Help required - TPPWRIF.SYS

[Avastfan1]

Dear Forum,

Avast flagged TPPWRIF.SYS (path: c:\windows\system32\drivers) as a virus:

Object: c:\windows\system32\drivers\TPPWRIF.SYS
Infection: Win32:Malware-gen
Process: c:\program files\lenovo\system update\egather\ia.exe

- I was running Lenovo System Update when it flagged it
- Avast and MBAM (resident) are up to date
- Windows XP SP3 is also up to date
- File was moved to the chest
- I also ticked 'submit the file to avast! virus lab for further analysis
- Appears only Avast and Gdata (?!?!?) recognise TPPWRIF.SYS as generic malware (see below)
- Jotti and Virustotal find no infection for IA.exe (see below)
- Bleeping computer says it is a legitimate file http://www.file.net/process/tppwrif.sys.html
- Size of the file (4,442 bytes) matches this link http://www.file.net/process/tppwrif.sys.html
- No entries are to be found from a search on this forum

Please help! Your comments, suggestions and course of action would be much appreciated!

Best wishes,

Avastfan1

Online Scan Report: TPPWRIF.SYS

Virustotal Report: Only Avast and GData identify it as 'Win32:Malware-gen'
http://www.virustotal.com/file-scan/report.html?id=86225f630d86a52d78c162c1307d9a7ef15e945fd061e0e6902bc64e25e0bbee-1287138709

Jotti: Only Avast and Gdata identify it as 'Win32:Malware-Gen'
http://virusscan.jotti.org/en-gb/scanresult/b3db33bc80236e0e0d44f50979dfbb4821a6e820

Online Scan Report: IA.exe

Jotti: Nothing found http://virusscan.jotti.org/en-gb/scanresult/db87f7779ae62f746aef4085ca32a172a147ea65

Virustotal: Nothing found http://www.virustotal.com/file-scan/report.html?id=2a1939845b6322cd2e02d862f6abf7ee666dd48759206e2776b73127c7b4812f-1287142423

[CharleyO]

***

Most likely, it is a false positive. Hopefully we will find out soon.


***

[Avastfan1]

Thanks Charley :-)

I have attached the MBAM log and the HJT log.

[Avastfan1]

Dear Forum,

If you require any more information, please let me know.

An analysis by www.hijackthis.de shows:

1. - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe - ? - very safe - This is an unknown process
2. - C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? -       - This is an unknown process
3. - O4 - HKLM\..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? -   -  unknown application
4. - O4 - Global Startup: Digital Line Detect.lnk = ?   -  neutral - Unknown application.
The entry is unnecessary and can be fixed.
5. - O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) - X - very safe -     Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.
6. - 023 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe - ? -     - Unknown service. (MICMUTE.exe)

Thanks in advance.

Avastfan1

[Milos]

Hello,
false positive will be fixed in next VPS update, sorry for inconvenience.

Milos

[Avastfan1]

Milos!

Many thanks for the quick response. That is what I love about this forum and this team: professional, friendly and efficient service from experts.

Two questoins Milos:
1. Should I restore the file from the Chest?
2. May I ask what exactly triggered the false positive?

If anyone could comment on the six HJT entries above, I would appreciate it very much.

Cheers,

Avastfan1

[Lisandro]

Should I restore the file from the Chest?

Update your avast installation and when the file is set as clean (rescan into Chest), restore it

[Pondus]

I love you! Will you marry me? 

And all this time i have been thinking you liked girls 

[Lisandro]

And all this time i have been thinking you liked girls 

He hates malwares

[Pondus]

And all this time i have been thinking you liked girls 

He hates malwares

You mean Girls are Malware ......hmmmm that may explain lots of stuff...

[Avastfan1]

.

[Lisandro]

You mean Girls are Malware ......hmmmm that may explain lots of stuff...

At least I don't want to marry Milos

[Avastfan1]

.

[CharleyO]

***

Well, during the time I was researching some "unknowns", you have received info from Milos ... plus some good natured joking.   


From the HJT log, an overview of running tasks :

