'Other' user on log in screen

Discussion in 'macOS' started by Blujelly, Sep 11, 2016.

  1. Blujelly macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #1
    Hi all,

    I logged in this morning and noticed there was a 'other' user on the home screen. Went to settings>user and couldn't see it there. I've created a random "test" account logged into it and then logged, then deleted to see if that would help.

    I've tried to enable the 'guest' account but it won't allow me to for some reason. It doesn't show up anywhere on any settings only the log in page. it also has a username and password which i'm not sure what that is?

    I haven't created an second account on this iMac only when testing to try and clear the 'other' account as shown.

    Any ideas?
     

    Attached Files:

  2. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #2
    What is the output of this Terminal command?
    Code:
    dscl . -list /Users | grep -v $(whoami)
     
  3. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #3
    Big list...
    _amavisd
    _appleevents
    _appowner
    _appserver
    _ard
    _assetcache
    _astris
    _atsserver
    _avbdeviced
    _calendar
    _ces
    _clamav
    _coreaudiod
    _coremediaiod
    _cvmsroot
    _cvs
    _cyrus
    _devdocs
    _devicemgr
    _displaypolicyd
    _distnote
    _dovecot
    _dovenull
    _dpaudio
    _eppc
    _ftp
    _gamecontrollerd
    _geod
    _iconservices
    _installassistant
    _installer
    _jabber
    _kadmin_admin
    _kadmin_changepw
    _krb_anonymous
    _krb_changepw
    _krb_kadmin
    _krb_kerberos
    _krb_krbtgt
    _krbfast
    _krbtgt
    _launchservicesd
    _lda
    _locationd
    _lp
    _mailman
    _mbsetupuser
    _mcxalr
    _mdnsresponder
    _mysql
    _netbios
    _netstatistics
    _networkd
    _nsurlsessiond
    _nsurlstoraged
    _ondemand
    _postfix
    _postgres
    _qtss
    _sandbox
    _screensaver
    _scsd
    _securityagent
    _serialnumberd
    _softwareupdate
    _sophos
    _spotlight
    _sshd
    _svn
    _taskgated
    _teamsserver
    _timezone
    _tokend
    _trustevaluationagent
    _update_sharing
    _usbmuxd
    _uucp
    _warmd
    _webauthserver
    _windowserver
    _www
    _wwwproxy
    _xserverdocs
    daemon
    Guest
    hyphomycete
    root
     
  4. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    hyphomycete is one of your accounts? There are a couple of accounts that I don’t immediately recognise. The “Other” login prompt is usually shown only when there are hidden, enabled accounts.

    You can see which ones are enabled with this command.
    Code:
    dscl . -list /Users AuthenticationAuthority

    You should only see an entry for Guest and for your own account.
     
  5. Blujelly, Sep 11, 2016
    Last edited: Sep 11, 2016

    Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #5
    hyphomycete isn't one of mine. I only have 1 account which is my my own, and labelled as my name. This is the return i got from terminal
     
  6. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #6
    You should remove the hashes from your post. That hyphomycete account seems suspicious. I cannot find anything about it online with a superficial search. If it does not ring a bell, then maybe that is the reason for the problem.

    This should provide some more information about it:
    Code:
    dscl . -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory
     
  7. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #7
    If I'm honest i've done the above terminal and haven't a clue what any of it means....
     
  8. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #8
    I think you may have installed "pirrit" adware. See post #18 in this thread.

    That adware makes a hidden account to run the adware from and uses a random name for the account. Use Malwarebytes to get rid of it.
     
  9. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #9
    It provides some records on that user account: its user ID, its primary group ID, its default shell and its home directory. It could give a hint about its purpose and whether you can remove it.

    You can of course try disabling it to see whether it solves your problem:
    Code:
    sudo dscl . -create /Users/hyphomycete UserShell /usr/bin/false
    @Weaselboy: I suspected as much. Does Malwarebytes recognise these random accounts?
     
  10. Blujelly, Sep 11, 2016
    Last edited: Sep 11, 2016

    Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #10
    Wouldn't even know where it would have come from. So i've downloaded Malware, it found 4 stupidly i didn't screenshot. I let it clear them out then restart the Mac. The account is still showing on the log in page....

    So when I ran
    dscl . -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory

    This was the return
    -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory

    RecordName: hyphomycete
    UserShell: /usr/bin/false
    No such key: NFSHomeDirectory
    No such key: PrimaryGroupID
    No such key: UniqueID

    Then i ran
    -create /Users/hyphomycete UserShell /usr/bin/false

    it didn't give me anything that I'm aware of.

    Side note:
    When i saw this account i downloaded Sophos, general google search of anti-virus for Mac (not sure if its any good) all good but it found the below and cleared them off.

