System Preferences->Profiles. If you don't have any, there won't be such a preference listed. I doubt that you can remove them yourself, as they are controlled by whatever put them there. On iPhones they are in Settings->General->Profiles (right under VPN).

I have a similar problem in that my iMac is refurbished and apparently used to belong to MaryKay. Apparently my serial number is listed in the Apple Device Enrollment Program (which has been replaced by a program). Luckily the Profile was removed by Apple during refurbishment, but it's still listed on an Apple server as owned by MaryKay. The only annoyance was that every time I rebooted I got a notice to contact the MaryKay IT department. That was easy enough to eliminate by using my Little Snitch firewall to block all connections to that server. I contacted both MaryKay and Apple, both telling me it was the other organization's problem. I feel quite certain that Mary Kay needs to remove it, but can't contact the correct person there who knows how to do that. I realize that none of what I've just said is going to help you even a little bit and that it's tiny compared to your issues. Just know you aren't alone in having to solve these mysterious issues.

I wish I could help you with WebRoot, but that's one set of A-V software I've never touched. It does sound strange for it to arbitrarily be deleting .Trash and Caches. You are right that doing so isn't that big a deal, but the user should always control what's in their Trash and for how long. You may change your mind or find you have accidentally trashed something, so need to restore it before emptying. Cache will be replaced, but it will slow down your computer while it does restore it. I know we all wish we had seen the log of all those things it found in the first run, but that's water over the dam now.


  • Staff
18 hours ago, MyMacAroon said:

I really hope you don't work for Malwarebytes, this forum has you listed as a staff member. I am absolutely positive that the screenshots of an active/ un-autherized web server, rerouted VPN's and a different anti-virus picking up threats in the root file, would be enough for anyone to go - Oh maybe there is something wrong- you on the other hand seem to think a unix socket listening in is a normal part of Mac's networking? 

I'm sorry that you feel offended by what I said, as that was not my intent, but I nonetheless stand by what I said.

If I'm understanding correctly, you're referring to the WINS setting shown in the very first screenshot on this thread as an active web server, but that's absolutely not what it is. WINS stands for Windows Internet Name System, and it's a legacy system for mapping a NetBIOS name to an IP address. This is a normal setting on all macOS systems that enables them to function in such legacy environments. Shown below is a screenshot of the same panel from my own system. This is not an indication of a web server running or of any malicious activity.

I don't understand what you're seeing that you believe indicates that your VPN has been rerouted, or exactly what you mean by that. I also, as I mentioned, cannot comment on anything Webroot detected without knowing what it detected. However, I can say that Webroot is generally not something that is commonly used by Mac users, and it definitely appears to be doing some very questionable things.

As for Unix processes listening on a network port... yes, that is absolutely a normal part of macOS, which consists of numerous Unix processes communicating over the network at all times. For example, the rapportd process is currently listening on port 57703 on my Mac, and that's entirely normal. On my personal machine, I have multiple processes listening, all of which are normal. I'm unclear exactly what process is concerning to you.

Again, in order for anyone here to be able to help you, we need you to take a step back and give us a clear story. What specific behaviors are you seeing on your system that you believe are indications of an infection?

 

1691936791_ScreenShot2021-07-07at12_51_24PM.thumb.png.a2a907b352932b96670fc1ac38a9c51b.png


6 hours ago, treed said:

If I'm understanding correctly, you're referring to the WINS setting shown in the very first screenshot on this thread as an active web server, but that's absolutely not what it is. WINS stands for Windows Internet Name System, and it's a legacy system for mapping a NetBIOS name to an IP address. This is a normal setting on all macOS systems that enables them to function in such legacy environments. Shown below is a screenshot of the same panel from my own system. This is not an indication of a web server running or of any malicious activity.


Hello, I would love to have your vast amount of knowledge on my side. While I disagree at this time, if you're open to it, I am willing to send you whatever logging or other information that you may need, but I can confirm 100% that this is not as cut and dried as you or I would like it to be.
 

Nor should the WINS be active. I would prefer if that documentation wasn’t publicly published. 
 

please advise, 


2 hours ago, MyMacAroon said:

Nor should the WINS be active. I would prefer if that documentation wasn’t publicly published. 

I can assure you that 100% of Mac users have a NetBIOS Name displayed in the Network settings Advanced WINS tab. It's based on the Computer Name displayed in the Sharing prefs. Not sure what you mean by documentation, but if you mean that it should be blank then feel free to pass that feedback on to Apple. As long as you don't see anything in the "WINS Servers:" box, I'm confident that nothing is accessing your NetBIOS Name.


11 minutes ago, alvarnell said:

I can assure you that 100% of Mac users have a NetBIOS Name displayed in the Network settings Advanced WINS tab. It's based on the Computer Name displayed in the Sharing prefs. Not sure what you mean by documentation, but if you mean that it should be blank then feel free to pass that feedback on to Apple. As long as you don't see anything in the "WINS Servers:" box, I'm confident that nothing is accessing your NetBIOS Name.

Hello again, 

It says that my name is currently in use… I would also like to mention that on both my iMac and my M1, my NetBIOS name isn't the same as my computer name. The MacAroon part is correct, and I am a "Ms", but that wasn't my computer name.
 

I’m not sure what it’s going to take for you or anyone else to help me, but I know I’m willing to do what it takes. 
 

If you tell me what you need to prove me wrong or what you need to help me, I’ll make it happen. 

F46E66FF-0DC5-4D2A-A8AD-A6B6CB03863C.jpeg

055B5CA3-7127-4A11-BC5D-43B10CB7DAA4.jpeg

E79D54AC-8195-41F7-97C3-79E097D14305.jpeg


14 hours ago, alvarnell said:

I have a similar problem in that my iMac is Refurbished and apparently used to belong to MaryKay. Apparently my Serial Number is listed in the Apple Device Enrollment Program (which has been replaced by a program). Luckily the Profile was removed by Apple during refurbishment, but it's still listed on an Apple Server as owned by MaryKay. The only annoyance was that every time I rebooted I got a notice to contact MaryKay IT department. That was easy enough to eliminate by using my Little Snitch Firewall to block all connections to that server. I contacted both MaryKay and Apple, both telling me it was the other organizations problem. I feel quite certain that Mary Kay needs to remove it, but can't contact the correct person there that knows how to do that. I realize that none of what I've just said is going to help you even a little bit and that it's tiny compared to your issues. Just know you aren't alone in having to solve these mysterious issues.


I think you might be a genius! That was actually extraordinarily helpful! I'm looking into purchasing right now! Maybe it could help me determine what server it is beyond Apache 👏🏻


7 minutes ago, MyMacAroon said:

Maybe it could help me determine what server it is beyond Apache

Sorry, where did you cover an Apache server? macOS comes with its own built-in web server that the user can activate. There are several articles on how that can be done such as: https://tech-cookbook.com/2020/11/14/setting-up-your-local-web-server-on-macos-big-sur-11-0-1-2020-mamp-macos-apache-mysql-php/. You can find it in /Library/WebServer/.

 


14 minutes ago, alvarnell said:

Sorry, where did you cover an Apache server? macOS comes with its own built-in web server that the user can activate. There are several articles on how that can be done such as: https://tech-cookbook.com/2020/11/14/setting-up-your-local-web-server-on-macos-big-sur-11-0-1-2020-mamp-macos-apache-mysql-php/. You can find it in /Library/WebServer/.

 

Yeah, they use it for the open source code (AirPort, etc.); however, mine also has CloudFront, which, according to the networking guy, means that it isn't the standard. I'm going to PM you some photos.

 

but regardless of this, as you can see from my photos, taken today, NetBIOS is very active.


28 minutes ago, MyMacAroon said:

If you tell me what you need to prove me wrong or what you need to help me, I’ll make it happen.

Again you have posted some images without explaining what they are supposed to prove, so I can only guess. Looks like WebRoot is trying to delete /usr/sbin/wirelessproxd and failing. Not at all surprising that it can't delete something that is part of macOS. wirelessproxd is the Wireless Proxy Daemon. It's a service that handles certain networking functions, including, I believe, AirDrop. For instance, functions like AirDrop and handoff with your iPhone won't work if your computer can't be found.

Similarly netbiosd is part of macOS. You can read what it's for by typing

man netbiosd

into the Terminal application (found in /Applications/Utilities).

And quicklookd is the process that allows you to use QuickLook on your Mac: https://support.apple.com/guide/mac-help/view-and-edit-files-with-quick-look-mh14119/mac.

These entries just reinforce my concerns that WebRoot could actually do more harm than good.


6 minutes ago, MyMacAroon said:

as you can see from my photos, taken today, NetBIOS is very active.

Sorry, no. I see no evidence in any of your photos that NetBIOS is active. Are they the ones you are PMing me?


1 hour ago, alvarnell said:

I can assure you that 100% of Mac users have a NetBIOS Name displayed in the Network settings Advanced WINS tab.

I confirm what was said by Al.
My situation is the same regarding the WINS screen, and all the Mac users I know (not a lot, to tell the truth) have the same.

Having said that, I would just like to offer a suggestion, if I can, for what it's worth, because I am anything but an expert in corporate network configurations (or ones made up of several different operating systems) or Apple MDM (I have only ever worked on small LANs, on Windows, not consisting of a domain).

Couldn't all these problems have come about because of some conflict from having two real-time antimalware products running? (Looking up on the net what Webroot is, which I didn't know existed, it seems to me a product of the same class as Malwarebytes Business.) From what I know, that is never a good thing; better to choose one, the one you trust most. Even in the case of Malwarebytes there are corporate solutions (I am neither a shareholder nor a staff member, just a user who is very happy with these products, even if only the consumer ones).

However, keep in mind, for what little I know, that if you try to remove system components, as Al already mentioned, at least from Catalina on, the OS is in a read-only partition.


1 hour ago, MAXBAR1 said:

Couldn't all these problems have come about because of some conflict from having two real-time antimalware products running? (Looking up on the net what Webroot is, which I didn't know existed, it seems to me a product of the same class as Malwarebytes Business.) From what I know, that is never a good thing; better to choose one, the one you trust most. Even in the case of Malwarebytes there are corporate solutions (I am neither a shareholder nor a staff member, just a user who is very happy with these products, even if only the consumer ones).


Hello! Thanks for your message. Before all of this started I was using Malwarebytes and I stuck to my guns, but given the circumstances (Apple even pulling my logs and confirming that my computer shouldn't be "In use" by NetBIOS, being MDM LOCKED OUT OF MY BRAND NEW M1, etc.) I still have people telling me this is "normal", so I'm super confused.

Regardless, I don't keep them both running, just the one at this time, Webroot. Apple recommended Malwarebytes so I figured they must be the best, but it seems clear to me that Webroot is picking up something that MB isn't, as they're at least trying to stop the "user added" to my NetBIOS.

A rep from MB reached out today and said (and I quote):

"Melody,

This looks like an issue with the VPN you are using, ExpressVPN. You may want to reach out to them and see if they are pushing the WINS server on your network. Our application would not touch it unless you are using our VPN.

Thank you for choosing Malwarebytes!"

I stopped using my VPN months ago. It's a subnet (HTTP) that my computers are calling out for. 🤷🏼‍♀️ (I attached a few screenshots for reference)

 

 

2331D5CB-654B-4B47-A52C-4072BB3986CA.jpeg

48867D48-D9C3-4C1C-817A-547DDF1566F7.jpeg


4 hours ago, MyMacAroon said:

I attached a few screenshots for reference

The IP addresses listed (127.0.0.1) are loopback addresses used only on your Mac. They can't even go anywhere on your local network, let alone the Internet.
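As an added illustration (not code from anyone in this thread), here is a small shell helper that turns the two points made above into a check you can actually run: treed's point that several macOS processes listening on ports (rapportd on 57703, for example) is normal, and alvarnell's point that a socket bound to 127.0.0.1 cannot be reached from the LAN. It reads `lsof -nP -iTCP -sTCP:LISTEN` output, separates loopback-only listeners from those reachable by other hosts, and checks whether SMB (port 445, the File Sharing service behind the WINS/NetBIOS tab) is one of them. The lsof output below is constructed for the example; the process names and ports are illustrative, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not a real
# capture). The lsof flags are real; the PIDs, device ids and the mix of
# processes are illustrative only.
SAMPLE_LSOF='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd   612  mel     4u  IPv4 0x1a   0t0      TCP  *:57703 (LISTEN)
rapportd   612  mel     5u  IPv6 0x1b   0t0      TCP  *:57703 (LISTEN)
httpd      901  root    4u  IPv6 0x1c   0t0      TCP  *:80 (LISTEN)
smbd       733  root    7u  IPv4 0x1d   0t0      TCP  *:445 (LISTEN)
ControlCe  520  mel     6u  IPv4 0x1e   0t0      TCP  127.0.0.1:7000 (LISTEN)
postgres   1042 mel     3u  IPv4 0x1f   0t0      TCP  127.0.0.1:5432 (LISTEN)'

# classify_listeners: read lsof output on stdin and print one line per
# listening socket in the form "SCOPE COMMAND PORT".
#   LOOPBACK  - bound to 127.0.0.1 or [::1]; only this Mac can connect to it
#   EXTERNAL  - bound to * (all interfaces) or a LAN address; other hosts
#               on the network can reach it
# Duplicate IPv4/IPv6 entries for the same process and port collapse into one.
classify_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
    addr = $(NF-1)                 # e.g. *:57703 or 127.0.0.1:7000
    n = split(addr, parts, ":")
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    scope = (host == "127.0.0.1" || host == "[::1]") ? "LOOPBACK" : "EXTERNAL"
    print scope, $1, port
  }' | sort -u
}

# external_listeners: only the sockets other machines could reach, as
# "COMMAND PORT" lines. This is the short list worth comparing against the
# services you know you run (File Sharing, the built-in Apache, and so on).
external_listeners() {
  classify_listeners | awk '$1 == "EXTERNAL" { print $2, $3 }' | sort -u
}

# smb_port_open: exit 0 if SMB (TCP 445) is externally reachable, which is
# what "Share files and folders using SMB" being enabled looks like on the
# wire; exit 1 if it is not listening at all.
smb_port_open() {
  external_listeners | grep -q ' 445$'
}

# Demo on the constructed sample. On a real Mac, replace the printf with:
#   sudo lsof -nP -iTCP -sTCP:LISTEN | classify_listeners
echo "All listeners by scope:"
printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
echo
echo "Reachable from the LAN:"
printf '%s\n' "$SAMPLE_LSOF" | external_listeners
echo
if printf '%s\n' "$SAMPLE_LSOF" | smb_port_open; then
  echo "SMB (445) is reachable: File Sharing over SMB appears to be on."
else
  echo "SMB (445) is not listening: the WINS/NetBIOS tab is just a placeholder."
fi
```

Two loopback entries in the sample (ControlCe on 7000, postgres on 5432) are the 127.0.0.1 case from the post above; the remaining three are the ones a reviewer would account for one by one.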
