
Question: booklingUpd.plist

Hello, seeing 22+% (or ~100% on a single thread) processor usage by launchservicesd


Found this in the console log:


10/14/16 4:47:50.680 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:00.685 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:10.690 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:20.694 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

...

This goes on and on and on


Tried looking for it in launch control

launchctl list | grep book


and came up empty


Tried looking through the whole computer for booklingUpd.plist and also came up empty.


Anywhere else I can check to keep this thing from eating power/battery and cpu time?

MacBook Pro, OS X El Capitan (10.11.6)
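Two defender-side helpers for exactly this situation (a job that launchd keeps respawn-throttling but that `launchctl list | grep` does not show), added here as an example; this is not code from the thread. It counts the throttle messages per job label in a saved console log, and it locates the job's plist across the standard launchd directories by file name or by contents, because the name launchd logs is the job's Label, which need not match the plist's file name. The `ROOT` prefix, the `make_demo` test tree and the `exampleUpd.plist` label are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two defender-side helpers for a launchd
# job that keeps being respawn-throttled: count the throttle messages per job
# label in a saved console log, and locate the job's plist by file name OR by
# contents across the standard launchd directories. ROOT is an assumed optional
# prefix so the search can be pointed at an offline copy or a test tree.

LAUNCHD_DIRS="/Library/LaunchDaemons /Library/LaunchAgents \
/System/Library/LaunchDaemons /System/Library/LaunchAgents \
$HOME/Library/LaunchAgents"

# count_respawns LOGFILE
# Prints "<label> <count>" for every job launchd reports as
# "Service only ran for N seconds. Pushing respawn out ...".
count_respawns() {
  awk '/launchd\[1\]: \(.*\) Service only ran for/ {
         label = $0
         sub(/.*launchd\[1\]: \(/, "", label)   # strip everything before the label
         sub(/\).*/, "", label)                 # strip the closing paren and message
         n[label]++
       }
       END { for (l in n) printf "%s %d\n", l, n[l] }' "$1"
}

# find_launchd_job NEEDLE [ROOT]
# Prints each .plist under the launchd directories whose file name or
# contents contain NEEDLE. Matching on contents matters because the name
# launchd logs is the job Label, which need not equal the plist file name.
find_launchd_job() {
  needle=$1
  root=${2:-}
  for d in $LAUNCHD_DIRS; do
    dir="$root$d"
    [ -d "$dir" ] || continue
    find "$dir" -name '*.plist' 2>/dev/null | while read -r f; do
      case $f in
        *"$needle"*) echo "$f"; continue ;;
      esac
      grep -q -- "$needle" "$f" 2>/dev/null && echo "$f"
    done
  done
}

# make_demo: builds a constructed test tree (one plist plus a console-log
# excerpt modelled on the thread's messages) and prints its path.
make_demo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/Library/LaunchDaemons"
  cat > "$demo/Library/LaunchDaemons/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>exampleUpd.plist</string>
  <key>ProgramArguments</key><array><string>/Library/example/exampleUpd</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
  cat > "$demo/console.log" <<'EOF'
10/14/16 4:47:50.680 PM com.apple.xpc.launchd[1]: (exampleUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
10/14/16 4:48:00.685 PM com.apple.xpc.launchd[1]: (exampleUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
10/14/16 4:48:10.690 PM com.apple.xpc.launchd[1]: (exampleUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
EOF
  echo "$demo"
}

demo=$(make_demo)
count_respawns "$demo/console.log"        # exampleUpd.plist 3
find_launchd_job exampleUpd "$demo"       # <demo>/Library/LaunchDaemons/com.example.updater.plist
rm -rf "$demo"
```

On a live machine, call `find_launchd_job booklingUpd` with no root argument. Note also that `launchctl list` run as an ordinary user lists only that user's jobs; daemons loaded from /Library/LaunchDaemons appear under `sudo launchctl list`, which is one reason the unprivileged grep in the question came up empty.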

Answer (question marked as Solved):

Looks like I found it in /Library/LaunchDaemons/ and was able to remove it. I suspect it may have been related to a virus called: ucereng


10/14/16 5:07:31.267 PM sudo[580]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/Library/ucereng/ucereng.app/Contents/MacOS/ucereng

10/14/16 5:07:53.300 PM sudo[626]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/in/install_injector.sh

10/14/16 5:07:53.313 PM sudo[628]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/var/tmp/in/install_injector.sh Aa865780bfe3e8a8f-0-FS-US 0 //aa9d046aab36af4ff182f097f840430d51.com http://google.com 99999999

10/14/16 5:07:53.323 PM sudo[630]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/grep -rnw /etc -l -e rdr pass

10/14/16 5:07:53.900 PM sudo[641]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist name disroost

10/14/16 5:07:53.921 PM sudo[643]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist pref com.disroost.preferences.plist

10/14/16 5:07:53.940 PM sudo[645]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist service_pref com.disroost.service.plist

10/14/16 5:07:53.959 PM sudo[647]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/mkdir disroost

10/14/16 5:07:53.981 PM sudo[649]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp ai disroost

10/14/16 5:07:53.993 PM sudo[651]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp -r disroost /Library

10/14/16 5:07:54.006 PM sudo[653]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/rm -r disroost

10/14/16 5:07:54.018 PM sudo[655]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp run_app.sh /etc

10/14/16 5:07:54.031 PM sudo[657]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/sbin/chown root /etc/run_app.sh

10/14/16 5:07:54.046 PM sudo[659]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 755 /etc/run_app.sh

10/14/16 5:07:54.057 PM sudo[661]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod -R 755 /Library/disroost

10/14/16 5:07:54.069 PM sudo[663]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/mv /Library/disroost/ai /Library/disroost/disroost

10/14/16 5:07:54.081 PM sudo[665]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod a+rwx /Library/disroost/disroost

10/14/16 5:07:54.093 PM sudo[667]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

10/14/16 5:07:54.129 PM sudo[672]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist dist_channel_id Aa865780bfe3e8a8f-0-FS-US

10/14/16 5:07:54.148 PM sudo[674]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist machine_id BA8BEC95-54B7-580B-A07E-5B2FF0FF3E4D

10/14/16 5:07:54.168 PM sudo[676]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist click_id 0

10/14/16 5:07:54.188 PM sudo[678]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist domain //aa9d046aab36af4ff182f097f840430d51.com

10/14/16 5:07:54.207 PM sudo[680]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist url 'http://google.com'

10/14/16 5:07:54.226 PM sudo[682]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist delay 99999999

10/14/16 5:07:54.252 PM sudo[684]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/plutil -convert xml1 /Library/Preferences/com.disroost.preferences.plist

10/14/16 5:07:54.281 PM sudo[686]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp com.pref.service-preferences.plist /Library/LaunchDaemons/com.disroost.service.plist

10/14/16 5:07:54.291 PM sudo[688]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 755 /Library/LaunchDaemons/com.disroost.service.plist

10/14/16 5:07:54.302 PM sudo[690]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/launchctl load -w /Library/LaunchDaemons/com.disroost.service.plist


I was able to remove this manually with a lot of sudo rm's and with the help of malwarebytes.



Oct 14, 2016 2:27 PM


Oct 29, 2016 11:38 PM in response to jimmyjimbo

I think I am dealing with the same thing you found. It is definitely malware and keeps generating new names and starting processes. It takes over all outbound network traffic on port 80 using pfctl. Not sure what else it's doing yet. Have you been able to fully eradicate it?

Oct 29, 2016 11:38 PM

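The sudo entries in the accepted answer are a compact record of how the persistence was set up: staging from /private/var/tmp, world-writable chmods, a daemon plist copied into /Library/LaunchDaemons and loaded with `launchctl load -w`, and `Hide500Users` written to the loginwindow preferences, which hides accounts with a UID below 500 from the login screen. The packet-filter angle (miked531's report of pfctl redirecting port 80, and the answer's `grep -rnw /etc -l -e rdr pass` line) fits the same picture. The triage function below, added here as an example and not code from the thread or from Malwarebytes, reads a file of such entries and tags each one with the indicators it trips; the indicator names and the `make_sample_log` excerpt (three lines modelled on the answer's log plus one ordinary admin command) are this example's own construction.

```shell
#!/bin/sh
# Added example (not from the thread). Triage of sudo log entries in the
# format the thread shows ("... sudo[PID]: user : TTY=... ; PWD=... ;
# USER=... ; COMMAND=..."): each entry is tagged with the persistence and
# tampering indicators it trips, so a long run of root commands can be read
# at a glance. The indicator names are this example's own choice.

# triage_sudo_log LOGFILE
# Prints "<line>:<tags>: <command>" for each flagged entry, then a total.
triage_sudo_log() {
  awk -F' ; ' '
    /sudo\[[0-9]+\]:/ {
      wd = ""; cmd = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PWD=/)     wd  = substr($i, 5)
        if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
      }
      tags = ""
      # commands run from, or acting on, a temp staging directory
      if (wd ~ /^\/(private\/)?(var\/)?tmp(\/|$)/ || cmd ~ /(^|[ =])\/(private\/)?(var\/)?tmp\//)
        tags = tags " tmp-staging"
      # files written into the system-wide launchd directories
      if (cmd ~ /\/Library\/Launch(Daemons|Agents)\//)
        tags = tags " launchd-persistence"
      # a job being activated immediately
      if (cmd ~ /^\/bin\/launchctl (load|bootstrap)/)
        tags = tags " launchctl-load"
      # permissions loosened to world-writable
      if (cmd ~ /chmod (-R )?(777|a[+]rwx|o[+]w)/)
        tags = tags " world-writable"
      # accounts with UID < 500 hidden from the login window
      if (cmd ~ /loginwindow Hide500Users/)
        tags = tags " hidden-user"
      # packet-filter rules touched (the port-80 redirection reported in the thread)
      if (cmd ~ /\/sbin\/pfctl|\/etc\/pf\.conf/)
        tags = tags " pf-rule-change"
      if (tags != "") { hits++; printf "%d:%s: %s\n", NR, tags, cmd }
    }
    END { printf "%d flagged\n", hits + 0 }' "$1"
}

# make_sample_log: writes a constructed excerpt (modelled on the thread's
# entries plus one ordinary admin command) and prints the file path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
10/14/16 5:07:53.300 PM sudo[626]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/in/install_injector.sh
10/14/16 5:07:54.093 PM sudo[667]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
10/14/16 5:07:54.302 PM sudo[690]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/launchctl load -w /Library/LaunchDaemons/com.disroost.service.plist
10/14/16 5:10:00.000 PM sudo[700]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
EOF
  echo "$f"
}

log=$(make_sample_log)
triage_sudo_log "$log"
# 1: tmp-staging world-writable: /bin/chmod 777 /var/tmp/in/install_injector.sh
# 2: tmp-staging hidden-user: /usr/bin/defaults write ... Hide500Users -bool YES
# 3: tmp-staging launchd-persistence launchctl-load: /bin/launchctl load -w ...
# 3 flagged
rm -f "$log"
```

On a real system the input would be the sudo lines exported from Console.app (or `grep sudo /var/log/system.log` on El Capitan); the fourth sample line shows an ordinary `softwareupdate` run passing through untagged, so the output only lists the entries worth a second look.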

Oct 31, 2016 7:37 AM in response to miked531

You are infected with malware that the current version of Malwarebytes Anti-Malware for Mac is having trouble dealing with. Fortunately, we have a new version of Malwarebytes Anti-Malware for Mac in beta testing right now, which should be able to deal with this malware. You can get more information and download the beta here:


https://forums.malwarebytes.org/topic/188888-announcing-anti-malware-for-mac-125-beta/


If that doesn't work, please let me know.


Fair disclosure: Note that I work for Malwarebytes, and the link I've provided goes to the Malwarebytes website, which contains pages that promote our products. There is no need to purchase anything to deal with this problem.


Thomas Reed

Director of Mac Offerings, Malwarebytes

Oct 31, 2016 7:37 AM
