Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
Hi all,

I logged in this morning and noticed there was a 'other' user on the home screen. Went to settings>user and couldn't see it there. I've created a random "test" account logged into it and then logged, then deleted to see if that would help.

I've tried to enable the 'guest' account but it won't allow me to for some reason. It doesn't show up anywhere on any settings only the log in page. it also has a username and password which i'm not sure what that is?

I haven't created an second account on this iMac only when testing to try and clear the 'other' account as shown.

Any ideas?
 

Attachments

  • Desktop Log In.png
    Desktop Log In.png
    100.6 KB · Views: 374
  • Other 2.png
    Other 2.png
    270.4 KB · Views: 253
  • Other 1.png
    Other 1.png
    297.3 KB · Views: 206

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
What is the output of this Terminal command?
Code:
dscl . -list /Users | grep -v $(whoami)
 
  • Like
Reactions: 997440

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
What is the output of this Terminal command?
Code:
dscl . -list /Users | grep -v $(whoami)

Big list...
_amavisd
_appleevents
_appowner
_appserver
_ard
_assetcache
_astris
_atsserver
_avbdeviced
_calendar
_ces
_clamav
_coreaudiod
_coremediaiod
_cvmsroot
_cvs
_cyrus
_devdocs
_devicemgr
_displaypolicyd
_distnote
_dovecot
_dovenull
_dpaudio
_eppc
_ftp
_gamecontrollerd
_geod
_iconservices
_installassistant
_installer
_jabber
_kadmin_admin
_kadmin_changepw
_krb_anonymous
_krb_changepw
_krb_kadmin
_krb_kerberos
_krb_krbtgt
_krbfast
_krbtgt
_launchservicesd
_lda
_locationd
_lp
_mailman
_mbsetupuser
_mcxalr
_mdnsresponder
_mysql
_netbios
_netstatistics
_networkd
_nsurlsessiond
_nsurlstoraged
_ondemand
_postfix
_postgres
_qtss
_sandbox
_screensaver
_scsd
_securityagent
_serialnumberd
_softwareupdate
_sophos
_spotlight
_sshd
_svn
_taskgated
_teamsserver
_timezone
_tokend
_trustevaluationagent
_update_sharing
_usbmuxd
_uucp
_warmd
_webauthserver
_windowserver
_www
_wwwproxy
_xserverdocs
daemon
Guest
hyphomycete
root
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
hyphomycete is one of your accounts? There are a couple of accounts that I don’t immediately recognise. The “Other” login prompt is usually shown only when there are hidden, enabled accounts.

You can see which ones are enabled with this command.
Code:
dscl . -list /Users AuthenticationAuthority


You should only see an entry for Guest and for your own account.
 
  • Like
Reactions: 997440

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
hyphomycete isn't one of mine. I only have 1 account which is my my own, and labelled as my name. This is the return i got from terminal
 
Last edited:

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
You should remove the hashes from your post. That hyphomycete account seems suspicious. I cannot find anything about it online with a superficial search. If it does not ring a bell, then maybe that is the reason for the problem.

This should provide some more information about it:
Code:
dscl . -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory
 

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
You should remove the hashes from your post. That hyphomycete account seems suspicious. I cannot find anything about it online with a superficial search. If it does not ring a bell, then maybe that is the reason for the problem.

This should provide some more information about it:
Code:
dscl . -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory
If I'm honest i've done the above terminal and haven't a clue what any of it means....
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
If I'm honest i've done the above terminal and haven't a clue what any of it means....

It provides some records on that user account: its user ID, its primary group ID, its default shell and its home directory. It could give a hint about its purpose and whether you can remove it.

You can of course try disabling it to see whether it solves your problem:
Code:
sudo dscl . -create /Users/hyphomycete UserShell /usr/bin/false

@Weaselboy: I suspected as much. Does Malwarebytes recognise these random accounts?
 

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
I think you may have installed "pirrit" adware. See post #18 in this thread.

That adware makes a hidden account to run the adware from and uses a random name for the account. Use Malwarebytes to get rid of it.

Wouldn't even know where it would have come from. So i've downloaded Malware, it found 4 stupidly i didn't screenshot. I let it clear them out then restart the Mac. The account is still showing on the log in page....

It provides some records on that user account: its user ID, its primary group ID, its default shell and its home directory. It could give a hint about its purpose and whether you can remove it.

You can of course try disabling it to see whether it solves your problem:
Code:
sudo dscl . -create /Users/hyphomycete UserShell /usr/bin/false

So when I ran
dscl . -read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory

This was the return
-read /Users/hyphomycete UniqueID RecordName PrimaryGroupID UserShell NFSHomeDirectory

RecordName: hyphomycete
UserShell: /usr/bin/false
No such key: NFSHomeDirectory
No such key: PrimaryGroupID
No such key: UniqueID

Then i ran
-create /Users/hyphomycete UserShell /usr/bin/false

it didn't give me anything that I'm aware of.

Side note:
When i saw this account i downloaded Sophos, general google search of anti-virus for Mac (not sure if its any good) all good but it found the below and cleared them off.

ico_event_threat_low-32ef2b56c51b93c764300ce43d387ee5.png

PUA cleaned up: 'Pirrit' at '/Library/ightem'
THREATSEP 11, 2016 2:51:57 PM
ico_event_threat_medium-972967c6a6528cb2353951c2a1bf80ed.png

PUA detected: 'Pirrit' at '/Library/ightem'
THREATSEP 11, 2016 2:51:10 PM
ico_event_threat_low-32ef2b56c51b93c764300ce43d387ee5.png

PUA cleaned up: 'Pirrit' at '/Library/ShanghaiUpd/Contents/MacOS/ShanghaiUpd'
THREATSEP 10, 2016 11:43:54 PM
ico_event_threat_low-32ef2b56c51b93c764300ce43d387ee5.png

PUA cleaned up: 'Pirrit' at '/Library/jargonesque/Contents/MacOS/jargonesque'
THREATSEP 10, 2016 11:43:52 PM
ico_event_threat_medium-972967c6a6528cb2353951c2a1bf80ed.png

PUA detected: 'Pirrit' at '/Library/jargonesque/Contents/MacOS/jargonesque'
 
Last edited:

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
I recall Mr Reed (@thomasareed) saying MWB would kill this adware, but I can't remember if he said it would remove that hidden account. Might be good for OP to check and see if the account is still there after running MWB.
Well MWB has got rid of something i know that.

