2 Guest Users?

[shoot123456]

My mac is slow, had an error in the system that asked to press any key, when restarted it was like this. What is this? Hacker? Whats happening? https://imgur.com/a/z0nDF

 

[shoot123456]

MacBook Pro (Retina, 15-inch, Late 2013)
macOS High Serra

I identified through TinkerTool a user group called _guest, this "Guest" user had exclusive access to all the folders within him. In the public folder I could see a folder called "DropBox", I could not (even through TinkerTool) change user permissions to have access, but it was possible to identify that "Downloads" had 1 file.

I deactivated through the system preferences the guest user, even so while running the command "dscl .list / users" existed a Guest user. After some time the command started to appear the following error: "Can not open remote host, error: DSOpenDirServiceErr"

So I used the "ls -lha / Users /"

Total 0
drwxr-xr-x 6 root admin 192B Nov 8 14:29.
drwxr-xr-x 30 root wheel 960B Nov 8 13:34 ..
-rw -r-r-- 1 root wheel 0B Jul 15 17:35 .localized
drwxr-xr-x + 12 201 _guest 384B Nov 8 11:38 Guest
drwxrwxrwt 9 root wheel 288B Nov 8 15:24 Shared
drwxr-xr-x + 19 tor staff 608B Nov 8 14:07 tor

Now the command "dscl .list / users" has returned and the user has disappeared, even from the login area.

dscl. List / Users | grep -v '^ _'

daemon
nobody
root
tor

dscl . list /Users

_amavisd

_analyticsd

_appleevents

_applepay

_appowner

_appserver

_appstore

_ard

_assetcache

_astris

_atsserver

_avbdeviced

_calendar

_captiveagent

_ces

_clamav

_cmiodalassistants

_coreaudiod

_coremediaiod

_ctkd

_cvmsroot

_cvs

_cyrus

_datadetectors

_devdocs

_devicemgr

_displaypolicyd

_distnote

_dovecot

_dovenull

_dpaudio

_eppc

_findmydevice

_fpsd

_ftp

_gamecontrollerd

_geod

_hidd

_iconservices

_installassistant

_installer

_jabber

_kadmin_admin

_kadmin_changepw

_krb_anonymous

_krb_changepw

_krb_kadmin

_krb_kerberos

_krb_krbtgt

_krbfast

_krbtgt

_launchservicesd

_lda

_locationd

_lp

_mailman

_mbsetupuser

_mcxalr

_mdnsresponder

_mobileasset

_mysql

_netbios

_netstatistics

_networkd

_nsurlsessiond

_nsurlstoraged

_ondemand

_postfix

_postgres

_qtss

_sandbox

_screensaver

_scsd

_securityagent

_serialnumberd

_softwareupdate

_spotlight

_sshd

_svn

_taskgated

_teamsserver

_timed

_timezone

_tokend

_trustevaluationagent

_unknown

_update_sharing

_usbmuxd

_uucp

_warmd

_webauthserver

_windowserver

_www

_wwwproxy

_xcsbuildagent

_xcscredserver

_xserverdocs

daemon

nobody

root

tor

The code got too long so I threw it in the pastebin

dscacheutil -q user

dscacheutil -q user |
paste -d " " - - - - - - - - |
sed 's/^name: //;s/ [^[:space:]]*: /:/g'

https://pastebin.com/78nZ7Q7K



I used Malwarebytes to scan but nothing was found, the same with MacScan.
Sorry for the bad English, google translate.