
rapportmgmtservice using high resources


7 replies to this topic

#1 mikmak007

mikmak007

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 13 March 2012 - 10:59 PM

I've read that this service loads at startup, and many say it's necessary for secure banking. Okay, fine, but while just ordinary browsing, my Norton's monitoring app pops a msg saying this service is using unusually high CPU. I also have a speedometer, and sure enough, it's showing 100%. After a while, the speedo drops and the msg disappears.

I thought this service was used only for A] startup or B] online banking security. I am doing neither when getting the high usage.

Any suggestions?

thnx



#2 Nephilim1955

Nephilim1955

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:28 AM

Posted 14 March 2012 - 01:52 AM

Go to the Security Forum, Am I Infected? What do I do? Post a new topic there.

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 55,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:28 AM

Posted 14 March 2012 - 01:18 PM

FWIW: http://www.pcpitstop.com/libraries/process/i/RapportMgmtService.exe.html

See also: http://www.bleepingcomputer.com/startups/RapportMgmtService.exe-26152.html

Any program monitoring your system...probably does so 24/7. Symantec programs are fairly well-known for a history of this type, among other programs.

<<After a while, the speedo drops and the msg disappears>>

It's not unusual for a program to reflect high usage temporarily.

Me...I would remove the Symantec program for sure, replacing it with a free alternative that doesn't weigh so heavily on the system.

As for the program I linked to...that's your decision. I've never found it necessary to use an additional program of that type on any system I use. If in doubt, I would check with my bank.

Louis

Edited by hamluis, 14 March 2012 - 01:20 PM.


#4 mikmak007

mikmak007
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 14 March 2012 - 03:11 PM

Many thanks. I was a Norton user for years, and stopped when it became such a hog. But the last two versions of their full package run quite well, and it provides a few neat speedometers that show what is happening. And it's free for me.

#5 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 15 March 2012 - 07:52 AM

<<Many thanks. I was a Norton user for years, and stopped when it became such a hog. But the last two versions of their full package run quite well, and it provides a few neat speedometers that show what is happening. And it's free for me.>>


I'd be very wary of any app connected with banking security which is 'free' if I were you (unless provided by the bank itself). 'Free' means the developer isn't being paid for it and therefore may not support it should a problem arise. If you read this article, you'll see that there's a Trojan on the loose which can inject itself into the "RapportMgmtService.exe" service with all the consequences that may imply: http://www.threatexpert.com/report.aspx?md5=03379147f34fd84405e70b424e962553

Microsoft also published a report regarding a similar danger: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FKillav.EL

#6 mikmak007

mikmak007
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 15 March 2012 - 02:35 PM

Those are great resources, many thanks. I checked these:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe]

Debugger = "RPXService.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

00CD1A4050 = "%System%\70DD559500CD1A40AC84.exe,"

and

The trojan intercepts requests to run the above processes by creating the following registry data:

Adds value: "Debugger"
With data: "zasrakomondohui31338.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe

Adds value: "Debugger"
With data: "zasrakomondohui31338.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe

and all is good. I also ran a thorough scan with Malwarebytes Pro and Norton security suite.

All is good, but I will also try to figure why I even have Rapport service. I don't recall getting it, and my bank does not require any special software. I know this because I have accessed my bank from my secondary laptop while traveling. And I have created very long and complex user names and equally complex passwords.

Edited by mikmak007, 15 March 2012 - 02:36 PM.


#7 Guest_Xircal_*

Guest_Xircal_*

  • Guests
  • OFFLINE
  •  

Posted 16 March 2012 - 04:36 AM

Here's some background info on the app. It's made by a company called Trusteer Ltd which is located in Israel according to WhoIs: WhoIs Trusteer Ltd

Besides the business app, there's also a free consumer version: The free version of Rapport is limited. Maybe you have that one on your system somewhere?

Did you check those registry hives I posted? Sometimes it's worth your while doing a manual check just in case your security software misses something. You don't need to manually scroll through every hive: just run regedit to open the registry editor and then go to Edit | Find, type (or copy/paste from here) 70DD559500CD1A40AC84.exe and then click "Find Next". Do the same with the others to see if anything turns up.

Here are instructions on how to uninstall Rapport: http://www.trusteer.com/support/uninstalling-rapport
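
The manual regedit search described in the posts above can also be run over an exported copy of the registry. The following is an added example, not part of any post in this thread or of the linked reports: it parses regedit's export text and flags the "Debugger" values and Run entries the thread discusses. The function names, the sample export, the System32 path and the "Updater" entry are assumptions made up for illustration.

```python
import re

IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
RUN = "\\microsoft\\windows\\currentversion\\run"
# File names quoted in the thread from the linked reports.
NAMES = ("70dd559500cd1a40ac84.exe", "zasrakomondohui31338.exe", "rpxservice.exe")

# Constructed sample in regedit's export text format (backslashes doubled).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
"Debugger"="zasrakomondohui31338.exe"
"MitigationOptions"=hex:00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"00CD1A4050"="C:\\Windows\\System32\\70DD559500CD1A40AC84.exe,"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
'''

SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # \\ -> \ and \" -> "

def parse_reg(text):
    """Return {key path: {value name: string data}}; non-string values are skipped."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := SZ.match(line)):
            cur[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_hits(text):
    """Flag every IFEO 'Debugger' value and Run entries naming a listed file."""
    hits = []
    for key, values in parse_reg(text).items():
        low = key.lower()  # case-insensitive match; also covers Wow6432Node copies
        for name, data in values.items():
            if IFEO in low and name.lower() == "debugger":
                hits.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
            elif low.endswith(RUN) and any(n in data.lower() for n in NAMES):
                hits.append(("run-entry", name, data))
    return hits

if __name__ == "__main__":
    print(*find_hits(SAMPLE), sep="\n")
```

A real export made with regedit's File | Export or `reg export` is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. An "ifeo-debugger" hit is a prompt to review the entry, since some legitimate tools also set that value.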

#8 mikmak007

mikmak007
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 16 March 2012 - 02:52 PM

Many thanks. There is no

70DD559500CD1A40AC84.exe

in my registry, but I need to look at Trusteer and try to recall why it was installed, or what value it has.



