Avast popup says that PWMIDTSK.EXE is potentially unsafe

Avast has recently started displaying a popup saying that PWMIDTSK.EXE opened by svchost.exe is potentially unsafe. I have made no recent changes to my system that would account for this. When Avast scans PWMIDTSK.EXE, it doesn’t report any problems. Can anyone suggest why Avast is suddenly displaying this popup?

PWMIDTSK.EXE is located in C:\Program Files\ThinkPad\Utilities, just as it should be. I believe it is related to power management for the ThinkPad. Svchost.exe is located in C:\Windows\System32, as it should be.

So far I have responded to the Avast popup by selecting “Open in sandbox” or “Cancel open”. In either case the popup reoccurs a few minutes later. The popup appears to only occur when I’m connected to the Internet.

I had Avast scan the entire system with no problems reported. Then I had Avast do a scan for rootkits on reboot, and allowed it to remove 2 files with Beagle Win32 infections, and one file with NSIS:Adware-J [PUP].

So is there a problem on my system, or should I just tell Avast to allow PWMIDTSK.EXE to open normally, and to “Remember my answer for this program”?

I’m running Avast 6.0.1203 with virus definition version 110804-1 on Windows XP SP3.

Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

Then run a quick scan with this…

Malwarebytes Anti-Malware 1.51: http://filehippo.com/download_malwarebytes_anti_malware/
Always make sure the program is updated before you scan.
Click on the "Remove Selected" button to quarantine anything found.

Post the scan log here.

Hi bberger,

It’s the PoWer Manager IDle TaSK. Don’t get rid of it.
Establish it is this: http://www.runscanner.net/lib/pwmidtsk.exe.html
Watch out that you do not get multiple instances of PWMIDTSK.EXE spawned and more instances of the process running… else you should not worry about it.

polonus

In response to Pondus:

VirusTotal reported that the file (with the same checksum as mine) had been previously scanned, and was OK.

VirusTotal result URL:

http://www.virustotal.com/file-scan/reanalysis.html?id=0162b66ebb6802d03b759e4e1b42c178fea698eb6735bb1e8f6290aebb8baaa4-1312591320

VirusTotal last report URL:

http://www.virustotal.com/file-scan/report.html?id=0162b66ebb6802d03b759e4e1b42c178fea698eb6735bb1e8f6290aebb8baaa4-1280164504

The Malwarebytes quick scan found no problems either. (The registry issues it found can be safely ignored.) Here is the scan log:

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7390

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/5/2011 9:13:04 PM
mbam-log-2011-08-05 (21-12-47).txt

Scan type: Quick scan
Objects scanned: 221912
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

In response to polonus:

Yes, I knew PWMIDTSK was related to Power Management, and did not intend to get rid of it. The VirusTotal scan establishes that it is what it appears to be. There are in fact no instances of PWMIDTSK.EXE spawned, according to Task Manager. There are several instances of svchost.exe running, which is normal for Windows XP, and Avast has reported that one of them is trying to open PWMIDTSK.EXE, which Avast has suddenly decided is potentially unsafe.

In response to all:

So my conclusion is that PWMIDTSK.EXE is not unsafe. There is no evidence that it has become infected with any malware. The Avast popup appears to be a false positive. It would be nice to understand why Avast suddenly decided that this file might be potentially unsafe. Could an update to the Avast virus database result in a false positive of this sort? Who knows. But I will proceed by telling Avast to open the file normally.

Thanks to all for their assistance.