Why daily download of "Net//DNS//RR//NIMLOC5.8.9.3pm" on Mac OSX 10.6.8 every day since April 7th

dbworker1
Mac OSX running OS version 10.6.8 is downloading a file "Net//DNS//RR//NIMLOC5.8.9.3pm" every day on boot.

The command started running a few days ago on boot up. The screen also seems to flash a message that it is un-compressing a file, but the dialog flashes too fast to view the text.

It would appear that it is requesting a DNS resource record or something like that. However, I don't know how to trace it to its source.

The first few lines of the downloaded or results file are:
.\" Automatically generated by Pod::Man 2.12 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp



The last few lines are:
Returns the record's data section as binary data.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c) 1997\-2002 Michael Fuhr.
.PP
Portions Copyright (c) 2002\-2004 Chris Reinhardt.
.PP
All rights reserved.  This program is free software; you may redistribute
it and/or modify it under the same terms as Perl itself.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIperl\fR\|(1), Net::DNS, Net::DNS::Resolver, Net::DNS::Packet,
Net::DNS::Header, Net::DNS::Question, Net::DNS::RR,
draft\-ietf\-nimrod\-dns\-\fIxx\fR.txt

What triggers this and what does it do?

Thank you.
No idea what it is. Maybe you could post more lines.

However check Startup Items in your account prefs to see if there is something in there set to download this file.

Commented:
Have you checked for viruses?
Check for the Flashback trojan: https://www.drweb.com/flashback/

Author

Commented:
Thanks for the replies. Had already checked for Flashback, no infection.

Item is listed in login items and the selection cannot be hidden or removed. Where is the list or files for the login items saved?

The full contents of the file is:

.\" Automatically generated by Pod::Man 2.12 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "Net::DNS::RR::NIMLOC 3"
.TH Net::DNS::RR::NIMLOC 3 "2009-01-26" "perl v5.8.9" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Net::DNS::RR::NIMLOC \- DNS NIMLOC resource record
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\f(CW\*(C`use Net::DNS::RR\*(C'\fR;
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Class for \s-1DNS\s0 Nimrod Locator (\s-1NIMLOC\s0) resource records.
.SH "METHODS"
.IX Header "METHODS"
.Sh "rdlength"
.IX Subsection "rdlength"
.Vb 1
\&    print "rdlength = ", $rr\->rdlength, "\en";
.Ve
.PP
Returns the length of the record's data section.
.Sh "rdata"
.IX Subsection "rdata"
.Vb 1
\&    $rdata = $rr\->rdata;
.Ve
.PP
Returns the record's data section as binary data.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c) 1997\-2002 Michael Fuhr.
.PP
Portions Copyright (c) 2002\-2004 Chris Reinhardt.
.PP
All rights reserved.  This program is free software; you may redistribute
it and/or modify it under the same terms as Perl itself.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIperl\fR\|(1), Net::DNS, Net::DNS::Resolver, Net::DNS::Packet,
Net::DNS::Header, Net::DNS::Question, Net::DNS::RR,
draft\-ietf\-nimrod\-dns\-\fIxx\fR.txt

Did you try removing the item from the log on items by highlighting it and hitting the minus button at the bottom? See screen shot. You may also have to click on the lock at the bottom left to unlock the preference panel.

BTW, what was the log on item called?
Screen-Shot-2012-04-15-at-8.57.5.pdf
Also, if you right click on the item in the log on items panel, you will get a contextual menu for "show in finder", so you can find the file that is being loaded and simply delete it.

I would be interested to know the name of the file.

Author

Commented:
Thanks again for all the comments.

[-] on login items removed the item even though the lock was on.

The item was removed before I read the comment about the contextual menu to find in finder (a VERY useful feature, thanks). So I could not use this feature to see the file.

However, the name of the menu item was net//dns//rr  and the item was a compressed file.

Removing the item from the login items stopped the download of the file into the download folder.

Doing a find for a file name for net//dns/rr produces only the various downloaded files in the download directory.

It has been a while since I have run grep and I could probably run a search for "net//dns/rr" since it has to be somewhere on the HD. I'll have to find my Unix manuals.

My guess of the origin is Google Voice addon to Google Apps, but only a guess since it was installed and the issue started the following day on the next startup.

I would like to know just where this came from so I can "kill it" if it pops up again.
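
A search for the startup reference and for the file itself, added here as an example and not part of any post in this thread. It assumes the name shown in the thread is Finder's rendering of a colon-separated Unix name (Finder shows "/" where the Unix layer stores ":"), and that the listed paths are the usual OS X 10.6 login and startup locations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: look for a startup entry that references a given display name.
# Assumptions: the locations below are the usual OS X 10.6 login/startup
# locations (not taken from the thread); function names are hypothetical.

# Finder shows "/" where the Unix layer stores ":", so "net//dns//rr" and
# "Net::DNS::RR" are the same name. Turn each separator run into [:/]+.
# (Dots in the name stay regex wildcards, which only widens the match.)
name_to_regex() {
    printf '%s' "$1" | sed -E 's#[:/]+#[:/]+#g'
}

# scan_startup_refs NAME [HOME_DIR] [ROOT]
# Prints every file in the startup locations whose bytes mention NAME.
# grep -a reads binary plists as text, so a name stored as plain bytes matches.
scan_startup_refs() {
    regex=$(name_to_regex "$1"); home=${2:-$HOME}; root=${3:-}
    for loc in \
        "$home/Library/Preferences/com.apple.loginitems.plist" \
        "$home/Library/Preferences/loginwindow.plist" \
        "$root/Library/Preferences/loginwindow.plist" \
        "$home/Library/LaunchAgents" \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$root/Library/StartupItems"
    do
        [ -e "$loc" ] || continue
        # No match is not an error, so keep going.
        grep -a -i -l -r -E "$regex" "$loc" 2>/dev/null || true
    done
}

# find_by_display_name NAME DIR...
# Locates the file itself by searching for the on-disk (colon) spelling.
find_by_display_name() {
    unix_name=$(printf '%s' "$1" | tr '/' ':'); shift
    find "$@" -iname "*${unix_name}*" 2>/dev/null || true
}
```

Typical use on the affected machine would be scan_startup_refs 'net//dns//rr' followed by find_by_display_name 'net//dns//rr' /usr/share/man "$HOME/Downloads"; any plist it reports can then be inspected before the entry is removed.
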
You might check for the DNSChanger Trojan as well:

http://www.dnschanger.com/
