Deleted "service accounts"

Joined
Aug 16, 2023
Messages
2
Reaction score
0
Hi guys, I'm having a difficult problem here. An acquaintance of mine came to me for help because her Mac had apparently been hacked. I found out that, before she spoke to me, she turned to some people on the internet who, in my opinion, tricked her.
Basically, they told her to put the command dscl . list /Users into the terminal. After the users appeared, they asked her to delete the following:

_accessoryupdater
_amavisd
_analyticsd
_appinstalld
_appowner
_avphidbridge
_backgroundassets
_biome
_cyrus
_darwindaemon
_datadetectors
_demod
_diskimagesiod
_ftp
_iconservices
_installer
_jabber
_svn

When I was presented with the problem, I discovered that these are "service accounts" - used to establish a special user to run certain applications (I believe).
Is there any way of recovering these "users"? Is the damage irreversible? A backup has already been made, but she's still very reluctant to restart the computer, as I've warned that serious damage could be done.

OS is Ventura 13.5

Anyway, thank you very much!
 
Joined
May 7, 2023
Messages
467
Reaction score
70
Hi, and welcome to the forums.

If you have her download the full installer for macOS Ventura and reinstall it, it will recreate all of the services that are needed.

You can download the full installer from the App Store at this link: https://apps.apple.com/us/app/macos-ventura/id1638787999

After she downloads it, it will automatically launch. Just have her install it and it will repair any issues with the OS while leaving all of her data intact.
 
Joined
Aug 16, 2023
Messages
2
Reaction score
0
I've tried your solution, but I couldn't get it to work because you need internet to re-install the OS. The problem is that the computer had access to the internet, until she deleted the service accounts - the computer connects to the wifi, but when you try to connect to a specific website you get the following error: "DNS_PROBE_FINISHED_NO_INTERNET". I think I've tried every solution on the internet (from changing the DNS server to trying to reset the SMC), so I think the problem of not having internet connection really has to do with the fact that the services have been deleted (this is something I can confirm - she inserted a script to delete the service accounts, and, after checking again with dscl . list /Users, they were not there anymore).

My idea was to reinstall the OS, but doing the following steps:

1. startup to recovery
2. delete drive using disk utility
3. install macOS
4. setup as new.

The problem is that I'm afraid I won't be able to connect to the internet in the middle of the installation (from what I've seen, it's impossible to install the OS without an internet connection), which means that the PC could be permanently out of action.
 
Joined
May 7, 2023
Messages
467
Reaction score
70
Hi there,

If her computer is a 2018 or later that has a T2 security chip, then it may need an internet connection to install the OS unless you reduce the security settings on the Mac.

You have 2 options on how to proceed from here.

The easiest way around this is to just use the recovery to reinstall the OS without reformatting the drive. It will just reinstall the OS without losing any data. The same as if you ran the installer as described in my previous post.

Or, if you have a slow internet connection and have downloaded the installer already, you can lower the security settings to allow the installer to run. To do this, restart the computer into recovery and then when you see the option to reinstall the OS, look in the menu bar and under the Utilities menu select Startup Security Utility.

In the Startup Security Utility select No Security and then restart the Mac. The installer that you had used prior will be able to run without an internet connection.
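
Added example, not part of any post in this thread: a small check that reports which of the accounts listed in the first post are absent from a `dscl . list /Users` listing, useful before and after a reinstall to confirm they were recreated. The `sample_listing` data and the name `_ftpd_hypothetical` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the service accounts named in the thread
# are absent from a `dscl . list /Users` listing.

# Account names copied from the list in the first post.
THREAD_ACCOUNTS="_accessoryupdater _amavisd _analyticsd _appinstalld _appowner
_avphidbridge _backgroundassets _biome _cyrus _darwindaemon _datadetectors
_demod _diskimagesiod _ftp _iconservices _installer _jabber _svn"

# Reads a listing on stdin (one account name per line) and prints each
# thread account that is not present. Matching is exact and whole-line, so
# "_ftp" is not satisfied by a longer name that merely contains it.
missing_accounts() {
    listing=$(awk 'NF { print $1 }')   # drop blank lines and trailing fields
    for acct in $THREAD_ACCOUNTS; do
        printf '%s\n' "$listing" | grep -qxF -- "$acct" || printf '%s\n' "$acct"
    done
}

# Constructed sample listing (not captured from a real machine).
# "_ftpd_hypothetical" is a made-up name that contains "_ftp" as a prefix.
sample_listing() {
    cat <<'EOF'
_amavisd
_analyticsd
_ftpd_hypothetical
daemon
nobody
root
EOF
}

# On macOS, check the live local directory; elsewhere, use the sample.
if command -v dscl >/dev/null 2>&1; then
    dscl . list /Users | missing_accounts
else
    sample_listing | missing_accounts
fi
```

Empty output means every account from the list is present again.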
 
