.rserv wants to connect to cuojshtbohnt.com

I have the message:


.rserv wants to connect to cuojshtbohnt.com


what is .rserv? I googled it and couldn't locate anything legitimate.


thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM

Question marked as Top-ranking reply

Posted on Mar 31, 2012 6:21 PM

I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.


😮


I'll do a text level search of the whole drive and report back if I find something.


GL

228 replies

Mar 31, 2012 8:21 PM in response to sthej

So it also tells you the pathname to the process requesting the connection. Mouse over the "wants to connect" message and a "Show Details" button will appear. Click it and you will see the pathname ("Established by"). What is that pathname? Note you can select that pathname in the LS window and copy/paste it to your post.


If it were me I would block it, see if anything critical fails (I doubt it), and if you really decide you need it, unblock it later.

Mar 31, 2012 8:38 PM in response to trungson

I had the same experience tonight. Lil Snitch blocked it. The guilty application is Splashtop Streamer. I am going to delete it.


ps ax | grep -i rserv

53 ?? Ss 0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
196 ?? S 0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
468 s000 S+ 0:00.00 grep -i rserv

Mar 31, 2012 8:40 PM in response to sthej

sthej wrote:


I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?


I don't know why you reinstalled at all if you blocked it. If you had looked at the pathname like I described you could have just removed the offending software if it isn't system software.


I also assume that if you blocked it before you reverted your system from the backup it is no longer blocked so you will still get a chance to check the pathname should it occur in the future. And if you somehow blocked it after reverting the system then open LS and uncheck the checkbox next to the blocking rule so that you get the LS dialog again when a call attempt is made. Then you can again still get a chance for getting the pathname.

Mar 31, 2012 8:47 PM in response to trungson

trungson wrote:


I renamed it and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Is there anywhere I should send it for fingerprinting/investigation? Looks like a virus to me, but I don't know why I got infected.. Hmm


It? You never said what "it" was so I cannot comment one way or another what "it" is.


Is "it" "Splashtop Streamer" that bgw1 reported?

Mar 31, 2012 9:16 PM in response to X423424X

Little Snitch details:

".rserv"
wants to connect to cuojshtbohnt.com on TCP port 80 (http)

IP Address 72.215.225.9
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514

I looked at Process 514 in Activity Monitor. It was running out of dyld cache. Unfortunately it terminated while I was checking something else before I could copy the text.

Whois says the IP address is related to one of these:

NS3.THEMADDENSHOME.COM
NS2.XVIDSPOT.COM
NS1.XVIDSPOT.COM
PRODIIS.INTERNETRTI.COM

Mar 31, 2012 9:19 PM in response to bgw1

bgw1 wrote:


I am going to delete it.

Guys. You may be on to something here. Don't rush to delete stuff before we know what it is.

The guilty application is Splashtop Streamer.

No, it's not. The two processes listed as belonging to Splashtop Streamer would show up as "SRServiceDaemon" and "SRServiceAgent", not as ".rserv". They are caught because grep was case-insensitively searching for "rserv", and their names do contain the string "RServ". If it doesn't show up, it means it wasn't active when you ran ps.


This is definitely worth digging into. I find the process name ".rserv" extremely suspicious because it begins with a dot. The two sites it has been reported as trying to connect to are also extremely suspicious. You need to get its full information, including path, from Little Snitch. Also, use Find File or Find Any File and search your whole hard drive for any file whose name contains the string "rserv". A file name like ".rserv" would hide it from the casual user, which makes it even more suspicious, but both FF and FAF should find it.
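As an added example (not code posted in this thread), the shell script below shows the two points made in the reply above: why `ps ax | grep -i rserv` also catches Splashtop's SRServiceDaemon and SRServiceAgent, how to match only a process whose executable is literally named `.rserv`, and how find(1) turns up a dotfile that Finder and a plain `ls` hide. The ps lines are constructed sample input laid out like the thread's `ps ax` output (the PID 514 line is assembled from the Little Snitch details posted earlier, not a real capture), and the directory tree is a throwaway created under mktemp.

```shell
#!/bin/sh
# Constructed sample of "ps ax" output in the layout shown in the thread.
# Fields: PID TT STAT TIME COMMAND. Not a real capture.
SAMPLE_PS='   53 ??  Ss     0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
  196 ??  S      0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
  514 ??  S      0:00.01 /Users/EirUser/.rserv
  468 s000 S+    0:00.00 grep -i rserv'

# Loose match, exactly what the thread ran: a case-insensitive substring search.
# "SRServiceDaemon", "SRServiceAgent" and the grep process itself all contain
# "rserv" when case is ignored, so this reports four hits, three of them noise.
loose_matches() {
    printf '%s\n' "$SAMPLE_PS" | grep -i 'rserv' | wc -l | tr -d ' '
}

# Strict match: take the first word of the COMMAND column (the executable
# path), strip the directory part, and require the basename to be exactly
# ".rserv". Prints the PID of each match; here only 514.
strict_matches() {
    printf '%s\n' "$SAMPLE_PS" | awk '{
        path = $5                       # first word of the command
        n = split(path, parts, "/")     # parts[n] is the basename
        if (parts[n] == ".rserv") print $1
    }'
}

# A file named ".rserv" in a home directory does not show up in Finder or in
# "ls" without -a, but find(1) sees it. Build a scratch tree (hypothetical
# layout, created under mktemp) with one hidden ".rserv" and one decoy whose
# name merely contains "rserv", then search for the exact hidden name.
find_hidden_rserv() {
    root=$(mktemp -d)
    mkdir -p "$root/EirUser/Documents" "$root/Other"
    printf '#!/bin/sh\n' > "$root/EirUser/.rserv"
    chmod 755 "$root/EirUser/.rserv"
    printf 'notes\n' > "$root/Other/rserv.txt"       # decoy, not matched
    # -name '.rserv' is an exact filename match, so the decoy is skipped.
    find "$root" -type f -name '.rserv' | sed "s|^$root||"
    rm -rf "$root"
}

# Stand-alone run: show the difference between the two process searches and
# the hidden-file result.
echo "loose (grep -i rserv) hits: $(loose_matches)"
echo "strict (.rserv basename) PIDs: $(strict_matches)"
echo "hidden .rserv files: $(find_hidden_rserv)"
```

The practical point for anyone reading the thread's ps output: a case-insensitive grep is fine for a first look, but before blaming an application, check the basename of the executable in the COMMAND column and compare it with the "Established by" path Little Snitch reported.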
