What Purged Files on My Wife's Hard Drive?

Joined
Aug 16, 2013
Messages
4
Reaction score
0
Points
1
I'm stumped. My wife's Documents folder was purged and her Desktop folder, almost so and in a strange way. Her Firefox bookmarks also were deleted. At first, I thought this was some kind of trojan horse. But, I can't find anyone else with a similar problem. If anyone has any advice, please help. Here is what I know:

1) She is in a vacation home in a small town with our kids and her extended family.
2) She had mistakenly connected to an open wireless network and not the password protected one that came with the house.
3) Her firewall was off. But, she was set up only for File Sharing and Screen Sharing
4) The Console shows no record of anyone connecting using either of those methods.
5) She had files in her Trash prior to the incident. Those files remain in her trash. The files removed from Desktop and Documents are not.
6) Our son had been using the computer earlier with his cousin. They had done some design work in Photoshop, turned on AirDrop, and installed some Minecraft mod files.
7) We ran ClamXAV on the drive. It only showed viruses attached to spamming emails, stuff she would not have opened.
8) Music, Movies, Sites etc remained untouched.
9) The strangest thing of all: Her Desktop is not completely empty. Previously it was loaded up with lots of stuff. Now, two folders remain in it. Each of those folders had lots of stuff. Now they each have only one folder. Each of those had previously had lots of stuff. Now they each only have one folder. And so on. There is a hierarchy of about seven levels like this until you get to the bottom and find a few files. It's almost as if a recursive deleting routine had run on the drive and had stopped before it had finished.

Any suggestions of how to look at this?

Thanks!

Gary
 

bobtomay

,
Retired Staff
Joined
Dec 22, 2006
Messages
26,561
Reaction score
677
Points
113
Location
Texas, where else?
Your Mac's Specs
15" MBP '06 2.33 C2D 4GB 10.7; 13" MBA '14 1.8 i7 8GB 10.11; 21" iMac '13 2.9 i5 8GB 10.11; 6S
Sounds like she changed her home folder name?
 
OP
N
Joined
Aug 16, 2013
Messages
4
Reaction score
0
Points
1
Sounds like she changed her home folder name?

Maybe. I can check with them. It doesn't sound like the kind of thing my son (who is fairly savvy) or my wife (who doesn't mess with things) would do. And, wouldn't that have affected her music and movies, too?

This screams trojan horse to me. But, I keep hearing that I don't need to worry about that on a mac. Others have said this has to be a person's doing. But, the untouched trash and the lack of file sharing log entries says otherwise to me.

We also just discovered that her Address Book had been purged of all of its entries. I can't see a person almost purging those Desktop directories and deleting some things in her user Library (if that's how, in fact, Firefox and Address Book were affected).

Are there any things I can look for in any logs for signs of some kind of intervention.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
Are there any things I can look for in any logs for signs of some kind of intervention.

Let's wait and see what her or your son's answer is about the home folder name being changed. The name may have been changed accidentally which would cause all the things that you have so far mentioned.

And it's very unlikely that it's a trojan or some form of malware.
 
OP
N
Joined
Aug 16, 2013
Messages
4
Reaction score
0
Points
1
Let's wait and see what her or your son's answer is about the home folder name being changed. The name may have been changed accidentally which would cause all the things that you have so far mentioned.

Gotta love young teens. The response from my 14 year old and his cousin: "most likely not but maybe"

Let's say I wanted to test this happening and I didn't want to destroy my computer. Suppose I copy a large numbers of files to a dummy user ID on the computer and then, as that user, rename the home directory, and soon after name it back. Would that be both an accurate and safe test?

Any idea how long I would need to leave it with the bad name?

Naturally, I'll make sure I have a full backup before doing anything.

Thanks again!

Gary
 

bobtomay

,
Retired Staff
Joined
Dec 22, 2006
Messages
26,561
Reaction score
677
Points
113
Location
Texas, where else?
Your Mac's Specs
15" MBP '06 2.33 C2D 4GB 10.7; 13" MBA '14 1.8 i7 8GB 10.11; 21" iMac '13 2.9 i5 8GB 10.11; 6S
I believe you have to reboot after the name change - not sure since I've never personally tried it - but that's the report from most of those that have done it - they notice all their stuff missing after a reboot.

And gotta set those youngsters up with their own user account if they're going to be using any adults computer - a non-admin account. Learned that lesson the hard way myself many years ago.
 
OP
N
Joined
Aug 16, 2013
Messages
4
Reaction score
0
Points
1
This is getting crazier. I did two things over the weekend:

1) I took an old computer and tried renaming the home directory. Two things about this:

a) I had to go through quite a dance to make this happen (create users and granting authority to the primary user's folder, that or using sudo in command line to rename). It was unlikely anyone would have done this accidentally.

b) The result wasn't quite what my wife experienced. Upon returning to the primary user's account, I had a default set of unused folders. But, the original hierarchy was still there in the Users directory, just under the new name. In my wife's case, she has lost many, but not all files. Her Documents folder was cleared. Her Desktop folder was largely, but strangely, cleared. But, her Movies and Pictures were fine. And her Library was selectively cleared (Mail untouched. Browser, Address Book and probably others reset).

Accidentally renaming the home directory was an interesting idea. But, it's looking unlikely to me now.

2) I got the computer back and ran Data Rescue 3 against it. A Quick Scan found none of the deleted files. I ran a Deep Scan and grabbed all of the few Excel files it could find (and it should have found many). None of them were the one file she and I were exchanging. So, I'm not even finding the deleted files. She had over 1/4 of the drive free before this. So, I can't imagine they were written over in this period.

She has an SSD drive. Do they deal with deleted files differently?

Thanks!

Gary
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top