Avast keeps displaying a warning box that rootkit information, SVC:PenWesContr Win32:Rootkit-gen[Rtk], has been found on my PC. I take the recommended action (deletion and a boot scan) but it keeps coming back. I have also scanned with Spybot Search & Destroy, Malwarebytes and SUPERAntiSpyware but have found nothing on the PC. Any help greatly appreciated.
Please attach the logs:
https://forum.avast.com/index.php?topic=53253.0
Hope this is the info you require. I'm not that up on PCs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/28/2014 at 11:42 AM
Application Version : 5.7.1018
Core Rules Database Version : 11151
Trace Rules Database Version: 8963
Scan type : Complete Scan
Total Scan Time : 00:53:16
Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User
Memory items scanned : 772
Memory threats detected : 0
Registry items scanned : 69850
Registry threats detected : 0
File items scanned : 85138
File threats detected : 62
Adware.Tracking Cookie
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\EJUK0WS0.txt [ /collective-media.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\R0SWIY05.txt [ /adform.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\4Q6ZT1ID.txt [ /ru4.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\6UCW37Z2.txt [ /c1.adform.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\UHAHGF0B.txt [ /burstnet.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\XMCLIOEE.txt [ /account.login.aol.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\JH32F0BL.txt [ /ads.undertone.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\VMAKFF2U.txt [ /at.atwola.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\BN59M0IU.txt [ /collective-media.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\NQPEHNOW.txt [ /ad6media.fr ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\HKT89DK3.txt [ /advertising.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\ROSEJNQC.txt [ /atwola.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\UIPI4BJR.txt [ /accounts.youtube.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\CGDE0M94.txt [ /myaccount.talktalk.co.uk ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\B64O0RYD.txt [ /my-account.edfenergy.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\JLAH2RFZ.txt [ /ar.atwola.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\99QKPNYP.txt [ /pornhub.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q2DY06B6.txt [ /dmtracker.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\V7993HA2.txt [ /creafi-online-media.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\2VZ27D2E.txt [ /ru4.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\A33KQ6JO.txt [ /questionmarket.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\JDY7E653.txt [ /adtech.de ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\09RQ50UL.txt [ /royalmail.112.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\SAU4YN07.txt [ /112.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\36GHPIVX.txt [ /smartadserver.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\BFN9KLD7.txt [ /elitedaily.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\0FAE6W4B.txt [ /ads.yahoo.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\5MN22TUE.txt [ /tacoda.at.atwola.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\1X4SX70J.txt [ /xiti.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\EWNC1RXS.txt [ /e-2dj6ael4qidpoaq.stats.esomniture.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\L92YVOHA.txt [ /trinitymirror.112.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\UK19KWYZ.txt [ /lo.marketer.lpsnmedia.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\69LCLYT3.txt [ /newsquestdigitalmedia.122.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\791DPMAR.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\T00JKARZ.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\A30GUDP2.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\RWP191SV.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\0RWA6VQZ.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\7BGH1AVB.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\E9FSYJDE.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\UBVPCO14.txt [ /www.googleadservices.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\PT1BA22X.txt [ /adserve.postrelease.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\AUEMYN4P.txt [ /eyeviewads.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\0IVO0Z82.txt [ /eas8.emediate.eu ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\5LLE8PWB.txt [ /gmeurope.112.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\9MFEBKRY.txt [ /accounts.google.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\IMM8GIVO.txt [ /amazon-adsystem.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\V55RKP3G.txt [ /in.getclicky.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\BKMPYA6Q.txt [ /yadro.ru ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\104LFJH4.txt [ /revsci.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\7UO9OWJD.txt [ /ads2.williamhill.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\VGG3HR1X.txt [ /flextrack.msi-aci.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZD6FAZ06.txt [ /oracle.112.2o7.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\N2C9SKBG.txt [ /stats.paypal.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\5708KOMJ.txt [ /ads.stickyadstv.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\6RXW10VK.txt [ /adtech.which.co.uk ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\X51M9NUA.txt [ /liveperson.net ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\N73WIO0R.txt [ /media6degrees.com ]
C:\Users\Moray\AppData\Roaming\Microsoft\Windows\Cookies\Low\50D70N3S.txt [ /liveperson.net ]
accounts.google.com [ C:\USERS\MORAY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.google.com [ C:\USERS\MORAY\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
cdn1b.static.pornhub.phncdn.com [ C:\USERS\MORAY\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6UWZ2DN4 ]
Malwarebytes Anti-Malware
www.malwarebytes.org
Update, 08/04/2014 18:03:02, SYSTEM, 6CORE-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1,
Update, 08/04/2014 18:03:30, SYSTEM, 6CORE-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.8.4,
(end)
Did you click the link Eddy gave you, and read the info?
Don't copy and paste; attach the Malwarebytes / OTL / aswMBR logs.
I had that come up yesterday. Before I did anything I did a search around, and opinion online seemed to be unsure as to whether it was actually a rootkit/malware or not.
A couple of warnings: I tried disabling PenWes in Services, but then I found that I could no longer browse the internet. Whatever the program is, it seems to have something to do with DNS settings. I then found that I couldn't restart PenWes in Services. I rebooted, but this just removed PenWes from the list of services altogether, so I still couldn't browse and now I couldn't do anything with PenWes either.
The only thing that worked for me was to go into the Program Files folder and look for the program folder for PenWes, then use the uninstall.exe there to remove it from your system altogether. That should restore your DNS settings to what they were before PenWes was installed/installed itself.
Hope this helps.
FYI about PenWes: http://www.penwes.com/977-everything-you-need-to-know-about-penwes.php
If you have problems after uninstall…
If these settings have changed, Internet access may be disrupted. To get it running smoothly again, just follow these simple steps:
- Ensure that you have administrator access on your computer
- Open the network connections
- Right click on the local network connection (if the PC is connected to the Internet by cable) or on the wireless network connection (if the PC is connected to the Internet by Wi-Fi)
- Select Properties
- Select Internet Protocol TCP/IP
- Click on Properties
- Select Obtain DNS servers automatically
- Confirm by clicking OK, close all windows and restart your PC
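The following PowerShell script is an added example for the two posts above (the service that breaks name resolution when stopped, and the "Obtain DNS servers automatically" steps); it is not code from the thread, from Avast or from PenWes. It assumes Windows 7 with the built-in PowerShell 2.0 (so it uses WMI rather than the newer DnsClient cmdlets), an elevated prompt, and that the service and uninstall entry can be found by the substring "penwes"; the real service name is not stated in the thread. It only inspects and, optionally, resets DNS; it does not stop or delete the service, since the poster found that doing so cut off browsing.

```powershell
# Added example, not from the thread or from PenWes/Avast. Assumes Windows 7 with the
# built-in PowerShell 2.0 (no DnsClient module), run from an elevated prompt.
# ASSUMPTION: the service and uninstall entry are matched by the substring "penwes";
# the real service name is not given in the thread.

$pattern  = 'penwes'
$ResetDns = $false   # set to $true only after uninstalling, if browsing is still broken

# 1. Locate any service whose name, display name or binary path mentions PenWes,
#    and check the Authenticode signature of the executable it runs.
Write-Host "== Services matching '$pattern' =="
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
    ForEach-Object {
        "{0}  state={1}  start={2}" -f $_.Name, $_.State, $_.StartMode
        "  binary: $($_.PathName)"
        # PathName may be quoted and carry arguments; keep only the executable path
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split '\s+')[0] }
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            "  signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
        }
    }

# 2. Find the registered uninstaller (the poster removed PenWes with its own
#    uninstall.exe). Both the 64-bit and the 32-bit (Wow6432Node) hives are checked.
Write-Host "== Uninstall entries matching '$pattern' =="
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($h in $hives) {
    if (Test-Path $h) {
        Get-ChildItem $h | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match $pattern } |
            ForEach-Object { "{0}`n  uninstall: {1}" -f $_.DisplayName, $_.UninstallString }
    }
}

# 3. Show the DNS servers on each IP-enabled adapter. A static list pointing at
#    addresses you never configured is the symptom the thread describes.
Write-Host "== Current DNS configuration =="
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($cfg in $cfgs) {
    "{0}: DNS = {1}" -f $cfg.Description, ($cfg.DNSServerSearchOrder -join ', ')
}

# 4. Optional: reset every adapter to "obtain DNS servers automatically", which is
#    what the GUI steps above do. Passing $null clears the static server list;
#    ReturnValue 0 means success.
if ($ResetDns) {
    Write-Host "== Resetting DNS to automatic (DHCP) =="
    foreach ($cfg in $cfgs) {
        $r = $cfg.SetDNSServerSearchOrder($null)
        "{0}: ReturnValue {1}" -f $cfg.Description, $r.ReturnValue
    }
    ipconfig /flushdns | Out-Null
}
```

Run steps 1 to 3 before removing anything and keep the output: the binary path, signature status and the current DNS servers are exactly what a helper on this forum would want to see alongside the aswMBR/OTL logs. Then uninstall via the UninstallString found in step 2 and re-run; if the adapters still list servers you did not set, flip $ResetDns to $true and run once more.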