
AhDeleve

macrumors newbie
Original poster
Aug 16, 2023
2
0
Hi guys, I'm having a difficult problem here. An acquaintance of mine came to me for help because her Mac had apparently been hacked. I found out that, before she spoke to me, she turned to some people on the internet who, in my opinion, tricked her.
Basically, they told her to put the command dscl . list /Users into the terminal. After the users appeared, they asked her to delete the following:
_accessoryupdater
_amavisd
_analyticsd
_appinstalld
_appowner
_avphidbridge
_backgroundassets
_biome
_cyrus
_darwindaemon
_datadetectors
_demod
_diskimagesiod
_ftp
_iconservices
_installer
_jabber
_svn

When I was presented with the problem, I discovered that these are "service accounts" - used to establish a special user to run certain applications (I believe).
Is there any way of recovering these "users"? Is the damage irreversible? A backup has already been made, but she's still very reluctant to restart the computer, as I've warned that serious damage could be done.

Btw, OS is Ventura, 13.5

Anyway, thank you very much!
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
Yep. And yes, tons of invisible service accounts in the OS.

Reinstall the OS. If you don't erase first...and just reinstall, all user accounts, and data should be right where it was before. Apple has made it very easy and safe these days. Backing up important data first is always wise.

I would not be surprised if the Mac was not even "hacked" in the first place.
 

Fishrrman

macrumors Penryn
Feb 20, 2009
29,239
13,313
I would:

1. Back up her personal data
2. Boot to internet recovery (command-OPTION-R), or from a USB flash drive installer
3. Use disk utility to wipe the internal drive, completely
4. Install a fresh copy of the OS
and finally,
5. Restore her personal data from a backup.

And tell her to NOT trust "people on the internet" no mo' ...
 

Expos of 1969

Contributor
Aug 25, 2013
4,823
9,510
Fishrrman said:
> I would:
>
> 1. Back up her personal data
> 2. Boot to internet recovery (command-OPTION-R), or from a USB flash drive installer
> 3. Use disk utility to wipe the internal drive, completely
> 4. Install a fresh copy of the OS
> and finally,
> 5. Restore her personal data from a backup.
>
> And tell her to NOT trust "people on the internet" no mo' ...
and what magical communication wavelength are you on giving her advice ;)
 
  • Haha
Reactions: wegster and Nermal

bogdanw

macrumors 603
Mar 10, 2009
6,118
3,029
AhDeleve said:
> Basically, they told her to put the command dscl . list /Users into the terminal. After the users appeared, they asked her to delete the following:
> _accessoryupdater
> _amavisd
> _analyticsd
> _appinstalld
> _appowner
> _avphidbridge
> _backgroundassets
> _biome
> _cyrus
> _darwindaemon
> _datadetectors
> _demod
> _diskimagesiod
> _ftp
> _iconservices
> _installer
> _jabber
> _svn
How do you delete any of those with dscl?
delete requires a path
https://ss64.com/osx/dscl.html
The story sounds more like a tech support scam than a hack.
But a clean install is always good :)
 
  • Like
Reactions: Queen6 and chrfr

chrfr

macrumors G5
Jul 11, 2009
13,707
7,279
AhDeleve said:
> Hi guys, I'm having a difficult problem here. An acquaintance of mine came to me for help because her Mac had apparently been hacked. I found out that, before she spoke to me, she turned to some people on the internet who, in my opinion, tricked her.
> Basically, they told her to put the command dscl . list /Users into the terminal. After the users appeared, they asked her to delete the following:
> _accessoryupdater
> _amavisd
> _analyticsd
> _appinstalld
> _appowner
> _avphidbridge
> _backgroundassets
> _biome
> _cyrus
> _darwindaemon
> _datadetectors
> _demod
> _diskimagesiod
> _ftp
> _iconservices
> _installer
> _jabber
> _svn
>
> When I was presented with the problem, I discovered that these are "service accounts" - used to establish a special user to run certain applications (I believe).
> Is there any way of recovering these "users"? Is the damage irreversible? A backup has already been made, but she's still very reluctant to restart the computer, as I've warned that serious damage could be done.
>
> Btw, OS is Ventura, 13.5
>
> Anyway, thank you very much!
There's no legitimate reason to delete any of these, and doing so is going to break a lot of things, if it's even possible. I agree that this sounds like a tech support scam with fake popups that told your acquaintance their computer had been hacked.
 

AhDeleve

macrumors newbie
Original poster
Aug 16, 2023
2
0
hobowankenobi said:
> Yep. And yes, tons of invisible service accounts in the OS.
>
> Reinstall the OS. If you don't erase first...and just reinstall, all user accounts, and data should be right where it was before. Apple has made it very easy and safe these days. Backing up important data first is always wise.
>
> I would not be surprised if the Mac was not even "hacked" in the first place.
I've tried this solution, but I couldn't get it to work because you need internet to re-install the OS. The problem is that the computer had access to the internet, until she deleted the service accounts - the computer connects to the wifi, but when you try to connect to a specific website you get the following error: "DNS_PROBE_FINISHED_NO_INTERNET". I think I've tried every solution on the internet (from changing the DNS server to trying to reset the SMC), so I think the problem of not having internet connection really has to do with the fact that the services have been deleted (this is something I can confirm - she inserted a script to delete the service accounts, and, after checking again with dscl . list /Users, they were not there anymore).

My idea was to reinstall the OS, but doing the following steps:

1. startup to recovery
2. delete drive using disk utility
3. install macOS
4. setup as new.

The problem is that I'm afraid I won't be able to connect to the internet in the middle of the installation (from what I've seen, it's impossible to install the OS without an internet connection), which means that the PC could be permanently out of action.
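
Added example, not part of any post in this thread: a shell check that reports which of the 18 accounts named in the first post are absent from a `dscl . list /Users` listing. The function names and the sample listing are constructed for illustration, and the expected list is only the thread's list, not a full inventory of macOS service accounts.

```shell
#!/bin/sh
# Added example: report which service accounts named in this thread are
# missing from a `dscl . list /Users` listing (one account name per line).

# The 18 account names quoted in the first post of the thread.
EXPECTED_ACCOUNTS="_accessoryupdater _amavisd _analyticsd _appinstalld _appowner
_avphidbridge _backgroundassets _biome _cyrus _darwindaemon _datadetectors
_demod _diskimagesiod _ftp _iconservices _installer _jabber _svn"

# missing_accounts: read a user listing on stdin and print every expected
# account that does not appear in it, one per line.
missing_accounts() {
    # Normalise line endings and trailing whitespace before comparing.
    _listing=$(tr -d '\r' | sed 's/[[:space:]]*$//')
    for _name in $EXPECTED_ACCOUNTS; do
        # -x matches the whole line and -F disables regex, so "_ftp" is
        # not satisfied by a longer name such as "_ftpx".
        printf '%s\n' "$_listing" | grep -qxF -- "$_name" \
            || printf '%s\n' "$_name"
    done
}

# Constructed sample listing (not captured from a real machine): every
# expected account except _ftp and _svn, plus a few ordinary accounts.
sample_listing() {
    for _name in $EXPECTED_ACCOUNTS; do
        case "$_name" in
            _ftp|_svn) ;;
            *) printf '%s\n' "$_name" ;;
        esac
    done
    printf '%s\n' root daemon nobody alice
}

# On a Mac, check the live local directory; elsewhere, use the sample.
if command -v dscl >/dev/null 2>&1; then
    dscl . list /Users | missing_accounts
else
    sample_listing | missing_accounts
fi
```

An empty result means all 18 names are still present in the listing that was checked.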
 

Bigwaff

Contributor
Sep 20, 2013
2,740
1,830
Using Recovery or USB installer doesn’t use the installed system. These are self-contained system versions which are able to connect to networks.
 
  • Like
Reactions: hobowankenobi