smss.exe   
System process   
Session Manager Subsystem

winlogon.exe   
System process   
Microsoft Windows Logon Process

services.exe   
System process   
Windows Service Controller

lsass.exe   
System process   
Local Security Authority Service

vtserver.exe   
Backgroundtask   
Passport Server Module

ibmpmsvc.exe   
Backgroundtask   
Ibmpmsvc

svchost.exe   
System process   
Microsoft Service Host Process

svchost.exe   
System process   
Microsoft Service Host Process

EvtEng.exe   
Backgroundtask   
Intel EvtEng Module

S24EvMon.exe   
Driver   
Event Monitor

AvastSvc.exe   
Virusscan   
avast! Antivirus

spoolsv.exe   
System process   
Microsoft Printer Spooler Service

TPHKSVC.exe   
Backgroundtask   
tphksvc

AcPrfMgrSvc.exe   
Backgroundtask   
Ac Profile Manager Service

cvpnd.exe   
Application   
Cisco VPN Service

DOZESVC.EXE   
Backgroundtask   
Doze Mode Service Program

svchost.exe   
System process   
Microsoft Service Host Process

rrpcsb.exe   
Backgroundtask   
Rapid Restore

jqs.exe   
Backgroundtask   
Java Quick Starter Service

mbamservice.exe   
Backgroundtask   
mbamservice

FWService.exe   
Firewall   
PC Tools Firewall Plus service

RegSrvc.exe   
Driver   
Intel Communications Service

SMAgent.exe   
Backgroundtask   
Analog Devices magent

svchost.exe   
System process   
Microsoft Service Host Process

tvt_reg_monitor_svc.exe   
Backgroundtask   
ThinkVantage Registry Monitor Service Module

TpKmpSVC.exe   
Driver   
IBM ThinkPad Utility

tvtsched.exe   
Backgroundtask   
IBM ThinkVantage Scheduler

WLIDSVC.EXE   
Unknown process   (Windows Live ID Service)
Unknown task      http://www.pcpitstop.com/libraries/process/i/WLIDSVC.EXE.html

AcSvc.exe   
Backgroundtask   
Access Connections Main Service

PWMDBSVC.EXE   
Backgroundtask   
PMVDBSVC.exe

suservice.exe      (I am wondering why is this here?)
Virusscan   
McAfee Streaming Update Service

WLIDSvcM.exe   
Unknown process   (Windows Live ID Service Monitor)
Unknown task      http://www.pcpitstop.com/libraries/process/i/WLIDSVCM.EXE.html

CALMAIN.exe   
Driver   
Canon Camera Access Library

SvcGuiHlpr.exe   
Backgroundtask   
ThinkVantage Access Connections Service GUI Helper

Explorer.EXE   
System process   
Microsoft Windows Explorer

SynTPLpr.exe   
Driver   
Synaptics TouchPad Driver Helper

SynTPEnh.exe   
Driver   
Synaptics touchpad tray icon

TPOSDSVC.exe   
Backgroundtask   
TPOSDSVC.exe

EzEjMnAp.Exe   
Driver   
EasyEject Utility

SMax4PNP.exe   
Driver   
SMax4PNP MFC Application

ibmprc.exe   
Backgroundtask   
ibmprc Application

rundll32.exe   
System process   
Microsoft Rundll32

tfswctrl.exe   
Application   
HP DLA Packet Writing Software

TPONSCR.exe   
Driver   
ThinkPad Hotkey Manager

TpScrex.exe   
Driver   
ThinkPad UltraZoom

FirewallGUI.exe   
Firewall   
PC Tools Firewall GUI

avastUI.exe   
Virusscan   
avast! Antivirus

realsched.exe   
Application   
RealNetworks Scheduler

scheduler_proxy.exe   
Backgroundtask   
scheduler_proxy Application

AcMurocHlpr.exe   
Unknown task    (Associated with ThinkVantage Access Connections)
Unknown task     http://www.pcpitstop.com/libraries/process/i/AcMurocHlpr.exe.html

virtscrl.exe   
Unknown task   (Lenovo Auto Scroll Start Service)
Unknown task      http://www.systemexplorer.net/fileinfo2/lvvsst.exe.html

TpShocks.exe   
Driver   
IBM Hard Drive Active Protection

hkcmd.exe   
Application   
Intel multimedia devices

igfxpers.exe   
Driver   
Intel Common User Interface Module

ACWLIcon.exe   
Backgroundtask   
acwlicon

WMPNSCFG.exe   
Backgroundtask   
Windows Media Player Network Sharing Service Confi

ctfmon.exe   
System process   
Alternative User Input Services

DLG.exe   
Backgroundtask   
Detects whether your are plugged into a digital telephone line and displays the information graphically.

mbamgui.exe   
Suspicious process   (malwarebytes antimalware user interface)
mbamgui.exe          http://www.bleepingcomputer.com/startups/mbamgui.exe-24148.html

HijackThis.exe   
Application   
Merijn Hijackthis


***

[Avastfan1]

suservice.exe      (I am wondering why is this here?)
Virusscan   
McAfee Streaming Update Service

Thanks Charley0 for your time and research.

I believe that the above file belongs to IBM update (http://www.bleepingcomputer.com/startups/suservice.exe-19075.html).

Do you have any further suggestions for the six items I highlighted from the HJT log?

1. - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe - ? - very safe - This is an unknown process
2. - C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? -       - This is an unknown process
3. - O4 - HKLM\..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe - ? -   -  unknown application
4. - O4 - Global Startup: Digital Line Detect.lnk = ?   -  neutral - Unknown application.
The entry is unnecessary and can be fixed.
5. - O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) - X - very safe -     Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.
6. - 023 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe - ? -     - Unknown service. (MICMUTE.exe)

Thanks in advance!

Best wishes,

Avastfan1