I would consider it highly suspect.
The only thing I'm aware of in recent months (and that March creation date would tally) that placed files in /Users/ is the Flashback malware. I don't recognise the filename from that episode, but others have tested it more thoroughly than I, so may be able to offer an opinion.
Ideally, go to Applications > Utilities > Java Preferences and uncheck the two boxes for Java SE6.
If you were seriously compromised, I think you would probably have had problems with Safari freezing or crashing, but better to be safe and do the checks.
We don't use \ in file paths on Mac, it's /. \ is used as an escape character in Terminal commands etc.
Hi. I found today, casually, an unknown folder in \Users\, named "jmoar", containing only the "Documents" folder and one file inside it named "InstallerTest.rtf".
I opened it from Terminal with nano and it doesn't appear suspicious; it only contains a string "installer test". I've searched for unusual users via dscl but I have not found any "jmoar". It seems that the folder was created 03-27-2012. I'm worrying about which program or who could have created it. What should I do more than delete the folder?
Although I agree with noondaywitch that it looks suspicious, it doesn't match any known variant of Flashback that I'm aware of. Only the System (root) should be able to create such a folder in /Users/ as Admins don't have write access to it. Flashback was able to create invisible files in /Users/Shared/ which is open to all.
Do you have any sharing options turned on? Are you on a WiFi network with less than WPA2 password access? Could anyone have had physical access to your computer? Is your Firewall enabled with Stealth Mode on? If Firewall logging is turned on check your appfirewall.log for anything suspicious on that date.
Use the Finder's Find (Command-F) command to search for kind filename or use Find Any File for the following strings (one at a time):
I wouldn't worry about it. Nothing is certainly going to be harmed by a wayward rtf file and installers have been known to "accidentally" leave crap lying around from the author's testing. That's where I think that stuff came from.
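Added example, not part of any post in this thread: a shell sketch of the check discussed above, listing folders under /Users that have no matching local account (as with "jmoar") together with their owner and modification time. The function names are hypothetical; `dscl . -list /Users` is the macOS account listing, with /etc/passwd assumed as a fallback on other systems.

```shell
#!/bin/sh
# Added example: find home-style folders that belong to no local account.

# Print local account names, one per line.
# macOS: directory services via dscl. Elsewhere (assumption): /etc/passwd.
list_accounts() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users
    else
        cut -d: -f1 /etc/passwd
    fi
}

# orphan_homes USERS_DIR ACCOUNTS_FILE
# Print the name of each directory in USERS_DIR that is not listed in
# ACCOUNTS_FILE (one account name per line). "Shared" is a standard
# macOS folder with no account behind it, so it is skipped.
orphan_homes() {
    users_dir=$1
    accounts_file=$2
    for path in "$users_dir"/*/; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        case $name in Shared) continue ;; esac
        # -x whole-line match, -F literal string: no regex surprises
        grep -qxF -- "$name" "$accounts_file" || printf '%s\n' "$name"
    done
}

# report [USERS_DIR]
# For each folder without an account, show owner, group and modification
# time, so the owner (root or a user) and the date can be compared with
# installer or firewall logs from the same day.
report() {
    users_dir=${1:-/Users}
    tmp=$(mktemp) || return 1
    list_accounts > "$tmp"
    orphan_homes "$users_dir" "$tmp" | while IFS= read -r name; do
        ls -ld "$users_dir/$name"
    done
    rm -f "$tmp"
}

# Usage: report /Users
```

A folder owned by root with no matching account fits the point made in the thread that only root can create entries directly in /Users/.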