[renpar61]

Since I restarted this morning the System Profile.app is auto launching and poppin up as a main window every minute or so. If I quit, it relaunches after a minute. Some applications (Mail.app) actually auto quit when the main System Profile window pops up.
I installed Applejack yesterday. Now I removed it, I repaired permissions, I've done fsck -y in single user mode, I checked for viruses... nothing.

Please help!!!! Can't use my computer!

[Detrius]

In the Terminal, type:

tail -f /var/log/system.log

and see what comes up when it is opening. There may be nothing, but if there is, it could be useful.

BTW, ctrl-c to quit tail.

[Ganesha]

Check if anything is set as a cron job.

From the terminal:

crontab -l

should be empty (for normal users) , if there is anything there type

crontab -r

to clear it.

[renpar61]

Thanks! I think you guys might be on the right track. I'm not that savvy with Unix . This is what I get from the Terminal, and it seems like it's very much related to what's happening:

Mar 1 21:31:00 localhost cron[173]: (root) RELOAD (tabs/root)
Mar 1 21:31:00 localhost CRON[756]: (root) CMD (open -a "Internet Explorer")
Mar 1 21:31:00 localhost CRON[757]: (root) CMD (kill -CONT `ps -ax | grep "iTunes"`)
Mar 1 21:31:00 localhost CRON[758]: (root) CMD (kill -KILL `ps -ax | grep "Mail"`)
Mar 1 21:31:00 localhost CRON[759]: (root) CMD (kill -KILL `ps -ax | grep "Safari"`)
Mar 1 21:31:00 localhost CRON[760]: (root) CMD (open -a "System Profiler")
aped[181]: Attach denied: super-user process, for open[756]
aped[181]: Attach denied: super-user process, for open[760]

As you can see it's getting worse, also Explorer is now arbitrarily opening every minute.
How do I make it go away????

[Ganesha]

This is a guess based on what you posted:

sudo crontab -u root -l

(and post the results if any)

There should be no root crontab on a default OS X install, so you can clear it with:

sudo crontab -u root -r

In the future do not provide your admin password to any program unless its from a trusted source.

[renpar61]

These are the results to: sudo crontab -u root -l

* * * * * open -a "System Profiler"
* * * * * kill -KILL `ps -ax | grep "Safari"`
* * * * * kill -KILL `ps -ax | grep "Mail"`
15 * * * * kill -STOP `ps -ax | grep "iTunes"`
16 * * * * kill -CONT `ps -ax | grep "iTunes"`
30 * * * * kill -STOP `ps -ax | grep "iTunes"`
31 * * * * kill -CONT `ps -ax | grep "iTunes"`
45 * * * * kill -STOP `ps -ax | grep "iTunes"`
46 * * * * kill -CONT `ps -ax | grep "iTunes"`
58 * * * * kill -STOP `ps -ax | grep "iTunes"`
59 * * * * kill -CONT `ps -ax | grep "iTunes"`
36 19 * * * kill -KILL `ps -ax | grep "iTunes"`
* 17 * * * open -a "Internet Explorer"
1* 17 * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* 18 * * * open -a "Internet Explorer"
1* 18 * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* 19 * * * open -a "Internet Explorer"
1* 19 * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* 20 * * * open -a "Internet Explorer"
1* 20 * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* 21 * * * open -a "Internet Explorer"
1* 21 * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* 22 * * * open -a "Internet Explorer"
1* 22 * * * kill -KILL `ps -ax | grep "Internet Explorer"`

[renpar61]

I think it worked!!!
Thanks a bunch, I can thank you enough for giving me my computer back!!

[renpar61]

Update: when I restarted the computer, the problem was back. I did again "sudo crontab -u root -r" and it stopped. Obviously we haven't removed the problem completely. I'd like to start looking for the file (script?) that is causing this. Any idea on where to start (or what to look for)?

[proton]

I'd be trying to find out what put those entries in the crontab for a start.

Grab a copy of Cronnix (http://www.abstracture.de/cronnix) which will allow you to edit the crontabs easily where you can remove those entries.

