How can I remove malware trying to phone home?

Hi,

I’m not sure when this started, but I noticed today that Firefox and Thunderbird try to connect to a known malware site. When I start either of these apps, Little Snitch shows an outgoing connection to R3.o.lencr.org. I did a search and found quite a few sites talking of R3.o.lencr.org as being malware, although most of the advice for removal was for Windows users. Here is what one said ...


R3.o.lencr.org can be deemed as a redirect virus. It is injected on your web browser by a potentially unwanted program (PUP) which generates numerous ads on most webpages you open. You should be on alert when you encounter endless R3.o.lencr.org popup or ads redirection. It is an obvious sign of virus infection.


What I’ve tried ...

- ran 3 different anti-virus apps (Malwarebytes, ClamXAV and Combo Cleaner), but none of them showed any sign of a virus or other abnormalities.

- disabled addons in Firefox using Troubleshoot Mode. Despite this R3.o.lencr.org still tries to connect until I block it with L/Snitch. (Path: /Applications/Firefox.app/Contents/MacOS/firefox)


I am slightly concerned because I was contacted by my credit card company last week to say that someone had fraudulently used my card on a now-disappeared website. My card details were stolen online.


So my question is, does anyone know how I might verify whether my computer is infected and, if so, how to locate and delete the thing? If this is not the case then why would these 2 apps (and possibly other browsers) try to connect to a known malware site?


Thanks


Note: I downloaded Thunderbird from Mozilla only yesterday and didn’t add any addons, so I was surprised to see the connection to lencr.org.


Mac 10.14.6, Mac Mini


Mac mini, macOS 10.14

Posted on May 2, 2021 7:54 AM

Question marked as Top-ranking reply

Posted on May 2, 2021 6:55 PM

See if you have unknown Profiles.

To remove a configuration profile in macOS:

  1. From the Apple menu, select System Preferences....
  2. From the View menu in System Preferences, select Profiles. Note: Profiles won't be visible until you have at least one profile installed.
  3. Select the profile you want to remove, and then press the - (minus) button. Click Remove to remove the profile.


EtreCheck is a simple little diagnostic tool to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac. It will not display any personal info.

https://www.etrecheck.com/


Pastebin is a good place to paste the whole report if you capture the URL while there…

https://pastebin.com/


Workable but harder for me to work with...the Note tool on the bottom of this editor's toolbar, as shown in the image, to copy and paste the output from EtreCheck. In a Reply before you click post, look for this to add longer texts...