    [​IMG]
    PUA cleaned up: 'Pirrit' at '/Library/ightem'
    THREATSEP 11, 2016 2:51:57 PM
    [​IMG]
    PUA detected: 'Pirrit' at '/Library/ightem'
    THREATSEP 11, 2016 2:51:10 PM
    [​IMG]
    PUA cleaned up: 'Pirrit' at '/Library/ShanghaiUpd/Contents/MacOS/ShanghaiUpd'
    THREATSEP 10, 2016 11:43:54 PM
    [​IMG]
    PUA cleaned up: 'Pirrit' at '/Library/jargonesque/Contents/MacOS/jargonesque'
    THREATSEP 10, 2016 11:43:52 PM
    [​IMG]
    PUA detected: 'Pirrit' at '/Library/jargonesque/Contents/MacOS/jargonesque'
     
  11. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #11
    I recall Mr Reed (@thomasareed) saying MWB would kill this adware, but I can't remember if he said it would remove that hidden account. Might be good for OP to check and see if the account is still there after running MWB.
     
  12. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #12
    Well MWB has got rid of something i know that.

    When I ran
    dscl . -list /Users | grep -v $(whoami)

    There were users (I'm guessing) at the bottom which were
    daemon - not a clue
    Guest - guest account, which isn't active but makes sense to be there
    hyphomycete - not a clue
    root - not a clue, but when trying to found out about this, I'm pretty sure this is an OS thing and is meant to be there?

    Daemon isn't on that list anymore, so process of elimination means hypomycete is the one creating this 'other' account?
     
  13. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #13
    Ninja'd :)

    Looks like you killed pirrit. Now run this to get rid of the hidden account. daemon and root are normal.

    Code:
    sudo dscl . delete /Users/hyphomycete
     
  14. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #14
    Should i be worried that daemon isn't there now?

    I've ran the command, its asked for my password but nothing in response.... just about to restart to see what happens...
    --- Post Merged, Sep 11, 2016 ---


    @Weaselboy Yeah restarted and the 'other' account is still showing on the log in screen :(

    @KALLT I've ran it and got the below:
    -read /Users/hyphomycete

    <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
     
  15. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #15
    That’s normal. Command-line programs rarely provide feedback. You can indeed restart to see whether it worked or verify whether the account still exists:
    Code:
    dscl . -read /Users/hyphomycete

    Deleting the account should hopefully take care of it. Daemon should still be there:
    Code:
    dscl . -read /Users/daemon
     
  16. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #17
    Ok so i've run both of them again and got the below:

    -read /Users/daemon

    <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

    -read /Users/hyphomycete

    <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

    Also restarted the iMac again and it's still showing on the log in page.

    Side note again:
    Running
    dscl . -list /Users | grep -v $(whom)

    These are the only 2 (users?) at the bottom of the return....
    Guest

    root
     
  17. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #18
    Code:
    dscl . -list /Users | grep -v $(whoami)
    What does this show you now? Looks like hyphomycete is gone at least.
     
  18. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #19
    Do you want the full list?
     
  19. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #20
    Just that last several lines that shows the accounts.
     
  20. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #21
    Hmm. I have a feeling that I am missing something bloody obvious. Further troubleshooting. Try these commands and tell us the results:
    Code:
    defaults read /Library/Preferences/com.apple.loginwindow
    dscl . -read /Users/_mbsetupuser UniqueID IsHidden
    dscl . -read /Users/_sophos UniqueID IsHidden
    

    o_O

    That is... odd.
     
  21. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #22
    Is the below enough?

    _timezone
    _tokend
    _trustevaluationagent
    _update_sharing
    _usbmuxd
    _uucp
    _warmd
    _webauthserver
    _windowserver
    _www
    _wwwproxy
    _xserverdocs
    Guest
    root

    Ok and the below for you :)

    defaults read /Library/Preferences/com.apple.loginwindow

    GuestEnabled = 0;
    Hide500Users = 1;
    OptimizerLastRunForBuild = 31882624;
    OptimizerLastRunForSystem = 168494592;
    RetriesUntilHint = 3;
    SHOWFULLNAME = 0;
    "SHOWOTHERUSERS_MANAGED" = 1;
    lastUser = loggedIn;
    lastUserName = Gary;

    -read /Users/_mbsetupuser UniqueID IsHidden

    dsAttrTypeNative:IsHidden: YES
    UniqueID: 248

    -read /Users/_sophos UniqueID IsHidden

    UniqueID: 502
    No such key: IsHidden
     
  22. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #23
    Alright, that is indeed useful. There are several things that could be causing this, I’m afraid you have to try them. My best guess is this one:
    Code:
    sudo defaults delete /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED
     
  23. Blujelly thread starter macrumors 65816

    Blujelly

    Joined:
    Sep 2, 2012
    Location:
    South East England
    #24
    Ok so i ran the above, it asked for my password and that was it, nothing happened or was added on.

    Noob questions here, what other will i have to try?
     
  24. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #25
    Is the ‘Other’ login still there?
     

Share This Page