Hi Grif,

Thanks for providing this solution above, but unfortunately I am having the same trouble. I have run Malwarebytes and also SuperAntispyware at least twice each time and they both found files to delete only the first time around. My system is running on Win XP professional with McAfee 8.5i enterprise. Apart from Malwarebytes and Superantispyware, I have also run Spybot search and destroy and Ad-aware. I do not have any issues with popups as I use chrome and Mozilla, but McAfee discovers a .tmp every 5 to 6 min to delete if I am connected to the net. Any help would be greatly appreciated.

Thanks

When McAfee detects FakeAlert what action do we take? Does the threat say that it was cleaned or deleted? Update system to the latest DAT which is 5792 and run a full system scan with Artemis enabled on High (KB53732) . We can take a look at the log to see what the location of the infected files are and target those directories for undetected samples that we can submit to McAfee Labs (KB50388) . I have also attached a document for fighting FakeAlert Trojans. Also, One thing we can do is configure an "User Defined" Access Protection rule within Virus Scan. This can be a "File-Folder" blocking rule on the directory in which the temp files are being dropped. We can set that action to block or report on that directory. Once the detection takes place on the .tmp files we can then look in the Access Protection log to see what process is responsible for dropping the .tmp file. We can then target that process. If you need further assistance just let me know.

Ron

Hi Ron,

   thanks so much for the detailed response.

1. McAfee ends up deleting the file after it is created in the Temp folder.

2. I activated high on protection with Artemis and ran a full scan. It picked up 1 file which it deleted right away. Problem still exists after reboot after that.

3. I did the File/Folder Access protection rule and this is what I found.

11/5/2009 7:29:29 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe C:\WINDOWS\TEMP\iwnv.tmp User-defined Rules:File block for Trojan Action blocked : Create

since it is a svchost.exe file I believe its a system process attempting to create the temp file in the temp folder.

I am not sure where to go from here. Logs from reg perhaps?? Please do let me know. I really do appreciate your help in this matter.

Thanks,

Maneesh

Perfect, we are getting closer. Now download Process Explorer  http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Launch Process Explorer

Once the application is up perform a CTRL+D

Highlight the first svchost process

This should show the lower pane with the listed dll's of the svchost process

You will be looking for any dll that does not have Description or company name (record the dll)

Do this for each svchost process

Once you have identified the suspicous dll's go to the following site and upload each dll one by one

http://www.virustotal.com/

This will let you know who is detecting the file as a threat and what kind of threat it is. If you have any of the dll's being detected by 3 or more AV vendors then I would feel confident that we may have found some valid samples for research. You will want to zip all the samples and password protect the zip with the password  - infected

You will then want to submit the sample to McAfee Labs KB50388

After you get the analysis ID you may get an extra.dat within an hour. If not, you will want to call into support create a case and have it escalated to McAfee Labs for research.

Let me know how it goes and if you have any questions.

Ron

Went through the whole process and found the following with either the description missing (which was all but one) or the company name missing (one). Just to be sure I was only looking for dll files right? Or any file without either description or company name?

CLBCATQ.DLL

COMRes.dll

OLEAUT32.dll

colbact.dll

comsvcs.dll

es.dll

dmserver.dll - Company name was Microsoft Corp. instead of Microsoft Corporation like the rest of them.

NCObjAPI.dll

uploaded each one separately to the site you pointed to and all of them gave a result of 0/41 (o.oo%). Does that mean that they were safe?

Thanks and looking forward to hearing back.

More than likely they are not malicous. I went back and read through the original post and notice you say the detection occurs when browsing the web. We may need to launch your browser and look at the svchost processes again and also the browser's process as well.

Just to confirm, you are still getting detections if you launch your browser correct?

Does it matter which browser?

There may be a BHO involved here as well.

Download IceSword (link below) and you will see a section for BHO. See if there are any suspicous BHO's shown. Delete the BHO's and then see if the detection still occurs. Make sure browsers are closed before deleting the BHO.

ftp://custftp2.nai.com/outgoing/rstevens/icesword.zip

Actually its starts as soon as I start any application that needs an internet connection. As long as I am not connected, the detection/deletion does not happen.

I have run icesword, and nothing out of the ordinary on there. Have only 4 entries, three for acrobat related products and one for snagit which I use for editing.

Also have gone through a lot more dll's on the process explorer and checked some processes which run right before the tmp file is created. unfortunately, all the dll's which I looked up returned with either 0/40 or 0/41. This is getting challenging by the minute. Do let me know what other options we have.

Thanks again for all your help and patience.

hi Ron, I just thought I will paste the Hijackthis log in case that might help. Please do let me know if there is anything else we can do.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:19:32 AM, on 11/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\DTS.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\AtService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe

C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\RotateImage\RCIMGDIR.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\msahay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\msahay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\msahay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.corp.adobe.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=LOOK-WARNTY#sw

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"

O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: RCIMGDIR.exe.lnk = ?

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_16\bin\npjpi142_16.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.adobe.com

O15 - Trusted Zone: *.macromedia.com

O16 - DPF: {5328061E-6A43-4CA6-A4B9-13EB98922070} (IN_DB 80 Control) - https://infrav8app-prd.corp.adobe.com/infraprd/INFRA_CONTROLS80.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257278618417

O16 - DPF: {8E8583EF-A32D-48CC-96D5-0B8EBA600E7A} (Infra wrapper 80) - https://infrav8app-prd.corp.adobe.com/infraprd/in_wrapper80.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = can.adobe.com

O17 - HKLM\Software\..\Telephony: DomainName = can.adobe.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = can.adobe.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = can.adobe.com,corp.adobe.com,sea.adobe.com,eur.adobe.com,pac.adobe.com,macromedia.com, corp.adobe.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = can.adobe.com,corp.adobe.com,sea.adobe.com,eur.adobe.com,pac.adobe.com,macromedia.com, corp.adobe.com

O20 - AppInit_DLLs: acaptuser32.dll zepuwuvi.dll c:\windows\system32\vulademu.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll

O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe

O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe

O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe

O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe

O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

O23 - Service: WebClientSrv - PC Guardian Technologies, Inc. - C:\Program Files\PC Guardian\Encryption Plus Management Console Client\WebClientSrv.exe

--

End of file - 15245 bytes