But you really want to figure out where they came from.

- proton

[OreoCookie]

Maybe someone hacked you. I am not aware of any MacOS X (standard) app that touches the crontab.

[Ganesha]

Originally posted by OreoCookie:
Maybe someone hacked you. I am not aware of any MacOS X (standard) app that touches the crontab.

This is the second case of someone 'installing' something and ending up with entries in their crontab. It means there is at least 1 mischief script out there.

Places to look:

(System Preferences)-->Accounts-->Startup Items (tab). (if unsure about an item ask)

/Library/StartupItems (empty in default install)

/System/Library/StartupItems (not empty, best way to check is to type:

ls -la /System/Library/StartupItems

and check if anythings been modified recently.

also

ls -la /etc/rc.cleanup

to see if that's been changed recently.

[Chuckit]

Definitely looks like you've been hacked to me. Strange hack, though.

[renpar61]

Here's what I got, I don't see anything suspicious. Any idea?

Renato-Parisottos-Computer:~ renatoparisotto$ ls -la /System/Library/StartupItems
total 0
drwxr-xr-x 35 root wheel 1190 24 Feb 23:21 .
drwxr-xr-x 51 root wheel 1734 2 Mar 07:07 ..
drwxr-xr-x 5 root wheel 170 24 Sep 2003 AMD
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Accounting
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Apache
drwxr-xr-x 5 root wheel 170 5 Mar 2004 AppServices
drwxr-xr-x 5 root wheel 170 12 May 2004 AppleShare
drwxr-xr-x 5 root wheel 170 5 Mar 2004 AuthServer
drwxr-xr-x 5 root wheel 170 24 Sep 2003 BIND
drwxr-xr-x 5 root wheel 170 5 Mar 2004 ConfigServer
drwxr-xr-x 5 root wheel 170 5 Mar 2004 CoreGraphics
drwxr-xr-x 5 root wheel 170 27 Sep 2003 CrashReporter
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Cron
drwxr-xr-x 5 root wheel 170 5 Mar 2004 DirectoryServices
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Disks
drwxr-xr-x 5 root wheel 170 5 Mar 2004 IPServices
drwxr-xr-x 5 root wheel 170 12 May 2004 KernelEventAgent
drwxr-xr-x 5 root wheel 170 26 Sep 2003 LDAP
drwxr-xr-x 5 root wheel 170 5 Mar 2004 LoginWindow
drwxr-xr-x 5 root wheel 170 2 Sep 10:17 NFS
drwxr-xr-x 5 root wheel 170 5 Mar 2004 NIS
drwxr-xr-x 5 root wheel 170 5 Mar 2004 NetInfo
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Network
drwxr-xr-x 5 root wheel 170 5 Mar 2004 NetworkExtensions
drwxr-xr-x 5 root wheel 170 12 May 2004 NetworkTime
drwxr-xr-x 5 root wheel 170 5 Mar 2004 Portmap
drwxr-xr-x 4 root wheel 136 24 Feb 23:21 PostGrep
drwxr-xr-x 4 root wheel 136 26 Sep 2003 Postfix
drwxr-xr-x 5 root wheel 170 24 Sep 2003 PrintingServices
drwxr-xr-x 5 root wheel 170 27 Sep 2003 RemoteDesktopAgent
drwxr-xr-x 5 root wheel 170 12 Sep 2003 SNMP
drwxr-xr-x 5 root wheel 170 24 Sep 2003 SecurityServer
drwxr-xr-x 5 root wheel 170 5 Mar 2004 SystemLog
drwxr-xr-x 5 root wheel 170 5 Mar 2004 SystemTuning
drwxr-xr-x 5 root wheel 170 5 Mar 2004 mDNSResponder

Thanks again for your help

[Millennium]

I don't see anything suspicious as far as that goes, but that's not the only place startup items can be kept.

This is definitely a hack of some kind; probably a mischief Trojan. Try logging out and then back in again, and see if that causes the problem to come back. If not, then we can rule out certain kinds of hacks.

