Where did folder 愮敧n嬀条 come from?


I'm running MacOSX 10.6.4, and today I noticed an empty folder in my home directory named "愮敧n嬀条". I certainly don't know where this came from. Google translation tools don't say much that is useful; apparently the translation from Chinese to English reads "N Gui Yao Ji article". A Google search for the original or translated terms doesn't find anything useful.

According to Finder the folder was last modified on the 3rd of July at 13:22. According to Python's os.stat() on the file, the creation date is the same, which means that I ran something yesterday at that point in time which created the folder.

I have a Time Machine backup made a few hours before, at 11:21 of the same day, and when I open this backup the mysterious directory doesn't exist there.

I searched for all modified files on the 3rd of July with the Spotlight keyword search date:3/07/10-3/07/10. That shows I did run Steam and browsed some indie games. From my browsing I did run the demo of Chains and tried to run the demos of FiNCK and Saira under Wine without much success, since they refused to run.

Other than that I didn't run any other suspicious software. Does somebody know if this means I have a trojan running on the machine? Running ps ax doesn't reveal anything suspicious and I don't know what I can do to troubleshoot the issue further.

Grzegorz Adam Hankiewicz

Posted 2010-07-04T09:03:28.857

Reputation: 1 029

When you restore the system to before the folder was created, does the folder show up again if you open Steam? – Matan Eldan – 2010-07-04T09:32:49.500

I am Chinese and this certainly does not look like anything meaningful in any of the encodings I've tried. (Big5, GB, GBK, Shift-JIS, for traditional Chinese, simplified Chinese and Japanese respectively) – bubu – 2010-07-04T10:04:13.953



Everything is cleared now, thanks for the advice.

I did check the logs of /var/log/system.log.0.bz2 and found the following interesting lines:

Jul  3 13:22:44 amber UnmountAssistant[433]: Volume unmounted successfully
Jul  3 13:22:48 amber SIMBL Agent[297]: warning: failed to get scripting definition from /Users/gradha/Desktop/ChainsDemo.app; it may not be scriptable.
Jul  3 13:22:48 amber Agenoria[434]: Performance: Please update this scripting addition to supply a value for ThreadSafe for each event handler: "/Users/gradha/Library/ScriptingAdditions/SpiceShaker.osax"

The binary of the Chains demo is named Agenoria, and that's the same timestamp as the strange directory. I decided to create a test user account and run the demo from it. Just as expected, the first screen greeted me with a file error which I didn't remember, and there was the directory. Possibly the program is trying to create some .binary directory where it wants to save stuff and fails.

I'll send the report to the authors so they can solve this bug and tell other users. As far as I can see I have no trojan, the other programs (Steam, etc.) didn't have anything to do with it, and just in case I installed MacScan which reported zero problems after a full scan.

Here's a screenshot of the user session where I recreated the mistake:

enter image description here

Grzegorz Adam Hankiewicz

Posted 2010-07-04T09:03:28.857

Reputation: 1 029


It could be malware, but without any content and no valid name it doesn't seem so.

My guess is some sort of data corruption.

Additionally, because the characters are all valid Unicode, chances are that it was data corruption in a program that represents data internally as UTF-32 or UTF-16. A game ported from Windows maybe? You mention Python and it uses UCS-2 which is a variant of UTF-16. If you use Python a lot I would blame a bug there.

Corruption creating valid yet meaningless UTF-8 strings is very unlikely.


Posted 2010-07-04T09:03:28.857

Reputation: 63
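
A triage check for the UTF-16 hypothesis in the answer above, added here as an example and not part of the original posts: re-encode the odd name as UTF-16 in both byte orders and look for printable ASCII runs, which is what appears when 8-bit text was handed to an API expecting 16-bit characters. The function names and the ".savegames" sample are constructed for illustration; on the folder name from the question the little-endian bytes begin with ".agen", which lines up with the Agenoria binary named in the system log.

```python
import string

# Printable ASCII bytes, excluding control whitespace (tab, newline, ...).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

def ascii_runs(raw: bytes, min_len: int = 3) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    runs, cur = [], bytearray()
    for b in raw + b"\x00":              # trailing NUL flushes the last run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur.clear()
    return runs

def undo_utf16_misread(name: str) -> dict:
    """Map codec -> (raw bytes, ASCII runs) for both UTF-16 byte orders.

    If 8-bit text was misread as UTF-16, encoding the garbled name back
    with the same byte order recovers the original bytes.
    """
    out = {}
    for codec in ("utf-16-le", "utf-16-be"):
        try:
            raw = name.encode(codec)
        except UnicodeEncodeError:       # lone surrogates cannot be re-encoded
            continue
        out[codec] = (raw, ascii_runs(raw))
    return out

FOLDER_NAME = "愮敧n嬀条"                 # the name from the question

if __name__ == "__main__":
    for codec, (raw, runs) in undo_utf16_misread(FOLDER_NAME).items():
        print(f"{codec}: {raw!r} -> ASCII runs: {runs}")
    # Constructed sample: an ASCII path fragment misread as UTF-16LE.
    garbled = b".savegames".decode("utf-16-le")
    print(garbled, "->", undo_utf16_misread(garbled)["utf-16-le"][1])
```

A name whose bytes turn into readable ASCII in one byte order points to an encoding bug in whichever program wrote it; the embedded NUL bytes in this one also suggest the program read past the end of a C string.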