
Trojan.Gen.2

Hi everyone, could you please explain why NIS sometimes does not detect certain malware? Recently I noticed intruding messages on my computer screen, and only after performing a full scan did NIS detect and delete the 'Trojan.Gen.2' virus. Do I have to manually run a full scan on a regular basis? Also, the file location for the virus is 'programfiles/sminst/rmctools.dll'. Does this give any clues as to how the computer was infected? Thanks a lot, Sam3000

Replies


Re: Trojan.Gen.2

Hi, That may have come via a Potentially Unwanted Program installation. Do you use any toolbars? Run a cross-check with the free version of Malwarebytes Anti-Malware from www.malwarebytes.org using its full system scan option to make sure everything is okay. You may keep it as a secondary scanner with the free version. Another tool of good use is http://www.eset.com/us/online-scanner/

[edit] If you are using an HP-made system, then this file is related to the backup software provided by HP using 'SoftThinks'. In that case this is a false positive. http://www.vistax64.com/vista-general/142718-what-windir-sminst-launcher... Please keep us updated regarding this.
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!

Re: Trojan.Gen.2

Hi Sam3000:

Please see Orioness' recent thread Trojan.Gen.2 Advice Request regarding a similar detection in C:\program files (x86)\sminst\rmctools.dll on a 64-bit Vista system.  Symantec employee Tony Wiess has posted instructions in the thread How to report false positives for submitting your rmctools.dll file for analysis if you suspect this was a detection error.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 33.0 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: Trojan.Gen.2

Hi Nikhil and Imacri, Thanks for your replies. I am indeed running an HP system with Windows 7 32-bit. Ran the Malwarebytes scan and things seemed OK. If I am getting a 'false positive' as suggested, reporting it does not seem to me a straightforward option... It is probably worth mentioning that since yesterday's full scans I have not used the internet a lot, and yet got 34 security risks after a full NIS scan today. And finally a note about CPU usage: besides the 'Firefox high CPU usage' which I have been getting in the last few months, I have also recently been getting a 'RapportMgmt service high CPU usage' as well. What is the best way to deal with these two issues? Thanks again for your help, Sam3000


Re: Trojan.Gen.2

Hi Sam3000, The RapportMgmt service is a part of Trusteer security products and can be located at C:\Program Files\trusteer\rapport\bin\rapportmgmtservice.exe. If that is true in your case, can you make sure you didn't have any other security software preinstalled or currently installed in your system (other than Norton)? Or are you using IBM / Trusteer solutions?

Re: Trojan.Gen.2

Hi Sam3000:

What version of NIS are you using? Go to Support | About to check your version number - the latest is currently v. 21.6.0.32.

Could you also let us know what type of CPU you have in your computer? Norton products generate a high CPU alert when one or more cores are saturated, so if you have a quad-core CPU, for example, you'll get a warning when only one of your four cores (25% of total CPU) is utilized. As long as your computer isn't freezing or running noticeably slower when you are browsing with Firefox, it should be safe to change your setting at Settings | General | Performance Monitoring | Resource Threshold Profile for Alerting from Medium (the default) to High if these CPU alerts are annoying you.

The bleepingcomputer comments here on Rapport Management Service indicate that RapportMgmtService.exe is likely a legitimate file required on your system for a security product (e.g. a fingerprint reader or online banking service).  Browse to the location of the RapportMgmtService.exe file (possibly C:\Program Files\Trusteer\Rapport\bin\), right click on the file, select Properties from the pop-up menu, and see if there's a Digital Signatures tab that confirms that the file is digitally signed by Trusteer.  According to the IBM support article here, you might also be able to see an entry named Trusteer Endpoint Protection (or something similar) at Control Panel | Programs and Features if this file is legitimate.

What is worrisome, however, is the 34 security risks found by your NIS Full System scan. Can you tell us what type of detection Norton reported (e.g. WS.Reputation.1) and the names of some of these suspicious files? Were they all compressed (.zip) files, for example? Did you run a Custom Scan of your full system (i.e., all your hard drives) with the free Malwarebytes Anti-Malware (MBAM), or just a standard Threat Scan?

EDIT:

I just noticed that you are running a 32-bit version of Win 7, when the 64-bit version of Win 7 is more common.  Just like I mentioned in Orioness' thread here, I'm beginning to wonder if Symantec has recently tweaked the algorithm for their reputation-based detections that is resulting in a high number of false positives on less common Windows OSs because files are not located in the "normal" path on the hard drive where Norton expects them to be.

And apologies to Nikhil_CV.  I didn't notice that he'd already posted information about RapportMgmtService.exe while I was composing my message.
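The signature check described in the post above (Properties | Digital Signatures), as an added example that is not part of the original thread and not a Norton or Trusteer tool. It checks the two files discussed in this thread for a valid Authenticode signature, shows the embedded version information, and prints a SHA-256 hash that can be quoted in a false-positive submission. The two paths are assumptions taken from the posts (on 64-bit Windows the SMINST folder sits under 'Program Files (x86)'); the script is written for Windows PowerShell 2.0, the version shipped with Windows 7, so it avoids Get-FileHash, which needs PowerShell 4.0.

```powershell
# Added example: verify the Authenticode signature and compute the SHA-256 of
# the two files discussed in the thread. The paths below are assumptions;
# adjust them for your system (e.g. 'Program Files (x86)' on 64-bit Windows).
$candidates = @(
    "$env:ProgramFiles\SMINST\rmctools.dll",
    "$env:ProgramFiles\Trusteer\Rapport\bin\RapportMgmtService.exe"
)

# SHA-256 via the .NET crypto classes so it also works on PowerShell 2.0,
# which has no Get-FileHash cmdlet.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path"
        continue
    }

    # Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
    # Only 'Valid' means the file is unmodified since the publisher signed it.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Version resource is informational only: any binary can claim any CompanyName.
    $ver = (Get-Item -LiteralPath $path).VersionInfo

    New-Object PSObject -Property @{
        Path        = $path
        Status      = $sig.Status
        Signer      = $signer
        Company     = $ver.CompanyName
        Description = $ver.FileDescription
        SHA256      = Get-Sha256Hex $path
    } | Format-List
}
```

Read the output conservatively: a Status of Valid with a Signer subject naming the expected publisher (HP/SoftThinks for rmctools.dll, Trusteer for RapportMgmtService.exe) supports the false-positive explanation, and the SHA-256 is what to include when submitting the file to Symantec for analysis. NotSigned or HashMismatch does not prove infection, but it removes the main evidence for a false positive, so treat the file as suspicious and submit it. A valid signature also says nothing about whether the signed component is still needed, which is why the later advice in this thread to uninstall an unused Trusteer product is reasonable regardless of the result.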


Re: Trojan.Gen.2

Hi Nikhil_CV and Imacri, I do realize that the Rapport Mgmt service software is a legitimate file which was installed on my computer as part of a security service software package a couple of years ago. I was only wondering if Norton is giving an unnecessary false alert about high CPU usage, as this issue has only appeared recently. The system, however, keeps alerting about Firefox high CPU usage, and Imacri's suggestion with regards to safety is most likely correct since the computer does not freeze or slow down during the alert. With regards to Imacri's queries, NIS is the current version 21.6.0.32. The HP system type is 32-bit and the processor is an AMD Athlon(tm) 7550 Dual-Core 2.5GHz. It is probably an old system which is worth changing in the near future. The 34 security risks were only low risk alerts (cookies), but I thought they were too many for only 2-3 hours of internet use. Today, I did a Malwarebytes full scan and then an NIS full scan before surfing the net, and there were only 5 low risk alerts dealt with. Imacri, I think you are absolutely right; the issue could be due to Norton being too zealous nowadays with regards to their detection algorithm, causing higher false positives. With my appreciation to you both, Sam3000

Re: Trojan.Gen.2

The 34 security risks were only low risk alerts (cookies) but I thought they were too many for only 2-3 hours internet use. Today, I did Malwarebytes full scan and then NIS full scan before surfing the net, and there were only 5 low risks alert dealt with.

Hi Sam3000:

You can reduce the number of cookies you accumulate in your Firefox browser by changing the privacy settings in your browser as described in the Mozilla support article Settings for privacy, browsing history and do-not-track.  I have my settings at Tools | Options | Privacy set to Tell sites that I do not want to be tracked for Tracking and Never for Accept third-party cookies, and if necessary, you can fine tune your settings and create site exceptions so that important sites that require cookies will still function.

Are you using the latest Firefox v. 33.x?  I also have a dual-core CPU, and while Firefox has a reputation for consuming high amounts of CPU, I don't see constant alerts with my Norton alerting threshold discussed here set to Medium.  Resetting Firefox back to its default settings as described in the Mozilla support article Reset Firefox – easily fix most problems can often solve many common Firefox problems, including excessive CPU consumption, but please note that this will remove extensions like Adblock Plus, Video DownloadHelper, etc. that you've added to your browser.  Once you've reset your browser try using it for a few days without reinstalling your browser extensions just in case it's one of your extensions that's causing the high CPU problem.

If you don't want to try a browser reset post back and I'll provide alternate instructions for creating a new Firefox user profile that you can use for testing purposes.


Re: Trojan.Gen.2

Hi Sam3000:

I forgot to mention that you can go one step further with MBAM scans and temporarily enable rootkit scanning (Settings | Detection and Protection | Detection Options | Scan for rootkits). Rootkit scanning significantly increases your MBAM scan times and I always leave this option disabled (see the warnings in the MBAM support article Why is scan for rootkit off by default?) unless I suspect that I still might have some deeply embedded rootkits or bootkits that were missed by all my other Norton and MBAM scans. A full Custom Scan with rootkit scanning enabled can take well over 3 hours on many systems.

If you suspect that you have malware on your system that cannot be detected by Norton and MBAM, you can also register with one of the free malware removal forums recommended by delphinium in the thread Malware Removal Forum Recommendations and have a trained malware removal specialist work with you one-on-one to check your system for malware.  I used the WhatTheTech forum a few years ago and found their services were excellent, although it took a few days for a removal specialist to be assigned to my case.


Re: Trojan.Gen.2

Hi Sam3000, Along with Imacri's messages above (I should admit he has excellent info-gathering skills), since you mentioned you once had a Trusteer product on your machine, you will have to remove it using the tool named SafeUninstall Utility provided by IBM at: http://www.trusteer.com/support/uninstalling-rapport-using-safeuninstall... (I hope this won't clash with Imacri's replies.)

Re: Trojan.Gen.2

Thanks again, Imacri. I have reset my browsing history and Firefox, and used the MBAM rootkit scanning. Things are looking better... Your help is appreciated. Sam3000
