Screen Sharing, Linux and an EtreCheck Report

Hi Apple Fam! I recently discovered that essentially all of my devices, but especially my MacBook, had unknown user names, operating systems, activities, networks, and I mean, the list goes on. I need to take this extremely seriously as I'm going through a horrific custody battle and have a feeling I'll need to have my lawyer present these findings to a judge at some point. So, with that being said, I'd be forever grateful if I could have some help translating the severity of this particular cyber attack so I can speak with confidence to a judge about how damaging this type of violation can be to someone—in almost every capacity. Thank you so much for taking the time to take a look, it's incredibly appreciated.


MacBook Air (M1, 2020)

Posted on Oct 24, 2023 5:06 AM

Question marked as Top-ranking reply

Posted on Oct 24, 2023 6:46 AM

All macOS computers have a long list of system users that run various low-level tasks. These tools have their own accounts for security reasons. That way, the tool cannot access any user data or any data from any other tool. It has access only to that which it needs.


Your EtreCheck report shows no security problems of any kind.


I recommend you have your attorney focus on other issues.

Oct 24, 2023 6:33 AM in response to mutsu_ambrosia

I didn't notice anything particularly alarming in your EtreCheck report, other than app crashes.


I can offer the following suggestions, and others may offer additional ones:


  • Check to see if your user profile is the Administrator on your Mac. (System Settings-->Users and Groups). If you are, you can delete those unknown users.
  • You're running macOS Ventura, and should update to macOS Sonoma.
  • Disk4s3 appears to be absolutely full. Not sure what this is used for (others here may know) but a disk with virtually no available space is never good.
  • No Time Machine backups have been created. I recommend using an external drive to create one.
  • You might try booting into Safe Mode, being patient as it can take up to 5 minutes or so to fully load. Check and see if anything's changed in this mode. This Apple Support article describes how to boot into Safe Mode: Start up your Mac in safe mode - Apple Support
  • Do you have any virtual drives set up on this Mac? It appears you might (maybe for Linux?). What do you see when you're in Disk Utility? (Applications-->Utilities-->Disk Utility). Post a screenshot of what the Disk Utility screen looks like.
  • 8GB RAM is the bare minimum to operate a Mac...unfortunately, this can't be upgraded.


Not sure if any of this is helpful or not, as you didn't fully describe the current issues and/or faults you're seeing on your Mac.






Oct 24, 2023 8:06 AM in response to mutsu_ambrosia


mutsu_ambrosia wrote:

No the user names appeared in the activity monitor and device utility(? - sorry) windows. I’m attempting to wipe everything now and then I can redownload the screenshots I have so you can get a better idea :) I know I’m not very helpful with words right now lol.


Do you mean process names – like kernel_task, bluetoothd, launchservicesd, nsurlsessiond, powerd, sharingd, locationd, mDNSResponder, and coreservicesd – to name a few?


Or user names – like root, _spotlight, _nsurlsessiond, and _locationd?


All of these particular examples are normal parts of macOS. Many background processes have names that end with 'd' – the 'd' stands for 'daemon' (background task). It's a naming convention that goes back to BSD Unix. Often the rest of the name is a hint as to what the process does, e.g. bluetoothd is related to Bluetooth.


As far as the user names go, 'root' is the Unix superuser, who "owns" the entire system. 'root' always has full privileges, and macOS normally disables interactive logins to that account. But a lot of system processes run in that context. The other user names probably reflect efforts by Apple to carve off some parts of the system and run them as less-privileged ordinary "users" for security or stability reasons.


Oct 24, 2023 7:44 AM in response to mutsu_ambrosia

mutsu_ambrosia wrote:

From what I’ve gathered someone using Linux made it so they were the root or su user and had override capabilities over me, the admin. And no, I do not have any virtual drives. There was a ton of remote access software installed. It looks like they turned off any proxy servers and I’m getting constant notifications that I’ve been logged into a new device from Gmail and my appleID.

For sure, you'll want to change the passwords to your Gmail and AppleID accounts. Here's how to change your AppleID password: Change your Apple ID password - Apple Support. And here is how to change your Gmail password: How To Change Your Gmail Password.



Regarding the user accounts etresoft mentioned: this is correct, but they wouldn't appear as users in System Settings-->Users and Groups. You didn't say if those other users appear in System Settings?

Oct 24, 2023 8:12 AM in response to Servant of Cats

I believe that System Settings > Users & Groups is designed to


  • Hide the root account, at least when interactive logins to it are disabled.
  • Hide all of the user accounts with names like _locationd, _networkd, or _windowserver that macOS is using internally, for security or stability purposes, but that are not meant to be logged into interactively.


I would not be surprised if the Mac now reserves all user names beginning with "_" for itself, at least in the GUI. Then the Users & Groups code could just hide any user name beginning with "_".
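
The distinction the replies above draw between built-in service accounts and real login accounts can be checked from Terminal. The script below is an added example, not part of any post in this thread: it sorts the output of `dscl . -list /Users UniqueID` into classes. The UID 501 threshold for ordinary accounts, the class labels, and the sample data (including the account `alice`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies "name uid" pairs as printed by
#   dscl . -list /Users UniqueID
# Assumption: ordinary (human) accounts on macOS get UIDs from 501 upward, while
# built-in service accounts use lower UIDs and mostly a leading underscore.

classify_accounts() {
    # stdin: one "name uid" pair per line; stdout: "<class> <name> <uid>"
    awk '
        NF != 2 || $2 !~ /^-?[0-9]+$/ { next }                        # skip malformed lines
        $1 == "root" && $2 == 0 { print "superuser", $1, $2; next }
        $2 == 0                 { print "review", $1, $2; next }      # UID 0 but not named root
        $2 >= 501 && $1 !~ /^_/ { print "login", $1, $2; next }       # normal user account
        $2 >= 501               { print "review", $1, $2; next }      # "_" name in the login UID range
                                { print "service", $1, $2 }           # built-in system account
    '
}

# Constructed sample in the same two-column layout dscl prints.
SAMPLE_DSCL_OUTPUT='_locationd 205
_nsurlsessiond 242
_spotlight 89
_windowserver 88
daemon 1
nobody -2
root 0
alice 501'

sample_report() {
    printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | classify_accounts
}

# On a Mac, classify the real account list; elsewhere, fall back to the sample.
if command -v dscl >/dev/null 2>&1; then
    dscl . -list /Users UniqueID | classify_accounts
else
    sample_report
fi
```

Only the `login` and `review` lines need a second look; the `service` lines are the accounts the replies describe as normal parts of macOS.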

Oct 24, 2023 7:10 AM in response to MacMikeInOK

Thanks Mike!


And yes, I’ll upload all of the screenshots.


I’ve never partitioned the drive at all. Is it right that there are multiple now?

Also, I’ve never installed Windows and there were a ton of PC apps.


From what I’ve gathered someone using Linux made it so they were the root or su user and had override capabilities over me, the admin. And no, I do not have any virtual drives. There was a ton of remote access software installed. It looks like they turned off any proxy servers and I’m getting constant notifications that I’ve been logged into a new device from Gmail and my appleID.
