w32.rootkit-gen detected and stopped, can't find trigger

Posted on 2014-07-25
Last Modified: 2014-08-12

I have some legacy HP convertible tablets that just yesterday around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run boot scans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HPtools update is infected? I can't figure out how it got on my computer if it's not an update. Even after the boot scan and clean it still calls for the install. I can't find the "trigger" or where it is calling for the Windows Installer to run it. Perhaps this is an undetected trojan making the call?

Any information on this would be helpful.

Question by: RobMes
LVL 64

Expert Comment

ID: 40220765
Try cleaning one with MBAM to see how it goes.
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and Rootkit Revealer.
LVL 35

Expert Comment

by:Cris Hanna
ID: 40220786
I'm a big fan of Malwarebytes and Rkill, but recently found a rootkit on one of my customers' machines that was not detected by Malwarebytes... research led me to 3 other rootkit tools: Norton Power Eraser (free),
McAfee RootkitRemover,
and finally Kaspersky TDSSKiller.

And scan all your other machines too. Personally I'm a big fan of flattening any machine that is rootkitted.
LVL 70

Expert Comment

ID: 40220788
Have you looked in the start-up group?
Go to Run > type msconfig, press Enter > open the Startup tab > these load with Windows; if there is any form of call for an install you should see it here. The line for the programs in Startup also shows the registry location and date installed.
Open Run, type in regedit, press Enter, then expand each hive until you see Run; on the right side look at what is in there, right-click the key and delete it.

[Screenshots: startup programs; example of what is in Run]

LVL 29

Expert Comment

by:Thomas Zucker-Scharff
ID: 40220897
DON'T turn off System Restore! Turning off System Restore will delete all your restore points (unless that is what you want to do). There are several articles on System Restore here on EE.

Also check out my article on antirootkit software.

Author Comment

ID: 40220941
I'm going to reimage all of these laptops that this rootkit has shown up on. They aren't infected with the rootkit yet; I learned about its existence when it was caught on the install attempt. I ran the Avast boot scan and it removed the rootkit installer, but the system still attempts to install. It just errors out now because it can't locate the installer MSI. I've looked in the Run and RunOnce registry keys, msconfig (disabled all services except MS and startup) as well as Startup in the Programs menu, and even checked Task Manager. It shows up on all machines, which is an update for HPtools ActivIdentity. I half think it's a legit update that is infected and it's the MSI installer being called to install. Overall I just want to figure out how the infection happened. These machines are currently XP and are already planned to be imaged with a new OS. The ones that are already upgraded don't have any issues.
LVL 70

Expert Comment

ID: 40220965
"Overall I just want to figure out how the infection happened" << Windows XP is vulnerable.
And since it is now vulnerable there will be those who want to use it to their advantage. Stay up to date with what's going on.
Like owning a car, you should learn how to drive it and the dangers.
Windows updates are no longer available, so how much manual downloading of software purporting to make your computer secure is now being offered and installed?
They can come in the form of cookies and software that looks like genuine software.
If you really want your eyes opened:
I remember that there was a threat in 2012 with Windows itself; brand new computers were having rootkits installed with the OS. I kept this article to share with people.
Of course Microsoft and the FBI have fixed the bad site now, but it does remind me of the dangers of owning a computer and what steps to take to keep our information safe.
Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday. 2012.
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.
Then there was the Flash warning recently that turned out to be a virus:
Remove "WARNING! Your Flash Player may be out of date" virus
That's two examples... and when added to a network it could cross/travel the network to other computers through shared folders.
I haven't had any viruses or threats and put it down to the way I update stuff on my Windows; with Flash I have it set to auto through the Flash Player applet in Control Panel, I do not update manually off the web.
I use only manufacturer drivers and use only reputable web sites. I buy most of my tools, and the free ones I get from the manufacturer or open source. Free can have hidden spyware.
I have a sound understanding of my running tasks.
I have my security set to high, with a good antivirus and firewall, regular cleanups and scans; all good.
I use Chrome as well, not Internet Explorer. May help :)


LVL 64

Expert Comment

ID: 40221039
It will be good to send the MSI to online scanners such as VirusTotal, Jotti, Metascan and malwr to see the traces it left, so that there are more artefacts to investigate. But I suggest all external portable storage and shared file servers be scanned as well, as they are likely entry and exit points; the way to kill the rootkit is still, as shared, to reimage...
LVL 55

Accepted Solution

McKnife earned 500 total points
ID: 40221463
Ever thought about the possibility of a false positive detection?
LVL 64

Expert Comment

ID: 40222008
Hence it is best to try to ascertain the installation pack with an online multi-AV to give another check. HP definitely wouldn't send you a virus... there should be some checksum or hash value or signature on these packages to ensure integrity before using them.

Neither of these is a forensic tool; both are for editing MSI files and their contents, but used on a copy of your file they might help your examination. InstEd is probably easier to grab, since Orca requires downloading the (large) SDK from MS.
(1) Microsoft's own tool, Orca.exe, made available as part of the MS Windows SDK, from
(2) InstEd from
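The two checks this thread keeps coming back to, finding whatever in Run/RunOnce re-invokes the MSI and verifying the package itself by hash and signature before deciding on a false positive, can be done in one script. This is an added example, not code from the thread or from HP; it assumes the MSI path from the question, PowerShell 2.0 (the newest version available on Windows XP, so it hashes via .NET rather than Get-FileHash), and a constructed search pattern for the HP tools path.

```powershell
# Added example (not from the thread). Assumptions: MSI path from the
# question, PowerShell 2.0 on XP, and the search pattern below.
$MsiPath = 'C:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi'
$Pattern = 'swsetup|hptools|ACx98|msiexec'   # constructed; adjust to taste

# 1. Look through the autostart keys the thread suggests for any value that
#    references the MSI, its folder, or msiexec.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $AutostartKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
    $Names = $Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($P in $Names) {
        $Value = [string]$P.Value
        if ($Value -match $Pattern) {
            Write-Output ("AUTOSTART HIT  {0}\{1} = {2}" -f $Key, $P.Name, $Value)
        }
    }
}

# 2. Fingerprint the MSI so it can be looked up on a multi-engine scanner
#    (VirusTotal, Jotti, etc.) by hash instead of re-uploading it per machine.
if (Test-Path $MsiPath) {
    $Stream = [System.IO.File]::OpenRead($MsiPath)
    try {
        $Sha256 = [System.Security.Cryptography.SHA256]::Create()
        $Hash = ($Sha256.ComputeHash($Stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $Stream.Close() }
    Write-Output ("SHA-256  {0}" -f $Hash)

    # 3. Check the Authenticode signature. A Valid status with an HP signer
    #    supports the false-positive theory; NotSigned or HashMismatch means
    #    the package has been altered or never came from HP in this form.
    $Sig = Get-AuthenticodeSignature -FilePath $MsiPath
    Write-Output ("Signature status: {0}" -f $Sig.Status)
    if ($Sig.SignerCertificate) {
        Write-Output ("Signer: {0}" -f $Sig.SignerCertificate.Subject)
    }
} else {
    Write-Output "MSI not present (already removed by the AV boot scan?)"
}
```

Run it on a machine where the MSI still exists; after the boot scan has removed the file only the autostart check still yields anything, which is exactly why the author could no longer find the trigger from the file side.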
