[Resolvido!] Remoção de Tattoodle da home page

fharing · Janeiro 12, 2010

Bom dia!

Há alguns meses entrei no site tattoodle e desde entao, ele se apresenta como minha home page.

Ja desinstalei tudo que podia via painel de controle, mas não consigo mudar minha home page.

Mesmo digitando em opções de internet um outro site para a home, ao abrir o IE o tattoodle volta como home page.

Não sei mais o que fazer!!!

Vcs podem me ajudar?

Ja tinha feito um topico e fui aconselhada a fazer nesse espaço. Devo ter usado o forum errado para tal.

Obrigada!

Flavia

wings · Janeiro 13, 2010

O caminho para mudar a homepage é por aí mesmo....

*Baixe o HijackThis e salve-o em Meus Documentos

*Instale-o

*Execute-o através do ícone criado no desktop

*Clique em [Do a system scan and save a logfile].

*Cole o relatório aqui no fórum

fharing · Janeiro 13, 2010

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:07:46, on 13/01/2010

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v8.00 (8.00.6001.18865)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Power Manager\PM.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\USB Video Camera\Monitor.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\IncrediMail\bin\IMApp.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Windows\system32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Flavia\AppData\Local\Temp\Temp1_HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.itautec.com.br

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tattoodle.com?tid={C1C3A0C3-D0DD-4aa4-AD27-F0621FA852FF}

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: IMBooster4web-en Toolbar - {346de098-61f9-4b42-89da-6dfba7091bb6} - C:\Program Files\IMBooster4web-en\tbIMBo.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: IMBooster4web-en Toolbar - {346de098-61f9-4b42-89da-6dfba7091bb6} - C:\Program Files\IMBooster4web-en\tbIMBo.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRAM FILES\GBPLUGIN\gbieh.dll

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\PROGRA~1\GbPlugin\gbiehAbn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\PROGRA~1\GbPlugin\gbiehUni.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: IMBooster4web-en Toolbar - {346de098-61f9-4b42-89da-6dfba7091bb6} - C:\Program Files\IMBooster4web-en\tbIMBo.dll

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\USB Video Camera\Monitor.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)

O13 - Gopher Prefix:

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.incredigames.com/online/online2/zenerchi/ZenerchiWeb.1.0.0.10.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.incredigames.com/online/online2/zuma/popcaploader_v5.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: GbPluginAbn - C:\PROGRA~1\GbPlugin\gbiehAbn.dll

O20 - Winlogon Notify: GbPluginBb - C:\PROGRAM FILES\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: GbPluginUni - C:\PROGRA~1\GbPlugin\gbiehUni.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 8938 bytes

wings · Janeiro 13, 2010

*Clique em [iniciar] > [Executar] > digite: gpedit.msc

*Clique OK

*Agora vá em: Configuração do usuário > Componente do Windows > Internet Explorer

*Localize a opção DESABILITAR ALTERAÇÃO DAS CONFIGURAÇÕES DA HOME PAGE e dê dois cliques nela

*Selecione ATIVAR e na caixa de texto abaixo digite o site desejado (Ex. www.google.com.br)

*Clique OK e reinicie o PC

fharing · Janeiro 13, 2010

Aparece a msg q nao existe tal comando....Pede para me certificar q foi digitado corretamente e tentar novamente...

Obrigada!

wings · Janeiro 13, 2010

1.

*Clique em Iniciar > Painel de Controle > Contas de Usuários > Ativar ou Desativar Contas de Usuários > Confirme > Continuar > Desmarque "Utilizar o Controle de Conta de Usuário (UAC) para ajudar a proteger o computador" > OK > Confirme > Reinicie o PC

2.

*Baixe o AD-Remover e salve-o no desktop

*Duplo clique em AD-R.exe e instale o programa.

*Duplo clique no ícone criado no desktop e clique em [Oui]

*Tecle S > [ENTER]

*Aguarde o término

*Cole o relatório criado em C:\Ad-Report-SCAN.log

fharing · Janeiro 13, 2010

.

======= LOGFILE OF AD-REMOVER 1.1.4.6_H | ONLY XP/VISTA/7 =======

.

Updated by C_XX on 11.01.2010 at 22:29

Contact: AdRemover.contact@gmail.com

Website: http://pagesperso-orange.fr/NosTools/ad_remover.html

.

Launch at: 18:23:57, 13/01/2010 | Normal Boot | Option: SCAN

Executed from: C:\Ad-Remover\

Operating system: Microsoft® Windows Vista™ HomePremium Service Pack 2 versÆo 6.0.6000

Computer Name: FLAVIA-PC | Current user: Flavia

.

============== FOUND ELEMENT(S) ==============

.

C:\Windows\Installer\{E1B94435-241E-4519-B1C3-C4DD9EB352A2}

C:\Program Files\IMBooster4web-en

C:\Users\Flavia\AppData\Local\Iminent

C:\Users\Flavia\AppData\LocalLow\IMBooster4web-en

.

HKCU\software\appdatalow\software\IMBooster4web-en

HKCU\software\Iminent

HKCU\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKLM\Software\Classes\CLSID\{346DE098-61F9-4B42-89DA-6DFBA7091BB6}

HKLM\software\IMBooster4web-en

HKLM\software\Iminent

HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C5649B05-360C-4786-B644-56AB40F4B8F6}

HKLM\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{346DE098-61F9-4B42-89DA-6DFBA7091BB6}

HKLM\software\microsoft\windows\currentversion\uninstall\IMBooster4web-en Toolbar

HKU\s-1-5-21-1496793110-4171843247-1538304563-1000\software\appdatalow\software\IMBooster4web-en

HKU\s-1-5-21-1496793110-4171843247-1538304563-1000\software\Iminent

.

