#1
vtwtm.dll/index.html#37049
Hi All,
After running ad-aware, spybot, hijackthis, spy ferret and cwshred my browser is still hijacked. I have posted the log from hijackthis in hopes that someone will be able to send me in the right direction. When the first six lines (R0 & R1's) are removed something puts them right back. Tks in advance. billn.

Logfile of HijackThis v1.97.7
Scan saved at 11:37:13 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Helexis\Drive Health\dhcore.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\addon32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\addeh32.exe
C:\Documents and Settings\Bill Nxxxxxx\Local Settings\Temp\Temporary Directory 5 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vtwtm.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vtwtm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vtwtm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A30E1DF-0A72-AEB7-7E44-79412564B4A7} - C:\WINDOWS\winvq.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [addeh32.exe] C:\WINDOWS\addeh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

#2
Sorry for the confusion
The six lines I refer to above are after the break, (R0/R1's)

#3
Hi billn,
Before fixing anything, does this program seem familiar to you? It may be the source of your problems.

O4 - HKLM\..\Run: [addeh32.exe] C:\WINDOWS\addeh32.exe

Can you browse to the file in My Computer, right-click it and tell me the properties and version info?

Move or unzip HijackThis to a permanent location such as C:\HJT so it can make backups of what we fix.

Run HijackThis, place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vtwtm.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vtwtm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vtwtm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
O2 - BHO: (no name) - {7A30E1DF-0A72-AEB7-7E44-79412564B4A7} - C:\WINDOWS\winvq.dll

Boot into Safe Mode. Here are instructions: http://service1.symantec.com/SUPPOR...01052409420406/

Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete the following file:
C:\WINDOWS\vtwtm.dll

Reboot normally and post a new log.

Consider installing Spywareblaster and Spywareguard.

Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
Last edited by Tom Myboy : June 19th, 2004 at 01:52 PM.

#4
Hi Tom
Here is

Logfile of HijackThis v1.97.7
Scan saved at 5:56:50 PM, on 6/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Helexis\Drive Health\dhcore.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\addon32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\addeh32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CallWave\IAM.exe
C:\Documents and Settings\Bill Nxxxxxx\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qrfid.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qrfid.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qrfid.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qrfid.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qrfid.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qrfid.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6CB6FA3E-4E06-6264-2A77-866A236736C8} - C:\WINDOWS\apiki32.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [addeh32.exe] C:\WINDOWS\addeh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\system32\addon32.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\system32\ieds32.exe
O4 - HKLM\..\RunOnce: [atlux.exe] C:\WINDOWS\system32\atlux.exe
O4 - HKLM\..\RunOnce: [crlj32.exe] C:\WINDOWS\crlj32.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41A6BB1-46B3-4826-B679-B449E341681C}: NameServer = 207.69.188.187 207.69.188.186

The "new" log after the suggested repairs has changed the "vtwtm" to "qrfid". The addeh32.exe is 27.5k with no ver. number. Please also note the 5 new "run once" entries. They reside either in the windows directory or the prefetch directory within windows. The new BHO "apiki32.dll" is also in the windows directory. I have no idea where that came from. Line 17 is also new.

tks, billn
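
Added example (not part of the original thread, and not HijackThis's own code): a small Python script that compares two HijackThis logs the way post #4 does by eye, listing entries that are new in the second scan and the DLL names the R0/R1 page values load through res://. The two sample logs are constructed from a handful of entries copied from the scans above, and the function names are this example's own.

```python
import re

# Constructed sample input: a few entries copied from the thread's first two
# HijackThis logs (6/18 before the fix, 6/19 after it), not the full scans.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vtwtm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtwtm.dll/sp.html#37049
O2 - BHO: (no name) - {7A30E1DF-0A72-AEB7-7E44-79412564B4A7} - C:\WINDOWS\winvq.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [addeh32.exe] C:\WINDOWS\addeh32.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qrfid.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qrfid.dll/sp.html#37049
O2 - BHO: (no name) - {6CB6FA3E-4E06-6264-2A77-866A236736C8} - C:\WINDOWS\apiki32.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [addeh32.exe] C:\WINDOWS\addeh32.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41A6BB1-46B3-4826-B679-B449E341681C}: NameServer = 207.69.188.187 207.69.188.186
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # section code, then the entry detail
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.IGNORECASE)

def parse(log):
    """Group log entries by HijackThis section code (R0, R1, O2, O4, ...)."""
    sections = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    return sections

def res_dlls(sections):
    """DLL names that the IE start/search page values (R0/R1) load through res://."""
    found = set()
    for code in ("R0", "R1"):
        for detail in sections.get(code, ()):
            m = RES_DLL.search(detail)
            if m:
                found.add(m.group(1).lower())
    return found

def compare(before, after):
    """Report what the second scan shows that the first did not."""
    old, new = parse(before), parse(after)
    added = {c: sorted(new[c] - old.get(c, set())) for c in new}
    old_dlls, new_dlls = res_dlls(old), res_dlls(new)
    return {
        "added": {c: v for c, v in added.items() if v},
        "hijack_dlls": sorted(new_dlls),
        # Page values that point at a res:// DLL not seen in the first scan
        # were rewritten after the fix, so the component writing them is still active.
        "new_hijack_dlls": sorted(new_dlls - old_dlls),
    }

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

Run over the full logs, the same comparison would also list the other four RunOnce entries that post #4 points out.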

#5
The address in the:
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41A6BB1-46B3-4826-B679-B449E341681C}: NameServer = 207.69.188.187 207.69.188.186
Resolves to Earthlink, is that your ISP?

207.69.188.186 = [ ns2.mindspring.com ]

OrgName: EarthLink Inc.
OrgID: ERMS
Address: 1375 PEACHTREE ST LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US

NetRange: 207.69.0.0 - 207.69.255.255
CIDR: 207.69.0.0/16
NetName: EARTHLINK2000-D
NetHandle: NET-207-69-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: ITCHY.MINDSPRING.NET
NameServer: SCRATCHY.MINDSPRING.NET
Comment:
RegDate: 2000-04-20
Updated: 2000-04-20

TechHandle: DAE4-ARIN
TechName: Domain Administrator Administrator
TechPhone: 1-404-815-0770
TechEmail: arinpoc@corp.earthlink.net

I'd like you to do a couple of online scans:
http://housecall.trendmicro.com/
www.pandasoftware.com/activescan/activescan

Tom

#6
Hi Tom,
Yes, Earthlink is my ISP. I will post the results of the two scans as soon as they are done. I had trouble with the first and the pandascan is going now. I think I determined this morning that I do not need "addon32.exe" and "addeh32.exe", but I'll wait to delete them. Tks again for your assistance. billn

#7
Hi Tom,
Here is the log of the pandascan. I'll try the other in the AM. M/S had to interrupt (3X) the scan, "we're sorry for the inconvenience".

Incident Status Location
Virus:Trj/Downloader.HV Disinfected Operating system
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nxxxxxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-6e0ee6e1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nxxxxxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-6e0ee6e1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nxxxxxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6394a72c-1452c0c4.zip[Dummy.class]
Virus:Trj/Syshi.A Disinfected C:\WINDOWS\addeh32.exe
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\ccmnvx.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\ftxizf.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\gvkdep.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\jnzwve.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\myjfnp.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\osxnbw.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\sdkel.exe
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\vtteau.dat

billn

#8
Hi Tom,
EVERY attempt at the Trendmicro scan causes the "IE must close now" error msg. I'll continue trying and will post if I get a scan. billn

#9
With all the infections, let's disable System Restore. Right-click My Computer > Properties > System Restore tab > check Turn off System Restore

Here's another one you can try:
Bitdefender
http://www.bitdefender.com/scan/licence.php

Let's do a trojan scan too:
Trojan Hunter
http://www.misec.net/trojanhunter/

Keep it up... you're getting there!

Last edited by Tom Myboy : June 21st, 2004 at 02:29 PM.

#10
Hi Tom,
I've been married for 35 years, I'm pretty good at doing what I'm told. I'll post another "hijackthis log" after the two scans. billn

#11
Hahaha! I can relate

#12
Hi Tom,
Here are the results of the two scans:

Incident Status Location
Virus:Trj/Downloader.HV Disinfected Operating system
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nievera\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-6e0ee6e1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nievera\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-6e0ee6e1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Bill Nievera\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6394a72c-1452c0c4.zip[Dummy.class]
Virus:Trj/Syshi.A Disinfected C:\WINDOWS\addeh32.exe
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\ccmnvx.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\ftxizf.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\gvkdep.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\jnzwve.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\myjfnp.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\osxnbw.dat
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\sdkel.exe
Virus:Trj/Downloader.HV Disinfected C:\WINDOWS\vtteau.dat

and,

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Program Files\SpyFerret by OnlinePCfix\SFerret.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\addon32.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\addon32.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\atlux.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\atlux.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\crlj32.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\crlj32.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\d3hk.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\d3hk.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\d3wk32.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\d3wk32.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\ieds32.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\ieds32.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\ipbc.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\ipbc.exe (Adware.IELoad.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\javadt32.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\javadt32.exe (Adware.Jdf.100)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\avxoscan\Infected\sdkel.exe (Add to ignore list)
Found trojan file: C:\WINDOWS\avxoscan\Infected\sdkel.exe (Adware.IELoad.100)
9 trojan files found

I'll post the hijackthis scan separately, it makes the post too long. billn

#13
and the hijackthis scan:

Logfile of HijackThis v1.97.7
Scan saved at 11:11:31 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Helexis\Drive Health\dhcore.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program