MacOS – A lot of mysterious executable files inside /Users/Shared

Tags: disk-space, finder, macos, virus

Recently I've noticed that a lot of mysterious .tar.gz and executable files have spawned inside my Shared folder, and by a lot I mean 466 total.

/Users/Shared $ ls | wc -l
     466

I'm the only user on my MacBook Pro and out of the 466, I only recognized 6 of them being folders with an installed application name (CleanMyMac, Renewed Vision Media, etc.) so those are not the problem. As for the rest, they look horrific:

/Users/Shared $ ls -l /Users/Shared
total 824456
drwxrwxr-x  5 root             wheel      160 Feb 12 14:38 Adobe
drwxrwxrwx  2 root             wheel       64 Aug 10  2018 AdobeInstalledCodecs
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb 12 10:02 App_01D422FE-C147-4010-9A44-D4358E33D212-1210-0000006734D5E80A
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec 17 10:32 App_01D422FE-C147-4010-9A44-D4358E33D212-1210-0000006734D5E80A.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_02966A96-E2BC-48F1-A082-387BFD2559A6-1246-0000005E71CF0D2B
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 31 20:29 App_02966A96-E2BC-48F1-A082-387BFD2559A6-1246-0000005E71CF0D2B.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec  2 00:44 App_041C25CA-E276-4BBD-87FF-1AAF42FB62CF-1199-0000004DE163A3E6
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec  2 00:44 App_041C25CA-E276-4BBD-87FF-1AAF42FB62CF-1199-0000004DE163A3E6.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:29 App_05BDF17A-375B-45DA-B054-D77F0BBA7061-1166-000000502FEEE31D
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Dec 28 16:51 App_05BDF17A-375B-45DA-B054-D77F0BBA7061-1166-000000502FEEE31D.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Nov 26 13:54 App_070BFBA2-26D0-448F-9123-DADD3A2ECB49-1218-0000007FCF9E349B
-rw-r--r--  1 jonathanfilbert  wheel   331578 Nov 26 13:54 App_070BFBA2-26D0-448F-9123-DADD3A2ECB49-1218-0000007FCF9E349B.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_0977FD4D-5953-4F70-BE63-FD750A3BF6DC-1231-0000005027783E91
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 11 12:44 App_0977FD4D-5953-4F70-BE63-FD750A3BF6DC-1231-0000005027783E91.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_0A03682C-6DB4-4908-B386-A6BB644D3C74-1276-0000005B2AD5C511
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 17 11:10 App_0A03682C-6DB4-4908-B386-A6BB644D3C74-1276-0000005B2AD5C511.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_0A8D9DBD-BAA7-444B-9E85-87972AF665EF-1216-0000005A3907D09A
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Dec 23 15:53 App_0A8D9DBD-BAA7-444B-9E85-87972AF665EF-1216-0000005A3907D09A.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec  9 19:22 App_0ABFFC9E-731F-46BD-B117-17A76FBCA084-1236-0000004ED1B99385
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec  9 19:22 App_0ABFFC9E-731F-46BD-B117-17A76FBCA084-1236-0000004ED1B99385.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Mar 23 16:59 App_0C6FC480-EF97-4009-BF39-96F58799E7ED-1192-0000005E9FC8FC9F
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec 12 21:02 App_0C6FC480-EF97-4009-BF39-96F58799E7ED-1192-0000005E9FC8FC9F.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec 15 00:01 App_0DAD0990-45B0-4F11-A37A-DC9F8784C3C9-1185-000000610AEAD23D
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec 15 00:01 App_0DAD0990-45B0-4F11-A37A-DC9F8784C3C9-1185-000000610AEAD23D.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Nov 30 21:13 App_0F3DAB99-B214-4DBF-BBE4-A51C779F6987-1153-0000006B23FCBCB3
-rw-r--r--  1 jonathanfilbert  wheel   331578 Nov 30 21:13 App_0F3DAB99-B214-4DBF-BBE4-A51C779F6987-1153-0000006B23FCBCB3.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec  5 08:53 App_126A36AB-A0C5-4D4C-A23A-113EA6E7C970-1806-0000009535B1B6CB
