pe_rom.dll detected as Trojan.Gen.SMH.2

Norton Security Suite v 21.0.7.11

Windoze: 8.1 Pro x64

MoBo: Asus Maximum Formula VI

Seeing recurring Block of subject file being detected as Trojan.Gen.SMH.2 as described below. However, the file does not exist in the described location. Instead, there is only a similarly named file pe_file.dll. This raises the following questions.

Questions:

  1. What are the actions NSS takes to perform a "Block"?
  2. Given that NSS performed the block first on 20150703 and then again on 20150708, what occurred that the same file had to be blocked again?

Filename: pe_rom.dll
Threat name: Trojan.Gen.SMH.2
Full Path: c:\windows\pe_rom.dll

____________________________

Details
Unknown Community Usage,  Unknown Age,  Risk High

Origin
Downloaded from
 Unknown

Activity
Actions performed: 1

____________________________

On computers as of 
7/3/2015 at 4:29:05 PM

Last Used 
7/3/2015 at 4:29:05 PM

Startup Item 
No

Launched 
No

____________________________

Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

____________________________

Source: External Media

____________________________

File Actions

File: c:\windows\ pe_rom.dll Blocked
____________________________

File Thumbprint - SHA:
c657ffae5283dc61ec540929e21826d1c04701e57f97e32371d21cf0af3aaf0a
File Thumbprint - MD5:
Not available

Replies

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Virus Total reports old information <here> 
File / URL / Search at VirusTotal or upload file to VirSCAN and/or Jotti.

and/or submit for review analysis How to report false positives

Trojan.Gen.SMH.2 (July 22, 2014) info
http://www.symantec.com/security_response/writeup.jsp?docid=2014-072213-5317-99

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

These tools provide a means to analyze a suspected file. As I tried to state in my original problem description, the pe_rom.dll file cannot be found. The detection was against pe_rom.dll yet the only file that resembles it is pe_file.dll. Thus, I cannot submit the file for analysis. This is why I asked for the list of actions NSS takes when performing a "Block".

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello

Are you asking about Norton Security Suite?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

tocguy:

These tools provide a means to analyze a suspected file. As I tried to state in my original problem description, the pe_rom.dll file cannot be found. The detection was against pe_rom.dll yet the only file that resembles it is pe_file.dll. Thus, I cannot submit the file for analysis. This is why I asked for the list of actions NSS takes when performing a "Block".

Aha,  I hear ya' now.    Only that you posted detailed info from Norton.  You can use that info to submit for review analysis How to report false positives

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Yes, specifically Norton Security Suite version 21.0.7.11.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

OK, but again, I cannot submit the allegedly infected pe_rom.dll file for analysis because it is not found in the location stated by NSS Security History. Additionally, File Search also cannot locate the suspect file.

Is NSS confused about the filename?

Has NSS moved the file?

Has NSS renamed the file?

Has NSS hidden the file?

What is the compelling evidence that this may be a False Positive?

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

tocguy:  What is the compelling evidence that this may be a False Positive?

based upon https://community.norton.com/en/comment/6477231#comment-6477231 and the signature is generic and may need tweaking.   Finding a dll....maybe you need the executable to launch the dll...
On my machine I would see what Norton says... they're usually quick and painless.   Maybe you do not have enough info.  Only Norton can tell ya'.   $.02

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Umm, are you aware that the evidence you are presenting in support of this being a False Positive is this very thread. Plz double-check the URL you included. It appears the link you included has created some circular logic.

I appreciate your trying to help but as for the rest of your post, perhaps it is based on info to be obtained from the intended rather than posted URL but at present it is undecipherable to me.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

I pointed back to my earlier message because you asked why I'm thinking False Positive.
Norton Community is peer support.   Hopefully, another peer will satisfy. 

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Ah, ok. However, is it also possible that earlier signature files did not detect the Trojan? I understand what you are saying about it possibly being a FP but until I can obtain answers to my questions I don't know how to proceed.

Questions:

  1. What are the actions NSS takes to perform a "Block"?
  2. Given that NSS performed the block first on 20150703 and then again on 20150708, what occurred that the same file had to be blocked again?
  3. Is NSS confused about the filename?
  4. Has NSS moved the file?
  5. Has NSS renamed the file?
  6. Has NSS hidden the file?
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Noted:  I'll follow your Topic with interest.  Thanks

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello

Have you checked in Norton History if there is anything reported in Resolved Security Risks, Unresolved Security Risks, or Quarantine? Also please run Norton Insight Scan. Check in Security History also to see if Norton Community Watch has submitted this mystery file?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

My OP contained the details that were extracted from File Insight that itself was contained within Resolved Security Risks. All of your questions are addressed in my OP.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello

Is your external media always connected to your computer?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

That, I assume, indicates the presence of our Media server which is a separate, networked computer. I find no "pe_" files of any kind located there.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

NSS keeps alerting that the same file is being Blocked on every boot yet it cannot be found anywhere.

Ran DISM check - nothing.

Ran SFC check - nothing.

Ran NSS Full System Scan - nothing.

How do I troubleshoot this?

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

PE_Rom.Dll
MD5:
    b9909f6934e7e26cb032ff96b9dbb7f6
SHA1:
    b9e84e87fee3d3bc7caf10119577f5e11b9b083b
SHA256:
    1e872ee4299f208ae871750a5d325f40caea678bbd246471d07b37f4903a5b1d
Size:
    880880
Directory:
    %PROGRAMFILES%\ASUS\ASUSUpdate

Also

\Program Files (x86)\ASUS\AI Suite III\EZ Update\EzUpdt.exe

This file seems to make itself known when Asus Update does its thing. It's annoying that NIS also detects and blocks this. It generally occurs on bootup. Today I tried running ASUS ezUpdate; it has been blocked from accessing the server, yet I cannot configure NIS to allow it. I am seriously starting to look for alternative security as I have no time for all this.

It seems since the latest program updates preparing for Win 10, every other minute I am trying to direct Nortons to understand that half of the files on my computer are NOT suspicious. The latest I can add to this list is CuteFTP.exe. It's getting ridiculous.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

@Sunil_GA

    Can you help apanis with this Asus file that is getting blocked every day. It is a necessary file for Asus motherboard functions to occur. It gets blocked after every restart or startup of the computer I believe with NIS and N 360 updated.  I have the same file, but my NS 22.5 flags it, but it is just sent to Norton Community Watch and not blocked. But it does get sent there and a sample sent also for months now. I have this computer for 2 years next month and my previous computer also had a different Asus motherboard and I believe it might have been flagged then as, but I am not sure about the old, dead computer. Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

As far as I understand this file, it is NOT a vital file for the Asus motherboard functions to occur. As far as I understand motherboards, the only thing they rely on to operate is a BIOS. Anything else I would consider to be BLOATWARE. EzUpdate at best is a fail. Windows Update on the other hand should supply an operating system with the appropriate files to function correctly with any current motherboard. Short of files like Inf_Update for a motherboard and possibly SATA inf files, I can't see why anything else would be necessary. Motherboard files can be downloaded directly from ASUS; I would see this as a preferred process.

I operated my last motherboard without loading a single file that came with the board, windows update supplied the necessary software. But having said that I know very little about anything much, I am probably out of my league in here..

--=====================================================--

To start off I have gone into NIS settings/firewall/program control/

and manually "allowed" all connections to EzUpdt

I don't know much about all this stuff so as a layman here is what I have found:

PE_Rom.Dll will only load (appear) when it is called on. I believe it is called on when Asus EzUpdate is in a process. It is loaded into RAM.
Then when the process is completed PE_Rom.Dll goes back to where it came from. It is not a physical file that exists on the computer hard drive until this process starts.

If you open ASUS EzUpdate and ask it to check for updates, before clicking on "connect" open Windows explorer, do a search for PE_Rom.Dll, you will see it physically in C:\Windows

The last time this file was detected I asked NIS to allow it. I have since cleared my NIS recent history so I am unable to provide any further details. It would seem that the combination of allowing EzUpdate through my firewall and "Allowing/Ignoring" the file when last detected as a trojan, did the trick. Time will tell.

I hope I was of some assistance.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Given that this Mobo's drivers are no longer updated by Asus I've removed their EzUpdate app and eliminated this recurring issue. For those with newer Asus boards you may need to create a Firewall and/or Virus Detection rule permitting the process to run.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Running Norton Power Eraser fixed this for me.

Hope that helps.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

The OP answered the questions in detail, and I get the same problem.  It would appear to me as two items: first, Norton 360 and Windows 10 cannot function together effectively at all.  Second, the separation into 360 and Utilities has created such a problem it's ridiculous.  It went from 360 down to Norton 160 after they separated the utilities and the actual virus software, and when the complaint was filed, the response was users don't use it.  I use this software currently, but once my sub runs out I will find a new software to use.  After Utilities runs its little gig it screws up the vault, and sends it into a loop as well.  Norton no longer seems effective as a valid security suite.  Just the adware that I have to block to post is insane.  My suggestion to the original post: get rid of Norton's, period.  Even getting on the forums, it gave me a suggested name, then said it was taken.  Yes, it's taken by my account, and I did a little hoop jumping around that.  The programmers have gotten lazy, the software is malfunctioning, and they are four steps behind Windows 10.  This is the same reason why I dropped TrendMicro after they dumbed down their software to be nothing more than a pretty GUI.  I know it isn't because they didn't have time to work with it.  I had my evaluation copy of Windows 10 a year ago, and they seem to have gotten it after release.  Is this a true Trojan based on the original post? Who knows; the question hasn't been answered and just danced around.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Todd, nothing you just ranted on about has anything to do with the original post. If you had read the thread you would have discovered that this is an ASUS software issue regarding an action that lives in a dll file alerting Nortons (possibly justifiably) to a possible threat. It's what I think is called a false positive that just needs communication between ASUS and Nortons developers.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello Tony & Mohan

Has there been any communication between Asus and Symantec concerning this .dll being mentioned in this thread? Any resolution to it?

Thanks.

@Tony_Weiss

@Mohan_G

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

I had the exact same problem. I actually reinstalled Windows 10 once and secondly restored from a system image in order to rid my computer of the problem. I created the system image the first time I reinstalled my machine, and before I installed anything from Asus (ONLY Windows 10, Nvidia drivers, Norton and Google Chrome). Upon restoring from the system image I then proceeded to install the drivers for my Asus sabretooth z97 motherboard. This was with Norton already up and running. Not a problem so far. The driver installs required rebooting the computer a few times, which I did. Again not a peep from Norton. Then I installed the first utility, which was Asus AI Suite 3. Only then did Norton recognise and "block" the file pe_rom.dll. Of course I couldn't find the damn file either. Owing to the fact that the last action I performed on the computer was installing the Asus utility from the supplied CD, I considered it likely to be a false positive. I then excluded the file from future scans by Norton, and pe_rom.dll now shows up within the Windows folder, exactly where it was supposed to be. That was half an hour ago.

Edit: I have just done a Norton File Insight on the file and it says Norton has given this file a favourable rating. Also EZ Update seems to be a feature of the AI Suite 3, at least on my machine anyway.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello

I have had various Asus motherboards over the years that came with Al Suite 3 and EZ Updater. I have never had any problem with that .dll. Now I am on Windows 7. My current computer was just 2 years old in Aug. I am also on NS so don't know if the o/s and the security program makes a difference here.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

I just had this come up.

I don't know much about security software, so I normally let Norton do its thing; however, this time it said the file was on computer for 2 years, and thousands of users had used it.

So why is Norton suddenly pulling it now? How do I know if it's safe or not? Does this mean Norton failed to recognise a virus file for 2 years? There's no information about it in Norton so help me decide what to do with it.

Also, why does this forum auto complete with my Norton username and password, then send me an email saying I've created a new account, and now it seems I have NO devices; before I had about 10 protected devices. Has Norton lost everyone's account details!?

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

The post has to do with ASUS MOBOs and their updater, specifically the EZ Updater, which has never really worked ever.  The fact that Norton decides it's a Trojan now, and not in Win7, 8, 8.1 is amazing.  I did find it amazing that AFTER they decided to separate the utilities, and the what they called a complete package it can pick it up.  As far as a false positive, Norton's puts up a lot of them; I have dealt with it on a constant basis.  Hacking around Norton's super security is easy, and getting in to bypass admin passwords, rights, privileges, and switching users to be admins, wiping out admin passwords is kind of a huge thing.  Takes about 4 minutes to do it, muddling around.  That's using crap software to bypass Norton's, which I still tell people to buy currently.  Norton needs to do some communicating with a few vendors out there, and tighten up on boot ups, and the ability to provide security when physical access is available.  People think a lot in the logic world, not enough in the physical one, sorry to say.  Here, have a go at this for fun.  Download a few antivirus software suites of your choice, run them on a system with a virus and see who picks up what.  Ranting about security and false positives has everything to do with security.  Anyone who works in the field will tell you that hackers are always ahead of the security specialists; you can watch it live on a few sites.  If it is picking up this junk as a false positive, removing it, and just unable to find it; what is going to happen when I set up a honey pot?  Is it going to divert the traffic back to my actual system, because of a false positive? ack ack crack crack.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hi. I ran Power Eraser and it showed "failed". I put together a new PC build a week or so ago, using an Asus Z97 Pro Wi-Fi ac motherboard. Every time I boot the PC, I get the Trojan.Gen.SMH.2 blocked alert. That is why I decided to try power eraser (after running a complete scan with Norton 360). I also have Asus AI Suite 3 installed which includes EZ update which I thought was quite useful insofar as it made the process of checking whether the bios needs to be updated very simple for a novice.

So do I uninstall AI Suite 3? Live with the regular false alerts I get from Norton 360? I've run Malwarebytes and Super AntiSpyWare, and nothing regarding this "Trojan" comes up. I'm tempted to try another antivirus program like Bitdefender, but I have been a satisfied user of Norton for many years and am not inclined to switch now....especially since I have a new 5 user 1 year subscription to Norton Security which I can begin using in 90 days.

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hello alstein

You do not have to wait until your subscription runs out. All you have to  do is to install the new Norton Security and then have a chat with Customer Support and they will add the remaining days to your new Subscription. Here is the link for chat.

www.norton.com/chat

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.1.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Hi all

Ok, I don't think pe_rom.dll is a false positive, well not in my case. The reason tocguy can't see it in that location is because it has been removed by NIS.

I got this virus a few days ago, it seems to have altered or took the form of pe_rom.dll

Reasons I think this:

1) It is located in the Windows folder in Win7 and every time NIS removes it, it reappears at start-up and NIS removes it again; that's why when you look in Windows it is not there.

2) I use a search tool that shows the current files and files that have been deleted (they are ghosted) and they are definitely in Windows.

3) I have a True Image backup I made two hours after unknowingly getting the virus (it was in the AM, so was not at PC. Ugh!) And I have two True Image backups from 10 months ago and 12 months ago and they both contain pe_rom.dll in the Windows folder BUT it is a different date (2014 I think) and when you pull it out of the mounted image NIS is fine with this. When I mount the image that was made a few days ago and pull pe_rom.dll out, NIS blocks it instantly and removes it.

Also the date is different (2015 December) and every time it has been recreated at boot up it's got the December date.

Norton has not offered a fix for this, it just kills the virus at start-up, it's not fully removing the virus or finding the program that dumped it on my PC

Norton power eraser is useless so can Symantec or any users out there help me?

If this is not a virus, why does pe_rom.dll keep reappearing at reboot and then is instantly blocked by NIS? And why does it have the creation date of just a few days ago instead of the date of the file a year ago?

Can Symantec or anyone help me find the virus that has inserted itself into this file?

Kudos0
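Several posts above describe pe_rom.dll existing in C:\Windows only while ASUS EZ Update runs, and one describes a backup copy that differs from the current one. The PowerShell below is an added example, not code from any poster, Norton or ASUS: it polls for the file, records its SHA-256, timestamps and Authenticode signer, and compares them with the two SHA-256 values quoted in this thread and with an optional baseline copy. The parameter names, log path and function name are assumptions.

```powershell
# Added example (not from the thread). Parameter names and the log path are assumptions.
param(
    [string]$Target       = 'C:\Windows\pe_rom.dll',  # path shown in the Norton alert
    [string]$BaselinePath = '',                       # optional copy pulled from an older backup image
    [int]   $TimeoutSec   = 300,                      # how long to wait for the file to appear
    [string]$LogPath      = "$env:TEMP\pe_rom_triage.csv"
)
$ErrorActionPreference = 'Stop'   # make hashing/signature errors catchable

# SHA-256 values quoted in this thread, labelled by where the posters got them.
$ThreadHashes = @{
    'c657ffae5283dc61ec540929e21826d1c04701e57f97e32371d21cf0af3aaf0a' = 'Norton File Insight thumbprint (original post)'
    '1e872ee4299f208ae871750a5d325f40caea678bbd246471d07b37f4903a5b1d' = 'PE_Rom.Dll listed under %PROGRAMFILES%\ASUS\ASUSUpdate'
}

function Get-FileFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    $item   = Get-Item -LiteralPath $Path -Force      # -Force also returns hidden/system files
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        SeenAtUtc       = (Get-Date).ToUniversalTime()
        Path            = $item.FullName
        SHA256          = $hash
        Size            = $item.Length
        CreatedUtc      = $item.CreationTimeUtc
        ModifiedUtc     = $item.LastWriteTimeUtc
        SignatureStatus = [string]$sig.Status         # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        MatchesThread   = $ThreadHashes[$hash]        # $null when the hash is not one quoted above
    }
}

# Poll until the file appears; it may be removed or locked between checks, so retry on error.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
$seen = $null
while (-not $seen -and (Get-Date) -lt $deadline) {
    if (Test-Path -LiteralPath $Target) {
        try   { $seen = Get-FileFingerprint -Path $Target }
        catch { Write-Warning "Could not read ${Target}: $($_.Exception.Message)" }
    }
    if (-not $seen) { Start-Sleep -Milliseconds 200 }
}

if (-not $seen) {
    Write-Output "No readable $Target within $TimeoutSec seconds."
    return
}

$seen | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
$seen | Format-List

if ($BaselinePath) {
    # Compare against the copy the security product accepts (for example from a mounted backup).
    $base = Get-FileFingerprint -Path $BaselinePath
    [pscustomobject]@{
        SameHash      = ($base.SHA256 -eq $seen.SHA256)
        SameSigner    = ($base.Signer -eq $seen.Signer)
        BaselineSig   = $base.SignatureStatus
        CurrentSig    = $seen.SignatureStatus
        BaselineBuilt = $base.ModifiedUtc
        CurrentBuilt  = $seen.ModifiedUtc
    } | Format-List
}
```

A copy whose hash differs from the baseline and whose signature status is not `Valid` is the one worth submitting to the vendor for review; a differing hash with a valid signature from the same signer is consistent with an updated build.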

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

In my case it has been different. I have an Asus Mobo X99-a and the same EZ you all have, but in my case Norton redirects to suspicious Aegisub (subtitle editor) and to Mediacoder (video files editor and recode). I use those two a lot and have for some years...

I uninstalled both using Revo, and it has solved this hassle...

As I'm a newbie in NSS I hope this can be of any use...

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Similar problem - trying to install Activision's Zork 'Grand Inquisitor' from a set of original CDs, when Norton antivirus aborted the installation. A separate scan of the first CD claimed two instances of Trojan.Gen.smh.2 are present on the disc.

I am trying to install the program on an old XP computer under Win 95 emulation.

How can an original, mass copied CD carry malware?

Kudos0

Re: pe_rom.dll detected as Trojan.Gen.SMH.2

Would you be able to submit the samples to Norton as FP? They will then review and take action. Keep in mind that Trojan.Gen.SMH.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created.