Log analysis and evaluation: Interpol Trojan has locked my computer (Windows 7)
23.11.2013, 14:59 | #1 |
Interpol Trojan has locked my computer

Hello everyone, here is my problem: supposedly Interpol has locked my computer. What can I do about this Trojan? I have already had the log file created with Farbar Recovery Scan:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-11-2013 01
Ran by SYSTEM on MININT-27ALP96 on 22-11-2013 17:50:25
Running from G:\
Windows 7 Home Premium (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AmIcoSinglun64] - C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-02-05] (Alcor Micro Corp.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2107176 2010-03-11] (Synaptics Incorporated)
HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-05-26] (Egis Technology Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-06-15] (Acer Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-05-26] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584 2010-03-10] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-03-10] (Egis Technology Inc.)
HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [265984 2010-06-28] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-06-05] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [MDS_Menu] - C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [124136 2010-06-25] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
HKU\Schulle\...\Run: [Browser Infrastructure Helper] - C:\Users\Schulle\AppData\Local\Smartbar\Application\QuickShare.exe [20248 2013-06-16] (Smartbar)
HKU\Schulle\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Schulle\...\RunOnce: [bq3xi] - C:\ProgramData\iae\cbhgq.exe [396800 2013-11-21] (NVIDIA Corporation)
HKU\Schulle\...\Winlogon: [Shell] C:\ProgramData\mrsm\elera.exe,explorer.exe <==== ATTENTION

==================== Services (Whitelisted) =================

S2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [822304 2010-06-15] (Acer Incorporated)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-05-26] (Egis Technology Inc.)
S2 NTISchedulerSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144640 2010-04-16] (NTI, Inc.)
S2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] ()
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{2e695283-51bc-c546-2862-d87b0e9f724e}\ \...\???\{2e695283-51bc-c546-2862-d87b0e9f724e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13784 2009-11-02] ()
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-22 17:47 - 2013-11-22 17:47 - 00000000 ____D C:\FRST
2013-11-21 14:16 - 2013-11-21 14:16 - 00000364 _____ C:\Windows\PFRO.log
2013-11-21 14:07 - 2013-11-22 07:02 - 00000000 ____D C:\ProgramData\tjgensu
2013-11-21 14:07 - 2013-11-22 04:25 - 00000000 ____D C:\ProgramData\epc
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\opfx
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\mrsm
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\iae
2013-11-21 14:03 - 2013-11-22 07:02 - 00000000 ____D C:\ProgramData\avppqbj
2013-11-17 04:14 - 2013-11-22 07:02 - 00000392 _____ C:\Windows\setupact.log
2013-11-17 04:14 - 2013-11-17 04:14 - 00000000 _____ C:\Windows\setuperr.log
2013-11-16 13:25 - 2013-11-16 13:32 - 00027136 _____ C:\Users\Schulle\Downloads\Mitgliederzahlen.xls
2013-11-13 11:16 - 2013-11-16 11:17 - 00000000 ____D C:\Windows\System32\MpEngineStore
2013-11-13 11:16 - 2013-11-13 11:16 - 00000000 ____D C:\1d1f670d4d142ce06840f642e140

