Concern regarding my Launch list

Hi. I've been having some concerns about my launch list (sudo launchctl list). I am not that experienced in the UNIX system but this seems like an awful lot of launchers if that sounds correct. I am looking for some professional help or just someone who can point out something suspicious, or even just exclude everything that is necessary for the machine to just run.

My concern is being hacked through either a daemon launcher or something in that matter.

Thank you in advance.

Sincerely JJ

MacBook Pro Retina

Posted on May 31, 2020 4:16 AM

Question marked as Top-ranking reply

Posted on May 31, 2020 9:11 AM

JK213 wrote:

Thank you for your response.
Which other two sections are you mentioning? Within the launchctl list or from another command?

Use this command to print information from the system domain:

launchctl print system/


This command from the "gui" domain:

launchctl print gui/<uid>


Your <uid> will probably be 501, but it could be 502 or something else.


And finally, the "user" domain:

launchctl print user/<uid>


It is not necessary to use sudo.


You can get a list of all users with uids using:

dscl . -list /Users UniqueID


Most will be system users with an underscore prefix. Real users are at the end. If you have some kind of managed machine, all bets are off.

Another thing, which command would you recommend dumping the output from for best results regarding malware hunting?

LOL! That's a loaded question. Apple recently changed the Apple Support Communities Use Agreement to forbid me from posting a link to my own app, EtreCheck. Maybe someone else will post it.


These commands list only identifiers. You would have to explore each one further to find more information, like so:

launchctl print gui/502/com.druide.AgentConnectix


But as I said before, there is no restriction on identifiers. Anybody can install software and identify themselves as "com.apple.privacyguard.agent" or something like that. How would you know it was fake? You would have to query that individual identifier, find the executable that is associated with it, and check its signature. You can do that with:


spctl -vv -a /path/to/top-most/bundle/of/executable


In my example above, you would get a response like so:

/Applications/Antidote/Connectix 10.app: accepted

source=Notarized Developer ID

origin=Developer ID Application: Druide informatique inc. (4EJSV8E65Y)


This means that this app is a legitimate, signed, and notarized 3rd party app. An Apple app, and only Apple apps, would say something like this:

/Applications/Safari.app: accepted

source=Apple System

origin=Software Signing


EtreCheck will do all of this for you and highlight anything that looks out of place.


Can I ask why you are asking? "Security" is a highly-charged and immediately suspicious area. You've gone where truth, facts, and reason go to die. That may sound like a bad joke, but I'm not kidding in the slightest. I am taking your question as an opportunity to post a little ad for EtreCheck. But in doing so, I likely raise the suspicions of the Apple moderators. Your question raises my suspicions about other factors.
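Added example (not part of the reply above, and not EtreCheck's code): the per-label check the reply describes, as shell functions that pull the executable out of `launchctl print` output, find its top-most .app bundle, and compare the label's claimed vendor with the `source=` line from `spctl -vv -a`. The `program = ` line format, the function names and the path inside the sample bundle are assumptions; the sample inputs are constructed from the outputs quoted in the reply.

```shell
#!/bin/sh
# Added example: triage one launchd label the way the reply describes.
# Sample inputs below are constructed from the outputs quoted in the thread.

# Executable path from `launchctl print <domain>/<label>` text on stdin.
# Assumption: the output carries a "program = /path" line.
program_from_print() {
    sed -n 's/^[[:space:]]*program = //p' | head -n 1
}

# Top-most enclosing .app bundle of an executable (the path spctl should assess).
bundle_for() {
    case "$1" in
        *.app/*) printf '%s\n' "${1%%.app/*}.app" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# verdict LABEL SPCTL_OUTPUT: compare the label's claimed vendor with the signer.
verdict() {
    src=$(printf '%s\n' "$2" | sed -n 's/^source=//p' | head -n 1)
    if ! printf '%s\n' "$2" | grep -q ': accepted$'; then
        echo "REVIEW: not accepted"
        return 0
    fi
    case "$1:$src" in
        com.apple.*:"Apple System") echo "ACCEPTED: Apple label, source=Apple System" ;;
        com.apple.*:*) echo "REVIEW: com.apple label but source=$src" ;;
        *)             echo "ACCEPTED: source=$src" ;;
    esac
}

# Live use on macOS, e.g.: triage gui/502 com.druide.AgentConnectix
triage() {
    prog=$(launchctl print "$1/$2" | program_from_print)
    [ -n "$prog" ] || { echo "REVIEW: no program found for $2"; return 0; }
    # spctl writes its assessment to stderr, so capture both streams.
    verdict "$2" "$(spctl -vv -a "$(bundle_for "$prog")" 2>&1)"
}

# Constructed samples (the path inside the bundle is hypothetical).
SAMPLE_PRINT='com.druide.AgentConnectix = {
    state = running
    program = /Applications/Antidote/Connectix 10.app/Contents/MacOS/AgentConnectix
}'
SAMPLE_DEVID='/Applications/Antidote/Connectix 10.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Druide informatique inc. (4EJSV8E65Y)'
SAMPLE_APPLE='/Applications/Safari.app: accepted
source=Apple System
origin=Software Signing'

# A label that claims to be Apple's but is signed by a third party gets flagged.
verdict com.apple.privacyguard.agent "$SAMPLE_DEVID"
```

An accepted third-party result only says the bundle passed assessment; the `origin=` line still has to name a developer you expect for that label.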

May 31, 2020 8:58 AM in response to JK213



JK213 wrote:

Intego is the antivirus installed.
Here's the link for it just in case.
https://www.intego.com
Thanks for your reply.


We know that, and you should completely uninstall it. Barney is right: it does not protect you at all, conflicts with the built-in system security, wastes system resources, and may give you a misguided sense of security, while making your Mac less secure.


May 31, 2020 5:51 AM in response to JK213

I wouldn’t recommend just dumping the output from that command. For one thing, it is an obsolete command that is tricky to use. But even the modern, correct form is tricky too. The output is hard to read. It is easy to miss something. Sometimes malware uses a “com.apple” label too. There is no restriction on what label can be used. Plus, you missed two other big sections.

May 31, 2020 4:28 AM in response to JK213


May 31, 2020 4:35 AM in response to JK213


May 31, 2020 4:41 AM in response to JK213



May 31, 2020 4:46 AM in response to JK213



May 31, 2020 4:52 AM in response to JK213


May 31, 2020 12:26 PM in response to etresoft

Thank you so much.

I will keep you updated with a reply and paste my results following your instructions above when finished, now that it takes a little bit of time to complete.

The thread is just for the sake of self improvement within the UNIX system "Security" and the suspicion around unknown daemons/launchers and files, taking into account the various malware out there. I am basically PARANOID haha.

Be my guest to post an ad for EtreCheck if that is what you're asking me?

I will be back with the update buddy thank you for your reply!


- JJ


