Solved

w32.rootkit-gen detected and stopped, can't find trigger

Posted on 2014-07-25
393 Views
Last Modified: 2014-08-12
Hello,

I have some legacy HP convertible tablets that just yesterday around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run boot scans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HP tools update is infected? I can't figure out how it got on my computer if it's not an update. Even after the boot scan and clean it still calls for the install. I can't find the "trigger", or where it is calling for the Windows Installer, to remove it. Perhaps this is an undetected trojan making the call?

Any information on this would be helpful.

Thanks,
Rob
Question by: RobMes
9 Comments
 
LVL 61

Expert Comment

by: btan
ID: 40220765
Try cleaning one with MBAM to see how it goes.
http://malwarebytes.org
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill http://www.technibble.com/rkill-repair-tool-of-the-week/ may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and Rootkit Revealer.
 
LVL 35

Expert Comment

by: Cris Hanna
ID: 40220786
I'm a big fan of Malwarebytes and Rkill but recently found a rootkit on one of my customers' machines that was not detected by Malwarebytes... research led me to 3 other rootkit tools: Norton Power Eraser (free) https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN_EndUserProfile_en_us
and McAfee RootkitRemover http://www.mcafee.com/us/downloads/free-tools/how-to-use-rootkitremover.aspx
and finally Kaspersky TDSSKiller http://usa.kaspersky.com/downloads/TDSSKiller

And scan all your other machines too. Personally I'm a big fan of flattening any machine that is rootkitted.
 
LVL 69

Expert Comment

by: Merete
ID: 40220788
Have you looked in the start-up group?
Go to Run, type msconfig, press Enter, and open the Startup tab; these load with Windows, so if there is any form of call for an install you should see it here. The line for each program in Startup also shows the registry location and date installed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Open Run, type regedit, press Enter, then expand each key till you see Run; on the right side look at what is in here, right-click the key and delete it.

[Screenshots: startup programs; example of what is in Run]
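Merete's checks, as an added example that is not part of the thread and not code anyone posted: the script walks the Run/RunOnce keys and Startup folders she describes and then goes one step beyond her comment to the two places that record which Windows Installer package a repeating "repair" install belongs to, the product's InstallSource registration and the MsiInstaller entries in the Application log. The `swsetup\hptools` fragment is taken from the question; the registry paths and event IDs are standard Windows locations, and everything else is my own construction.

```powershell
# Added example (not from the thread): autostart and Windows Installer triage.
# Run in an elevated PowerShell on the affected machine. Only the folder
# fragment below is taken from the question.
$suspectFragment = 'swsetup\hptools'

# --- 1. Run / RunOnce values (per machine and per user) ----------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # 64-bit hosts only
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        # A value that invokes msiexec or names an .msi is what the question is hunting for.
        $note = if ($cmd -match 'msiexec|\.msi') { '   <-- installer call' } else { '' }
        "{0}`n    {1} = {2}{3}" -f $key, $name, $cmd, $note
    }
}

# --- 2. Startup folders (paths read from the registry so this works on XP too)
$shellFolders = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupFolders = @(
    (Get-ItemProperty "HKCU:\$shellFolders").'Startup',
    (Get-ItemProperty "HKLM:\$shellFolders").'Common Startup'
)
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -ErrorAction SilentlyContinue |
        ForEach-Object { 'Startup item: {0}  (modified {1})' -f $_.FullName, $_.LastWriteTime }
}

# --- 3. Windows Installer product registration ------------------------------
# Every installed or advertised MSI product is registered under UserData; its
# InstallSource is the folder msiexec goes back to when it repairs the product.
# A product whose source is the swsetup folder is the one that keeps asking
# for the .msi even after the file has been removed.
$products = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties'
Get-ItemProperty -Path $products -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallSource -like "*$suspectFragment*" } |
    ForEach-Object {
        "Product  : {0}`n  Publisher: {1}`n  Source   : {2}`n  Cached   : {3}`n  Key      : {4}" -f `
            $_.DisplayName, $_.Publisher, $_.InstallSource, $_.LocalPackage, $_.PSPath
    }

# --- 4. What actually triggered Windows Installer ----------------------------
# msiexec logs to the Application log under source MsiInstaller. Events 1001
# and 1004 are resiliency ("self-repair") events whose message names the
# product, feature and component whose missing resource started the repair;
# 11707 / 11708 are install success / failure.
$interesting = 1001, 1004, 11707, 11708
Get-EventLog -LogName Application -Source MsiInstaller -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { ($interesting -contains $_.EventID) -or ($_.Message -match [regex]::Escape($suspectFragment)) } |
    Select-Object TimeGenerated, EventID, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Section 3 is the one that answers "where is it calling the installer from" for a package that is registered but no longer on disk: the product key is what msiexec consults, and the component named in the 1004 event is the resource (typically a shortcut or COM registration) whose absence sets the repair off. Removing the registration is done with the product's own uninstall, not by deleting the key by hand.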
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
ID: 40220897
DON'T turn off System Restore!! Turning off System Restore will delete all your restore points (unless that is what you want to do). There are several articles on System Restore here on EE.

Also check out my article on antirootkit software.

http://mobile.experts-exchange.com/Software/Anti-Virus/A_2245-Anti-rootkit-software.html

Author Comment

by: RobMes
ID: 40220941
I'm going to reimage all of these laptops that this rootkit has shown up on. They aren't infected with the rootkit yet; I learned of its existence when it was caught on an install attempt. I ran the Avast boot scan and it removed the rootkit installer, but the system still attempts to install. It just errors out now because it can't locate the installer MSI. I've looked in the Run and RunOnce registry keys, msconfig (disabled all services except MS, and startup) as well as Startup in the Programs menu, and even checked Task Manager. It shows up on all machines, which is an update for HP tools ActivIdentity. I half think it's a legit update that is infected and it's the MSI installer being called to install. Overall I just want to figure out how the infection happened. These machines are currently XP and are already planned to be imaged with a new OS. The ones that are already upgraded don't have any issues.
 
LVL 69

Expert Comment

by: Merete
ID: 40220965
"Overall I just want to figure out how the infection happened" << Windows XP is vulnerable.
And since it is now vulnerable there will be those who want to use it to their advantage. Stay up to date with what's going on.
Like owning a car, you should learn how to drive it and the dangers.
Windows updates are no longer available, so how much manual downloading of software purporting to make your computer secure is now being offered and installed?
They can come in the form of cookies and software that looks like genuine software.
If you really want your eyes opened:
I remember that there was a threat in 2012 with Windows itself; brand new computers were having rootkits installed with the OS. I kept this article to share with people.
Of course Microsoft and the FBI have fixed the bad site now, but it does remind me of the dangers of owning a computer and what steps to take to keep our information safe.
quote>
Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday. (2012)
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.
Source>
http://www.computerworld.com/s/article/9231277/Microsoft_finds_new_computers_in_China_preinstalled_with_malware
Then there was the Flash warning recently that turned out to be a virus:
Remove “WARNING! Your Flash Player may be out of date” virus
http://malwaretips.com/blogs/warning-your-flash-player-may-be-out-of-date-virus/
That's two examples, and when added to a network it could cross/travel the network to other computers through shared folders.
I haven't had any viruses or threats and put it down to how I update stuff on my Windows; with Flash I have it set to auto through the Flash Player applet in Control Panel, I do not update manually off the web.
I use only manufacturer drivers and use only reputable web sites. I buy most of my tools, and the free ones I get from the manufacturer or open source. Free can have hidden spyware.
I have a sound understanding of my running tasks.
I have my security set to high and with a good antivirus and firewall regular cleanups and scan all good.
I use Chrome as well not Internet Explorer. May help :)

Rootkits: Subverting the Windows Kernel
"This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors."
http://micropenguin.net/files/Other/Rootkits_Subverting_the_Windows_Kernel.pdf

Rootkit:W32/TDSS.gen!A
http://www.f-secure.com/v-descs/rootkit_w32_tdss_gen!a.shtml
 
LVL 61

Expert Comment

by: btan
ID: 40221039
It will be good to send the MSI to online services such as VirusTotal, Jotti, Metascan or malwr to see the traces it leaves, so that there are more artefacts to investigate. But I suggest all external portable storage and shared file servers be scanned as well, as they are likely the entry and exit points for the rootkit. The best way to kill the rootkit is still, as shared, to reimage.
 
LVL 53

Accepted Solution

by: McKnife (earned 500 total points)
ID: 40221463
Ever thought about the possibility of a false positive detection?
 
LVL 61

Expert Comment

by: btan
ID: 40222008
Hence it is best to try to check the installation package with an online multi-AV service for a second opinion. HP definitely wouldn't send you a virus... there should be some checksum, hash value or signature on these packages to ensure integrity before using them.

Neither of the following is a forensic tool; both are for editing MSI files and their contents, but used on a copy of your file they might help your examination. Insted is probably easier to grab, since Orca requires downloading the (large) SDK from MS.
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, from http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx
(2) Insted from http://www.instedit.com/features.html
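btan's point about hashes, signatures and looking inside the package with Orca or Insted, together with McKnife's false-positive question, as one added example that is not from the thread and not code anyone posted: a PowerShell triage of a quarantined copy of the .msi. It hashes the file so it can be compared with a vendor checksum or looked up by hash in a multi-AV service, checks the Authenticode signature, and reads the Property and CustomAction tables through the Windows Installer COM API (the same tables Orca shows). The quarantine path is a placeholder; only the file name comes from the question.

```powershell
# Added example (not from the thread): triage a COPY of the flagged .msi before
# deciding between "infected update" and "false positive". Never run the file.
param(
    [string]$MsiPath = 'C:\quarantine\ACx98.msi'   # placeholder: your quarantined copy
)

# --- 1. SHA-256 for comparison with a vendor checksum or a multi-AV lookup --
# Computed with .NET so it also works on PowerShell 2.0 (no Get-FileHash there).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($MsiPath)
try     { $digest = $sha256.ComputeHash($stream) }
finally { $stream.Close() }
$hash = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
"SHA-256  : $hash"

# --- 2. Authenticode: MSI packages can be signed. A genuine vendor package
#        should report Valid with the vendor in the signer subject; NotSigned
#        means the hash comparison above is all you have for origin. ---------
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature: $($sig.Status)"
if ($sig.SignerCertificate) { "Signer   : $($sig.SignerCertificate.Subject)" }

# --- 3. Look inside the package with the Windows Installer COM API ------------
# The Installer object publishes no type information to PowerShell, so every
# call goes through InvokeMember. OpenDatabase mode 0 = read-only.
function Invoke-ComMethod($obj, $name, $argList) {
    $obj.GetType().InvokeMember($name, 'InvokeMethod', $null, $obj, $argList)
}
function Get-ComProperty($obj, $name, $argList) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $argList)
}
function Read-MsiTable($db, $sql) {
    # Runs one MSI SQL query; emits one object per row with a property per column.
    $view = Invoke-ComMethod $db 'OpenView' @($sql)
    [void](Invoke-ComMethod $view 'Execute' $null)
    $cols  = Get-ComProperty $view 'ColumnInfo' @(0)        # record of column names
    $nCols = Get-ComProperty $cols 'FieldCount' $null
    $names = @(1..$nCols | ForEach-Object { Get-ComProperty $cols 'StringData' @($_) })
    while (($rec = Invoke-ComMethod $view 'Fetch' $null) -ne $null) {
        $row = @{}
        for ($i = 1; $i -le $nCols; $i++) {
            $row[$names[$i - 1]] = Get-ComProperty $rec 'StringData' @($i)
        }
        New-Object PSObject -Property $row
    }
    [void](Invoke-ComMethod $view 'Close' $null)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)

# Package identity as the MSI author declared it. Anyone can write these
# values, so they are context for the signer above, not proof of origin.
$wanted = 'ProductName', 'Manufacturer', 'ProductVersion', 'ProductCode'
Read-MsiTable $db 'SELECT Property, Value FROM Property' |
    Where-Object { $wanted -contains $_.Property } |
    ForEach-Object { '{0,-14} : {1}' -f $_.Property, $_.Value }

# --- 4. Custom actions: the only place an MSI runs code of its own ----------
# The low 3 bits of Type say what kind of code; bit 0x800 (NoImpersonate)
# means it runs as LocalSystem. An action the vendor's clean package lacks, or
# one pointing at an unexpected EXE or script, is what to open in Orca/Insted.
$kinds = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'text/formatted data'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'nested install' }
try {
    Read-MsiTable $db 'SELECT Action, Type, Source, Target FROM CustomAction' | ForEach-Object {
        $type = [int]$_.Type
        $sys  = if ($type -band 0x800) { ', NoImpersonate: runs as SYSTEM' } else { '' }
        'CustomAction {0}: type {1} ({2}{3})  Source={4}  Target={5}' -f `
            $_.Action, $type, $kinds[($type -band 7)], $sys, $_.Source, $_.Target
    }
} catch {
    'No CustomAction table in this package.'
}
```

Comparing the hash against a known-good copy of the same HP package (from another machine or from HP's download) is the quickest way to settle McKnife's question: an identical hash on a file the AV still flags points to a signature false positive, while a differing hash on a package with the same declared ProductCode is worth the full CustomAction review.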
