w32.rootkit-gen found by Avast in HPTools update

Hello,

I have some legacy HP convertible tablets that on 7.24.2014 around 4pm began detecting and stopping w32.rootkit-gen from installing. I have the latest Avast installed on them and it stopped the install. It was located in a resources folder for ActivIdentity, which is an HP tool that lets you log in with smartcards and so on. I was able to run boot scans to remove the file, which was found in c:\swsetup\hptools\PTAC_A8.400\AC61X86\ACx98.msi. It appears that the HPtools update is infected? I can’t figure out how it got on my computer if it’s not an update. Even after the boot scan and clean it still calls for the install. I can’t find the “trigger” or where it is calling for the Windows Installer to remove it. Perhaps this is an undetected trojan making the call? From what I can tell it’s the Windows Installer service being called to do the install, and it now errors out because the boot scan removed the MSI file. In part I kind of feel like this may be a false positive, or the HP tools update is actually infected. These are XP machines that are scheduled to be re-imaged with a new OS. Please withhold lectures on XP. These tablets perform a specific function in our network and internet has been disabled for the users, but ports are not blocked. The half that I already imaged show no signs of the rootkit, but they also do not have the same HP tools ActivIdentity feature installed.

I have checked the registry under Run and RunOnce and they are clean. I went to msconfig and rebooted once with all startup items disabled and once with all services except MS disabled. I checked Task Manager and the Startup folder. I’m not seeing anything malicious except that Avast is saying the install is infected. I can’t really ignore it, but it attempts the install on every boot-up and login. I can remove the MSI, but the call to install still exists. All of this is why I kind of feel like this is a false positive in some regard. I’m basically looking to learn of some other techniques to determine if this is legit or not. I’ve searched a lot of anti-virus companies and found nothing on this. I’m not terribly scared since the actual install is being stopped and I am actively re-imaging the machines. I want to learn if there was something I overlooked.

Any information on this would be helpful.

Thanks,

Rob
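One way to find what keeps calling Windows Installer for a package that is no longer on disk (added example, not from the original post or from HP/Avast): Windows Installer repairs are driven by product registrations, not by Run keys or the Startup folder, and a repair attempt logs MsiInstaller "detection failed" events (IDs 1001/1004) naming the product and component. This script lists registered products whose install source or cached package matches the path fragment from the post and pulls those events; it assumes PowerShell 2.0 or later (an add-on on Windows XP) and an elevated prompt.

```powershell
# Added example: locate the Windows Installer registration behind a recurring
# repair/install of a package under c:\swsetup\hptools (path from the post).
param([string]$PathFragment = 'swsetup\hptools')

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$pattern = [regex]::Escape($PathFragment)

# 1. Walk every per-SID product registration and report those whose
#    InstallSource or cached LocalPackage points at the suspect folder.
Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
    $products = Join-Path $_.PSPath 'Products'
    Get-ChildItem $products -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty (Join-Path $_.PSPath 'InstallProperties') `
                                  -ErrorAction SilentlyContinue
        if ($props -and ("$($props.InstallSource)|$($props.LocalPackage)" -match $pattern)) {
            New-Object PSObject -Property @{
                ProductKey    = $_.PSChildName     # squished GUID of the product
                DisplayName   = $props.DisplayName
                Publisher     = $props.Publisher
                InstallSource = $props.InstallSource
                LocalPackage  = $props.LocalPackage  # %WINDIR%\Installer\*.msi cache copy
            }
        }
    }
} | Format-List

# 2. Show recent self-repair triggers. Event 1001 names product/feature/component;
#    event 1004 names the missing resource (keypath) that caused the repair.
Get-EventLog -LogName Application -Source MsiInstaller -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { (1001, 1004) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

The component named in event 1001/1004 tells you which registered product is asking for repair; if its DisplayName and Publisher match the HP ActivIdentity tool, the repeated call is Installer self-heal for a missing keypath rather than a separate loader, and the product can be uninstalled or its registration reviewed before re-imaging.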

www.avast.com/contact-form.php
Use the contact form and report it as a possible false positive.