
How can I remove malware trying to phone home?

Hi,

I’m not sure when this started, but I noticed today that Firefox and Thunderbird try to connect to a known malware site. When I start either of these apps, Little Snitch shows an outgoing connection to R3.o.lencr.org. I did a search and found quite a few sites talking of R3.o.lencr.org as being malware, although most of the advice for removal was for Windows users. Here is what one said ...


R3.o.lencr.org can be deemed as a redirect virus. It is injected on your web browser by a potentially unwanted program (PUP) which generates numerous ads on most webpages you open. You should be on alert when you encounter endless R3.o.lencr.org popup or ads redirection. It is an obvious sign of virus infection.


What I’ve tried ...

- ran 3 different anti-virus apps (Malwarebytes, ClamXAV and Combo Cleaner), but none of them showed any sign of a virus or other abnormalities.

- disabled addons in Firefox using Troubleshoot Mode. Despite this, R3.o.lencr.org still tries to connect until I block it with L/Snitch. (Path: /Applications/Firefox.app/Contents/MacOS/firefox)


I am slightly concerned because I was contacted by my credit card company last week to say that someone had fraudulently used my card on a now-disappeared website. My card details were stolen online.


So my question is, does anyone know how I might verify whether my computer is infected and, if so, how to locate and delete the thing? If this is not the case then why would these 2 apps (and possibly other browsers) try to connect to a known malware site?


Thanks


Note: I downloaded Thunderbird from Mozilla only yesterday and didn’t add any addons, so I was surprised to see the connection to lencr.org.


Mac 10.14.6, Mac Mini


Mac mini, macOS 10.14

Posted on May 2, 2021 7:54 AM

Question marked as Best reply

Posted on May 3, 2021 6:37 PM

amamik wrote:

I’m still in the dark about what I should do

Nothing.

r3.o.lencr.org is most likely malware.

It is not.

Maybe a bit extreme but I’m wondering whether I should uninstall my browser and start from scratch?!

No.


18 replies

May 2, 2021 6:55 PM in response to amamik

See if you have unknown Profiles.

To remove a configuration profile in macOS:

  1. From the Apple menu, select System Preferences....
  2. From the View menu in System Preferences, select Profiles. Note: Profiles won't be visible until you have at least one profile installed.
  3. Select the profile you want to remove, and then press the - (minus) button. Click Remove to remove the profile.


EtreCheck is a simple little diagnostic tool to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac. It will not display any personal info.

https://www.etrecheck.com/


Pastebin is a good place to paste the whole report if you capture the URL while there…

https://pastebin.com/


Workable but harder for me to work with...the Note tool on the bottom of this editor's toolbar, as shown in the image, to copy and paste the output from EtreCheck. In a Reply before you click post, look for this to add longer texts...

May 3, 2021 11:11 AM in response to BDAqua

BDAqua wrote:

With R3.o.lencr.org I get...

Not secure warning in Brave browser.

Yes. That domain is used for certificate validation. If it used a secure protocol itself, then that would need to be validated too. And if that connection was secure, it would need validation, etc., etc., ad infinitum.


Secure certificates are used for two purposes:

1) to encrypt the data being transferred,

2) to guarantee the authenticity of the site.


For certificate verification, there is little need for encryption. The certificates you might be validating are not going to reveal any personal information. Certificates are, by their nature, public documents. There is a chain of trust that goes back to the certificate authority and this guarantees the validity of the certificate itself.


For any other data that you might transmit, the certificate is used to establish an encrypted channel so that neither your evil coffeeshop barista, nor government spies at an internet exchange point, can see the content of your web site. Strong browser controls will prevent mixing of insecure, http, content with secure content so that your evil baristas/spies don't even know what Javascript frameworks you are using. Let's Encrypt provides this level of protection.


Secure certificates can also be used to ensure that www.apple.com, or www.my-apple.com or www.apple-corp.com are actually Apple websites (only one of those actually is). For $300, you can pay someone to do some basic research and to call you and ask if you really own Apple, Inc. That will give you a fancy certificate. If you click on the padlock in the address bar, it will say something like this:


Let's Encrypt, even on their own site, doesn't have that second sentence there.


A couple of years ago, those fancy certificates would also turn the address bar green, but Apple and the other web browsers stopped doing that. Personally, I think that was a mistake. Of course, that doesn't stop some vendors of security certificates from advertising that green address bar that no longer exists. You still get the second sentence with your EV certificate, but no one ever checks that.
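The reason a browser contacts r3.o.lencr.org at all is that the responder's URL is carried inside the site's own certificate, in the Authority Information Access (AIA) extension, and is addressed over plain http for the reason given above. The following is an added example, not code from this thread or from Let's Encrypt: it builds a disposable self-signed certificate that embeds a constructed OCSP URL and reads the URL back with openssl the way a client would. It assumes openssl is on PATH; the subject name, file names and embedded URL are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a disposable self-signed
# certificate whose Authority Information Access (AIA) extension names an
# OCSP responder, then extracts that URL the way a browser does before it
# sends an OCSP query. Subject, file names and URL are constructed for the demo.
set -e

make_demo_cert() {
  # $1 = output certificate (PEM), $2 = OCSP responder URL to embed in AIA
  cert=$1
  ocsp_url=$2
  cnf="${cert%.pem}.cnf"
  # Minimal req config: a fixed subject and one extension section carrying AIA.
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo.example
[ v3_demo ]
authorityInfoAccess = OCSP;URI:$ocsp_url
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$cnf" -extensions v3_demo \
    -keyout "${cert%.pem}.key" -out "$cert" >/dev/null 2>&1
}

ocsp_uri_of() {
  # Print the OCSP responder URL(s) recorded in the certificate's AIA extension.
  openssl x509 -in "$1" -noout -ocsp_uri
}

ocsp_uri_scheme() {
  # Scheme of the first responder URL. Real CAs publish http here: an https
  # responder would itself need a certificate to validate, which is the
  # infinite regress described in the post above.
  ocsp_uri_of "$1" | head -n 1 | sed 's#://.*##'
}

# Stand-alone demo: embed the domain from this thread as the responder URL.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/demo.pem" "http://r3.o.lencr.org"
echo "OCSP responder in certificate: $(ocsp_uri_of "$demo_dir/demo.pem")"
echo "Scheme: $(ocsp_uri_scheme "$demo_dir/demo.pem")"
rm -rf "$demo_dir"
```

Running `ocsp_uri_of` against a real site's leaf certificate (for example one saved from the browser's certificate viewer) shows the same kind of URL, which is the connection Little Snitch is reporting.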

May 2, 2021 8:19 PM in response to BDAqua

Thanks for taking the time to reply.

There was no Profile to remove, possibly because I moved to this non-admin account recently.

The only possible issues that showed up in EtreCheck > Major Issues were a number of unsigned software files. Only one looked like it could be problematic (pfloggerd) but when I looked into it I found that it was part of the firewall I use (Murus). I’ve had this software installed on my machine for years and the company seems to be sound; lines 15-19


https://pastebin.com/wZB5erC7


I also checked out the website lencr.org (R3.o.lencr.org). It seems to be a legit site dealing with internet certificates and so on, but I don't know for sure. From their home page:


lencr.org is a domain owned by Let’s Encrypt. We use it to host OCSP, CRLs, and issuer certificates: all the URLs that show up in certificates.


If they are what they claim to be then that would explain the outgoing connections. But then again, I’m a bit puzzled as to why there are so many anti-virus web sites saying that R3.o.lencr.org is malware. For example:


How to remove R3.o.lencr.org redirect virus

R3.o.lencr.org Malware Removal Steps


Not sure whether I should keep it permanently blocked in Little Snitch or not. If it weren’t for the recent credit card theft it wouldn’t bother me.

May 2, 2021 10:42 PM in response to BDAqua

I moved from an old standard account to this new one a few days ago; that was after the credit card problem. So the new account might be ok. But like I said in my 12.19 pm post, the outgoing R3.o.lancer.org connections to a seemingly legitimate site are confusing when other sites say it’s malware. Not sure what that’s about.


Because 3 anti-virus apps showed no infection and my Mac seems to be working normally I’ll leave it as is and change my passwords on sites where I use my credit card. Perhaps it was stolen through an untrustworthy website rather than a virus. Who knows? If I have any further problems I’ll post again.


Thanks for your help.

May 3, 2021 7:54 AM in response to BDAqua

You made a typo, it should be R3.o.lencr.org/ (not lancer)


Typing in the full url brought up a Warning: Potential Security Risk Ahead page in Firefox, so I didn’t go any further. But typing in the domain, lencr.org redirects to https://letsencrypt.org/docs/lencr.org/ which looks like a legitimate site as I mentioned earlier.


Not sure if it'll help but I gave Etrecheck full disk access and posted the report here.

https://pastebin.com/ttW1RWLj

May 3, 2021 8:50 AM in response to amamik

amamik wrote:

The only possible issues that showed up in EtreCheck > Major Issues were a number of unsigned software files. Only one looked like it could be problematic (pfloggerd) but when I looked into it I found that it was part of the firewall I use (Murus). I’ve had this software installed on my machine for years and the company seems to be sound; lines 15-19

The next major version of EtreCheck will allow you to hide those unsigned files. I'm going to have to dramatically increase EtreCheck's malware detection and that will require better management of these kinds of user scripts.

I also checked out the website lencr.org (R3.o.lencr.org). It seems to be a legit site dealing with internet certificates and so on, but I don't know for sure. From their home page:

lencr.org is a domain owned by Let’s Encrypt. We use it to host OCSP, CRLs, and issuer certificates: all the URLs that show up in certificates.

Let's Encrypt can be a bit complicated. It is nice that they have that documentation site that explains it. The site is definitely owned by Let's Encrypt and any access to it should not automatically be assumed to be malicious.


That being said, you should not consider Let's Encrypt certificates to be a guarantee of authenticity. They are a guarantee of a secure connection to "a site", but anyone can get a Let's Encrypt certificate for a site. A Let's Encrypt certificate should make one less trusting of a site, not more trusting. Sometimes I've used Let's Encrypt certificates myself for testing and setting up new sites. But they are a hassle and I can't imagine why anyone would want to use one long-term for any real, production web site.

If they are what they claim to be then that would explain the outgoing connections. But then again, I’m a bit puzzled as to why there are so many anti-virus web sites saying that R3.o.lencr.org is malware. For example:

How to remove R3.o.lencr.org redirect virus
R3.o.lencr.org Malware Removal Steps

I strongly advise people to avoid doing their own security research on the internet. Virtually every hit you will get in your results will be malicious. If you don't already know which sites are legitimate and which are malicious, then you won't be able to tell the difference on your own. You are more likely to actually install new malware than remove any.

Not sure whether I should keep it permanently blocked in Little Snitch or not. If it weren’t for the recent credit card theft it wouldn’t bother me.

Little Snitch is another big annoyance. It is absolutely impossible for anyone to use Little Snitch to identify malicious internet sites. Everyone on the internet, from legitimate companies to malware developers, all use the same internet services. In many cases, they are using the same physical machines and sharing IP addresses. And of course, everyone wants their connections to be secure, and therefore encrypted.


You can use Little Snitch to block all network activity from a malicious app, but that's it. It is either all or nothing. More often, people use Little Snitch to selectively block activity from legitimate apps, to prevent them from "phoning home" and tracking the user, or validating a license code.

May 3, 2021 6:32 PM in response to etresoft

Thanks for the information. I get what you are saying but I’m still in the dark about what I should do, if anything. For the moment I’ve blocked r3.o.lencr.org in Little Snitch.


Before blocking it I did a small test using L/Snitch. In my browser I tabbed discussions.apple.com (only) then restarted Firefox. With no Allow or Deny rules set in LS, I allowed each individual connection to pass until r3.o.lencr.org showed. I then removed the Apple page and replaced it with blogger.com. After restarting the browser again, I did the same thing and got the same result. Maybe I’m wrong but it seems unlikely that Apple and Google would use lencr.org to authenticate certificates?


I also tried disabling my addons individually (except for NoScript and uBlock Origin) as I thought a malicious addon might have been trying to connect but they seem to be ok.


I strongly advise people to avoid doing their own security research on the internet. Virtually every hit you will get in your results will be malicious. If you don't already know which sites are legitimate and which are malicious, then you won't be able to tell the difference on your own. You are more likely to actually install new malware than remove any.


I agree with what you said but I pasted those two websites from a search engine search simply to show that r3.o.lencr.org is most likely malware. I’m careful not to install anything from sites like these. Doing a search on r3.o.lencr.org showed plenty of warnings about it including a youtube video done by someone with apparently nothing to sell or download.


Maybe a bit extreme but I’m wondering whether I should uninstall my browser and start from scratch?!

May 17, 2021 12:52 PM in response to amamik

Hi there,

I ran into this issue today. Macbook Early 2015 does not have this happening, running Little Snitch 4.


But, my 2020 MacBook Air M1, Little Snitch 5, which has not even been on the internet until a few days ago, it does. Pretty much any time it makes a request to the internet, a few seconds later I get a pop up for r3.o.lencr.org.


I'm somewhere between your two opinions. :) While the only pages I could find on the internet were poorly worded late 90s looking web pages talking in circles and trying to get you to 'try' this piece of software to see if it can help... so it seemed more that they were trying to get someone to run that program and then REALLY put a virus/malware on.


It did seem weird that it comes up on the MacBook Air, but I've never seen it on the 2015 and that's been my daily driver, and I drive a lot. But the explanation here makes me feel a lot better about things, especially since my new baby's only been on the internet a few days.


Now I get to go double check that for the first 50 websites before forgetting all about it.


My big concern is, after 6 years of hiding this 2015 away from Apple grabby hands, I had to open everything up just to log into this bloody site. (Must have Apple product, in your current possession, so you can log into your Apple account, or you can't come on here... even if you're offering help and not looking for it, and have it open so we can take that data you've been hiding from us, which is yours and not ours.) Seriously, I logged in, put my walls up, while I typed this out and it said my session had expired and had to do it all again.


No other company in the world has the audacity to literally force you to configure it the way they want you to. It'd be like buying a car from Porsche and then they tell you that you have to drive it backwards and you're not allowed to paint it and only polka music plays on the stereo.

May 17, 2021 1:36 PM in response to Entreprenerdz

R3.o.lencr.org is a browser-redirecting app that attaches itself to the main browser in the computer and takes control over some of its settings. R3.o.lencr.org aims to bring different ads to the user’s screen and to promote certain sites by page-redirecting the browser to them.


There is a free Malwarebytes which may take care of it...

https://www.malwarebytes.com/mac/
