w32.rootkit-gen detected and stopped, can't find trigger


I have some legacy HP convertible tablets that just yesterday around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run boot scans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HPtools update is infected? I can't figure out how it got on my computer if it's not an update. Even after the boot scan and clean it still calls for the install. I can't find the "trigger" or where it is calling for the Windows Installer, to remove it. Perhaps this is an undetected trojan making the call?

Any information on this would be helpful.

Ever thought about the possibility of a false positive detection?
btan, Exec Consultant, commented:
Try cleaning one with MBAM to see how it goes.
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill http://www.technibble.com/rkill-repair-tool-of-the-week/ may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and RootkitRevealer.
Cris Hanna commented:
I'm a big fan of Malwarebytes and Rkill, but recently found a rootkit on one of my customer's machines that was not detected by Malwarebytes... research led me to 3 other rootkit tools: Norton Power Eraser (free) https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN_EndUserProfile_en_us
And McAfee RootkitRemover http://www.mcafee.com/us/downloads/free-tools/how-to-use-rootkitremover.aspx
And finally Kaspersky TDSSKiller http://usa.kaspersky.com/downloads/TDSSKiller

And scan all your other machines too. Personally I'm a big fan of flattening any machine that is rootkitted.

Have you looked in the start-up group?
Go to Run, type msconfig, press Enter and open the Startup tab. These load with Windows; if there is any form of call for an install you should see it here. The line for each program in Startup also shows the registry location and the date installed.
Open Run, type regedit, press Enter, then expand each key until you see Run; on the right side look at what is in there, right-click the key and delete it.

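The msconfig and Run-key checks above cover only part of the places an install request can come from. The following script is an added example written for this thread (not code from any poster, from HP or from Avast); it walks Run/RunOnce, services, scheduled tasks, Windows Installer product registrations and the MsiInstaller event log for a keyword taken from the alert. It assumes PowerShell 2.0 or later run from an elevated prompt (XP SP3 can run it), and the default keyword `ACx98` is an assumption you should replace with whatever path or product name your alert shows.

```powershell
# Added example for this thread, not from any poster or from HP/Avast.
# Enumerates the places a re-install request commonly comes from, so the "trigger"
# can be found without guessing. Assumptions: PowerShell 2.0 or later, elevated prompt;
# $Keyword is a fragment of the path or product name seen in the AV alert (adjust it).
param([string]$Keyword = 'ACx98')

# 1. Classic Run/RunOnce keys (what msconfig's Startup tab shows, plus RunOnce).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host '== Run / RunOnce entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath noise
        $flag = ''
        if ("$($p.Value)" -match $Keyword) { $flag = '   <== matches keyword' }
        Write-Host ("{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag)
    }
}

# 2. Services whose binary path mentions the keyword (msconfig hides MS services only).
Write-Host "`n== Services matching keyword =="
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $Keyword } |
    Select-Object Name, StartMode, State, PathName | Format-List

# 3. Scheduled tasks; schtasks exists on XP, so its verbose listing is grepped.
Write-Host "`n== Scheduled tasks matching keyword =="
schtasks /query /fo LIST /v 2>$null | Select-String -Pattern $Keyword -Context 3,3

# 4. Products registered with Windows Installer whose source or cached package
#    mentions the keyword. Windows Installer can re-request an MSI on its own
#    (self-repair of an advertised component) without any Run key at all, so this
#    and the event log below are where a "phantom" install attempt usually shows up.
Write-Host "`n== Windows Installer product registrations =="
$products = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
if (Test-Path $products) {
    Get-ChildItem $products | ForEach-Object {
        $ip = $_.PSPath + '\InstallProperties'
        if (Test-Path $ip) {
            $info = Get-ItemProperty $ip
            if (("$($info.InstallSource)$($info.LocalPackage)$($info.DisplayName)") -match $Keyword) {
                $info | Select-Object DisplayName, InstallSource, LocalPackage, InstallDate | Format-List
            }
        }
    }
}

# 5. MsiInstaller events: 1001/1004 name the product and component whose missing
#    resource triggered a self-repair; 11708 is a failed install (e.g. MSI no longer present).
Write-Host "`n== Recent MsiInstaller events =="
Get-EventLog -LogName Application -Source MsiInstaller -Newest 100 |
    Where-Object { ($_.Message -match $Keyword) -or ((1001, 1004, 11708) -contains $_.EventID) } |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Two caveats: the script deliberately avoids `Get-WmiObject Win32_Product`, because that query makes Windows Installer run a consistency check on every product and can itself fire the very repair you are hunting; and on a machine that may carry a real rootkit, registry listings taken from inside the running OS can be filtered, so cross-check the results against Autoruns run offline or from a boot scan as suggested earlier in the thread.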
Thomas Zucker-Scharff, Solution Guide, commented:
DON'T turn off System Restore! Turning off System Restore will delete all your restore points (unless that is what you want to do). There are several articles on System Restore here on EE.

Also check out my article on antirootkit software.

RobMes, Author, commented:
I'm going to reimage all of these laptops that this rootkit has shown up on. They aren't infected with the rootkit yet; I learned of its existence when it was caught on the install attempt. I ran an Avast boot scan and it removed the rootkit installer, but the system still attempts to install. It just errors out now because it can't locate the installer MSI. I've looked in the Run and RunOnce registry keys, msconfig (disabled all services except MS, and startup), as well as Startup in the Programs menu, and even checked Task Manager. It shows up on all machines as an update for HPtools ActivIdentity. I half think it's a legit update that is infected and it's the MSI installer being called to install it. Overall I just want to figure out how the infection happened. These machines are currently XP and are already planned to be imaged with a new OS. The ones that are already upgraded don't have any issues.
Overall I just want to figure out how the infection happened << Windows XP is vulnerable.
And since it is now vulnerable there will be those who want to use it to their advantage. Stay up to date with what's going on.
Like owning a car, you should learn how to drive it and the dangers.
Windows updates are no longer available, so how much manual downloading of software purporting to make your computer secure is now being offered and installed?
They can come in the form of cookies and software that looks like genuine software.
If you really want your eyes opened:
I remember that there was a threat in 2012 with Windows itself; brand new computers were having rootkits installed with the OS. I kept this article to share with people.
Of course Microsoft and the FBI have fixed the bad site now, but it does remind me of the dangers of owning a computer and what steps to take to keep our information safe.
Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday. (2012)
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.
Then there was the Flash warning recently that turned out to be a virus:
Remove "WARNING! Your Flash Player may be out of date" virus
That's two examples, and when added to a network it could cross/travel the network to other computers through shared folders.
I haven't had any viruses or threats and put it down to the way I update stuff on my Windows; with Flash I have it set to auto through the Flash Player applet in Control Panel, I do not update manually off the web.
I use only manufacturer drivers and use only reputable web sites. I buy most of my tools, and the free ones I get from the manufacturer or open source. Free can have hidden spyware.
I have a sound understanding of my running tasks.
I have my security set to high, with a good antivirus and firewall, regular cleanups and scans; all good.
I use Chrome as well, not Internet Explorer. May help :)


btan, Exec Consultant, commented:
It will be good to send the MSI to online services such as VirusTotal, Jotti, Metascan or malwr to see the traces it left, so that there are more artefacts to investigate. But I suggest all external portable storage and shared file servers be scanned as well, as they are likely entry and exit points for the rootkit. The best way to kill the rootkit is still, as shared, a reimage...
btan, Exec Consultant, commented:
Hence it is best to try to ascertain the installation pack with an online multi-AV to give it another check. HP definitely wouldn't send you a virus... there should be some checksum, hash value or signature on these packages to ensure integrity before using them.

Neither are forensic tools; both are for editing MSI files and their contents, but used on a copy of your file they might help your examination. InstEd is probably easier to grab, since Orca requires downloading the (large) SDK from MS.
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, from http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx
(2) InstEd from http://www.instedit.com/features.html