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec  5 08:53 App_126A36AB-A0C5-4D4C-A23A-113EA6E7C970-1806-0000009535B1B6CB.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb 21 15:40 App_12E3E8A1-9788-4ABF-915A-F199A0C6143C-1221-000000541C12C17A
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec 16 14:36 App_12E3E8A1-9788-4ABF-915A-F199A0C6143C-1221-000000541C12C17A.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_12EBEA64-5051-4122-89DF-9FB8DADAA41B-1275-00000063D967AF8B
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 11 23:07 App_12EBEA64-5051-4122-89DF-9FB8DADAA41B-1275-00000063D967AF8B.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Nov 19 15:51 App_149EDAB5-6A58-40F6-9FC8-B3E4F3279538-1218-0000006CC5FF38F4
-rw-r--r--  1 jonathanfilbert  wheel   331578 Nov 19 15:51 App_149EDAB5-6A58-40F6-9FC8-B3E4F3279538-1218-0000006CC5FF38F4.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_16277D4A-ACA9-4730-8929-892500D29B19-1132-000000503FDB731F
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Dec 31 14:57 App_16277D4A-ACA9-4730-8929-892500D29B19-1132-000000503FDB731F.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Nov  8 20:18 App_16A18583-FD97-4644-BF06-137B0FFD35E1-1204-0000006A2372C7CA
-rw-r--r--  1 jonathanfilbert  wheel   331578 Nov  8 20:18 App_16A18583-FD97-4644-BF06-137B0FFD35E1-1204-0000006A2372C7CA.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_175B9F9E-2372-4165-AA2B-F0123E12ABEB-1895-00000095CD045C8F
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 17 19:50 App_175B9F9E-2372-4165-AA2B-F0123E12ABEB-1895-00000095CD045C8F.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_17D25F31-21C7-4C55-97B4-278F3EF29F8B-1295-0000004E3FCB237E
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Dec 25 00:10 App_17D25F31-21C7-4C55-97B4-278F3EF29F8B-1295-0000004E3FCB237E.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Nov 21 18:27 App_18987876-EDA5-44F8-839D-9D0ED9E85C10-1225-00000058DFD63585
-rw-r--r--  1 jonathanfilbert  wheel   331578 Nov 21 18:27 App_18987876-EDA5-44F8-839D-9D0ED9E85C10-1225-00000058DFD63585.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec  5 19:01 App_18CFA5BA-85C7-4EC0-930C-73A0847EA055-1197-00000056895B3D96
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec  5 19:01 App_18CFA5BA-85C7-4EC0-930C-73A0847EA055-1197-00000056895B3D96.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_18E54EEA-52A5-4EE5-BC99-1D112C18A214-1352-00000051E2111EC0
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan  7 15:44 App_18E54EEA-52A5-4EE5-BC99-1D112C18A214-1352-00000051E2111EC0.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:29 App_1AB67930-C1CE-46E9-AB02-B6E24E0385B7-1223-00000051EB8F1D18
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Feb  2 18:25 App_1AB67930-C1CE-46E9-AB02-B6E24E0385B7-1223-00000051EB8F1D18.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_1AC8F899-D2AA-4AB9-9BF1-35BE98ED1EDE-16157-000006E2D274F110
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Dec 21 19:17 App_1AC8F899-D2AA-4AB9-9BF1-35BE98ED1EDE-16157-000006E2D274F110.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Feb  6 15:28 App_1F263B6A-077E-482C-94FF-3C3D6892F2B9-1324-0000005F3A9C6E56
-rw-r--r--  1 jonathanfilbert  wheel  4660684 Jan 26 12:39 App_1F263B6A-077E-482C-94FF-3C3D6892F2B9-1324-0000005F3A9C6E56.tar.gz
drwxr-xr-x  3 jonathanfilbert  wheel       96 Dec  5 19:34 App_221EA77C-0E38-421F-9BF6-D5465E75EE63-2756-000000D9B2A9FFF6
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec  5 19:34 App_221EA77C-0E38-421F-9BF6-D5465E75EE63-2756-000000D9B2A9FFF6.tar.gz
drwxr-xr-x  2 jonathanfilbert  wheel       64 Mar 23 16:59 App_22BBCFA5-1384-4B28-9688-C5463795FD48-1143-0000006521EDAAE0
-rw-r--r--  1 jonathanfilbert  wheel   331578 Dec 17 23:39 App_22BBCFA5-1384-4B28-9688-C5463795FD48-1143-0000006521EDAAE0.tar.gz

