
Sumleilmus

macrumors member
Original poster
Nov 6, 2011
97
6
/
When I boot my MacBook Pro, I can see in the menu bar the name of a slow script running at login. However, when I look in System Preferences>Users>MyUser>login items, I see no such script or app. I have used Spotlight, EasyFind, and
Code:
$ find / "name_of_script"
.

None of these finds the script. How can I find the script and get rid of it, or find other code such as launchctl daemons (I really don't understand these, but I know they exist, if I called them by the right name) that could be causing this to happen?

I find nothing useful at /System/Library/LaunchDaemons or at /Library/LaunchDaemons

I'm especially puzzled by why I can't find the script or app whose name I can clearly see?

login_script_mystery.jpg
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,137
15,599
California
Try looking in all these folders for launch items.

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems

That ~ is your user folder. If you are not sure how to get there, just triple-click the line below to select it, then right-click and in the Services menu select Reveal in Finder, and that will open Finder to that folder.

Code:
~/Library/LaunchAgents
 

JohnDS

macrumors 65816
Oct 25, 2015
1,183
249
Also, download and run the free MalwareBytes for Mac: https://www.malwarebytes.org/antimalware/mac/

You could also open Console.app and check to see what messages were generated at the time the script launched. That may give you the location of the script.
 

Partron22

macrumors 68030
Apr 13, 2011
2,655
808
Yes
Try looking in all these folders for launch items.

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
...
You'll likely want to look at the invisible files, those that start with a '.', too.
I use this little Applescript for that:
Code:
set buttonpressed to button returned of (display dialog "Show Hidden Files?" buttons {"Yes", "No"})
try
    if the buttonpressed is "No" then do shell script "defaults write com.apple.finder AppleShowAllFiles OFF"
    if the buttonpressed is "Yes" then do shell script "defaults write com.apple.finder AppleShowAllFiles ON"
    do shell script "killall Finder"
end try
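
An added example, not part of the original posts: a Python sketch that walks the four folders Weaselboy lists, includes the dot-prefixed files Partron22 mentions without changing any Finder setting, and reports what each launchd plist would run. The function name `scan_launch_items`, the dictionary layout and the note strings are assumptions made for this illustration.

```python
import os
import plistlib
from pathlib import Path

# Folders listed in the thread; "~" expands to the current user's home folder.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
               "/Library/LaunchDaemons", "/Library/StartupItems"]

def scan_launch_items(dirs=LAUNCH_DIRS):
    """Return one dict per directory entry, including dotfiles Finder hides."""
    findings = []
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):  # iterdir() also yields dotfiles
            item = {"path": str(entry), "hidden": entry.name.startswith("."),
                    "label": None, "command": None, "run_at_load": False,
                    "notes": []}
            if entry.is_file() and entry.suffix == ".plist":
                try:
                    with entry.open("rb") as fh:
                        job = plistlib.load(fh)  # reads XML and binary plists
                    args = job.get("ProgramArguments") or []
                    cmd = job.get("Program") or (args[0] if args else None)
                    item.update(label=job.get("Label"), command=cmd,
                                run_at_load=bool(job.get("RunAtLoad")))
                    # A job whose absolute target is gone is a stale entry.
                    if str(cmd).startswith("/") and not os.path.exists(cmd):
                        item["notes"].append("target missing on disk")
                except Exception as exc:
                    item["notes"].append(f"unparseable plist: {exc}")
            else:
                item["notes"].append("not a plist, inspect manually")
            if item["hidden"]:
                item["notes"].append("hidden file")
            findings.append(item)
    return findings

if __name__ == "__main__":
    for f in scan_launch_items():
        print(f["path"])
        print(f"    label={f['label']} command={f['command']} "
              f"run_at_load={f['run_at_load']} notes={f['notes'] or 'none'}")
```

This covers launchd jobs and startup items only; per-user login items and the loginwindow hooks are stored elsewhere and need the `defaults` and `osascript` checks.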
 

Sumleilmus

macrumors member
Original poster
Nov 6, 2011
97
6
/
Weaselboy: nothing in any of those places

JohnDS: nothing in Console. I'm not sure about using a malware hunting tool. The script in question is one that I wrote long ago and saved as an app. It appears that it is still running at startup, or trying to run.

Partron22: thanks for the script, but I have Finder Services that do the same thing, probably based on the same or similar scripts. Using the GUI to look for hidden files in those locations only showed me some .DS files at the root of any given directory.
 

mag01

macrumors regular
Apr 10, 2011
150
47
Do any of these show any output?
Code:
sudo defaults read com.apple.loginwindow LoginHook
Code:
ls -la /Library/Security/SecurityAgentPlugins
Code:
defaults read loginwindow AutoLaunchedApplicationDictionary
defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary

Code:
defaults read com.apple.loginitems
or
Code:
osascript -e 'tell application "System Events" to get the name of every login item'

Also you may try this nice app to view all such items in a consolidated manner: https://objective-see.com/products/knockknock.html
 

Sumleilmus

macrumors member
Original poster
Nov 6, 2011
97
6
/
Do any of these show any output?
Code:
sudo defaults read com.apple.loginwindow LoginHook
Code:
The domain/default pair of (com.apple.loginwindow, LoginHook) does not exist

Code:
ls -la /Library/Security/SecurityAgentPlugins
Code:
total 0
drwxr-xr-x  2 root  wheel   68 Nov 17 01:33 .
drwxr-xr-x  4 root  wheel  136 Feb 15 08:59 ..

Code:
defaults read loginwindow AutoLaunchedApplicationDictionary
Code:
The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist

Code:
defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary
Code:
2016-04-08 09:05:41.209 defaults[795:10205] 

The domain/default pair of (/Users/ruser/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist

Code:
defaults read com.apple.loginitems
This shows a lot of output, the defaults for the login items listed in System Preferences>Users & Groups>Registered User>Login Items. One of them is an AppleScript (.app) that does a thing similar to the one that runs at login that I can't find. I have looked carefully at that script, and it has a different name. Could it be running at login and displaying another name owing to some corruption in its tiny desiccated heart?


Code:
osascript -e 'tell application "System Events" to get the name of every login item'
Code:
osascript: OpenScripting.framework - scripting addition "/Library/ScriptingAdditions/LCC Scroll Enhancer Loader.osax" cannot be used with the current OS because it has no OSAXHandlers entry in its Info.plist.
smcFanControl, Growl, SMARTReporter, Dropbox, Google Drive, OneDrive, AdobeResourceSynchronizer, DiskWarriorDaemonStarter, CCC User Agent, Unmt_Swink92W_n_WeDi_heard_n_RecoHDW

Also you may try this nice app to view all such items in a consolidated manner: https://objective-see.com/products/knockknock.html

If this just does what I just did, what would be the advantage?

Thank you very much for your suggestions.
 

mag01

macrumors regular
Apr 10, 2011
150
47
The Unmt_Swink92W_n_WeDi_heard_n_RecoHDW entry in your last output is suspicious. Also its name is similar (though not identical) to what's on that screenshot in your OP.
It should also be visible in the output of "defaults read com.apple.loginitems", for which you mentioned one suspicious item (which is probably the same thing).

If you try
Code:
osascript -e 'tell application "System Events" to get the properties of login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
it should show where it is launched from, if it's set as hidden (not visible in the regular view of login items in System Preferences - if that's the case then it's even more suspicious), etc. Then try to examine what it is.

To delete it, you can use something like:
Code:
osascript -e 'tell application "System Events" to delete login item "Unmt_Swink92W_n_WeDi_heard_n_RecoHDW"'
 