w32.rootkit-gen detected and stopped, can't find trigger

Posted on 2014-07-25
Last Modified: 2014-08-12

I have some legacy HP convertible tablets that just yesterday around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run bootscans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HPtools update is infected? I can't figure out how it got on my computer if it's not an update. Even after the bootscan and clean it still calls for the install. I can't find the "trigger" or where it is calling for the Windows Installer to remove it. Perhaps this is an undetected trojan making the call?

Any information on this would be helpful.

Question by: RobMes
LVL 63

Expert Comment

ID: 40220765
Try cleaning one with MBAM to see how it goes.
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and Rootkit Revealer.
LVL 35

Expert Comment

by: Cris Hanna
ID: 40220786
I'm a big fan of Malwarebytes and Rkill, but recently found a rootkit on one of my customer's machines that was not detected by Malwarebytes. Research led me to three other rootkit tools:
- Norton Power Eraser (free)
- McAfee RootkitRemover
- Kaspersky TDSSKiller

And scan all your other machines too. Personally I'm a big fan of flattening any machine that is rootkitted.
LVL 70

Expert Comment

ID: 40220788
Have you looked in the start-up group?
Go to Run, type msconfig and press Enter, then open the Startup tab. These load with Windows; if there is any form of call for an install you should see it here. The line for each program in Startup also shows the registry location and the date installed.
Open Run, type regedit and press Enter, then expand each hive until you see Run. On the right side look at what is in there; right-click the key and delete it.

[Screenshots: startup programs; example of what is in Run]

LVL 27

Expert Comment

by: Thomas Zucker-Scharff
ID: 40220897
DON'T turn off System Restore! Turning off System Restore will delete all your restore points (unless that is what you want to do). There are several articles on System Restore here on EE.

Also check out my article on antirootkit software.

Author Comment

ID: 40220941
I'm going to reimage all of these laptops that this rootkit has shown up on. They aren't infected with the rootkit yet; I learned of its existence when it was caught on the install attempt. I ran the Avast bootscan and it removed the rootkit installer, but the system still attempts to install. It just errors out now because it can't locate the installer MSI. I've looked in the Run and RunOnce registry keys, msconfig (disabled all services except MS and startup) as well as Startup in the program menu, and even checked Task Manager. It shows up on all machines as an update for HPtools ActivIdentity. I half think it's a legit update that is infected and it's the MSI installer being called to install. Overall I just want to figure out how the infection happened. These machines are currently XP and are already planned to be imaged with a new OS. The ones that are already upgraded don't have any issues.
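As an added example (not from the thread or any of its participants), a PowerShell triage script for the "what is calling msiexec" question: it lists Run/RunOnce entries that invoke Windows Installer, finds registered MSI products whose recorded install source points at the swsetup folder (Windows Installer re-runs the package from that source to repair a component it finds missing, which is a common reason an install keeps being retried after the file is removed), and dumps recent MsiInstaller events from the Application log. The `swsetup` filter and the Windows PowerShell 2.0 assumption (the version available for XP) are mine.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later.
# $SourcePattern is an assumed filter matching the folder named in the question.
param([string]$SourcePattern = 'swsetup')

# 1. Autostart entries that call Windows Installer directly.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'msiexec|\.msi') {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# 2. Registered MSI products whose install source (SourceList\Net) points at the suspect folder.
#    A product registered here can be repaired from that source without any Run-key entry.
$products = 'HKLM:\SOFTWARE\Classes\Installer\Products'
Get-ChildItem -Path $products -ErrorAction SilentlyContinue | ForEach-Object {
    $name = (Get-ItemProperty -Path $_.PSPath).ProductName
    $net  = $_.PSPath + '\SourceList\Net'
    if (Test-Path $net) {
        foreach ($src in (Get-ItemProperty -Path $net).PSObject.Properties) {
            if ($src.Name -notlike 'PS*' -and "$($src.Value)" -match $SourcePattern) {
                "Product '{0}' has install source {1}" -f $name, $src.Value
            }
        }
    }
}

# 3. Recent Windows Installer events; repair attempts name the product and the missing resource.
Get-EventLog -LogName Application -Source MsiInstaller -Newest 20 |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

Run it in an elevated PowerShell on one affected machine and compare the product named in section 2 or 3 against the ActivIdentity package path from the question.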
LVL 70

Expert Comment

ID: 40220965
"Overall I just want to figure out how the infection happened" << Windows XP is vulnerable.
And since it is now vulnerable there will be those who want to use it to their advantage. Stay up to date with what's going on.
Like owning a car, you should learn how to drive it and the dangers.
Windows updates are no longer available, so how much manual downloading of software claiming to make your computer secure is now being offered and installed?
They can come in the form of cookies and software that looks like genuine software.
If you really want your eyes opened:
I remember that there was a threat in 2012 with Windows itself; brand new computers were having rootkits installed with the OS. I kept this article to share with people.
Of course Microsoft and the FBI have fixed the bad site now, but it does remind me of the dangers of owning a computer and what steps to take to keep our information safe.
"Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday." (2012)
"The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains."
Then there was the Flash warning recently that turned out to be a virus:
Remove "WARNING! Your Flash Player may be out of date" virus
That's two examples, and when adding a network it could cross/travel the network to other computers through shared folders.
I haven't had any viruses or threats and put it down to the way I update stuff on my Windows: with Flash I have it set to auto-update through the Flash Player applet in Control Panel; I do not update manually off the web.
I use only manufacturer drivers and use only reputable web sites. I buy most of my tools, and the free ones I get from the manufacturer or open source. Free can have hidden spyware.
I have a sound understanding of my running tasks.
I have my security set to high, with a good antivirus and firewall, regular cleanups and scans, all good.
I use Chrome as well, not Internet Explorer. May help :)

Rootkits: Subverting the Windows Kernel
"This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors."

LVL 63

Expert Comment

ID: 40221039
It will be good to send the MSI to online services such as VirusTotal, Jotti, Metascan or malwr to see the traces it left, so that there are more artefacts to investigate. But I suggest all external portable storage and shared file servers be scanned as well, as they are likely the entry and exit points. To kill the rootkit, the best option is still, as shared, a reimage...
LVL 54

Accepted Solution

McKnife earned 500 total points
ID: 40221463
Ever thought about the possibility of a false positive detection?
LVL 63

Expert Comment

ID: 40222008
Hence it is best to try to check the installation pack with an online multi-AV service for another opinion. HP definitely wouldn't send you a virus. ...there should be some checksum, hash value or signature on these packages to ensure integrity before using them.

Neither of the following is a forensic tool; both are for editing MSI files and their contents, but used on a copy of your file they might help your examination. Insted is probably easier to grab, since Orca requires download of the (large) SDK from MS.
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, from
(2) Insted from
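As an added example (not from the thread), the integrity check the comment above calls for, done on a copy of the package: compute MD5/SHA1/SHA256 for lookup on an online multi-AV service, and verify whether the MSI carries a valid Authenticode signature and who signed it. The function name and the `C:\quarantine\ACx98.msi` path are mine; only the filename comes from the question, and it avoids `Get-FileHash` so it also runs on Windows PowerShell 2.0.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later.
# Test-InstallerPackage is a hypothetical name; run it against a COPY of the suspect MSI.
function Test-InstallerPackage {
    param([Parameter(Mandatory = $true)][string]$PackagePath)

    $file = Get-Item -LiteralPath $PackagePath

    # Hash the file with .NET directly (Get-FileHash only exists in PowerShell 4+).
    $hashes = @{}
    foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
        $provider = [System.Security.Cryptography.HashAlgorithm]::Create($algo)
        $stream = $file.OpenRead()
        try {
            $bytes = $provider.ComputeHash($stream)
        } finally {
            $stream.Close()
        }
        $hashes[$algo] = ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    }

    # MSI packages can be Authenticode-signed. A vendor package should validate ('Valid');
    # 'NotSigned' or 'HashMismatch' means the file is not what the vendor shipped, or was altered.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $timestamper = $null
    if ($sig.TimeStamperCertificate) { $timestamper = $sig.TimeStamperCertificate.Subject }

    New-Object PSObject -Property @{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        LastWrite       = $file.LastWriteTime
        MD5             = $hashes['MD5']
        SHA1            = $hashes['SHA1']
        SHA256          = $hashes['SHA256']
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = $signer
        TimeStamper     = $timestamper
    }
}

# Usage on a quarantined copy (assumed path; filename from the question).
Test-InstallerPackage -PackagePath 'C:\quarantine\ACx98.msi' | Format-List
```

Searching the SHA256 on VirusTotal, rather than uploading, lets you check whether the sample is already known without sharing the file.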