Here are the ls -l results for some of the directories:

-rwxrwxrwx  1 jonathanfilbert  wheel   244928 Jan 13 20:41 a_0058AB63-F619-42E5-BBA5-86532551CFA3-1193-00000054FCB20168
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec 23 15:51 a_0153215B-DE1E-47B0-B4DF-961804DB2CB2-1216-00000057AE7086FB
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec 17 13:00 a_01BDBE1A-5EDC-413E-BE41-33A611EF871F-1134-000000754A4E692A
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Jan  2 11:33 a_01F076CE-B02D-4C1F-8058-A4A832333CE7-1291-0000004D445928B5
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec 19 14:09 a_02B73853-967A-4723-98BA-D81553A2D7FE-1189-0000004EACDB9D9C
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Nov 11 15:30 a_036B3671-AF44-4439-9BA5-1B31232B6CE1-1243-0000004FA1CF7311
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Nov 17 19:08 a_06AEA1F5-2958-4AAB-A9FE-741837F4FCA9-1206-0000004E458C7071
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec  1 23:56 a_0880EF4F-ADF4-4DF5-A0F7-C5689828D5DC-9985-0000041F7999B6FA
-rwxrwxrwx  1 jonathanfilbert  wheel   244928 Jan 16 18:15 a_0898EB66-62FE-4D6A-8D60-E4EC2A2489E4-1178-000000541561A81E
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec  8 17:32 a_0ABD7D94-04C0-40FC-A637-01DB09630972-1233-0000004D07EB2930
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Dec  5 12:22 a_0D32C0E7-A993-47B1-A7C6-4D41C2B691E1-1160-0000005194510DAA
-rwxrwxrwx  1 jonathanfilbert  wheel   183456 Dec 25 00:10 a_0D3F7A43-9BB0-4D09-9811-6953AD28AE4D-1295-00000051353554A9
-rwxrwxrwx  1 jonathanfilbert  wheel   244928 Jan 29 21:33 a_0D5D220A-C3C0-49B7-A64B-49C64E3DD865-6976-000000680ED5309B
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Nov 10 23:11 a_1288DB46-490B-49D4-840F-3E725AF6F4AE-1243-0000006C70925320
-rwxrwxrwx  1 jonathanfilbert  wheel   244928 Jan 11 23:08 a_132D252F-B372-468B-A748-D084AEE5E355-1275-0000006BA6ED0EBA
-rwxrwxrwx  1 jonathanfilbert  wheel   244928 Jan 17 19:50 a_141E730D-6CE1-470B-86B9-8CABEF1F4A4C-1895-0000009B37EC280A
-rwxrwxrwx  1 jonathanfilbert  wheel   210848 Nov 25 23:53 a_1817CEF5-03C3-4968-8CA9-03F5D24540BF-1330-0000006C576DC205

My question is, aside from the 6 recognized folders, is it safe to delete those things? As they take up quite a lot of space, and recently, I found a malicious file named SystemExtr residing inside one of the folders, and deleted it, but somehow it returned.

Best Answer

Note: this doesn't answer your question directly but is advice and some further steps to troubleshoot.

If your computer has been reported as being affected by malware, you are likely better off long-term to back up your personal data (i.e. user directory etc.), note the apps you have installed, and start over with a nuke & repave. A few hours spent doing this is better than rescuing a system with unquantified levels of malware -- it could be just 'SystemExtr' or it could be a whole heap of other things -- and the nature of some malware means it can't be 100% removed.

In the meantime:

  • use a reputable macOS malware scanner like Malwarebytes or Sophos to see if they pick anything up;
  • upload one of the executables to VirusTotal to see if it finds anything.

And for ongoing homework: learn a bit about hard drive space management and reduce reliance on the whizzy apps (especially the free ones) that do all this for you. Some are reputable, some are junk. Using a disk viewer like GrandPerspective will give you better visibility into what's going on inside your hard drive, and give you more control overall.