w32.rootkit-gen detected and stopped, can't find trigger

Posted on 2014-07-25
Medium Priority
Last Modified: 2014-08-12

I have some legacy HP convertible tablets that just yesterday around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run bootscans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HPtools update is infected? I can't figure out how it got on my computer if it's not an update. Even after the bootscan and clean it still calls for the install. I can't find the "trigger" or where it is calling for the Windows Installer to remove it. Perhaps this is an undetected trojan making the call?

Any information on this would be helpful.

Question by:RobMes
LVL 65

Expert Comment

ID: 40220765
Try cleaning one with MBAM to see how it goes.
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and Rootkit Revealer.
LVL 35

Expert Comment

by:Cris Hanna
ID: 40220786
I'm a big fan of Malwarebytes and Rkill, but recently found a rootkit on one of my customers' machines that was not detected by Malwarebytes... research led me to 3 other rootkit tools: Norton Power Eraser (free)
And McAfee RootkitRemover
And finally Kaspersky TDSSKiller

And scan all your other machines too. Personally I'm a big fan of flattening any machine that is rootkitted.
LVL 70

Expert Comment

ID: 40220788
Have you looked in the start-up group?
Go to Run > type msconfig, press Enter > open the Startup tab > these load with Windows; if there is any form of call for an install you should see it here. The line for the programs in Startup also shows the registry location and date installed.
Open Run, type in regedit, press Enter, then expand each key till you see Run; on the right side look at what is in there, right-click the key and delete it.

[Screenshots: startup programs; example of what is in Run]
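The first expert comment (Autoruns: logon and Winlogon entries, HOSTS file, browser proxy) and the comment just above (msconfig Startup tab, the Run keys in regedit) describe the same manual walk through the autostart locations. The script below is an added example, not from the thread or any of its participants, that reads those locations in one pass and flags entries that call msiexec or an .msi, which is the symptom the question describes. It assumes Windows PowerShell 2.0 or later from an elevated prompt (PowerShell 2.0 can be installed on XP SP3); it changes nothing, so the review and the decision to delete stay with the person at the keyboard.

```powershell
# Added example, not from the thread: read-only listing of the autostart
# locations the two answers above point at (Run/RunOnce, Winlogon, Startup
# folders, HOSTS, browser proxy). Assumes Windows PowerShell 2.0 or later
# from an elevated prompt; nothing is changed or deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# What Windows itself writes to Winlogon; anything else deserves a look.
$winlogonExpected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            New-Object PSObject -Property @{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
                # msiexec or an .msi in an autostart entry is unusual once an
                # install has finished, and matches the symptom in the question
                Flag     = ([string]$p.Value -match 'msiexec|\.msi|swsetup')
            }
        }
    }
}

function Get-WinlogonDrift {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in $winlogonExpected.Keys) {
        $actual = [string]$wl.$name
        New-Object PSObject -Property @{
            Value    = $name
            Actual   = $actual
            Expected = $winlogonExpected[$name]
            Flag     = ($actual.Trim().ToLower() -ne $winlogonExpected[$name].ToLower())
        }
    }
}

function Get-StartupFolderItems {
    # Resolve both Startup folders from the registry so this works on XP as well as later versions.
    $folders = @(
        (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
    )
    foreach ($f in $folders) {
        if ($f -and (Test-Path $f)) {
            Get-ChildItem -Path $f -Force | Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, LastWriteTime
        }
    }
}

function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Any active line beyond the loopback entries is a name override worth reviewing.
    Get-Content -Path $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
}

function Get-ProxySettings {
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL   # a PAC URL nobody configured is a classic redirect trick
    }
}

'== Run / RunOnce ==';   Get-RunKeyEntries      | Format-Table Flag, Location, Name, Command -AutoSize
'== Winlogon ==';        Get-WinlogonDrift      | Format-Table Flag, Value, Actual, Expected -AutoSize
'== Startup folders =='; Get-StartupFolderItems | Format-Table -AutoSize
'== HOSTS overrides =='; Get-HostsOverrides
'== Proxy ==';           Get-ProxySettings      | Format-List
```

Run it on a known-clean machine of the same build first and diff the output against an affected one; a Flag of True is a prompt to investigate the entry, not proof that it is malicious, since some vendor installers legitimately leave a RunOnce entry behind.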

LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40220897
DON'T turn off System Restore!! Turning off System Restore will delete all your restore points (unless that is what you want to do). There are several articles on System Restore here on EE.

Also check out my article on antirootkit software.

Author Comment

ID: 40220941
I'm going to reimage all of these laptops that this rootkit has shown up on. They aren't infected with the rootkit yet; I learned of its existence when it was caught on the install attempt. I ran an Avast bootscan and it removed the rootkit installer, but the system still attempts to install. It just errors out now because it can't locate the installer MSI. I've looked in the Run and RunOnce registry keys, msconfig (disabled all services except MS, and startup) as well as Startup in the Program menu, and even checked Task Manager. It shows up on all machines, which is an update for HPtools ActivIdentity. I half think it's a legit update that is infected and it's the MSI installer being called to install. Overall I just want to figure out how the infection happened. These machines are currently XP and are already planned to be imaged with a new OS. The ones that are already upgraded don't have any issues.
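The author has now checked Run/RunOnce, msconfig, the Startup folder and Task Manager and still sees Windows Installer re-launched for a package whose .msi is gone. Windows Installer has re-launch mechanisms of its own that none of those places show: self-repair (an installed product whose component key path has gone missing asks for its source package again), Active Setup stubs that run once per user at logon, and scheduled tasks. The script below is an added example, not from the thread, that reads those three places and the MsiInstaller event log; it assumes Windows PowerShell 2.0 or later from an elevated prompt, and the path fragment it searches for is the one the question names. It deliberately does not query Win32_Product, because that WMI class runs a consistency check on every registered product and can itself fire the very repair prompts being hunted.

```powershell
# Added example, not from the thread: look for what keeps asking Windows
# Installer to run a package whose .msi is already gone, once Run/RunOnce,
# msconfig and the Startup folder have come up empty. Assumes Windows
# PowerShell 2.0 or later from an elevated prompt; read-only. It avoids
# Get-WmiObject Win32_Product on purpose: that class runs a consistency
# check on every registered product and can itself fire the repair prompts.

$sourceHint = 'swsetup\hptools'   # fragment of the path reported in the question

# 1. Self-repair ("resiliency") is logged under source MsiInstaller in the
#    Application log: 1001/1004 name the product, feature and component whose
#    key path was missing; 1035/1036 record the resulting reconfigure/install.
function Get-MsiRepairEvents([int]$Newest = 200) {
    Get-EventLog -LogName Application -Source MsiInstaller -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { @(1001, 1004, 1035, 1036) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

# 2. Registered products whose recorded source or cached package points into
#    the hint path: the Uninstall keys and the per-SID InstallProperties keys.
function Get-ProductsFromSource([string]$Hint) {
    $pattern = [regex]::Escape($Hint)
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties'
    )
    foreach ($path in $paths) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
            Where-Object { ([string]$_.InstallSource + ' ' + [string]$_.LocalPackage) -match $pattern } |
            Select-Object PSPath, DisplayName, InstallSource, LocalPackage, InstallDate
    }
}

# 3. Active Setup runs each component's StubPath once per user at logon, so a
#    StubPath that calls msiexec re-launches an install for every new profile.
function Get-ActiveSetupInstallers {
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\*' -ErrorAction SilentlyContinue |
        Where-Object { [string]$_.StubPath -match 'msiexec|\.msi' } |
        Select-Object PSChildName, StubPath, Version
}

# 4. Scheduled tasks; schtasks works on XP where the ScheduledTasks module does not.
function Get-TasksRunningInstallers {
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'msiexec|\.msi' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time'
}

'== MsiInstaller repair events ==';      Get-MsiRepairEvents | Format-List
'== Products registered from source =='; Get-ProductsFromSource $sourceHint | Format-List
'== Active Setup installers ==';         Get-ActiveSetupInstallers | Format-Table -AutoSize
'== Scheduled tasks calling msiexec =='; Get-TasksRunningInstallers | Format-Table -AutoSize
```

If the event log shows 1004 followed by 1035 at the times the prompt appears, the product named in the 1004 message is the one whose registration still points at the removed package, and that explains the re-launch without any trojan being involved; whether the package itself was clean is a separate question that a hash and signature check on a copy of the file answers.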
LVL 70

Expert Comment

ID: 40220965
Overall I just want to figure out how the infection happened << Windows XP is vulnerable.
And since it is now vulnerable there will be those who want to use it to their advantage. Stay up to date with what's going on.
Like owning a car, you should learn how to drive it and know the dangers.
Windows updates are no longer available, so how much manual downloading of software pertaining to making your computer secure is now being offered and installed?
They can come in the form of cookies and software that looks like genuine software.
If you really want your eyes opened:
I remember that there was a threat in 2012 with Windows itself; brand new computers were having rootkits installed with the OS. I kept this article to share with people.
Of course Microsoft and the FBI have fixed the bad site now, but it does remind me of the dangers of owning a computer and what steps to take to keep our information safe.
"Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday." (2012)
"The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains."
Then there was the Flash warning recently that turned out to be a virus:
Remove “WARNING! Your Flash Player may be out of date” virus
That's two examples... and when adding a network it could cross/travel the network to other computers through shared folders.
I haven't had any viruses or threats and put it down to how I update stuff on my Windows; with Flash I have it set to auto through the Flash Player in Control Panel, I do not update manually off the web.
I use only manufacturer drivers and use only reputable web sites. I buy most of my tools, and the free ones I get from the manufacturer or open source. Free can have hidden spyware.
I have a sound understanding of my running tasks.
I have my security set to high, with a good antivirus and firewall, regular cleanups and scans; all good.
I use Chrome as well, not Internet Explorer. May help :)

Rootkits: Subverting the Windows Kernel
"This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors."

LVL 65

Expert Comment

ID: 40221039
It will be good to send the MSI to online services such as VirusTotal, Jotti, Metascan or malwr to see the traces it left, so that there are more artefacts to investigate. But I suggest all external portable storage and shared file servers be scanned as well, as they are likely the entry and exit points. To kill the rootkit, it is still as shared: reimage...
LVL 56

Accepted Solution

McKnife earned 1500 total points
ID: 40221463
Ever thought about the possibility of a false positive detection?
LVL 65

Expert Comment

ID: 40222008
Hence it is best to try to ascertain the installation pack with online multi-AV to give another check. HP definitely wouldn't send you a virus... there should be some checksum or hash value or signature on these packages to ensure integrity before using them.

Neither are forensic tools; both are for editing of MSI files and contents, but used on a copy of your file they might help your examination. InstEd is probably easier to grab, since Orca requires download of the (large) SDK from MS.
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, from
(2) Insted from
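The two comments above converge on the same idea: before deciding between "infected HP update" and "false positive", check the package's integrity (hash, signature) and look inside a copy of it with an MSI editor such as Orca or InstEd. The script below is an added example, not from the thread or from HP, that does the same checks without a GUI tool and without ever executing the package: it hashes the file (the hash can be looked up on the multi-AV services named earlier without uploading anything), reads its Authenticode signature, and opens the MSI database read-only through the Windows Installer automation object to list the Property table and the CustomAction table, which is the part of an MSI that runs code. It assumes Windows PowerShell 2.0 or later; the quarantine path is a placeholder for your own copy of the file.

```powershell
# Added example, not from the thread: integrity checks and a read-only look
# inside a COPY of a suspect .msi, without ever running it. Assumes Windows
# PowerShell 2.0 or later and the Windows Installer automation object that
# ships with every Windows version. The path is a placeholder for your copy.

$msiCopy = 'C:\quarantine\ACx98.msi'   # placeholder: a copy of the file, not the live one

function Get-FileSha256([string]$Path) {
    # Get-FileHash only arrived in PowerShell 4, so hash through .NET directly.
    # The hash can be looked up on the multi-AV services named earlier in the
    # thread without uploading the file itself.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-MsiSignature([string]$Path) {
    # Vendor packages are normally Authenticode-signed. 'NotSigned' or
    # 'HashMismatch' on something claiming to be a vendor update is a finding;
    # 'Valid' still needs the Signer to be the vendor you expect.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{ Status = [string]$sig.Status; Signer = $signer }
}

# The Installer COM object needs late binding from PowerShell; every row comes
# back as an array of strings, one per requested column.
function Invoke-MsiQuery($Database, [string]$Sql, [int]$Columns) {
    $view = $Database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $Database, @($Sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rows = New-Object System.Collections.ArrayList
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($rec -eq $null) { break }
        $row = @()
        for ($i = 1; $i -le $Columns; $i++) {
            $row += [string]$rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($i))
        }
        [void]$rows.Add($row)
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    ,$rows   # unary comma keeps the list intact even when it holds a single row
}

function Get-MsiReport([string]$Path) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = msiOpenDatabaseModeReadOnly: the package is parsed, never executed.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))

    $props = @{}
    foreach ($row in Invoke-MsiQuery $db 'SELECT Property, Value FROM Property' 2) { $props[$row[0]] = $row[1] }

    # Custom actions are where an MSI runs arbitrary code. The low 6 bits of
    # Type give the base type: 1 DLL, 2 EXE, 5 VBScript, 6 JScript; 19, 35 and
    # 51 are the harmless error/set-directory/set-property kinds.
    $custom = @()
    try {
        foreach ($row in Invoke-MsiQuery $db 'SELECT Action, Type, Source, Target FROM CustomAction' 4) {
            $custom += New-Object PSObject -Property @{
                Action = $row[0]; Type = [int]$row[1]; BaseType = ([int]$row[1] -band 0x3F)
                Source = $row[2]; Target = $row[3]
            }
        }
    } catch { }   # package has no CustomAction table

    New-Object PSObject -Property @{
        File = $Path; Sha256 = (Get-FileSha256 $Path); Signature = (Get-MsiSignature $Path)
        ProductName = $props['ProductName']; ProductVersion = $props['ProductVersion']
        Manufacturer = $props['Manufacturer']; ProductCode = $props['ProductCode']
        CustomActions = $custom
    }
}

$r = Get-MsiReport $msiCopy
$r | Format-List File, Sha256, ProductName, ProductVersion, Manufacturer, ProductCode
$r.Signature | Format-List
$r.CustomActions | Format-Table Action, Type, BaseType, Source, Target -AutoSize
```

The ProductCode printed here is also the GUID that the Installer registry keys and the MsiInstaller 1004 events refer to, so it ties the file back to whichever registration keeps requesting it. A package that hashes the same on every affected machine, carries a valid vendor signature and has only the custom actions a smartcard middleware installer would need points towards the false-positive reading; a signature that fails, or a script custom action nobody can explain, points the other way.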