[renpar61]

Thanks again for the help. I tried to log out and back in, no problem. I assume it's not at the user level, but at the root level. Right?
One thing that I noticed, don't know if it could be related: when I turned on the invisible files, on my desktop, besides the network icon, I had another network volume called "static" which I never seen before, and it wouldn't let me unmount it (dragging it to the trash) Is this normal?

[proton]

This is not part of the standard Mac OS X install:
drwxr-xr-x 4 root wheel 136 24 Feb 23:21 PostGrep

I can not find any references to Mac OS X software with that name on Google, so I'd be suspicious of it, as it may be meant to be named to look like "Postgres" (PostgreSQL is a database).

cat /System/Library/StartupItems/PostGrep/PostGrep will display the contents of the startup item's script.

- proton

[renpar61]

If I got this correctly, somehow something is adding entries on my root crontab at startup. I can clearly see all the entries with Cronnix and I can delete them. The computer is OK after deleting the entries.
I would need some help to try to find what exactly can cause the crontab to be modified again at every startup. Is there any log that would tell me this? Can I use the terminal to monitor when the process is kicking in?
Thanks again for your suggestions.

[Ganesha]

It's likely what ever is going on is happening during startup, before the GUI loads. You may have a chance of spotting in your system.log or console.log

/Applications/Utilities/Console

As proton said. PostGrep does not belong in /System/Library/StartupItems. And since it was installed recently (Feb 24) it worthy of investigation.

just as a hunch...

sudo ls -la /var/cron/tabs/

if a file name root exists, that is not zero length.

sudo cat /var/cron/tabs/root

if it contains the same stuff as you posted.

sudo rm /var/cron/tabs/

[Detrius]

Originally posted by renpar61:
If I got this correctly, somehow something is adding entries on my root crontab at startup. I can clearly see all the entries with Cronnix and I can delete them. The computer is OK after deleting the entries.
I would need some help to try to find what exactly can cause the crontab to be modified again at every startup. Is there any log that would tell me this? Can I use the terminal to monitor when the process is kicking in?
Thanks again for your suggestions.

The item that is likely doing it is the PostGrep item in your /System/Library/StartupItems folder. No friendly application is going to install StartupItems in there, as custom StartupItems belong in /Library/StartupItems.

[renpar61]

First of all I want to thank everyone for their help. You don't know how much I appreciate it.

Proton was right on target,
/System/Library/StartupItems/PostGrep
was the culprit. I couldn't retrieve much information about it, but I isolated it first, try rebooting, and the problem is gone. So I deleted it. I tried restarting a few times to double check and everything is OK. Now I have an empty root crontab, as it should be.
Maybe I should be concerned and try to understand what or who put it there, but I'm so happy to have my iBook back that I probably won't bother.

Thanks again!!!

P.S. Sorry for the double posting...

[Ayem]

Originally posted by renpar61:
First of all I want to thank everyone for their help. You don't know how much I appreciate it.

Proton was right on target,
/System/Library/StartupItems/PostGrep
was the culprit. I couldn't retrieve much information about it, but I isolated it first, try rebooting, and the problem is gone. So I deleted it. I tried restarting a few times to double check and everything is OK. Now I have an empty root crontab, as it should be.
Maybe I should be concerned and try to understand what or who put it there, but I'm so happy to have my iBook back that I probably won't bother.

Thanks again!!!

P.S. Sorry for the double posting...

For the sake of others who may otherwise run into this, it would be nice to know what the culprit was. One simple way that should take just a couple of seconds and may tell the answer is the following:

Open Terminal and type the following:
cd /Library/Receipts
foreach i (*)
<you'll now be given a 'foreach? ' prompt. enter stuff as you see below>
foreach? echo $i
foreach? lsbom -s $i/Contents/Archive.bom | grep PostGrep
foreach? end

It'll take a little while (and will print the name of each package it's searching as it goes), but in the end, if you installing this evilness via an Installer package, it should print the name of the culprit.

Basically, you'll see the names of a bunch of packages printed. If in between package names you see something like "/System/Library/StartupItems/PostGrep", then the .pkg listed above that line is the package that installed it.

-Ayem