invisible files starting with .pbz.qriba in prefs folder

Because I am a curious person and rather concerned for my privacy, I regularly check for unknown processes, check the Application Support folder, use Little Snitch and VirusBarrier, and use GPG, to give you an idea where I come from.

The last two days I have been looking for an invisible file that begins with .pbz, for example .pbz.qriba-grpuabybtvrf.guvaxceb2

On the web I can find almost nothing, but now I stumbled across something. Every time I sync Devonthink (via Dropbox and Direct Connection) a file beginning with .pbz.qriba- is created.

It is an XML file containing email addresses. In some cases I checked the domains from the emails checked in the file; in two cases VirusBarrier warned me a web threat is being downloaded to my computer.

Are there more people here that have these XML files in their preferences AND Application Support folders?


EDIT: Removed email addresses. Please don’t post personal information on public forums, even of suspected pirates. :)

In my experience, Little Snitch and VirusBarrier are more likely to cause problems on a Mac than to help protect it. :)

I have no issues with VirusBarrier or Little Snitch; they can cause problems, I know.
The files are definitely created by DevonThink. Paste the file name in the Cypher field of this site: “pbz.qriba-grpuabybtvrf.guvaxceb2” and tell me what you see.

Guvf vf qrsvavgryl abg n Yvggyr Favgpu be IvehfOneevre eryngrq vffhr.
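The file name quoted above is ROT13-encoded, and decoding it names the application that owns the file. The following is an added example, not part of the original thread and not DEVONtechnologies code: it scans folders for hidden files whose names decode to a reverse-DNS style identifier. The function names, the prefix list and the scanned paths are assumptions made for illustration.

```python
import codecs
import re
from pathlib import Path

# Assumed list of reverse-DNS prefixes worth flagging once decoded.
TLD_PREFIXES = ("com.", "org.", "net.", "de.", "io.")
# Shape of a bundle-style identifier, e.g. com.vendor.product
BUNDLE_ID = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def decode_hidden_name(name):
    """Return the ROT13-decoded identifier for a dotfile name, or None."""
    if not name.startswith("."):
        return None  # only hidden files are of interest here
    decoded = codecs.decode(name[1:], "rot_13")  # digits, dots, dashes unchanged
    lowered = decoded.lower()
    if lowered.startswith(TLD_PREFIXES) and BUNDLE_ID.match(lowered):
        return decoded
    return None


def scan(directories):
    """Map each hidden file with an encoded reverse-DNS name to its decoded id."""
    hits = {}
    for directory in directories:
        directory = Path(directory).expanduser()
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            decoded = decode_hidden_name(entry.name)
            if decoded:
                hits[str(entry)] = decoded
    return hits


if __name__ == "__main__":
    # Assumed locations: the two folders discussed in the thread.
    folders = ["~/Library/Preferences", "~/Library/Application Support"]
    for path, owner in scan(folders).items():
        print(f"{path} -> {owner}")
```
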

I have the same file with the same content in ~/Library/Application Support. Its modification date changes each time I quit DEVONthink Pro Office. (No sync running here.)

The file is indeed in the Application Support folder as well. I was very relieved to find out DT was the culprit. I was really terrified these email addresses were used by another process, a process sending out information from my computer.
Call me paranoid, but I don’t understand why these email addresses belong on my Mac.
Do you have the same list in that folder?

Yes, as said, same file, same content. But as it comes from DEVONThink, I don’t worry.

There may also be at least some ~/Library/.rdb.* and /Library/Application\ Support/.htr.* files that Dtech software creates and uses.

Glancing casually, this seems to contain a list of strings similar to DEVONthink license numbers. I’m guessing they correspond to pirated license numbers found on the 'tubes and the emails of people distributing them.

Nothing to see here, move along.