
Hi,

I think my MacBook Pro is infected and that Malwarebytes doesn't detect the infection. How can I verify that my computer is uninfected?

Please help me, maybe I am just paranoid? But strange things happen and according to Little Snitch my computer contacts many weird web locations.

/Mattias


Sorry, but you haven't given us much of anything to go by. Certainly the fact that LS tells you about web sites that may seem weird to you isn't unusual. All of us who use LS see many contacts that weren't predictable, but what do you mean by weird and give us some examples, please. And what are these strange things happening? 

Malwarebytes for Mac is very good at picking up currently known malware, so there's very little chance that your MBP is infected unless it's something new. Even after giving us the details of what's going on, it's much easier to diagnose problems by getting physical access to it, so I strongly recommend you take it to your nearest Apple Store or authorized repair facility.


Hi,

I erased everything from the terminal in recovery mode, a couple of times, and I think it solved it, but not the first time.

The only thing left that I am suspicious about is the Disk Utility setup with snapshots looking like this. I don't know why there are three Redrum volumes, but I believe it's because I have a MacBook with a T2 Intel setup. I would appreciate it if you could verify that it's correct or if something is wrong.

Best regards 

Mattias


All quite normal. The Malwarebytes.app in your Applications folder is actually just a small stub app to open the GUI interface. The various processes used are contained in the Engine.bundle.


I ran an EtreCheck report and this is how it turned out; do you find anything suspicious in it?

I don't understand why I have so many drives. And what is "disk1s1 - R***********a (APFS) [APFS Virtual drive] (Shared - 112.59 GB used)"???

 

EtreCheck version: 5.7.2 (5247)

Report generated: 2022-02-09 20:39:31

Download EtreCheck from https://etrecheck.com

Runtime: 2:40

 

Performance: Excellent

Sandbox: Enabled

Full drive access: Enabled

 

Problem: Other problem

Description:

Strange things is happening!!

 

Major Issues:

    Anything that appears on this list needs immediate attention.

 

    No Time Machine backup - Time Machine backup not found.

    Runaway process - A process is using a large percentage of your CPU.

 

Minor Issues:

    These issues do not need immediate attention but they may indicate future problems or opportunities for improvement.

 

    Heavy network usage - This computer has recently restarted and has high network usage.

    Apps with heavy CPU usage - There have been numerous cases of apps with heavy CPU usage.

    Heavy I/O usage - Your system is under heavy I/O use. This will reduce your performance.

 

Hardware Information:

    MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)

    MacBook Pro Model: MacBookPro15,4

    1,4 GHz Quad-Core Intel Core i5 (i5-8257U) CPU: 4-core

    8 GB RAM - Not upgradeable

        BANK 0/ChannelA-DIMM0 - 4 GB LPDDR3 2133

        BANK 2/ChannelB-DIMM0 - 4 GB LPDDR3 2133

    Battery: Health = Normal - Cycle count = 53

 

Video Information:

    Intel Iris Plus Graphics 645 - VRAM: 1536 MB

        Color LCD (built-in) 2880 x 1800

 

Drives:

    disk0 - APPLE SSD AP0256N 251.00 GB (Solid State - TRIM: Yes)

    Internal PCI-Express 8.0 GT/s x4 NVM Express

        disk0s1 - EFI [EFI] 315 MB

        disk0s2 [APFS Container] 250.69 GB

            disk1 [APFS Virtual drive] 250.69 GB (Shared by 6 volumes)

                disk1s1 - R***********a (APFS) [APFS Virtual drive] (Shared - 112.59 GB used)

                disk1s2 - Preboot (APFS) [APFS Preboot] (Shared - 273 MB used)

                disk1s3 - Recovery (APFS) [Recovery] (Shared)

                disk1s4 - VM (APFS) [APFS VM] (Shared - 1.07 GB used)

                disk1s5 (APFS) [APFS Container] (Shared)

                    disk1s5s1 - R****m (APFS) [APFS Snapshot] (Shared - 15.75 GB used)

                disk1s6 - Update (APFS) (Shared - 717 KB used)

 

Mounted Volumes:

    disk1s1 - R***********a [APFS Virtual drive]

        250.69 GB (Shared - 112.59 GB used, 146.88 GB available, 119.77 GB free)

        APFS

        Mount point: /System/Volumes/Data

        Encrypted

 

    disk1s2 - Preboot [APFS Preboot]

        250.69 GB (Shared - 273 MB used, 119.77 GB free)

        APFS

        Mount point: /System/Volumes/Preboot

 

    disk1s4 - VM [APFS VM]

        250.69 GB (Shared - 1.07 GB used, 119.77 GB free)

        APFS

        Mount point: /System/Volumes/VM

 

    disk1s5s1 - R****m [APFS Snapshot]

        250.69 GB (Shared - 15.75 GB used, 146.88 GB available, 119.77 GB free)

        APFS

        Mount point: /

        Read-only: Yes

 

    disk1s6 - Update

        250.69 GB (Shared - 717 KB used, 119.77 GB free)

        APFS

        Mount point: /System/Volumes/Update

 

Network:

    Interface en0: Wi-Fi

        802.11 a/b/g/n/ac

    Interface bridge0: Thunderbolt Bridge

 

System Software:

    12.2 12.2 (21D49)

    Time since boot: About an hour

 

Notifications:

 

    EtreCheck.app

        one notification

    Little Snitch Agent.app

        5 notifications

 

Security:

    Gatekeeper: Enabled

    System Integrity Protection: Enabled


    Antivirus software: Apple and Malwarebytes

 

System Extensions:

    [Running] Little Snitch Network Extension - version 5.3.2 (Objective Development Software GmbH - 2021-11-16)
        Application: /Applications/Little Snitch.app - version 5.3.2 (Objective Development Software GmbH - 2021-11-16)

        Description: This system extension enables Little Snitch to filter network traffic.

 

    [Running] Little Snitch Endpoint Security - version 5.3.2 (Objective Development Software GmbH - 2021-11-16)
        Application: /Applications/Little Snitch.app - version 5.3.2 (Objective Development Software GmbH - 2021-11-16)

        Description: Little Snitch Endpoint Security

 

System Launch Agents:

    [Not Loaded] 15 Apple tasks

    [Loaded] 206 Apple tasks

    [Running] 128 Apple tasks

    [Other] One Apple task

 

System Launch Daemons:

    [Not Loaded] 37 Apple tasks

    [Loaded] 190 Apple tasks

    [Running] 149 Apple tasks

    [Other] One Apple task

 

Launch Agents:

    [Running] at.obdev.littlesnitch.agent.plist (Objective Development Software GmbH - installed 2022-02-07)

    [Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2022-02-07)

 

Launch Daemons:

    [Running] at.obdev.littlesnitch.daemon.plist (Objective Development Software GmbH - installed 2022-02-07)

    [Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2022-02-08)

    [Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2022-02-07)

    [Running] net.mullvad.daemon.plist (Amagicom AB - installed 2022-02-07)

    [Loaded] us.zoom.ZoomDaemon.plist (Zoom Video Communications, Inc. - installed 2022-02-08)

 

User Login Items:

    [Not Loaded] Bitwarden Login Helper (App Store - installed 2022-02-07)

        Modern Login Item

        /Applications/Bitwarden.app/Contents/Library/LoginItems/Bitwarden Login Helper.app

 

    [Running] Malwarebytes Browser Guard Updater (App Store - installed 2022-02-07)

        Modern Login Item

        /Applications/Malwarebytes Browser Guard.app/Contents/Library/LoginItems/Malwarebytes Browser Guard Updater.app

 

    [Not Loaded] Micro Snitch Open At Login Helper (App Store - installed 2022-02-07)

        Modern Login Item

        /Applications/Micro Snitch.app/Contents/Library/LoginItems/Micro Snitch Open At Login Helper.app

 

    [Not Loaded] LaunchAtLoginHelper (App Store - installed 2022-02-07)

        Modern Login Item

        /Applications/TextSniper.app/Contents/Library/LoginItems/LaunchAtLoginHelper.app

 

Backup:

    Time Machine Not Configured!

 

Performance:

    System Load: 5.72 (1 min ago) 7.91 (5 min ago) 5.90 (15 min ago)

    Nominal I/O speed: 35.29 MB/s

    File system: 40.96 seconds

    Write speed: 1230 MB/s

    Read speed: 1522 MB/s

 

CPU Usage Snapshot:

    Type Overall

    System: 8 %

    User: 9 %

    Idle: 83 %

 

Top Processes Snapshot by CPU:

    Process (count) CPU (Source - Location)

    Other processes 122.39 % (?)

    EtreCheck 11.48 % (App Store)

    trustd 1.98 % (Apple)

    Malwarebytes Browser Guard 1.33 % (App Store)

    iconservicesagent 0.26 % (Apple)

 

Top Processes Snapshot by Memory:

    Process (count) RAM usage (Source - Location)

    EtreCheck 412 MB (App Store)

    Malwarebytes Browser Guard 60 MB (App Store)

    AppleSpell 50 MB (Apple)

    ControlCenter 38 MB (Apple)

    NotificationCenter 34 MB (Apple)

 

Top Processes Snapshot by Network Use:

    Process Input / Output (Source - Location)

    Other processes 3.65 GB / 745 MB (?)

    backgroundtaskmanagementagent 0 B / 0 B (Apple)

    UsageTrackingAgent 0 B / 0 B (Apple)

    mediaremoteagent 0 B / 0 B (Apple)

    cfprefsd 0 B / 0 B (Apple)

 

Virtual Memory Information:

    Physical RAM: 8 GB

 

    Free RAM: 62 MB

    Used RAM: 5.76 GB

    Cached files: 2.18 GB

 

    Available RAM: 2.24 GB

    Swap Used: 18 MB

 

Software Installs (past 30 days):

    Install Date Name (Version)

    2022-02-07 macOS 12.2 (12.2)

    2022-02-07 XProtectPlistConfigData (2155)

    2022-02-07 MRTConfigData (1.88)

    2022-02-07 Micro Snitch (1.5)

    2022-02-07 StopTheMadness (26.1)

    2022-02-07 TextSniper (1.7.0)

    2022-02-07 DaisyDisk (4.21.4)

    2022-02-07 Things (3.15.12)

    2022-02-07 EtreCheck (5.7.2)

    2022-02-07 DuckDuckGo Privacy Essentials (1.4.6)

    2022-02-07 Bitwarden (1.30.0)

    2022-02-07 Mullvad VPN (2021.6.0)

    2022-02-07 Malwarebytes Browser Guard (1.0.8)

    2022-02-07 Internet Access Policy Viewer (1.0)

    2022-02-07 PocketTube (11.0.9)

    2022-02-07 Numbers (11.2)

    2022-02-07 Pages (11.2)

    2022-02-07 Keynote (11.2)

    2022-02-08 Zoom (5.9.3.4239)

    2022-02-08 YubiKey Manager (1.2.4)

    2022-02-08 Malwarebytes for Mac (1.0)

 

Diagnostics Information (past 7-30 days):

    2022-02-09 16:20:47 photolibraryd - High CPU Use

        Executable: /System/Library/PrivateFrameworks/PhotoLibraryServices.framework/Versions/A/Support/photolibraryd

 

    2022-02-09 15:58:03 bird - High CPU Use (2 times)

        Executable: /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

 

    2022-02-09 15:14:01 OtherUsersStorageExtension - High CPU Use

        Executable: /System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension

 

    2022-02-09 14:18:39 WindowServer - High CPU Use

        Executable: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer

 

    2022-02-09 13:03:19 OBS.app - High CPU Use (3 times)

        Executable: /Applications/OBS.app

 

    2022-02-08 19:08:07 RTProtectionDaemon.app - High CPU Use (3 times)

        Executable: /Library/Application Support/Malwarebytes/*/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app

 

    2022-02-08 14:43:49 Safari.app - High CPU Use

        Executable: /Applications/Safari.app

 

    2022-02-08 04:08:10 cloudd - High CPU Use

        Executable: /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd

 

    2022-02-07 21:05:52 photoanalysisd - High CPU Use

        Executable: /System/Library/PrivateFrameworks/PhotoAnalysis.framework/Versions/A/Support/photoanalysisd

 

End of report


You still have not told us what "strangeness" you are seeing that caused you to feel your MBP was infected to begin with (other than Little Snitch reported connections), so I don't have a clue what to look for in that EtreCheck report. Did it tell you there were any major issues? At least now I know that you are running macOS Monterey, so I can see that having a number of virtual drives/volumes is normal. I'm guessing you modified the name of that mystery drive and it ends in -Data, which means it's the volume that you have access to, as opposed to the System volume that you do not.

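The volume layout the reply above calls normal can be checked mechanically rather than by eye. The following is an added example, not code from this thread, from Malwarebytes or from EtreCheck: a small Python parser for the "Mounted Volumes" section of an EtreCheck report (the embedded sample is copied from the report posted earlier in this thread, volume names redacted as they were there) that compares each mount point against the stock macOS 11+ volume group, where the sealed system snapshot is mounted read-only at / and the writable "- Data" volume at /System/Volumes/Data. The expected-layout table is an assumption drawn from Apple's documented volume group, and the function names are my own.

```python
import re

# Constructed sample: the "Mounted Volumes" section as it appears in the
# EtreCheck report posted in this thread (the volume names are redacted there too).
SAMPLE_REPORT = """\
Mounted Volumes:
    disk1s1 - R***********a [APFS Virtual drive]
        250.69 GB (Shared - 112.59 GB used, 146.88 GB available, 119.77 GB free)
        APFS
        Mount point: /System/Volumes/Data
        Encrypted

    disk1s2 - Preboot [APFS Preboot]
        250.69 GB (Shared - 273 MB used, 119.77 GB free)
        APFS
        Mount point: /System/Volumes/Preboot

    disk1s4 - VM [APFS VM]
        250.69 GB (Shared - 1.07 GB used, 119.77 GB free)
        APFS
        Mount point: /System/Volumes/VM

    disk1s5s1 - R****m [APFS Snapshot]
        250.69 GB (Shared - 15.75 GB used, 146.88 GB available, 119.77 GB free)
        APFS
        Mount point: /
        Read-only: Yes

    disk1s6 - Update
        250.69 GB (Shared - 717 KB used, 119.77 GB free)
        APFS
        Mount point: /System/Volumes/Update

Network:
    Interface en0: Wi-Fi
"""

# Assumed stock macOS 11+ layout: mount point -> role tag EtreCheck prints for it.
# "/" is the sealed system snapshot and must be read-only; the user's writable
# data lives on the "<name> - Data" volume mounted at /System/Volumes/Data.
EXPECTED_LAYOUT = {
    "/": "APFS Snapshot",
    "/System/Volumes/Data": "APFS Virtual drive",
    "/System/Volumes/Preboot": "APFS Preboot",
    "/System/Volumes/VM": "APFS VM",
    "/System/Volumes/Update": None,  # EtreCheck prints no role tag for Update
}

# "disk1s1 - Name [Role]"; both the name and the bracketed role are optional.
VOLUME_RE = re.compile(r"^(?P<dev>disk\S+)(?: - (?P<name>.*?))?(?: \[(?P<role>[^\]]+)\])?$")


def parse_mounted_volumes(report: str) -> list[dict]:
    """Return one dict per volume listed under the "Mounted Volumes:" heading."""
    volumes = []
    in_section = False
    for raw in report.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # unindented line = a top-level section heading
            in_section = raw.startswith("Mounted Volumes:")
            continue
        if not in_section:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 4:  # a new volume entry
            m = VOLUME_RE.match(line)
            if m:
                volumes.append({"device": m["dev"], "name": m["name"], "role": m["role"],
                                "mount": None, "read_only": False, "encrypted": False})
        elif indent == 8 and volumes:  # attribute of the current volume
            cur = volumes[-1]
            if line.startswith("Mount point: "):
                cur["mount"] = line[len("Mount point: "):]
            elif line.startswith("Read-only: "):
                cur["read_only"] = line.endswith("Yes")
            elif line == "Encrypted":
                cur["encrypted"] = True
    return volumes


def check_layout(volumes: list[dict]) -> list[str]:
    """Describe every way the parsed volumes deviate from EXPECTED_LAYOUT."""
    findings = []
    seen = {v["mount"]: v for v in volumes if v["mount"]}
    for mount, role in EXPECTED_LAYOUT.items():
        vol = seen.get(mount)
        if vol is None:
            findings.append(f"missing expected volume at {mount}")
        elif vol["role"] != role:
            findings.append(f"{vol['device']} at {mount} has role {vol['role']!r}, expected {role!r}")
    root = seen.get("/")
    if root and not root["read_only"]:
        findings.append(f"{root['device']} mounted at / is writable; the system snapshot should be read-only")
    for mount, vol in seen.items():
        if mount not in EXPECTED_LAYOUT:
            findings.append(f"unexpected volume {vol['device']} ({vol['name']}) mounted at {mount}")
    return findings


if __name__ == "__main__":
    vols = parse_mounted_volumes(SAMPLE_REPORT)
    for v in vols:
        print(f"{v['device']:10} {v['mount']:25} role={v['role']} ro={v['read_only']} enc={v['encrypted']}")
    print("findings:", check_layout(vols) or "none; layout matches a stock install")
```

Run against the report in this thread it reports no findings: five mounted volumes, the snapshot read-only at / and the Data volume at /System/Volumes/Data, which is exactly the "many drives" the original poster was puzzled by. An extra volume (an external disk, a second user volume) shows up as "unexpected" so it can be looked at, not as a verdict of compromise.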

Strange things..

When I downloaded Malwarebytes to my download folder, hidden files were generated automatically in the folder, named something like .ignmwb, and when I downloaded Firefox I couldn't go to malwarebytes.com. When I wanted to install Homebrew it installed and then uninstalled itself and installed a sissy version. I lost sudo privileges and so on. When I tried to reinstall macOS it didn't contact Apple but installed itself from a local partition of hidden volumes; to reset all settings I had to erase everything from the recovery terminal with the dd command.

Okay, "mystery drive and it ends in -Data", thanks, then I understand that.