When I ran
dscl . -list /Users | grep -v $(whoami)

There were users (I'm guessing) at the bottom which were
daemon - not a clue
Guest - guest account, which isn't active but makes sense to be there
hyphomycete - not a clue
root - not a clue, but when trying to found out about this, I'm pretty sure this is an OS thing and is meant to be there?

Daemon isn't on that list anymore, so process of elimination means hypomycete is the one creating this 'other' account?
 

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
Ninja'd :)

Looks like you killed pirrit. Now run this to get rid of the hidden account. daemon and root are normal.

Code:
sudo dscl . delete /Users/hyphomycete
Should i be worried that daemon isn't there now?

I've ran the command, its asked for my password but nothing in response.... just about to restart to see what happens...
[doublepost=1473610708][/doublepost]

@Weaselboy Yeah restarted and the 'other' account is still showing on the log in screen :(

@KALLT I've ran it and got the below:
-read /Users/hyphomycete

<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
Should i be worried that daemon isn't there now?

I've ran the command, its asked for my password but nothing in response.... just about to restart to see what happens...

That’s normal. Command-line programs rarely provide feedback. You can indeed restart to see whether it worked or verify whether the account still exists:
Code:
dscl . -read /Users/hyphomycete


Deleting the account should hopefully take care of it. Daemon should still be there:
Code:
dscl . -read /Users/daemon
 
  • Like
Reactions: Weaselboy

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
That’s normal. Command-line programs rarely provide feedback. You can indeed restart to see whether it worked or verify whether the account still exists:
Code:
dscl . -read /Users/hyphomycete

Deleting the account should hopefully take care of it. Daemon should still be there:
Code:
dscl . -read /Users/daemon

Ok so i've run both of them again and got the below:

-read /Users/daemon

<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

-read /Users/hyphomycete

<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

Also restarted the iMac again and it's still showing on the log in page.

Side note again:
Running
dscl . -list /Users | grep -v $(whom)

These are the only 2 (users?) at the bottom of the return....
Guest

root
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
Yeah restarted and the 'other' account is still showing on the log in screen :(

Hmm. I have a feeling that I am missing something bloody obvious. Further troubleshooting. Try these commands and tell us the results:
Code:
defaults read /Library/Preferences/com.apple.loginwindow
dscl . -read /Users/_mbsetupuser UniqueID IsHidden
dscl . -read /Users/_sophos UniqueID IsHidden


-read /Users/daemon

<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

o_O

That is... odd.
 
  • Like
Reactions: Weaselboy

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
Just that last several lines that shows the accounts.
Is the below enough?

_timezone
_tokend
_trustevaluationagent
_update_sharing
_usbmuxd
_uucp
_warmd
_webauthserver
_windowserver
_www
_wwwproxy
_xserverdocs
Guest
root

Hmm. I have a feeling that I am missing something bloody obvious. Further troubleshooting. Try these commands and tell us the results:
Code:
defaults read /Library/Preferences/com.apple.loginwindow
dscl . -read /Users/_mbsetupuser UniqueID IsHidden
dscl . -read /Users/_sophos UniqueID IsHidden

Ok and the below for you :)

defaults read /Library/Preferences/com.apple.loginwindow

GuestEnabled = 0;
Hide500Users = 1;
OptimizerLastRunForBuild = 31882624;
OptimizerLastRunForSystem = 168494592;
RetriesUntilHint = 3;
SHOWFULLNAME = 0;
"SHOWOTHERUSERS_MANAGED" = 1;
lastUser = loggedIn;
lastUserName = Gary;

-read /Users/_mbsetupuser UniqueID IsHidden

dsAttrTypeNative:IsHidden: YES
UniqueID: 248

-read /Users/_sophos UniqueID IsHidden

UniqueID: 502
No such key: IsHidden
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
defaults read /Library/Preferences/com.apple.loginwindow

GuestEnabled = 0;
Hide500Users = 1;
OptimizerLastRunForBuild = 31882624;
OptimizerLastRunForSystem = 168494592;
RetriesUntilHint = 3;
SHOWFULLNAME = 0;
"SHOWOTHERUSERS_MANAGED" = 1;
lastUser = loggedIn;
lastUserName = Gary;

-read /Users/_mbsetupuser UniqueID IsHidden

dsAttrTypeNative:IsHidden: YES
UniqueID: 248

-read /Users/_sophos UniqueID IsHidden

UniqueID: 502
No such key: IsHidden

Alright, that is indeed useful. There are several things that could be causing this, I’m afraid you have to try them. My best guess is this one:
Code:
sudo defaults delete /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED
 
  • Like
Reactions: Weaselboy

Blujelly

macrumors 65816
Original poster
Sep 2, 2012
1,275
477
South East England
Alright, that is indeed useful. There are several things that could be causing this, I’m afraid you have to try them. My best guess is this one:
Code:
sudo defaults delete /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED
Ok so i ran the above, it asked for my password and that was it, nothing happened or was added on.

Noob questions here, what other will i have to try?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.