.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
MadMacs0 wrote:
etresoft wrote:
Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99
Not sure why you find Symantec any more reputable, but I'll accept it as a data point. Be interesting to know if they have changed any of the numbers since September.
My first compiler was Symantec's THINK Pascal back in 1987. It could do things even Xcode can't do today. They have been around for a long time. Kaspersky and Dr.Web are trying to use sensational reports to drum up new business. Symantec already has most of that business and has for many years. Their consumer-grade Norton products have a bad reputation, but their enterprise anti-virus software is very good. I have it on my work machine (although not by choice). So yes, I trust them more than Dr. Web.
WZZZ wrote:
Has anyone determined what mkeeper (MacKeeper) and com.zeobit (MacKeeper developer) are doing here?
There is one subversion of BackDoor.Flashback.39 which is disguised as MacKeeper.
MadMacs0 wrote:
lytic wrote:
Submit your Mac UUID to this Express-check form.
Doctor Web will check if there was a connection from your computer to the botnet control server.
First I wanted to pass on my thanks for providing this service to the Mac Community. It should prove to be very useful. But I do want to also make some observations concerning feedback I'm getting on this site. Sorry to do so in such a public manner, but I don't know any other way of communicating with you.
I've had a couple of users get back to me saying that you did not find them in your database therefore they were clean and going about business as usual. If I understand the methodology you used correctly then your database may contain as little as 5% of the 600,000 you estimated were infected at the time. If that is correct I think you need to add emphasis on the site that users who are not identified in your database need to take further steps to check, such as downloading Dr.Mac Light.
Next, some of us are paranoid about entering identity information on any site for any reason. Nowhere on the web site is there a link to your privacy policy explaining to us what you will do with this information. Not a complete solution, but much better than nothing.
Also, it doesn't comfort us to find that the url given is not https: (i.e. using SSL) so our UUID is being broadcast over the internet in the clear. I'm not aware of any way that such information can be exploited (other than what's currently going on with Flashback), nevertheless it's still identity information and sooner or later somebody will figure it out.
And when I attempt to force SSL I get this:
So if you can persuade the powers that be to update the site you'll turn a good service into a great one, IMHO.
Thanks for your advice! We haven't had much time in the last week. We will try to make the service better.
I don't know why I replied to your note... I will add my question to the original question..
If I understand correctly ".rserv" is malware and should be blocked from connecting to the websites? Am I correct?
I tried to kill these process IDs for .rserv but they change and I can't get the correct ones. I also attached three screenshots which show the websites it wants to connect to (sites vary every day).
If you elect to block it with Little Snitch then block "Any connection", forever. But it is better to just delete the app entirely. In terminal:
rm -rf ~/.resrv
You should also delete the launch agent in your Library/LaunchAgents. But this thread has gone on so long I don't remember which launch agent that was at this point. If it wasn't mentioned (not going back 15 pages to find out) then copy/paste this in the terminal:
grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"
It will tell you which launch agent it is. The output should reference /Users/chadonline/.resrv.
Once you delete the launch agent, log out and back in. Then all this .resrv stuff will be history and you don't have to have the Little Snitch rule.
chadonline wrote:
If I understand correctly ".rserv" is malware and should be blocked from connecting to the websites? Am I correct?
I tried to kill these process IDs for .rserv but they change and I can't get the correct ones. I also attached three screenshots which show the websites it wants to connect to (sites vary every day).
Thanks for posting those as it verifies my latest theory that the process contacts a variety of servers either in rotation or at random. Also note that the IPs might even be the actual bad guys.
Waded back and found the LaunchAgent...it's "com.adobe.reader" with a lower case "R".
Thanks for hunting that down. Ok, so chadonline, here are both deletes to remove this stuff:
rm -rf ~/.resrv
rm -rf ~/Library/LaunchAgents/com.adobe.reader
Again, remember to logout and log back in after deleting the launch agent.
I don't see how having this value means I'm infected:
[mac]$ defaults read ~/.MacOSX/environment
{
PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";
}
seems to be just a path variable...
Whoever said having that implied you were infected?
By any chance do you use BBEdit? I just read that BBEdit utilized the environment.plist machinery (but I don't have later BBEdits so I cannot verify that). It is not a trojan. They use it for their own purposes.
That path list includes a reference to git. So are you using some git package? Again, it's a "legal" use of environment.plist for its purposes too.
Of course if you cannot explain who created that path list I would remove it. May not be trojan related but personally I don't like unexplained stuff installed into my system and would just remove it. See what breaks. And then if I decide that was the cause, put it back if I really want whatever broke to work again. That's a general statement. I definitely don't want something else messing with the $PATH that I set up in my own shell environment.
These are rare instances (well maybe not so rare if BBEdit is actually doing this). For the vast majority of users there is no ~/.MacOSX directory so that publicized defaults read is "good enough". Heck, that seemed to be a fairly unknown mechanism until all this trojan stuff occurred. Now I guess everyone knows about it.😉
I believe you said that, here:
https://discussions.apple.com/thread/3844172?answerId=18053802022#18053802022&ac_cid=142432#18053802
For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.
Perhaps I misread what you meant?
You didn't misread it. But see my last paragraph in my previous post. It's hard to describe a set of instructions that doesn't turn everyone off from trying and summarize the general results briefly. Those cover the majority of users. There's always exceptions. That's what followup posts like yours are for. I really didn't want to clutter up the general results with possible exceptions.
Oh, in that line you quoted, I did say "almost"! 😉
easthollow wrote:
I don't see how having this value means I'm infected:
You're not. The presence of <~/.MacOSX/environment.plist> is not an indication of infection, only the presence of the DYLD_INSERT_LIBRARIES key in this file is an indication of infection. Note again, that the presence of this key in another file is also not necessarily an indication of infection. But the key is primarily designed for testing, so it shouldn't be present in the config file of a finished app like Safari or Chrome.
X423424X wrote:
personally I don't like unexplained stuff install into my system
My feelings exactly. I would do as X423424X suggests, unless you know already what requires it.
that seemed to be a fairly unknown mechanism until all this trojan stuff occurred.
Well, it was not unknown to those who needed it. It's even had a GUI for quite a while now
<http://www.rubicode.com/Software/RCEnvironment/>
It's the only way to set per-user environment variables for GUI apps.
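The two indicators discussed in this thread, a LaunchAgent whose program lives in a hidden dotfile directly under the home directory (the grep in the removal instructions above) and a DYLD_INSERT_LIBRARIES key in ~/.MacOSX/environment.plist (MadMacs0's reply above), can be checked read-only with the script below. It is an added example, not code from the thread or from any of the posters, and it takes the home directory as a parameter so it can be run against a copied user profile on any POSIX system. The constructed sample home, the com.example.* agent names and the function names are assumptions for illustration; it also assumes environment.plist is XML text, whereas on a live Mac `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` would read a binary plist as well.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for the two indicators
# discussed above. The home directory is a parameter so the checks can be run
# against a copied profile on any POSIX system. Assumption: environment.plist
# is XML text (plain grep is used so the example runs outside macOS).

# Constructed sample home directory (not real data) exercising both checks.
SAMPLE_HOME="${TMPDIR:-/tmp}/flashback_check_demo.$$"
mkdir -p "$SAMPLE_HOME/Library/LaunchAgents" "$SAMPLE_HOME/.MacOSX" "$SAMPLE_HOME/.Trash"

# Agent pointing at a hidden dotfile in the home directory, shaped like the
# one described in the thread (constructed stand-in, not the malware's file).
cat > "$SAMPLE_HOME/Library/LaunchAgents/com.example.hidden.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.hidden</string>
  <key>ProgramArguments</key><array><string>$SAMPLE_HOME/.rserv</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF

# Benign agent that only mentions a trashed item; the .Trash filter must skip it.
cat > "$SAMPLE_HOME/Library/LaunchAgents/com.example.benign.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>$SAMPLE_HOME/.Trash/old-tool</string></array>
</dict></plist>
EOF

# environment.plist carrying a harmless PATH plus the suspicious key.
cat > "$SAMPLE_HOME/.MacOSX/environment.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PATH</key><string>/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin</string>
  <key>DYLD_INSERT_LIBRARIES</key><string>$SAMPLE_HOME/.rserv/lib.dylib</string>
</dict></plist>
EOF

# A second, clean home: PATH-only environment.plist (the BBEdit/git case
# discussed above) and no launch agents at all.
CLEAN_HOME="$SAMPLE_HOME.clean"
mkdir -p "$CLEAN_HOME/.MacOSX"
printf '<plist version="1.0"><dict><key>PATH</key><string>/usr/bin:/bin</string></dict></plist>\n' \
  > "$CLEAN_HOME/.MacOSX/environment.plist"

# Print every LaunchAgent line that references a hidden path directly under
# the given home directory, ignoring .Trash (same filter as the thread's grep).
# Exit status 0 when at least one hit is printed, 1 otherwise.
hidden_path_agents() {
    home="$1"
    grep "$home/\.." "$home"/Library/LaunchAgents/* 2>/dev/null |
        grep -v "$home/\.Trash"
}

# Exit status 0 only if environment.plist exists and names DYLD_INSERT_LIBRARIES.
# A missing file is the normal case for most users; a PATH-only file is not a hit.
env_plist_has_dyld_insert() {
    plist="$1/.MacOSX/environment.plist"
    [ -f "$plist" ] || return 1
    grep -q DYLD_INSERT_LIBRARIES "$plist"
}

# Summarise one home directory as a single word, for scripting or reporting.
assess_home() {
    verdict=clean
    hidden_path_agents "$1" >/dev/null && verdict=suspicious
    env_plist_has_dyld_insert "$1" && verdict=suspicious
    echo "$verdict"
}

# Remove the constructed sample directories once done.
cleanup_demo() { rm -rf "$SAMPLE_HOME" "$CLEAN_HOME"; }

echo "sample home: $(assess_home "$SAMPLE_HOME")"   # suspicious
hidden_path_agents "$SAMPLE_HOME"                    # shows the offending agent line
echo "clean home:  $(assess_home "$CLEAN_HOME")"    # clean
```

Run it against a real profile by calling `assess_home /Users/<name>` and then `hidden_path_agents /Users/<name>` to see which agent file to inspect; the script never deletes anything outside its own constructed sample directories, so the removal steps posted above remain a separate, deliberate action once a hit is confirmed.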
Apple develops tool to 'detect and remove' Flashback Trojan
I got lots of bits and pieces of information from this thread and thought I would post what I found and did just to help out the next person.
I originally got an email from the network admin saying my computer had the Flashback virus. The terminal commands from F-Secure did NOT detect the virus.
I then ran Little Snitch and it informed me of two programs
.aman and .flserv
both located in /user/primary.
These programs were trying to connect to