
booklingUpd.plist

Hello, seeing 22+% (or ~100% on a single thread) processor usage by launchservicesd.


Found this in the console log:


10/14/16 4:47:50.680 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:00.685 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:10.690 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

10/14/16 4:48:20.694 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

...

This goes on and on and on.

Tried looking for it in launch control:

launchctl list | grep book

and came up empty.


Tried looking through the whole computer for booklingUpd.plist and also came up empty.


Anywhere else I can check to keep this thing from eating power/battery and cpu time?

MacBook Pro, OS X El Capitan (10.11.6)

Posted on Oct 14, 2016 1:58 PM

Question marked as Best reply

Posted on Oct 14, 2016 2:27 PM

Looks like I found it in /Library/LaunchDaemons/ and was able to remove it. I suspect it may have been related to a virus called ucereng.


10/14/16 5:07:31.267 PM sudo[580]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/Library/ucereng/ucereng.app/Contents/MacOS/ucereng

10/14/16 5:07:53.300 PM sudo[626]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/in/install_injector.sh

10/14/16 5:07:53.313 PM sudo[628]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/var/tmp/in/install_injector.sh Aa865780bfe3e8a8f-0-FS-US 0 //aa9d046aab36af4ff182f097f840430d51.com http://google.com 99999999

10/14/16 5:07:53.323 PM sudo[630]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/grep -rnw /etc -l -e rdr pass

10/14/16 5:07:53.900 PM sudo[641]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist name disroost

10/14/16 5:07:53.921 PM sudo[643]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist pref com.disroost.preferences.plist

10/14/16 5:07:53.940 PM sudo[645]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist service_pref com.disroost.service.plist

10/14/16 5:07:53.959 PM sudo[647]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/mkdir disroost

10/14/16 5:07:53.981 PM sudo[649]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp ai disroost

10/14/16 5:07:53.993 PM sudo[651]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp -r disroost /Library

10/14/16 5:07:54.006 PM sudo[653]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/rm -r disroost

10/14/16 5:07:54.018 PM sudo[655]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp run_app.sh /etc

10/14/16 5:07:54.031 PM sudo[657]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/sbin/chown root /etc/run_app.sh

10/14/16 5:07:54.046 PM sudo[659]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 755 /etc/run_app.sh

10/14/16 5:07:54.057 PM sudo[661]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod -R 755 /Library/disroost

10/14/16 5:07:54.069 PM sudo[663]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/mv /Library/disroost/ai /Library/disroost/disroost

10/14/16 5:07:54.081 PM sudo[665]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod a+rwx /Library/disroost/disroost

10/14/16 5:07:54.093 PM sudo[667]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

10/14/16 5:07:54.129 PM sudo[672]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist dist_channel_id Aa865780bfe3e8a8f-0-FS-US

10/14/16 5:07:54.148 PM sudo[674]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist machine_id BA8BEC95-54B7-580B-A07E-5B2FF0FF3E4D

10/14/16 5:07:54.168 PM sudo[676]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist click_id 0

10/14/16 5:07:54.188 PM sudo[678]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist domain //aa9d046aab36af4ff182f097f840430d51.com

10/14/16 5:07:54.207 PM sudo[680]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist url 'http://google.com'

10/14/16 5:07:54.226 PM sudo[682]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.disroost.preferences.plist delay 99999999

10/14/16 5:07:54.252 PM sudo[684]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/plutil -convert xml1 /Library/Preferences/com.disroost.preferences.plist

10/14/16 5:07:54.281 PM sudo[686]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp com.pref.service-preferences.plist /Library/LaunchDaemons/com.disroost.service.plist

10/14/16 5:07:54.291 PM sudo[688]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/chmod 755 /Library/LaunchDaemons/com.disroost.service.plist

10/14/16 5:07:54.302 PM sudo[690]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/launchctl load -w /Library/LaunchDaemons/com.disroost.service.plist


I was able to remove this manually with a lot of sudo rm's and with the help of Malwarebytes.
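
Added example (not part of the original posts): shell functions for triaging the two symptoms in this thread, a launchd job stuck in a respawn loop and root sudo entries that install or load a LaunchDaemon, plus a search of the system launchd directories for the plist. The function names and the root-prefix argument are assumptions of this example; the sample log is assembled from lines quoted above.

```shell
# Sample input assembled from log lines quoted in this thread.
SAMPLE_LOG='10/14/16 4:47:50.680 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
10/14/16 4:48:00.685 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
10/14/16 4:48:10.690 PM com.apple.xpc.launchd[1]: (booklingUpd.plist) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
10/14/16 5:07:53.323 PM sudo[630]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/grep -rnw /etc -l -e rdr pass
10/14/16 5:07:54.093 PM sudo[667]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
10/14/16 5:07:54.281 PM sudo[686]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/cp com.pref.service-preferences.plist /Library/LaunchDaemons/com.disroost.service.plist
10/14/16 5:07:54.302 PM sudo[690]: root : TTY=unknown ; PWD=/private/var/tmp/in ; USER=root ; COMMAND=/bin/launchctl load -w /Library/LaunchDaemons/com.disroost.service.plist'

# Read a log on stdin; print "count label" for each launchd job that was
# respawned at least $1 times (default 3).
respawn_loops() {
    sed -n 's/.*launchd\[[0-9]*]: (\([^)]*\)) Service only ran for [0-9]* seconds.*/\1/p' |
        sort | uniq -c | awk -v min="${1:-3}" '$1 >= min { print $1, $2 }'
}

# Read a log on stdin; print the COMMAND= field of root sudo entries that
# touch a launchd directory, load a job, or change the Hide500Users setting.
persistence_events() {
    sed -n 's/.*sudo\[[0-9]*]: .*USER=root ; COMMAND=\(.*\)$/\1/p' |
        grep -E '/Library/Launch(Daemons|Agents)/|launchctl (load|bootstrap)|Hide500Users'
}

# List plists in the system launchd directories whose path or contents mention
# $1. $2 is an optional root prefix (a mounted image or a test directory).
# Per-user jobs live in ~/Library/LaunchAgents and are not covered here.
find_launchd_job() {
    for d in /Library/LaunchDaemons /Library/LaunchAgents \
             /System/Library/LaunchDaemons /System/Library/LaunchAgents; do
        [ -d "${2:-}$d" ] || continue
        for f in "${2:-}$d"/*.plist; do
            [ -f "$f" ] || continue
            case "$f" in *"$1"*) echo "$f"; continue ;; esac
            grep -q -- "$1" "$f" && echo "$f"
        done
    done
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | respawn_loops 3
printf '%s\n' "$SAMPLE_LOG" | persistence_events
```

On a live system, pipe the saved system log into the first two functions and call `find_launchd_job` with the label launchd reports in parentheses.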
