5

I am running OS X El Capitan, on an iMac (27-inch, Mid 2010). Using "top," I noticed that my systems was always running "ReportCrash"; I looked into the logs, and found:

1/25/18 12:32:51.464 PM com.apple.xpc.launchd[1]: (com.apple.MRTd) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
1/25/18 12:32:51.667 PM ReportCrash[3627]: Saved crash report for MRT[3630] version ??? to /Library/Logs/DiagnosticReports/MRT_2018-01-25-123251_ (truncated)
1/25/18 12:33:01.475 PM com.apple.xpc.launchd[1]: (com.apple.MRTd[3631]) Service exited due to signal: Trace/BPT trap: 5
1/25/18 12:33:01.475 PM com.apple.xpc.launchd[1]: (com.apple.MRTd) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
1/25/18 12:33:01.675 PM ReportCrash[3627]: Saved crash report for MRT[3631] version ??? to /Library/Logs/DiagnosticReports/MRT_2018-01-25-123301_ (truncated)
1/25/18 12:33:11.487 PM com.apple.xpc.launchd[1]: (com.apple.MRTd[3632]) Service exited due to signal: Trace/BPT trap: 5
1/25/18 12:33:11.487 PM com.apple.xpc.launchd[1]: (com.apple.MRTd) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
1/25/18 12:33:11.688 PM ReportCrash[3627]: Saved crash report for MRT[3632] version ??? to /Library/Logs/DiagnosticReports/MRT_2018-01-25-123311_ (truncated)

Looks like there is a problem with MRT, MRTd. Are those security thingies? I know very little…

User Diagnostic Report:

Process:               MRT [435]
Path:                  /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT
Identifier:            MRT
Version:               ???
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           MRT [435]
User ID:               501

Date/Time:             2018-01-18 10:55:33.061 -0500
OS Version:            Mac OS X 10.11.3 (15D21)
Report Version:        11
Anonymous UUID:        6F795E88-C579-6AF0-FE2D-8AB327D87AF0


Time Awake Since Boot: 60 seconds

System Integrity Protection: enabled

Crashed Thread:        0

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000002, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
dyld: launch, loading dependent libraries

Dyld Error Message:
  Symbol not found: _kSecCodeInfoCdHashes
  Referenced from: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT
  Expected in: /System/Library/Frameworks/Security.framework/Versions/A/Security
 in /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT

System Diagnostic Report:

Process:               MRT [10146]
Path:                  /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT
Identifier:            MRT
Version:               ???
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
Responsible:           MRT [10146]
User ID:               0

Date/Time:             2018-01-28 08:29:59.001 -0500
OS Version:            Mac OS X 10.11.3 (15D21)
Report Version:        11
Anonymous UUID:        6F795E88-C579-6AF0-FE2D-8AB327D87AF0

Sleep/Wake UUID:       3A9407C1-4B2F-491E-A604-1DDFC61032DF

Time Awake Since Boot: 72000 seconds
Time Since Wake:       2000 seconds

System Integrity Protection: enabled

Crashed Thread:        0

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000002, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
dyld: launch, loading dependent libraries

Dyld Error Message:
  Symbol not found: _kSecCodeInfoCdHashes
  Referenced from: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT
  Expected in: /System/Library/Frameworks/Security.framework/Versions/A/Security
 in /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT

Okay. I fiddled some more. . . .

cd /System/Library/CoreServices/MRT.app/Contents/MacOS/

./MRT

dyld: Symbol not found: _kSecCodeInfoCdHashes
  Referenced from: /System/Library/CoreServices/MRT.app/Contents/MacOS/./MRT
  Expected in: /System/Library/Frameworks/Security.framework/Versions/A/Security
 in /System/Library/CoreServices/MRT.app/Contents/MacOS/./MRT
Trace/BPT trap: 5

cd /System/Library/Frameworks/Security.framework/Versions/A/

ls

Headers PlugIns Security _CodeSignature MachServices Resources XPCServices

Okay. Now this is REALLY disturbing. . . .

