Help required - TPPWRIF.SYS

Dear Forum,

Avast flagged TPPWRIF.SYS (path: c:\windows\system32\drivers) as a virus:

Object: c:\windows\system32\drivers\TPPWRIF.SYS
Infection: Win32:Malware-gen
Process: c:\program files\lenovo\system update\egather\ia.exe

  • I was running Lenovo System Update when it flagged it
  • Avast and MBAM (resident) are up to date
  • Windows XP SP3 is also up to date
  • File was moved to the chest
  • I also ticked 'submit the file to avast! virus lab for further analysis'
  • Appears only Avast and Gdata (?!?!?) recognise TPPWRIF.SYS as generic malware (see below)
  • Jotti and Virustotal find no infection for IA.exe (see below)
  • Bleeping computer says it is a legitimate file http://www.file.net/process/tppwrif.sys.html
  • Size of the file (4,442 bytes) matches this link http://www.file.net/process/tppwrif.sys.html
  • No entries are to be found from a search on this forum

Please help! Your comments, suggestions and course of action would be much appreciated!

Best wishes,

Avastfan1

Online Scan Report: TPPWRIF.SYS

Virustotal Report: Only Avast and GData identify it as ‘Win32:Malware-gen’
http://www.virustotal.com/file-scan/report.html?id=86225f630d86a52d78c162c1307d9a7ef15e945fd061e0e6902bc64e25e0bbee-1287138709

Jotti: Only Avast and Gdata identify it as ‘Win32:Malware-Gen’
http://virusscan.jotti.org/en-gb/scanresult/b3db33bc80236e0e0d44f50979dfbb4821a6e820

Online Scan Report: IA.exe

Jotti: Nothing found http://virusscan.jotti.org/en-gb/scanresult/db87f7779ae62f746aef4085ca32a172a147ea65

Virustotal: Nothing found http://www.virustotal.com/file-scan/report.html?id=2a1939845b6322cd2e02d862f6abf7ee666dd48759206e2776b73127c7b4812f-1287142423
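Added example (not from the original post, nor avast's or Lenovo's code): a small Python helper that ties the file sitting in the Chest to the online reports above by hashing it locally, so the 2-of-N verdicts can be read as verdicts on that exact file. It assumes the VirusTotal report id has the form "<sha256>-<unix timestamp>" and that Jotti's 40-hex scanresult id is the file's SHA-1; the sample bytes in the test are constructed, not the driver.

```python
# Added example (not the forum's or avast's code): tie the file in the Chest to the
# online reports by hashing it locally. Assumed formats: VirusTotal report id
# "<sha256>-<unix timestamp>"; Jotti's 40-hex scanresult id == file SHA-1.
import hashlib
import re
from typing import List, Optional, Tuple

# Values quoted in the thread: size from file.net, VirusTotal and Jotti report ids.
FILE_NET_SIZE = 4442
VT_REPORT_ID = "86225f630d86a52d78c162c1307d9a7ef15e945fd061e0e6902bc64e25e0bbee-1287138709"
JOTTI_ID = "b3db33bc80236e0e0d44f50979dfbb4821a6e820"


def parse_virustotal_report_id(report_id: str) -> Tuple[str, int]:
    """Split '<sha256>-<timestamp>' into (sha256, timestamp)."""
    digest, _, ts = report_id.rpartition("-")
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest) or not ts.isdigit():
        raise ValueError("not a '<sha256>-<timestamp>' report id")
    return digest, int(ts)


def parse_jotti_id(scan_id: str) -> str:
    """Return the 40-hex id lower-cased (assumed to be the file's SHA-1)."""
    scan_id = scan_id.lower()
    if not re.fullmatch(r"[0-9a-f]{40}", scan_id):
        raise ValueError("not a 40-hex Jotti id")
    return scan_id


def fingerprint(data: bytes) -> dict:
    """Size, SHA-1 and SHA-256 of the file contents read from the Chest."""
    return {"size": len(data),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def check_against_reports(data: bytes, expected_size: Optional[int] = None,
                          vt_report_id: Optional[str] = None,
                          jotti_id: Optional[str] = None) -> List[str]:
    """Return every mismatch; an empty list means the local file is the object
    the quoted reports describe, so their verdicts apply to it."""
    fp = fingerprint(data)
    problems = []
    if expected_size is not None and fp["size"] != expected_size:
        problems.append(f"size {fp['size']} != documented {expected_size}")
    if vt_report_id is not None and fp["sha256"] != parse_virustotal_report_id(vt_report_id)[0]:
        problems.append("sha256 differs from the VirusTotal report")
    if jotti_id is not None and fp["sha1"] != parse_jotti_id(jotti_id):
        problems.append("sha1 differs from the Jotti report")
    return problems
```

On the real machine, pass `open(path, "rb").read()` of the restored copy to `check_against_reports` together with `FILE_NET_SIZE`, `VT_REPORT_ID` and `JOTTI_ID`; any non-empty result means the reports were about a different file.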


Most likely, it is a false positive. Hopefully we will find out soon.


Thanks Charley :slight_smile:

I have attached the MBAM log and the HJT log.

Dear Forum,

If you require any more information, please let me know.

An analysis by www.hijackthis.de shows:

    • C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe - ? - very safe - This is an unknown process
    • C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? - - This is an unknown process
    • O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? - - unknown application
    • O4 - Global Startup: Digital Line Detect.lnk = ? - neutral - Unknown application.
      The entry is unnecessary and can be fixed.
    • O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) - X - very safe - Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.
    • O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe - ? - - Unknown service. (MICMUTE.exe)

Thanks in advance.

Avastfan1

Hello,
false positive will be fixed in next VPS update, sorry for inconvenience.

Milos

Milos!

Many thanks for the quick response. That is what I love about this forum and this team: professional, friendly and efficient service from experts.

Two questions, Milos:

  1. Should I restore the file from the Chest?
  2. May I ask what exactly triggered the false positive?

If anyone could comment on the six HJT entries above, I would appreciate it very much.

Cheers,

Avastfan1

Update your avast installation and when the file is set as clean (rescan into Chest), restore it :slight_smile:

I love you! Will you marry me?
And all this time i have been thinking you liked girls ;D

He hates malwares ;D

You mean Girls are Malware …hmmmm that may explain lots of stuff… ;D

At least I don’t want to marry Milos ;D

Well, during the time I was researching some “unknowns”, you have received info from Milos … plus some good-natured joking. :slight_smile:

From the HJT log, an overview of running tasks (process - type - description):

  • smss.exe - System process - Session Manager Subsystem
  • winlogon.exe - System process - Microsoft Windows Logon Process
  • services.exe - System process - Windows Service Controller
  • lsass.exe - System process - Local Security Authority Service
  • vtserver.exe - Backgroundtask - Passport Server Module
  • ibmpmsvc.exe - Backgroundtask - Ibmpmsvc
  • svchost.exe - System process - Microsoft Service Host Process
  • svchost.exe - System process - Microsoft Service Host Process
  • EvtEng.exe - Backgroundtask - Intel EvtEng Module
  • S24EvMon.exe - Driver - Event Monitor
  • AvastSvc.exe - Virusscan - avast! Antivirus
  • spoolsv.exe - System process - Microsoft Printer Spooler Service
  • TPHKSVC.exe - Backgroundtask - tphksvc
  • AcPrfMgrSvc.exe - Backgroundtask - Ac Profile Manager Service
  • cvpnd.exe - Application - Cisco VPN Service
  • DOZESVC.EXE - Backgroundtask - Doze Mode Service Program
  • svchost.exe - System process - Microsoft Service Host Process
  • rrpcsb.exe - Backgroundtask - Rapid Restore
  • jqs.exe - Backgroundtask - Java Quick Starter Service
  • mbamservice.exe - Backgroundtask - mbamservice
  • FWService.exe - Firewall - PC Tools Firewall Plus service
  • RegSrvc.exe - Driver - Intel Communications Service
  • SMAgent.exe - Backgroundtask - Analog Devices magent
  • svchost.exe - System process - Microsoft Service Host Process
  • tvt_reg_monitor_svc.exe - Backgroundtask - ThinkVantage Registry Monitor Service Module
  • TpKmpSVC.exe - Driver - IBM ThinkPad Utility
  • tvtsched.exe - Backgroundtask - IBM ThinkVantage Scheduler
  • WLIDSVC.EXE - Unknown process (Windows Live ID Service) - Unknown task http://www.pcpitstop.com/libraries/process/i/WLIDSVC.EXE.html
  • AcSvc.exe - Backgroundtask - Access Connections Main Service
  • PWMDBSVC.EXE - Backgroundtask - PMVDBSVC.exe
  • suservice.exe (I am wondering why this is here?) - Virusscan - McAfee Streaming Update Service
  • WLIDSvcM.exe - Unknown process (Windows Live ID Service Monitor) - Unknown task http://www.pcpitstop.com/libraries/process/i/WLIDSVCM.EXE.html
  • CALMAIN.exe - Driver - Canon Camera Access Library
  • SvcGuiHlpr.exe - Backgroundtask - ThinkVantage Access Connections Service GUI Helper
  • Explorer.EXE - System process - Microsoft Windows Explorer
  • SynTPLpr.exe - Driver - Synaptics TouchPad Driver Helper
  • SynTPEnh.exe - Driver - Synaptics touchpad tray icon
  • TPOSDSVC.exe - Backgroundtask - TPOSDSVC.exe
  • EzEjMnAp.Exe - Driver - EasyEject Utility
  • SMax4PNP.exe - Driver - SMax4PNP MFC Application
  • ibmprc.exe - Backgroundtask - ibmprc Application
  • rundll32.exe - System process - Microsoft Rundll32
  • tfswctrl.exe - Application - HP DLA Packet Writing Software
  • TPONSCR.exe - Driver - ThinkPad Hotkey Manager
  • TpScrex.exe - Driver - ThinkPad UltraZoom
  • FirewallGUI.exe - Firewall - PC Tools Firewall GUI
  • avastUI.exe - Virusscan - avast! Antivirus
  • realsched.exe - Application - RealNetworks Scheduler
  • scheduler_proxy.exe - Backgroundtask - scheduler_proxy Application
  • AcMurocHlpr.exe - Unknown task (Associated with ThinkVantage Access Connections) - Unknown task http://www.pcpitstop.com/libraries/process/i/AcMurocHlpr.exe.html
  • virtscrl.exe - Unknown task (Lenovo Auto Scroll Start Service) - Unknown task http://www.systemexplorer.net/fileinfo2/lvvsst.exe.html
  • TpShocks.exe - Driver - IBM Hard Drive Active Protection
  • hkcmd.exe - Application - Intel multimedia devices
  • igfxpers.exe - Driver - Intel Common User Interface Module
  • ACWLIcon.exe - Backgroundtask - acwlicon
  • WMPNSCFG.exe - Backgroundtask - Windows Media Player Network Sharing Service Confi
  • ctfmon.exe - System process - Alternative User Input Services
  • DLG.exe - Backgroundtask - Detects whether you are plugged into a digital telephone line and displays the information graphically.
  • mbamgui.exe - Suspicious process (malwarebytes antimalware user interface) - mbamgui.exe http://www.bleepingcomputer.com/startups/mbamgui.exe-24148.html
  • HijackThis.exe - Application - Merijn Hijackthis


Thanks Charley0 for your time and research.

I believe that the above file belongs to IBM update (http://www.bleepingcomputer.com/startups/suservice.exe-19075.html).

Do you have any further suggestions for the six items I highlighted from the HJT log?

    • C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe - ? - very safe - This is an unknown process
    • C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? - - This is an unknown process
    • O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? - - unknown application
    • O4 - Global Startup: Digital Line Detect.lnk = ? - neutral - Unknown application.
      The entry is unnecessary and can be fixed.
    • O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) - X - very safe - Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.
    • O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe - ? - - Unknown service. (MICMUTE.exe)

Thanks in advance!

Best wishes,

Avastfan1

Yes, if you add an exclusion for the destination directory, or wait until the new VPS is released (don’t ask me when ;-)).

2. May I ask what exactly triggered the false positive?
Yes, you can ask.

The answer is that we didn’t have the file in our cleanset.

Milos

Thanks for the prompt reply Milos.

Strange that the file was not in the cleanset. I used the Lenovo System Update several times during the last few months, and that file would certainly have been flagged before!?!?!?!?!

No, it wasn’t detected before. The detection was improved and tested on our cleanset and it passed, so it was released this morning (CET) in VPS 101015-0.

Milos


The only 2 that need fixing with HJT are your numbers 4 & 5.
The others are legitimate entries according to the research I did above.

You are welcome as I am glad to help.

Take care!


Thanks Charley0.

I found another entry in the log:

  1. O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

What is your opinion on this one?

Thanks!

Avastfan1