Oct 15, 2014 12:01 PM in response to GordonMacMan by GordonMacMan
It happened again on my 15" MBP. The database file names are: Cache.db, Cache.db-shm and Cache.db-wal.
Regards,
Gordon
-
Mar 8, 2015 9:40 PM in response to GordonMacMan by Haydude
Have you found an answer to this problem? I have found it happens in Safari > Preferences > Privacy. When you click on the Privacy icon header, instantly the 3 .db files appear and re-arrange all my files into alphabetical arrangement on my root directory (Mac Pro SSD). It will also behave this way when you choose "Reset Safari" from the drop down Safari menu.
Regards,
Haydude
-
Apr 10, 2016 12:37 AM in response to Haydude by AppleNofaith
Either of you found any answers to this? I'm quite possibly battling some sort of persistent malware that withstands clean installs from factory disk, and I'm sifting through everything trying to identify the difference between data corruption, RAM corruption, hard drive corruption, or just encrypted files that look like jibber jabber such as the following file found in .fseventsd folder on my main hard drive and any external device I plug in. I'm hoping this is just unencrypted data from Mac or something.
-
Apr 10, 2016 6:25 AM in response to AppleNofaith by BobHarris
If it is a clean install and you did not install anything else, then it is very unlikely to be malware.
By 'root' directory, I'm assuming you mean the top level directory, which in the Unix world is called /
Using the Terminal, see whether the 'hidden' flag is properly set on the offending files
Applications -> Utilities -> Terminal
/bin/ls -aleO@ /
Here is the output from my root directory. Yours will NOT look exactly the same, but it should have many similar points.
total 101
drwxr-xr-x   38 root  wheel  -                 1360 Apr  8 09:50 .
drwxr-xr-x   38 root  wheel  -                 1360 Apr  8 09:50 ..
-rw-rw-r--    1 root  admin  -                 6148 Mar 24 22:07 .DS_Store
d--x--x--x    9 root  wheel  -                  306 Mar 26 11:35 .DocumentRevisions-V100
drwx------    7 me    staff  -                  238 Jan  6 20:28 .IABootFiles
-rw-r--r--    1 me    staff  -                  305 Jan  6 20:28 .IAProductInfo
drwx------    5 root  wheel  -                  170 Jan  7 10:18 .Spotlight-V100
drwxrwxrwt@   3 root  wheel  hidden             102 Mar  3  2015 .TemporaryItems
    com.apple.FinderInfo 32
d-wx-wx-wt    2 root  wheel  hidden              68 Jan  7 20:15 .Trashes
srwxrwxrwx    1 root  wheel  -                    0 Mar 26 11:36 .dbfseventsd
----------    1 root  admin  -                    0 Sep 15  2015 .file
drwx------  128 root  staff  -                 4352 Apr 10 08:47 .fseventsd
drwxr-xr-x@   2 root  wheel  hidden              68 Jan  7 20:27 .vol
    com.apple.FinderInfo 32
drwxrwxr-x+ 127 root  admin  sunlnk            4318 Apr 10 08:41 Applications
 0: group:everyone deny delete
drwxrwxr-x@  16 root  wheel  -                  544 Mar  9  2014 Developer
    com.apple.FinderInfo 32
 0: user:_spotlight inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+  66 root  wheel  sunlnk            2244 Jan  7 21:16 Library
 0: group:everyone deny delete
drwxr-xr-x@   2 root  wheel  hidden              68 Aug 22  2015 Network
    com.apple.FinderInfo 32
drwxr-xr-x@   4 root  wheel  restricted         136 Jan 19 13:25 System
    com.apple.rootless 0
 0: group:everyone deny delete
lrwxr-xr-x    1 root  wheel  -                   60 Jan  7 11:38 User Guides And Information -> /Library/Documentation/User Guides and Information.localized
drwxr-xr-x    9 root  admin  -                  306 Jan  7 21:07 Users
drwxrwxrwt@   4 root  admin  hidden             136 Apr 10 08:42 Volumes
    com.apple.FinderInfo 32
 0: group:everyone deny add_file,add_subdirectory,directory_inherit,only_inherit
drwxr-xr-x@  39 root  wheel  restricted,hidden 1326 Jan 19 13:24 bin
    com.apple.FinderInfo 32
    com.apple.rootless 0
drwxrwxr-t@   2 root  admin  hidden              68 Aug 22  2015 cores
    com.apple.FinderInfo 32
dr-xr-xr-x    3 root  wheel  hidden            4427 Mar 26 11:35 dev
lrwxr-xr-x@   1 root  wheel  restricted,hidden   11 Jan  7 20:25 etc -> private/etc
    com.apple.FinderInfo 32
    com.apple.rootless 0
dr-xr-xr-x    2 root  wheel  hidden               1 Mar 26 11:35 home
-rw-r--r--@   1 root  wheel  hidden             313 Aug 22  2015 installer.failurerequests
    com.apple.FinderInfo 32
dr-xr-xr-x    2 root  wheel  hidden               1 Mar 26 11:35 net
-rw-------    1 root  wheel  -                 7638 Nov  7 11:57 openvpn.log
drwxr-xr-x@   6 me    staff  hidden             204 Dec 31 15:36 opt
    com.apple.FinderInfo 32
 0: user:_spotlight inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x@   6 root  wheel  hidden             204 Jan  7 20:27 private
    com.apple.FinderInfo 32
drwxr-xr-x@  59 root  wheel  restricted,hidden 2006 Jan 19 13:24 sbin
    com.apple.FinderInfo 32
    com.apple.rootless 0
lrwxr-xr-x@   1 root  wheel  restricted,hidden   11 Jan  7 20:26 tmp -> private/tmp
    com.apple.FinderInfo 32
    com.apple.rootless 0
drwxr-xr-x@  12 root  wheel  restricted,hidden  408 Feb  3 11:35 usr
    com.apple.FinderInfo 32
    com.apple.rootless 0
lrwxr-xr-x@   1 root  wheel  restricted,hidden   11 Jan  7 20:26 var -> private/var
    com.apple.FinderInfo 32
    com.apple.rootless 0
If you see that I have the same offending files, then check if the 'hidden' flag is specified in your output. The Finder does NOT show files with this flag enabled, nor files that begin with a period. So in my output there are a lot of items that the Finder is NOT going to display. In fact, the Finder just displays 7 of the above, because they do not start with a period and do not have the 'hidden' flag.
If your Finder is displaying files with a leading period, then there is a good chance the Finder has been told to display hidden files. See:
<http://ianlunn.co.uk/articles/quickly-showhide-hidden-files-mac-os-x-mavericks/>
If it is files without the leading period, then there is a good chance the 'hidden' flag is no longer attached to the file. See:
<http://osxdaily.com/2012/01/06/hide-folders-mac/>
If this does not explain your situation, then please post the following information:
Please take a screen shot of the offending folder. Command-Shift-4-Space, position your cursor over the window, click the mouse/trackpad button. A screen shot file should appear on your desktop. Drag and Drop that file into a reply to this thread. It will then be uploaded as part of your reply. If you wish to annotate or blot out anything in the screen shot, use Applications -> Preview -> Tools -> Annotate to draw circles, boxes, arrows, and insert text into the screen shot before you drag it to a reply.
Post the output from your /bin/ls -aleO@ / command
Post the output from EtreCheck so we can verify your configuration.
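The visibility rule described in the reply above (the Finder hides names with a leading period and items carrying the 'hidden' flag) can be applied mechanically to the `ls -aleO@` output. The following is an added example, not part of BobHarris's post; the function names `finder_visible` and `sample_listing` are hypothetical, and the sample input reuses lines from the listing above plus one constructed `Cache.db` entry.

```shell
#!/bin/sh
# Added example. Usage on a Mac:  /bin/ls -aleO@ / | finder_visible

# Print the names the Finder would list by default: entries that neither
# start with a period nor carry the "hidden" flag (column 5 of ls -O output).
finder_visible() {
    awk '
        /^total /  { next }   # summary line
        /^[ \t]/   { next }   # indented xattr and ACL detail lines
        NF >= 10 {
            flags = $5
            name = $10        # rebuild names that contain spaces
            for (i = 11; i <= NF; i++) name = name " " $i
            sub(/ -> .*$/, "", name)                # drop symlink target
            if (name ~ /^\./) next                  # leading period
            if (("," flags ",") ~ /,hidden,/) next  # hidden flag set
            print name        # note: runs of spaces in a name collapse to one
        }'
}

# Sample input: lines taken from the listing in the post, plus one
# constructed Cache.db entry standing in for a stray file with no hidden flag.
sample_listing() {
    cat <<'EOF'
total 101
drwxr-xr-x   38 root  wheel  -                 1360 Apr  8 09:50 .
drwxr-xr-x   38 root  wheel  -                 1360 Apr  8 09:50 ..
-rw-rw-r--    1 root  admin  -                 6148 Mar 24 22:07 .DS_Store
drwxrwxrwt@   3 root  wheel  hidden             102 Mar  3  2015 .TemporaryItems
    com.apple.FinderInfo 32
drwx------  128 root  staff  -                 4352 Apr 10 08:47 .fseventsd
drwxrwxr-x+ 127 root  admin  sunlnk            4318 Apr 10 08:41 Applications
 0: group:everyone deny delete
-rw-r--r--    1 root  wheel  -                 4096 Apr 10 08:40 Cache.db
drwxr-xr-x@   4 root  wheel  restricted         136 Jan 19 13:25 System
    com.apple.rootless 0
 0: group:everyone deny delete
lrwxr-xr-x    1 root  wheel  -                   60 Jan  7 11:38 User Guides And Information -> /Library/Documentation/User Guides and Information.localized
drwxr-xr-x    9 root  admin  -                  306 Jan  7 21:07 Users
drwxr-xr-x@  39 root  wheel  restricted,hidden 1326 Jan 19 13:24 bin
    com.apple.FinderInfo 32
    com.apple.rootless 0
-rw-------    1 root  wheel  -                 7638 Nov  7 11:57 openvpn.log
EOF
}

sample_listing | finder_visible
```

Any name in the result that is not an expected top-level folder is a candidate for a missing 'hidden' flag or a file written to / by mistake.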
-
Apr 12, 2016 7:14 AM in response to AppleNofaith by AppleNofaith
***hoping this is just "encrypted" data....
-
Apr 12, 2016 7:27 AM in response to AppleNofaith by BobHarris
According to the 'file' command, the /.fseventsd directory contains mostly gzip files
file /.fseventsd/*
00000001cbb362ca: gzip compressed data, from Unix
00000001cbb578c3: gzip compressed data, from Unix
00000001cbb578c4: gzip compressed data, from Unix
00000001cc87222f: gzip compressed data, from Unix
...
A compressed file will look like gibberish.
-
Apr 12, 2016 8:06 AM in response to GordonMacMan by MrHoffman
The Cache files are usually Safari-related caching, and they're normally created in a folder rather deep down inside your Library > Caches folder.
The stuff in the fsevents folder is a log of file system activity, and entirely normal.