codesign --verbose --verify --deep Security 

Security: a sealed resource is missing or invalid
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/Authorization.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/AuthorizationDB.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/AuthorizationPlugin.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/AuthorizationTags.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/AuthSession.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/certextensions.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/CipherSuite.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/CMSDecoder.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/CMSEncoder.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/CodeSigning.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/CSCommon.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssm.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmaci.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmapi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmapple.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmcli.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmconfig.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmcspi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmdli.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmerr.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmkrapi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmkrspi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmspi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmtpi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/cssmtype.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/eisl.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/emmspi.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/emmtype.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/mds.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/mds_schema.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oids.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oidsalg.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oidsattr.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oidsbase.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oidscert.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/oidscrl.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecAccess.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecAccessControl.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecACL.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecAsn1Coder.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecAsn1Templates.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecAsn1Types.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecBase.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecCertificate.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecCertificateOIDs.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecCode.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecCodeHost.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecCustomTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecDecodeTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecDigestTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecEncodeTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecEncryptTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecIdentity.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecIdentitySearch.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecImportExport.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecKey.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecKeychain.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecKeychainItem.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecKeychainSearch.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecPolicy.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecPolicySearch.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecRandom.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecReadTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecRequirement.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecSignVerifyTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecStaticCode.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTask.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTransformReadTransform.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTrust.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTrustedApplication.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecTrustSettings.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecureDownload.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/SecureTransport.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/Security.h
file added: /System/Library/Frameworks/Security.framework/Versions/A/Headers/x509defs.h

I am also having some strange problems: The browser (Safari) keeps continuously loading new pages, on YouTube "you might be interested in-thingie" (individual ones, work fine). Also, Google Mail's "new interface," sometimes requires me to log in, multiple times. Otherwise, it goes goes back to the my original page, when I start the browser.

I am interested in not just fixing my problem, but in the integrity of my system.

user273763
  • 51
  • The crash logs in /Library/Logs/DiagnosticReports/MRT_2018-01-25-* might be informative. – Gordon Davisson Jan 25 '18 at 19:45
  • Process: MRT [4595] Path: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT Identifier: MRT Version: ??? Code Type: X86-64 (Native) Parent Process: launchd [1] Responsible: MRT [4595] User ID: 0

    Date/Time: 2018-01-25 16:01:41.862 -0500 OS Version: Mac OS X 10.11.3 (15D21) Report Version: 11 Anonymous UUID: 6F795E88-C579-6AF0-FE2D-8AB327D87AF0

