OS X "launchd" maxing out upload bandwidth

Question

I had an issue on my Mac mini with a DDOS Unix virus which was saturating the upload bandwidth and bringing my internet down, ClamXav and Avast found all the parts of it (it never showed up in activity monitor or in the network stack feedback) after deleting things returned to normal.

Now a few months later i'm having the same issue, but all virus scans are coming back clear and I find nothing erroneous in any of the locations previously. I am though running iStat and in its network reporting its showing "launchd" as using up all the upload bandwidth on the network. Yet if I open Activity Monitor, launchd is reported as using no bandwidth at all?!

Launchd here in iStat using 37 KB/s upload, our internet maxes out at about 140KB/s and it jumps up to that quite regularly. Its the only thing being reported as using the upload so its the only thing I can consider that is saturating the internet.

Here is Activity Monitor showing launchd as using no bandwidth...

Anyone any ideas? I can't find any reports for this online anywhere.

Answer 1

I'm just curious if you open a terminal and try sudo top, do you see the errant process?

Regardless, you should use launchctl to check out the 5 different config files that launchd uses:

• ~/Library/LaunchAgents (Per-user agents provided by the user)
• /Library/LaunchAgents (Per-user agents provided by the administrator)
• /Library/LaunchDaemons (System-wide daemons provided by the administrator)
• /System/Library/LaunchAgents (Per-user agents provided by Apple)
• /System/Library/LaunchDaemons (System-wide daemons provided by Apple)

One or more of these may be where the errant process is lurking. Also, I hope you reformatted and reinstalled after your virus incident. It's not required but it's what I would do and what I recommend to friends who've been bitten.