Remove osascript starting after boot and get to know what it does
I am new to Mac and I have the following problem. After I log in after boot/restart, there is always a tab saying osascript wants to make changes which wants my password. I do not want to run this and clicking Cancel or killing this process in Activity monitor helps for the session. I am also able to see the details of it in Activity monitor. But regardless of what I do, after another start, the pop up menu appears again... How can I kill this script or remove it or disable it forever?
Related to that, how do I get to know what exactly is it trying to do? I tried to hit the Sample button in the menu in Activity monitor which gave me a text file of many things starting with the dirs and identifiers of the script and continuing with a lot of information which I don't know how to read/interpret (see below). As I said, I'm new to Mac so any help including the super basics is very welcomed :).
Thank you.
EDIT:
Following the comments:
Both cd Library/LaunchAgents; grep 'osascript' *.plist and cd /Library/LaunchAgents; grep 'osascript' *.plist output nothing. When I go to the process in Activity monitor and go to the Open files and ports, I get the following:
cwd
/
txt
/usr/bin/osascript
txt
/Library/Preferences/Logging/.plist-cache.xq4DHtYC
txt
/private/var/db/analyticsd/events.whitelist
txt
/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree
txt
/System/Library/Components/AppleScript.component/Contents/MacOS/AppleScript
txt
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
txt
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
txt
/private/var/db/mds/messages/502/se_SecurityMessages
txt
/usr/share/icu/icudt64l.dat
txt
/private/var/db/timezone/tz/2020a.1.0/icutz/icutz44l.dat
txt
/System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.dat
txt
/System/Library/Caches/com.apple.IntlDataCache.le.kbdx
txt
/System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/StandardAdditions
txt
/usr/lib/dyld
0
/dev/null
1
/dev/null
2
/dev/null
3
/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree
4
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
5
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
If needed, I also have clicked the Sample button. That gives this followed by Call graph section (not shown here):
Sampling process 680 for 3 seconds with 1 millisecond of run time between samples
Sampling completed, processing symbols...
Analysis of sampling osascript (pid 680) every 1 millisecond
Process: osascript [680]
Path: /usr/bin/osascript
Load Address: 0x1019b7000
Identifier: osascript
Version: 395.1
Code Type: X86-64
Parent Process: bash [508]
Date/Time: 2020-10-22 10:14:04.108 +0300
Launch Time: 2020-10-22 08:27:11.218 +0300
OS Version: Mac OS X 10.15.7 (19H2)
Report Version: 7
Analysis Tool: /usr/bin/sample
Physical footprint: 4844K
Physical footprint (peak): 5056K
The output for:
ps auxwww | grep '[o]sascript'
when the pop up window is still active (presumably what you mean by it running) is:
jan 680 0.0 0.0 5765928 9756 ?? S 8:27AM 0:00.15 osascript -e do shell script "/Library/Scripts/WIS/tmp/Scripts/startup.sh" with administrator privileges
Is this the script what it is calling? What does it do?
As the parent process of osascript is 'bash', that suggests that a command line script is calling AppleScript.
/Library/Scripts/WIS/tmp/Scripts/startup.sh
is very likely the culprit.
Have you installed anything that this might relate to?
If not, I would delete it, and download Malwarebytes to check for malware.