I think that Other login is caused by enabling the root user and might be unrelated to this adware issue.

In Spotlight start typing Directory Utility, then launch it when it comes up. Then click the unlock at the bottom and enter your password, then look at this screen and where this screen says Enable Root User... does yours say Disable Root User??

 
No :(
 

I recall Mr Reed (@thomasareed) saying MWB would kill this adware, but I can't remember if he said it would remove that hidden account.

At this time, it won't remove the hidden account. There's no easy way to detect an account by itself as being malicious. We do have some plans for how we can trigger more complex actions when certain threat files are encountered, which could do things like remove a hidden account. However, I can't comment on when that might be ready.

As for removing everything, if the suspicious launch daemons are gone, the malware is for all intents and purposes disabled. If there are any remaining components somewhere, they're inert at this point.

The hidden user is not a particular danger, except in the fact that every hidden user created by this malware has the same password... so it could potentially give someone with physical access to your computer the ability to log in, if they're familiar with VSearch (aka Pirrit) and know you were infected with it. That's a pretty big "if," but nonetheless, the user should be removed.

If the Other user on the login screen is gone, that hidden user should be gone at this point. If it's still there, let us know.
Missed the second page of this topic... sounds like the hidden user is still there.

I notice, though, that the daemon user appears to be gone... that is a user that is supposed to be there, and I'm not sure what the implications of removing that might be. I'm also not sure exactly what has been done at this point and what state your system is in. That makes me reluctant to suggest any further steps to take, as that could simply dig you into a deeper hole.

I'd recommend you contact Apple for help at this point, though I suspect you'll need to escalate your case. I'm not confident that an entry-level tech will know what to do about the daemon user being missing.
 
I am also at my wit’s end. Let’s try something different, if you still want to, and find out which account might be hidden there. We’ve already excluded the root account.
  1. Make sure that no server is specified under System Preferences → Users & Groups → Login Options → Network Account Server. The button should say ‘Join...’, not ‘Edit...’

  2. When the key ‘Hide500Users’ in com.apple.loginwindow is set, then it should hide only those user accounts with a UniqueID below 500. You can disable this setting temporarily to see whether this caused a specific user to be hidden.
    Code:
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool false

  3. Check which accounts have the ‘IsHidden’ key set. On my El Capitan installation this is only set for _mbsetupuser. You can get a list of users that have this key with this command:
    Code:
    dscl . -list /Users IsHidden

  4. The user shell of your accounts should not be /usr/bin/false (they will be completely hidden otherwise). On my system, these accounts are: my user account, _mbsetupuser, Guest and root. You can check which accounts have this with this command:
    Code:
    dscl . -list /Users UserShell | egrep -v '/usr/bin/false|/usr/sbin/uucico'

  5. User accounts with a password set are likely to be present on the login screen as well. Try these commands to see which accounts have one or have other authentication information:
    Code:
    dscl . -list /Users Password | egrep -v '\s+\*$'
    Code:
    dscl . -list /Users AuthenticationAuthority
_mbsetupuser seems to be set up on any El Capitan installation, so I don’t believe that this is what is hidden under the ‘Other…’ field. For science, I installed Sophos to have a look myself and I still could not reproduce this issue.

As for the missing daemon account, I cannot say what caused the removal. No command suggested in this thread did, so it might have been a program you used. Maybe Sophos? Can you try this command to see whether the account is really not there?
Code:
id 1

I can give you instructions for recreating the account, but given the suspicious nature of the disappearance and the impossibility (for us) to tell what other things are broken or missing, I recommend you reinstall OS X El Capitan over your current installation either by rebooting into Recovery or by downloading El Capitan from the App Store and installing it over your Macintosh HD partition. In both cases only system directories, applications and global configurations are overwritten, your personal files remain intact. You can also upgrade to macOS Sierra next week, which should have the same effect.
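
The checks in the numbered steps above can be combined into one pass over the saved listings. This is an added example, not part of the original post: the function names, the `KNOWN_OK` allowlist, the flagging rule and the sample account data are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Each input file has the two-column shape of `dscl . -list /Users <Key>`,
# e.g. on the Mac: dscl . -list /Users UniqueID > uid
# audit_accounts UID_FILE ISHIDDEN_FILE SHELL_FILE PASSWORD_FILE
# The flagging rule and the KNOWN_OK allowlist are assumptions of this example.
audit_accounts() {
  awk -v ok="${KNOWN_OK:-_mbsetupuser}" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    FILENAME == ARGV[1] { uid[$1] = $2; next }
    FILENAME == ARGV[2] { hidden[$1] = $2; next }
    FILENAME == ARGV[3] { shell[$1] = $2; next }
    FILENAME == ARGV[4] { pw[$1] = $2; next }
    END {
      for (u in uid) {
        if (u in skip) continue
        # Accounts without a usable shell cannot log in interactively.
        if (shell[u] == "/usr/bin/false" || shell[u] == "/usr/sbin/uucico") continue
        # A lone "*" (or no value) means no password is set.
        if (pw[u] == "*" || pw[u] == "") continue
        why = ""
        if (hidden[u] == "1") why = "IsHidden"
        # UniqueID below 500 only hides the account while Hide500Users is set.
        if (uid[u] + 0 < 500) why = (why == "" ? "" : why ",") "UniqueID<500"
        if (why != "") print u, uid[u], why
      }
    }' "$1" "$2" "$3" "$4" | sort
}

# Constructed sample listings (not real output), written into directory $1.
make_sample() {
  printf '%s\n' 'root 0' 'daemon 1' '_mbsetupuser 248' 'hiddenacct 401' \
    'alice 501' > "$1/uid"
  printf '%s\n' '_mbsetupuser 1' 'hiddenacct 1' > "$1/hidden"
  printf '%s\n' 'root /bin/sh' 'daemon /usr/bin/false' '_mbsetupuser /bin/bash' \
    'hiddenacct /bin/bash' 'alice /bin/bash' > "$1/shell"
  printf '%s\n' 'root *' 'daemon *' '_mbsetupuser *' 'hiddenacct ********' \
    'alice ********' > "$1/pw"
}

d=$(mktemp -d)
make_sample "$d"
audit_accounts "$d/uid" "$d/hidden" "$d/shell" "$d/pw"
```

An enabled root account (password set, UniqueID 0) is reported by the same rule, which matches what the ‘Other…’ entry can turn out to be.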
 
Thanks for your help on this one, and everyone involved.

Luckily I have a backup from last week (at this point the account wasn't there). Should I just restore from that point? I won't be losing anything major as it's either in the cloud, or something I generally don't care about if it disappears.
 
Contacted Apple, all sorted (I hope). The 'other' account was the root user; they got me to create a password for it. I then typed the user name as 'root', then the password that I chose for it, which then allowed me to log in. In the top right corner it said 'system admin', I believe.

Then logged out and logged into my account and disabled the 'root user', logged out and 'other' had disappeared. Bit odd though, as overnight 'other' turned into 'Guest Account', which was off yet still appearing on the login page and the fast user switch. I was then told to enable guest user, log off and then log back in; this was still showing my account and the guest. Then disabled the guest user and logged off again, and the guest user had gone.

Seems to be working in order now and no random accounts. Can I check that all the users that should be there are there? i.e. my account, random Apple accounts that are made to be there for system purposes?
 
IMO just reinstall the operating system from scratch. Copy all your documents to a usb and wipe it clean and start again. Then upgrade to the new OS on the 20th and then reinstall your applications.
 
Contacted Apple, all sorted (I hope). The 'other' account was the root user; they got me to create a password for it. I then typed the user name as 'root', then the password that I chose for it, which then allowed me to log in. In the top right corner it said 'system admin', I believe.

Then logged out and logged into my account and disabled the 'root user', logged out and 'other' had disappeared. Bit odd though, as overnight 'other' turned into 'Guest Account', which was off yet still appearing on the login page and the fast user switch. I was then told to enable guest user, log off and then log back in; this was still showing my account and the guest. Then disabled the guest user and logged off again, and the guest user had gone.

This sounds like an oddly specific solution, presumably a workaround for a bug. Under no circumstances would I log in with the root user. I am kind of baffled that they suggested this. At least the problem has gone away.

Can I check that all the users that should be there are there? i.e. my account, random Apple accounts that are made to be there for system purposes?

I believe that reinstalling OS X (see what I wrote above) or upgrading to Sierra should resolve this, though I am not sure. Other than that, you’d have to perform a complete reinstallation and import your data using Migration Assistant. I would recommend this as last resort.

It is not really practical to check each account and it is probably better to use a more thorough solution.
 