Removing login items you do not recognise can break legitimate software — research unknown names before deleting. Malware sometimes masquerades as “helper” or “updater” processes.
What you will achieve
Audit everything that launches when you log into macOS — login items, background apps, and allow-in-background entries — and remove unknown or unwanted starters that may indicate malware persistence or leftover trial software.
1) Open Login Items and Extensions
Go to System Settings → General → Login Items. macOS Ventura and later splits this into:
- Open at Login — apps that launch a visible window at login.
- Allow in the Background — agents and daemons that run without a dock icon.
Review both sections — malware and abandoned trials often hide in Background, not Open at Login.
2) Identify suspicious entries
Red flags: names you never installed, misspellings of known apps, random strings where a real name such as “Google Updater” would appear, items with no publisher info, or duplicates of the same updater. Legitimate entries include Dropbox, Microsoft AutoUpdate, and antivirus you chose to install.
Right-click an item or use the minus button to remove entries you do not want. macOS may prompt for an admin password, which is expected for system-level agents.
3) Check Login Items per user
Login items are per user account. Repeat the audit on each account if the Mac is shared. A compromised Standard user account can still run persistence in that profile without affecting others.
4) Inspect LaunchAgents and LaunchDaemons (advanced)
Persistent malware sometimes survives GUI removal by living in:
- ~/Library/LaunchAgents/
- /Library/LaunchAgents/
- /Library/LaunchDaemons/ (system-wide, requires admin)
Do not delete plist files blindly. Search unknown filenames online or use Apple’s malware removal guidance. When in doubt, create a test user — if the mystery process does not appear there, the plist lives in your home folder or was installed for your user only.
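As an added example (not part of the original guide or any Apple tool), the Python script below lists every plist in the three launchd folders above with its Label and target executable, and changes nothing on disk. The review flags are assumptions chosen for illustration; a flag is a prompt to research the name, not proof of malware.

```python
import plistlib
from pathlib import Path

# The three launchd locations listed in step 4.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

def audit_plist(path):
    """Summarise one launchd job. Read-only: nothing is modified or deleted."""
    path = Path(path)
    record = {"file": str(path), "label": None, "program": None, "flags": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # handles both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:
        record["flags"].append(f"unreadable ({type(exc).__name__})")
        return record
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if not isinstance(program, str):
        program = None
    record["label"], record["program"] = job.get("Label"), program
    # Review hints chosen for this example (assumptions, not Apple guidance).
    if job.get("Label") != path.stem:
        record["flags"].append("label does not match filename")
    if program is None or not Path(program).exists():
        record["flags"].append("executable missing")
    if program and any(p.startswith(".") for p in Path(program).parts[1:]):
        record["flags"].append("hidden path component")
    return record

def audit_dirs(dirs=LAUNCH_DIRS):
    """Audit every *.plist in the given directories, skipping absent ones."""
    return [audit_plist(p) for d in dirs if Path(d).is_dir()
            for p in sorted(Path(d).glob("*.plist"))]

if __name__ == "__main__":
    for rec in audit_dirs():
        note = "; ".join(rec["flags"]) or "no flags"
        print(f"{rec['file']}\n  label:   {rec['label']}\n"
              f"  program: {rec['program']}\n  review:  {note}")
```

An "executable missing" flag usually points to a leftover plist from software that was uninstalled without its launchd job; research the label before removing the file.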
5) Apple Silicon vs Intel
Both architectures use the same Login Items UI. Apple Silicon may show more “Allow in Background” entries from iPhone/iPad apps installed via Mac App Store. Intel Macs running older 32-bit helpers are rare on modern macOS — any “Intel”-only background item on Apple Silicon deserves scrutiny unless you run Rosetta-dependent corporate tools.
6) After malware cleanup
Removing login items alone does not remove installed malware binaries. Follow full removal steps: delete the app from Applications if present, remove related LaunchAgents, change passwords if keyloggers were suspected, and enable FileVault plus Stolen Device Protection if supported.
7) Prevent re-addition
Some free apps re-add login items on launch. Deny when prompted, or uninstall properly. MDM-managed Macs may re-deploy corporate agents — do not remove IT-mandated entries without approval.
Verify
Reboot, log in, and confirm removed items stay gone. Activity Monitor → CPU tab at idle should not show unknown high-CPU processes within minutes of login.