    Sleep/Wake UUID: AC01FFD9-46BB-49C2-942E-F7D6FF90A2C2

     – user273763 Jan 25 '18 at 21:07
  • I think I made some progress. I looked at "MRT" on my laptop---which is running fine. I made a tarball of each /System/Library/CoreServices/MRT.app---and looked for differences. The MRT executable, is different by an appreciable amount: -rwxr-xr-x 1 root wheel 927K Jan 13 01:24 MRT (for the Desktop), -rwxr-xr-x 1 johnstyers staff 693K Sep 28 18:50 MRT (for the Laptop). MRT has been corrupted??!!!! – user273763 Jan 27 '18 at 09:29
  • Are the laptop & iMac running the same version of macOS? Also, is the ownership by "johnstyers" a side effect of tarring it, or the actual ownership on the iMac? Finally, try codesign -vv --deep/System/Library/CoreServices/MRT.app on the iMac to see if it's been modified since Apple codesigned it (it should print "valid on disk" and "satisfies its Designated Requirement"). – Gordon Davisson Jan 27 '18 at 22:06
  • Gordon, thank you for helping me. I REALLY appreciate it. :) Version? Both are running El Capitan, but Desktop is 10.11.3; Laptop is 10.11.4. Ownership? Yes. That is an "artifact" of my tarring them---sorry. I checked, and both are "root", "wheel". I had to fiddle with the exact commands---"codesign -vv /System/Library/CoreServices/MRT.app/", but I got "/System/Library/CoreServices/MRT.app/: valid on disk" and "/System/Library/CoreServices/MRT.app/: satisfies its Designated Requirement". However "ls -al" on the executable yields "-rwxr-xr-x 1 root wheel 949456 Jan 13 01:24 MRT". – user273763 Jan 28 '18 at 04:02
  • I fiddled more. I used "codesign --verbose --verify --deep /System/Library/CoreServices/MRT.app/", and got: "/System/Library/CoreServices/MRT.app/: valid on disk" and "/System/Library/CoreServices/MRT.app/: satisfies its Designated Requirement". I love talkin' to guys like you---I learn more in five minutes, than I do in ten years, of frustration. ;) :) However, MRT will not run: "open /System/Library/CoreServices/MRT.app/", yields: "LSOpenURLsWithRole() failed with error -10810 for the file /System/Library/CoreServices/MRT.app." – user273763 Jan 28 '18 at 04:15
  • I get that same error trying to open MRT.app on my computer; I don't think it's supposed to run as a normal GUI app. From the codesign result, I'm pretty sure the iMac's copy of MRT.app is ok, just for some reason it's having trouble running. Can you add one of the DiagnosticReport logs to the question (in code format, so it's readable)? – Gordon Davisson Jan 28 '18 at 07:00
  • Okay. I was able to trace back the cause for MRT (malware removal tool?) not being able to run, to something in /System/Library/Frameworks/Security.framework/Versions/A/Security having "Security: a sealed resource is missing or invalid". I've added notes about this, to the original question (above). Now this is REALLY disturbing. . . . – user273763 Jan 31 '18 at 12:01
  • I just bit the bullet, and installed "Sierra." That fixed . . . EVERYTHING. I had to go through H-E-double toothpicks, to accomplish this. My AppleID wouldn't work. Thank you again, Gordon, for all you help. :) – user273763 Jan 31 '18 at 21:32
  • You're welcome. However, that's really weird, since System Integrity Protection should prevent changes in that directory. Installing Sierra should clean that out, but I'm a little worried that your system somehow got exploited and there may be remnants outside of the areas the installer will clean. I think I'd at least run a malwarebytes scan and see if it finds anything suspicious. – Gordon Davisson Jan 31 '18 at 22:39
  • Gordon, sorry for the slow response---life in "meatspace," threw me some curves. :P I installed Malwarebytes, ran a scan, and it told me "Congratulations, you are clean!". Again, thank you so much, for all your help. (!!) – user273763 Feb 20 '18 at 13:43

1 Answers1

1

A similar situation happened to me this month after a silent upgrade of MRT to version 1.68 (see this blog post for other people reporting the same problem. I'm on macOS 10.11.6.

After rebooting to the recovery partition and disabling SIP, I had deleted MRT.app, but that was not enough; after two weeks it got silently redownloaded and went again into this crazy crashing and respawning cycle. The trick seems to be to uncheck "Install system data files and security updates" in the App Store pane of System Preferences to prevent it from being downloaded again.

So, I was able to solve this problem with these steps:

  1. Reboot to the recovery partition and disable SIP (csrutil disable), then reboot to your affected system
  2. If you have a system backup dating from before the silent update of MRT, copy /System/Library/CoreServices/MRT.app from this backup to your desktop

3a. Delete the /System/Library/CoreServices/MRT.app from your affected system, then put the copy from your backup in its place. It's important to do it in two separate steps apparently.

3b. If you don't have a backup with a previous version of MRT, you can delete the app (or rename it, it seems to prevent it from being launched.)

  1. In the App Store pane of System Preferences, uncheck "Install system data files and security updates"
  2. Reboot to the recovery partition and reenable SIP (csrutil enable)

Note: eventually Apple should release a new, fixed version of MRT, which is actually a malware scanner, so you should eventually go back and check that box in System Preferences, so that the new version can be downloaded and installed. However, it's hard to know when Apple releases the new version as they don't announce MRT updates. The blog linked above is a good resource to stay in the know.

Note also that if you wish to avoid rebooting twice and do everything from the root Terminal when booted from the recovery partition, the path to MRT.app would be /Volumes/<your boot drive>/System/Library/CoreServices/MRT.app (since in that case /System/Library/CoreServices/ it the one from the recovery partition, which in fact does not contain MRT.app at all).

philb
  • 131