Super suspicious activity on my mac


As you can see from my last posts... My Macbook Pro's been acting very weird since 2019 when I downloaded some pirated software as a stupid broke student (deleted in 2019, the same year, but the problems persist).

Despite having 'factory reset' my Macbook Pro 5-6 times, it hasn't been so successful. I even had some creepy German guys (who called me privately during their working hours to flirt while my Macbook Pro was in their hands) at the Apple certified repair shop help me factory reset my laptop with a bootable USB two years ago and still, it's noticeably slow.

If you take a look at the screenshot I took on DiskUtility, I wonder why they made so many compartments <<< I find this very suspicious.

I have not downloaded anything fishy at all since and been always very skeptical of pretty much everything that happens on my computer like emails, websites that I go onto etc.

Mind you, the spec of my laptop isn't bad at all. It's got 32 GB memory installed. The external hard drive, which I used to use for backups, is still sitting in the corner of my room and I'm reluctant to use it as it contains that old pirated software from 2019.

So my questions are:

- [2nd & 3rd Screenshot] What the heck are Python's kids?

- [2nd & 3rd Screenshot] Why can't I find "~/private/tmp/PKInstallSandbox.WRVNy3/tmp/Python/ Python3.framework/Versions/3.11/Resources/Python.app/Contents/MacOS/ Python" on Finder? This is a rootkit right?

- [1st Screenshot] Why is my iCloud Files on my iPhone in Chinese Mandarin (I don't speak/use Mandarin at all)?

Please help, I've been feeling paranoid for years.

 

IMG_05B1AB44C2A4-1.jpeg

Screenshot 2023-01-25 at 22.00.52.png

Screenshot 2023-01-30 at 01.28.02.png

Screenshot 2023-01-30 at 02.08.44.png

Screenshot 2023-01-30 at 02.11.08.png


1 hour ago, KYSH said:

If you take a look at the screenshot I took on DiskUtility, I wonder why they made so many compartments <<< I find this very suspicious.

"They" did not do that. The macOS installer has been doing that for several years now and there is nothing at all suspicious about it.

 

1 hour ago, KYSH said:

my questions are:

- [2nd & 3rd Screenshot] What the heck are Python's kids?

- [2nd & 3rd Screenshot] Why can't I find "~/private/tmp/PKInstallSandbox.WRVNy3/tmp/Python/ Python3.framework/Versions/3.11/Resources/Python.app/Contents/MacOS/ Python" on Finder? This is a rootkit right?

Looks to be Adobe Acrobat Updater running a Python script that decompresses downloaded files as part of an Acrobat update. I take it those screenshots are dialogs from RansomWhere?

Rootkits are all but non-existent with macOS and I can find no reference to one named "Python's kids."

You do have Adobe Acrobat installed, correct? If so, it will check for updates periodically and automatically download and install the updates. 

1 hour ago, KYSH said:

- [1st Screenshot] Why is my iCloud Files on my iPhone in Chinese Mandarin (I don't speak/use Mandarin at all)?

I don't put files on my iCloud, so don't have a clue about this. The only thing I can suggest is to check Settings->General->Language and Region preferences, but unless you are seeing Mandarin elsewhere, that isn't likely why you are seeing it.

 


Alright, I’ve been searching everywhere and apparently it is possible that your mac is infected with rootkits although it isn’t as common as with Windows OS.
 

I want to know how to completely resolve this issue rather than some vague answers that it doesn’t even exist in the first place! Because it isn’t true and my laptop is weird.
 

I didn’t spend $3000+ to spend 10 hours on creating some slides on Pages. That’s ridiculous. Also, my screen goes on & off every 5 seconds in Safe Mode, with alternating error codes popping up while I try to factory reset my own computer at home. I know this isn’t normal at all.

AAE2E270-D914-48EE-AB38-8101B3ECF883.png

CD469BEE-CBDD-43CB-AC0F-65BBA95ED984.png

5C0DF0DA-1205-4666-816B-52709568B976.png


Yes, of course there have been macOS rootkits and I said that in my reply, but most are extinct (either patched to prevent or no longer in circulation) and those that are known to still exist would have been detected by Malwarebytes. The only other possibility is that there's a new zero-day out there that nobody knows about yet. Again, macOS rootkits are not only less common than the Windows variety, they are out-and-out "rare."

Running your Mac in safe mode will always result in strange occurrences, especially graphics, some more than others due to hardware differences. As described, Safe mode disables not only 3rd party software and services, but only loads those Apple services absolutely necessary to allow it to boot up. Ask any other Mac user to check theirs and they will confirm this is perfectly normal. Has been with every one of the dozen or so Macs I've owned or operated since the late 1980s.

I'll have to refresh my memory on your Pages problem....

You didn't answer my question about Adobe Acrobat.


I went back and reviewed all the previous postings and can't find anything about your Pages problem, but did notice that you did apparently have an issue with at least one Adobe product in the past. @treed suggested then that you uninstall your Adobe software and reinstall it. There is an app that is supposed to help with that which you might find useful at https://www.macparc.ch/apps/accRemover/.


None of my anti-malware software identifies it as PUP/PUA/Malware and, examining its contents, it does appear to have all the right contents for finding all Adobe files. I can't examine the script as it was compiled as run only.

I ran it myself with no obvious issues.


  • Staff

A few comments:

  • The screenshots from RansomWhere? mean that processes launched by Python (this is what "Python's kids" means) are encrypting files. In this case, it looks like Acrobat is using that to encrypt form data of some kind. This does not look in any way like malware activity.
  • PLEASE do not ask ChatGPT questions and expect a truthful answer. ChatGPT will give you wrong or incomplete answers with supreme confidence. This is just general advice, not specific to this particular reply.
  • There are a variety of definitions of "rootkit," and some still could exist. However, be aware that there is no malware for Mac, of any kind, that would survive wiping the hard drive, unless it were to be copied back onto the system as part of restoring from backups.
  • There is absolutely no reason to believe that the Python item in /private/tmp (NOT, you should note, ~/private/tmp, which does not exist) is a rootkit, or any other type of malware. This is probably Acrobat installing Python for some specific task, since Python is not installed by default on macOS any longer.
  • I can't tell you why some files are showing with Chinese characters on an iPhone in your first screenshot. What app are you viewing those files in?
  • None of what you've posted so far gives any reason to believe your Mac is infected with malware.

Hello, @alvarnell and @treed. First I want to thank you both for walking through problems with some facts.
 

As @alvarnell had suggested, I used macparc to wipe out Adobe completely and my Macbook Pro’s finally handling Pages like a Pro. I’m glad I don’t have to go through another process of factory resetting again and suffer in pain with those tenacious Adobe leftovers. 
 

I will answer @treed’s questions.

  1. I have Python 3 installed on my laptop! I looked up rootkits and learnt about EvilOSX and how it can replicate a software and infiltrate users’ Mac and personal data once it’s given the permission to be installed… this is what I did basically in 2019. Somebody had remote access to my laptop and played with my YouTube comments (editing HTML? No idea) to have a brief interaction. Heard that’s also rare but a lot of people use torrents so still, it can happen.
  2. For the file descriptions in Chinese Mandarin, it’s not a downloaded software. It’s a root app developed by Apple called Files (iCloud). You can open documents, read, write and move… and so on, like Finder + Adobe Acrobat on iPhone. I don’t know why it’s in Mandarin though. The person who was interacting with me on YouTube comments said his name is Le Lu, though. I doubt he’s the guy but Le Lu (Chinese name) is one of the software engineering Google Scholars.

  • Staff

You'd need to talk to Adobe support about what they're doing with Python. There's no indication from the information you've provided that this is malicious activity.

Regarding that app, that screenshot does not match anything I can duplicate in the Files app. I'm guessing you may be running an old version of iOS, so my first suggestion would be to update to the latest version of iOS and see if the problem continues.


I correctly guessed that the screenshots showing Mandarin were from Files and couldn't replicate your findings with any of the files "On my iPhone" but again, don't have any iCloud files. I'm up-to-date on iOS version.

Did you open those .pdfs to verify they are not Chinese?

I also installed Python 3 on my Mac to support a couple of apps that now require it.

For @treed, RansomWhere? cannot seem to tell the difference between encrypting and decrypting a file. I often get warnings when an app is self-updating itself having downloaded the update and needing to decrypt/expand it during the update process. /private/tmp/ is commonly used during that process. But I don't have Adobe Acrobat installed, only Reader.
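The two points made above, that the alert path lives in /private/tmp rather than a non-existent ~/private/tmp, and that updaters routinely unpack downloads under /private/tmp, can be turned into a small triage helper. The following is an added example written for this thread; it is not code from the forum, from RansomWhere? or from Apple. It only parses the path string, so it runs on any OS; the PKInstallSandbox and /private/tmp behaviour it reports is standard macOS, and the sample path is the one quoted in the thread, copied as posted (including the spaces after some slashes, which look like line wrapping). The follow-up commands it suggests are real macOS tools but are not executed by the script.

```python
"""Triage a process path reported by a file-activity monitor on macOS.

Added example for this thread; not code from the forum, RansomWhere? or
Apple. It inspects the path string only, so it runs on any OS.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the path quoted in the thread, copied as posted.
SAMPLE_PATH = ("~/private/tmp/PKInstallSandbox.WRVNy3/tmp/Python/ "
               "Python3.framework/Versions/3.11/Resources/Python.app/"
               "Contents/MacOS/ Python")


@dataclass
class PathReport:
    normalized: str
    in_temp_dir: bool = False             # under /private/tmp (where /tmp points on macOS)
    in_installer_sandbox: bool = False    # inside a PackageKit PKInstallSandbox.* directory
    python_version: Optional[str] = None  # X.Y from Python3.framework/Versions/X.Y
    is_python_interpreter: bool = False   # the framework's own Python executable
    notes: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Drop spaces that follow a slash (wrap damage), collapse '..' and doubled
    slashes, and spell /tmp as /private/tmp, which is where macOS's /tmp
    symlink resolves."""
    cleaned = posixpath.normpath(path.replace("/ ", "/"))
    if cleaned == "/tmp" or cleaned.startswith("/tmp/"):
        cleaned = "/private" + cleaned
    return cleaned


def triage(path: str) -> PathReport:
    """Classify the path and collect plain-language notes for the analyst."""
    report = PathReport(normalized=normalize(path))
    p = report.normalized
    if p.startswith("~/private/"):
        report.notes.append(
            "'~/private' does not exist on a stock macOS install; the system "
            "temp directory is /private/tmp with no tilde. Checking the rest "
            "of the path as if it started at /private.")
        p = p[1:]
    if p.startswith("/private/tmp/"):
        report.in_temp_dir = True
        report.notes.append(
            "Under /private/tmp: scratch space that installers and self-updaters "
            "use to unpack downloads. It is cleared by the system and is not a "
            "location anything would rely on to persist.")
    if any(part.startswith("PKInstallSandbox.") for part in p.split("/")):
        report.in_installer_sandbox = True
        report.notes.append(
            "PKInstallSandbox.* is created by Apple's installer framework "
            "(PackageKit) while a .pkg is being installed, so an installer "
            "package was running at the time of the alert.")
    match = re.search(r"Python3\.framework/Versions/(\d+\.\d+)/", p)
    if match:
        report.python_version = match.group(1)
    if p.endswith("Python.app/Contents/MacOS/Python"):
        report.is_python_interpreter = True
        report.notes.append(
            "The executable is the interpreter bundled inside a Python 3 "
            "framework; processes it spawns are what RansomWhere? groups as "
            "\"Python's kids\".")
    return report


def follow_up_commands(report: PathReport) -> List[str]:
    """Real macOS commands a defender would run next (not executed here):
    confirm who signed the binary, and list package receipts if an installer
    sandbox was involved."""
    target = report.normalized.lstrip("~")
    cmds = [f"codesign -dv --verbose=4 '{target}'"]
    if report.in_installer_sandbox:
        cmds.append("pkgutil --pkgs")  # receipts of every installed .pkg
    return cmds


if __name__ == "__main__":
    rep = triage(SAMPLE_PATH)
    print(rep.normalized)
    for note in rep.notes:
        print("-", note)
    for cmd in follow_up_commands(rep):
        print("$", cmd)
```

Run it as-is to see the notes for the thread's path; pass any other path from a monitor alert to `triage()` to get the same breakdown. The point of the design is that location tells you a lot before any binary is inspected: an installer's scratch directory under /private/tmp is exactly where an Acrobat update would unpack a bundled Python, whereas a persistence location (a LaunchDaemon plist, for instance) would warrant a much closer look.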

