Comodo Forum, Virus/Malware Removal Assistance
Topic: Finder.dat files in frequently used folders (Read 1886 times)

XP
« on: October 05, 2009, 03:22:12 PM »

Hello,

I found several "Finder.dat" files on my XP computer. They were to be found in frequently used folders but instantly disappeared when I googled for the files. As I have never ever been connected to a Mac and don't use Linux, I don't know how these hidden files came to my computer. Could it be that a Mac user spied on me and left his tracks on my PC?

eXPerience
« Reply #1 on: October 05, 2009, 03:36:32 PM »

Hi,

I doubt that this is actually an infection, but we'd better be safe than sorry.

Please try What to do if you're infected - eXPerience Rev.3.
After you are finished, please provide us with the A-Squared and Hijack This logs and the name(s) of the found virus(es).
This will give us the information we need to help you further, if needed.

eXPerience

XP
« Reply #2 on: October 05, 2009, 03:42:51 PM »

Thanks,

I'll run the scans,
but is it safe to post one's logs to this relatively large public?

eXPerience
« Reply #3 on: October 06, 2009, 02:32:15 AM »

Hi,

AFAIK the logs are just informative and do not give away any personal information (except the user account name you're using).

eXPerience

XP
« Reply #4 on: October 06, 2009, 09:38:33 AM »

Hi,

I'm experiencing difficulties posting this message. First of all, the HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:40, on 6.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\COMODO\COMODO Internet Security\cmdagent.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Avira\AntiVir Desktop\sched.exe
F:\Programme\a-squared Free\a2service.exe
F:\Programme\Avira\AntiVir Desktop\avguard.exe
F:\Programme\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Programme\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\Apoint2K\Apoint.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Programme\Apoint2K\Apntex.exe
F:\WINDOWS\system32\wbem\wmiapsrv.exe
F:\Programme\HPQ\Quick Launch Buttons\EabServr.exe
F:\WINDOWS\system32\dla\tfswctrl.exe
F:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\WINDOWS\system32\hphmon05.exe
F:\Programme\Lexmark X74-X75\lxbbbmgr.exe
F:\Programme\FreePDF_XP\fpassist.exe
F:\Programme\Avira\AntiVir Desktop\avgnt.exe
F:\Programme\Lexmark X74-X75\lxbbbmon.exe
F:\Programme\Java\jre6\bin\jusched.exe
F:\Programme\COMODO\COMODO Internet Security\cfp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\rundll32.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - F:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - F:\Programme\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] F:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "F:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Cpqset] F:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] F:\Programme\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [dla] F:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] F:\Programme\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] F:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Programme\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] F:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "F:\Programme\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "F:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = F:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - F:\Programme\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247826948570
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:    F:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Programme\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - F:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - F:\Programme\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - F:\Programme\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Programme\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7646 bytes
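The moderator's reading of the HijackThis log above (checking autostart paths, publisher strings and "(file missing)" entries) can be scripted. The following Python is an added example, not from the thread or from HijackThis itself; it parses constructed sample lines in the HJT v2 format and flags the entries a reviewer would look at first. The review rules and the trusted folder list are assumptions, not HijackThis logic.

```python
import re
# Constructed sample lines in HijackThis v2 log format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - F:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Updater] F:\Dokumente und Einstellungen\Y\Anwendungsdaten\updater.exe
O20 - AppInit_DLLs:    F:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")   # "O23 - Service: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl)\b", re.IGNORECASE)
# Assumed "normal" install roots on this machine (German XP uses "Programme" for Program Files).
TRUSTED_ROOTS = ("\\windows\\", "\\programme\\", "\\program files\\")

def parse_entry(line):
    """Split one HJT line into section code, body and the referenced file path (None if absent)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path_m = PATH_RE.search(m["body"])
    return {"section": m["section"], "body": m["body"], "path": path_m.group(0) if path_m else None}

def review_entry(entry):
    """Reasons a reviewer would look twice at this entry; an empty list means nothing unusual."""
    body, path, reasons = entry["body"], entry["path"], []
    if "(file missing)" in body:
        reasons.append("referenced file is missing: stale entry or a component that was removed")
    if entry["section"] == "O20":
        reasons.append("O20 entries load a DLL into every process or at logon; confirm the publisher")
    if entry["section"] == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher string")
    if path and not any(root in path.lower() for root in TRUSTED_ROOTS):
        reasons.append("autostart path outside Windows/Program Files: " + path)
    return reasons

def review_log(text):
    """Map each flagged log line to its review reasons; unflagged lines are left out."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        reasons = review_entry(entry) if entry else []
        if reasons:
            flagged[line.strip()] = reasons
    return flagged

if __name__ == "__main__":
    for line, reasons in review_log(SAMPLE_LOG).items():
        print(line, *("\n    -> " + r for r in reasons))
```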

XP
« Reply #5 on: October 06, 2009, 09:44:20 AM »

The other engines only found cookies. What puzzles me is that a2, having been run third, found 50 additional cookies.
As you suggested not to delete anything with a2, I left them all. They're in the same folders as the following two examples taken from the log:

Trace.TrackingCookie.ad.yieldmanager.com!A2
F:\Dokumente und Einstellungen\Y\Anwendungsdaten\Mozilla\Firefox\Profiles\lcefst0i.default\cookies.sqlite:1254815694375000    gefunden: Trace.TrackingCookie.ads.heias.com!A2

F:\Dokumente und Einstellungen\Y\Cookies\y@rubiconproject[2].txt    gefunden: Trace.TrackingCookie.rub!A2

eXPerience
« Reply #6 on: October 06, 2009, 10:34:56 AM »

> The other engines only found cookies. What puzzles me is that a2, having been run third, found 50 additional cookies.
> As you suggested not to delete anything with a2, I left them all. They're in the same folders as the following two examples taken from the log:
>
> Trace.TrackingCookie.ad.yieldmanager.com!A2
> F:\Dokumente und Einstellungen\Y\Anwendungsdaten\Mozilla\Firefox\Profiles\lcefst0i.default\cookies.sqlite:1254815694375000    gefunden: Trace.TrackingCookie.ads.heias.com!A2
>
> F:\Dokumente und Einstellungen\Y\Cookies\y@rubiconproject[2].txt    gefunden: Trace.TrackingCookie.rub!A2

Hi,

Most of the time you don't need cookies at all, so you can delete them using CCleaner or the Comodo System Cleaner.
I've looked at your HijackThis log and can't see anything unusual. Your computer should be safe.

I have no idea why all these finder.dat files are on your PC, but are you running any indexing software or the like? Perhaps that uses them?

best regards,

eXPerience

XP
« Reply #7 on: October 06, 2009, 11:16:45 AM »

Hi eXPerience,

thank you for answering.
I don't think I use any sort of indexing software. What really made me nervous was that I found these files once, and only in folders I had in frequent use. Once I searched on Google for "Finder.dat" they were gone and never appeared again. So I suspected someone spying on me who, when he or she found out I had switched on "show hidden files" and googled for it, immediately deleted everything.

eXPerience
« Reply #8 on: October 06, 2009, 11:34:14 AM »

> Hi eXPerience,
>
> thank you for answering.
> I don't think I use any sort of indexing software. What really made me nervous was that I found these files once, and only in folders I had in frequent use. Once I searched on Google for "Finder.dat" they were gone and never appeared again. So I suspected someone spying on me who, when he or she found out I had switched on "show hidden files" and googled for it, immediately deleted everything.

Hi,

I've also been searching on the net and can't seem to find anything about it either. You should keep a close eye on it.

Are you running CIS? If so, you can try blocking it to be certain?

eXPerience

XP
« Reply #9 on: October 06, 2009, 11:45:15 AM »

Hi, thank you eXPerience.

As far as I can see, you can only block files when you know the folder, path etc. As the Finder.dat appeared (from my point of view) randomly, I don't know how to block it for certain.

Best regards

EricJH
« Reply #10 on: October 06, 2009, 12:49:21 PM »

A picture sometimes tells more than a thousand words. Don't forget to push the + button to add to the list.

Can anybody confirm whether the wildcard I suggest is right?

XP
« Reply #11 on: October 06, 2009, 01:31:34 PM »

Perfect! Thank you!

But I really doubt finder.dat was the cause. I'll keep an eye on my connections and try to find out if there's more behind it.

Anyway, thank you for your help.

To ask you one more question: in the HJT log, was nothing suspicious to be found?
« Last Edit: October 06, 2009, 01:35:16 PM by XP »

XP
« Reply #12 on: October 06, 2009, 01:42:42 PM »

couplate (sorry for this expression)

while I'm surfing the Comodo forum I notice someone has turned my CIS off!!!!!!!!!
« Last Edit: October 06, 2009, 01:47:36 PM by XP »

EricJH
« Reply #13 on: October 06, 2009, 04:06:00 PM »

> couplate (sorry for this expression)
>
> while I'm surfing the Comodo forum I notice someone has turned my CIS off!!!!!!!!!

Please don't hijack somebody else's topic. What do you mean by CIS turned off? Can you be more specific?