============== Added scan ==============

.

* Internet Explorer Version 8.0.6001.18865 *

.

[HKEY_CURRENT_USER\..\Internet Explorer\Main]

.

Do404Search: 01000000

Local Page: C:\Windows\system32\blank.htm

Show_ToolBar: yes

Search Page:

Enable Browser Extensions: yes

Start Page: hxxp://www.tattoodle.com?tid={C1C3A0C3-D0DD-4aa4-AD27-F0621FA852FF}

Default_Page_URL: hxxp://www.itautec.com.br

Use Search Asst:

Search Bar:

SearchAssistant:

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]

.

Start Page: hxxp://www.msn.com/

Default_Page_URL: hxxp://www.itautec.com.br

Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896

Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896

Delete_Temp_Files_On_Exit: yes

Local Page: C:\Windows\System32\blank.htm

Enable Browser Extensions: yes

Use Search Asst: no

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]

.

Tabs: res://ieframe.dll/tabswelcome.htm

.

===================================

.

3169 Byte(s) - C:\Ad-Report-SCAN[1].log

2885 Byte(s) - C:\Ad-Report-SCAN[2].log

.

908 File(s) - C:\Users\Flavia\AppData\Local\Temp

45 File(s) - C:\Windows\Temp

124 File(s) - C:\Windows\Prefetch

.

2 File(s) - C:\Ad-Remover\BACKUP

0 File(s) - C:\Ad-Remover\QUARANTINE

.

End at: 18:31:10 | 13/01/2010 - SCAN[2]

.

============== E.O.F ==============

.

wings · Janeiro 13, 2010

1.

*Execute novamente o AD-Remover

*Tecle L > [ENTER]

*Aguarde...pode demorar. O PC poderá ser reiniciado automaticamente ao término da limpeza.

*Cole o relatório criado em C:\Ad-Report-CLEAN.log e novo log do hijack

fharing · Janeiro 13, 2010

.

======= LOGFILE OF AD-REMOVER 1.1.4.6_H | ONLY XP/VISTA/7 =======

.

Updated by C_XX on 11.01.2010 at 22:29

Contact: AdRemover.contact@gmail.com

Website: http://pagesperso-orange.fr/NosTools/ad_remover.html

.

Launch at: 19:50:08, 13/01/2010 | Normal Boot | Option: CLEAN

Executed from: C:\Ad-Remover\

Operating system: Microsoft® Windows Vista™ HomePremium Service Pack 2 versÆo 6.0.6000

Computer Name: FLAVIA-PC | Current user: Flavia

.

============== NEUTRALIZED ELEMENT(S) ==============

.

C:\Windows\Installer\{E1B94435-241E-4519-B1C3-C4DD9EB352A2}

C:\Program Files\IMBooster4web-en

C:\Users\Flavia\AppData\Local\Iminent

C:\Users\Flavia\AppData\LocalLow\IMBooster4web-en

(!) -- Temp files deleted.

.

HKCU\software\appdatalow\software\IMBooster4web-en

HKCU\software\Iminent

HKCU\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKLM\Software\Classes\CLSID\{346DE098-61F9-4B42-89DA-6DFBA7091BB6}

HKLM\software\IMBooster4web-en

HKLM\software\Iminent

HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C5649B05-360C-4786-B644-56AB40F4B8F6}

HKLM\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{346de098-61f9-4b42-89da-6dfba7091bb6}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{346DE098-61F9-4B42-89DA-6DFBA7091BB6}

HKLM\software\microsoft\windows\currentversion\uninstall\IMBooster4web-en Toolbar

.

============== Added scan ==============

.

* Internet Explorer Version 8.0.6001.18865 *

.

[HKEY_CURRENT_USER\..\Internet Explorer\Main]

.

Do404Search: 01000000

Local Page: C:\Windows\system32\blank.htm

Show_ToolBar: yes

Enable Browser Extensions: yes

Start Page: hxxp://fr.msn.com/

Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Use Search Asst:

Search Bar: hxxp://go.microsoft.com/fwlink/?linkid=54896

SearchAssistant:

Default_search_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]

.

Start Page: hxxp://fr.msn.com/

Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Delete_Temp_Files_On_Exit: yes

Local Page: C:\Windows\System32\blank.htm

Enable Browser Extensions: yes

Use Search Asst: no

Search bar: hxxp://search.msn.com/spbasic.htm

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]

.

Tabs: res://ieframe.dll/tabswelcome.htm

.

===================================

.

2936 Byte(s) - C:\Ad-Report-CLEAN[1].log

3169 Byte(s) - C:\Ad-Report-SCAN[1].log

3211 Byte(s) - C:\Ad-Report-SCAN[2].log

.

0 File(s) - C:\Users\Flavia\AppData\Local\Temp

0 File(s) - C:\Windows\Temp

0 File(s) - C:\Windows\Prefetch

.

21 File(s) - C:\Ad-Remover\BACKUP

135 File(s) - C:\Ad-Remover\QUARANTINE

.

End at: 19:54:42 | 13/01/2010 - CLEAN[1]

.

============== E.O.F ==============

.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:01:23, on 13/01/2010

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v8.00 (8.00.6001.18865)

Boot mode: Normal

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe