can't find script that runs at login???

Discussion in 'OS X El Capitan (10.11)' started by Sumleilmus, Feb 3, 2016.

  1. Sumleilmus, Feb 3, 2016
    Last edited: Feb 3, 2016

    Sumleilmus macrumors member

    #1
    When I boot my MacBook Pro, I can see in the menu bar the name of a slow script running at login. However, when I look in System Preferences>Users>MyUser>login items, I see no such script or app. I have used Spotlight, EasyFind, and
    Code:
    $ find / -name "name_of_script"
    .

    None of these finds the script. How can I find the script and get rid of it, or find other code such as launchctl daemons (I really don't understand these, but I know they exist, if I called them by the right name) that could be causing this to happen?

    I find nothing useful at /System/Library/LaunchDaemons or at /Library/LaunchDaemons

    I'm especially puzzled by why I can't find the script or app whose name I can clearly see?

    [IMG]
     
  2. Weaselboy Moderator

    #2
    Try looking in all these folders for launch items.

    ~/Library/LaunchAgents
    /Library/LaunchAgents
    /Library/LaunchDaemons
    /Library/StartupItems

    That ~ is your users folder. If you are not sure how to get there, just triple click the line below to select, then right click and in the Services menu select Reveal in Finder and that will open Finder to that folder.

    Code:
    ~/Library/LaunchAgents
     
  3. JohnDS macrumors 65816

    #3
    Also, download and run the free MalwareBytes for Mac: https://www.malwarebytes.org/antimalware/mac/
    --- Post Merged, Feb 6, 2016 ---
    You could also open Console.app and check to see what messages were generated at the time the script launched. That may give you the location of the script.
     
  4. Partron22 macrumors 68000

    #4
    You'll likely want to look at the invisible files, those that start with a '.', too.
    I use this little AppleScript for that:
    Code:
    set buttonpressed to button returned of (display dialog "Show Hidden Files?" buttons {"Yes", "No"})
    try
        if the buttonpressed is "No" then do shell script "defaults write com.apple.finder AppleShowAllFiles OFF"
        if the buttonpressed is "Yes" then do shell script "defaults write com.apple.finder AppleShowAllFiles ON"
        do shell script "killall Finder"
    end try
    
     
  5. Sumleilmus, Apr 2, 2016
    Last edited: Apr 3, 2016

    Sumleilmus thread starter macrumors member

    #5
    Weaselboy: nothing in any of those places

    JohnDS: nothing in Console. I'm not sure about using a malware hunting tool. The script in question is one that I wrote long ago and saved as an app. It appears that it is still running at startup, or trying to run.

    Partron22: thanks for the script, but I have Finder Services that do the same thing, probably based on the same or similar scripts. Using the GUI to look for hidden files in those locations only showed me some .DS files at the root of any given directory.
     
  6. mag01, Apr 2, 2016
    Last edited: Apr 2, 2016

    mag01 macrumors regular

    #6
    Do any of these show any output?
    Code:
    sudo defaults read com.apple.loginwindow LoginHook
    Code:
    ls -la /Library/Security/SecurityAgentPlugins
    Code:
    defaults read loginwindow AutoLaunchedApplicationDictionary
    defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary
    Code:
    defaults read com.apple.loginitems
    or
    Code:
    osascript -e 'tell application "System Events" to get the name of every login item'
    Also you may try this nice app to view all such items in a consolidated manner: https://objective-see.com/products/knockknock.html
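
Added example (not part of any post in this thread): a shell sweep of the launch folders listed in post #2 that matches the script name against file contents as well as file names, since a launchd plist can carry a different name from the program it starts, and that includes dot-files. The function names and the `ROOT` / `USER_HOME` parameters are assumptions made for the example; the `osascript` query is the one from post #6, asking for `path` instead of `name`.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the ROOT / USER_HOME
# parameters are assumptions, there so the sweep can target a test tree.

# Print a plist as text: plutil (macOS) converts binary plists to XML;
# where plutil is missing or fails, read the file as-is.
plist_text() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
    else
        cat "$1"
    fi
}

# find_launch_refs NAME [ROOT] [USER_HOME]
# Reports files in the launch folders whose name or contents mention NAME.
find_launch_refs() {
    name=$1 root=${2:-} home=${3:-$HOME}
    for dir in "$home/Library/LaunchAgents" "$root/Library/LaunchAgents" \
               "$root/Library/LaunchDaemons" "$root/Library/StartupItems"; do
        [ -d "$dir" ] || continue
        # find, unlike a default Finder window, also returns dot-files
        find "$dir" -type f | while IFS= read -r f; do
            if printf '%s\n' "${f##*/}" | grep -qiF -- "$name"; then
                echo "name-match: $f"
            elif plist_text "$f" | grep -qiF -- "$name"; then
                echo "content-match: $f"
            fi
        done
    done
}

# Login items: ask System Events where each item lives on disk, because the
# displayed name alone does not say which file is launched.
login_item_paths() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the path of every login item'
}

# Usage: sh sweep.sh NAME
if [ "$#" -ge 1 ]; then
    find_launch_refs "$1"
    login_item_paths
fi
```

A `content-match` line points at a launch item that references the name without being named after it, which a file-name search does not surface.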
     
  7. Sumleilmus thread starter macrumors member

    #7
    Code:
    The domain/default pair of (com.apple.loginwindow, LoginHook) does not exist
    Code:
    total 0
    drwxr-xr-x  2 root  wheel   68 Nov 17 01:33 .
    drwxr-xr-x  4 root  wheel  136 Feb 15 08:59 ..
    Code:
    The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist
    Code:
    2016-04-08 09:05:41.209 defaults[795:10205] 
    
    The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist
    This shows a lot of output, the defaults for the login items listed in System Preferences>Users & Groups>Registered User>Login Items. One of them is an Apple Script (.app) that does a thing similar to the one that runs at login that I can't find. I have looked carefully at that script, and it has a different name. Could it be running at login and displaying another name owing to some corruption in its tiny desiccated heart?


    Code:
    osascript: OpenScripting.framework - scripting addition "/Library/ScriptingAdditions/LCC Scroll Enhancer Loader.osax" cannot be used with the current OS because it has no OSAXHandlers entry in its Info.plist.
    smcFanControl, Growl, SMARTReporter, Dropbox, Google Drive, OneDrive, AdobeResourceSynchronizer, DiskWarriorDaemonStarter, CCC User Agent, Unmt_Swink92W_n_WeDi_heard_n_RecoHDW
    If this just does what I just did, what would be the advantage?

    Thank you very much for your suggestions.
     
  8. mag01, Apr 9, 2016
    Last edited: Apr 9, 2016

    mag01 macrumors regular

    #8
    The Unmt_Swink92W_n_WeDi_heard_n_RecoHDW entry in your last output is suspicious. Also its name is similar (though not identical) to what's on that screenshot in your OP.
    It should also be visible in the output of "defaults read com.apple.loginitems" for which you mentioned one suspicious item (which is probably the same thing).

    If you try
    Code:
    osascript -e 'tell application "System Events" to get the properties of login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
    it should show where it is launched from, if it's set as hidden (not visible in the regular view of login items in system preferences - if that's the case then it's even more suspicious) etc. Then try to examine what it is.

    To delete it, you can use something like:
    Code:
    osascript -e 'tell application "System Events" to delete login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
     
