Catch and remove daemons and launch agents
EtreCheck (free for the first five reports)
Open the Activity Monitor app, and choose View -> All Processes. At the top are two main processes:
launchd, with process ID (PID) 0 and 1 respectively.
launchd is the primary parent process when the system starts.
It is also the last process to exit when the system shuts down. Do NOT remove it.
The core responsibility of
launchd is to launch other processes or jobs on a scheduled or on-demand basis. These
processes come in two flavours: LaunchDaemons and LaunchAgents.
LaunchDaemons typically run as root, and can be found in
/System/Library/LaunchDaemons(native macOS processes) and
/Library/LaunchDaemons(installed third-party apps).
LaunchAgents start when a user logs in. They can access the user interface and display information, and can be found in
Library/LaunchAgents(all user accounts),
~/Library/LaunchAgents(user account), and
Before logging in,
launchd runs services and other components specified in
.plist files from the LaunchDaemons
folder. After logging in,
launchd runs services and components defined in
.plist files from the LaunchAgents
folders. Those in
/System/Library are all part of macOS and protected by System Integrity Protection.
.plist files follow the standard reverse domain naming system: company name, followed by an application identifier,
and ending with the property list file extension (.plist). For example,
The public LaunchDaemon and LaunchAgent folders are open to both legitimate and illegitimate apps. You can monitor these folders with Folder Actions.
Open the AppleScript Editor app.
Click Preferences and choose General -> Show Script menu in menu bar
Click the Script Menu icon and choose Folder Actions -> Enable Folder Actions
Select Attach Script to Folder in that same menu
A dialog box will pop up. Select add - new item alert
Click OK to open a Finder window.
Select the user LaunchDaemon folder and click Choose
Repeat the procedure for every LaunchAgents folder. Then:
Open Finder and click Go > Go to Folder
~/Library/LaunchAgentsand click Go
Right-click the LaunchAgents folder, and choose Services -> Folder Actions Setup to bind the new item alert script to each folder.
In the dialog box that pops up, you’ll see the list of folders in the left column and script in the right column. If there are no scripts, click the plus (+) button and add new item alert.scpt.
Now macOS will show an alert popup whenever a new item is added to one of these folders, allowing you to immediately know when illegitimate apps try to inject themselves into the system in the background.
Be careful. Not all third-party
.plist files are malicious. They can be:
Components of legitimate installed apps
Remnants of old apps you no longer use
Leftovers from previous macOS upgrades
Migration Assistant leftovers
PUPs (potentially unwanted programs), adware, and malware
DO NOT delete any components of installed apps. To remove remnants of old apps, leftovers from previous macOS upgrades,
PUP’s, adware and malware, just delete the
.plist file and reboot.