==================== One Month Modified Files and Folders =======

2013-11-22 17:47 - 2013-11-22 17:47 - 00000000 ____D C:\FRST
2013-11-22 07:12 - 2013-10-13 10:21 - 00670008 _____ C:\Windows\WindowsUpdate.log
2013-11-22 07:09 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-22 07:09 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-22 07:02 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\tjgensu
2013-11-22 07:02 - 2013-11-21 14:03 - 00000000 ____D C:\ProgramData\avppqbj
2013-11-22 07:02 - 2013-11-17 04:14 - 00000392 _____ C:\Windows\setupact.log
2013-11-22 07:02 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-22 04:25 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\epc
2013-11-21 14:16 - 2013-11-21 14:16 - 00000364 _____ C:\Windows\PFRO.log
2013-11-21 14:14 - 2013-10-11 10:17 - 00006584 _____ C:\Users\Schulle\Documents\Re_Ferienwohnung_Fam_Norbert_Schulz.eml
2013-11-21 14:14 - 2013-06-02 08:22 - 00339968 _____ C:\Users\Schulle\Documents\kopfbogen neu 2013 Aufnahmeantrag nur Abbuchung.dot
2013-11-21 14:14 - 2013-02-27 22:39 - 06728784 _____ C:\Users\Schulle\Documents\InstallMyTomTomSA.exe
2013-11-21 14:14 - 2012-12-29 04:36 - 15271824 _____ C:\Users\Schulle\Documents\picasa39-setup.exe
2013-11-21 14:14 - 2012-08-05 04:04 - 196139624 _____ C:\Users\Schulle\Documents\Rossmann-Fotosoftware-Setup.exe
2013-11-21 14:14 - 2012-08-05 03:04 - 00016384 ___SH C:\Users\Schulle\Documents\Thumbs.db
2013-11-21 14:14 - 2011-10-09 09:27 - 00910624 _____ C:\Users\Schulle\Documents\jre-6u27-windows-i586-iftw.exe&File=jre-6u27-windows-i586-iftw.exe&BHost=javadl.sun.com
2013-11-21 14:14 - 2011-05-22 08:12 - 04186072 _____ C:\Users\Schulle\Documents\McAfeeSetup.exe
2013-11-21 14:14 - 2011-04-01 10:06 - 00000000 ____D C:\Users\Schulle\AppData\Roaming\SoftGrid Client
2013-11-21 14:13 - 2013-10-12 07:57 - 00117760 _____ C:\Users\Schulle\Documents\10110 SV Dreetz 1980.xls
2013-11-21 14:13 - 2013-09-01 02:00 - 46592416 _____ C:\Users\Schulle\Documents\EIE10_EN-US_WOL_Win764.EXE
2013-11-21 14:13 - 2013-04-11 10:56 - 51310752 _____ C:\Users\Schulle\Documents\IE10-Setup-Full-x64.exe
2013-11-21 14:13 - 2013-03-17 01:06 - 29083336 _____ C:\Users\Schulle\Documents\family_tree_builder_5634.exe
2013-11-21 14:13 - 2013-02-24 10:39 - 04189792 _____ C:\Users\Schulle\Documents\ccsetup327.exe
2013-11-21 14:13 - 2012-10-17 09:43 - 00107008 _____ C:\Users\Schulle\Documents\10110%20SV%20Dreetz%201980 (2).xls
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\opfx
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\mrsm
2013-11-21 14:07 - 2013-11-21 14:07 - 00000000 ____D C:\ProgramData\iae
2013-11-21 13:33 - 2011-01-13 11:41 - 00654852 _____ C:\Windows\System32\perfh007.dat
2013-11-21 13:33 - 2011-01-13 11:41 - 00130434 _____ C:\Windows\System32\perfc007.dat
2013-11-21 13:33 - 2009-07-13 21:13 - 01500104 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-21 13:26 - 2011-04-01 04:59 - 00000000 ____D C:\users\Schulle
2013-11-21 13:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-11-21 13:23 - 2012-12-27 10:07 - 00000000 ____D C:\Users\Schulle\Desktop\OpenOffice.org 3.4.1 (de) Installation Files
2013-11-21 13:23 - 2011-09-22 09:16 - 00000000 __RSD C:\Users\Schulle\Documents\My Stationery
2013-11-21 13:23 - 2011-04-01 10:12 - 00000000 ____D C:\Windows\System32\Tasks\Games
2013-11-21 13:23 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-11-21 13:23 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\restore
2013-11-21 13:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-11-21 13:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-11-21 13:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-11-21 13:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2013-11-21 13:23 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2013-11-21 13:23 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2013-11-21 13:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-11-21 13:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2013-11-21 13:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
2013-11-21 13:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors
2013-11-21 13:22 - 2013-02-24 10:43 - 00000000 ____D C:\Program Files\CCleaner
2013-11-21 13:22 - 2012-08-06 10:34 - 00000000 ____D C:\Program Files (x86)\Rossmann Fotowelt Software
2013-11-21 13:22 - 2011-06-21 08:32 - 00000000 ____D C:\Program Files (x86)\MyTomTom 3
2013-11-21 13:22 - 2011-04-03 06:41 - 00000000 ____D C:\Program Files (x86)\T-Online_Software_6
2013-11-21 13:22 - 2011-04-01 10:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2013-11-21 13:22 - 2011-01-13 02:54 - 00000000 ____D C:\Program Files (x86)\Launch Manager
2013-11-21 13:22 - 2010-09-07 23:55 - 00000000 ____D C:\Program Files (x86)\EgisTec IPS
2013-11-21 13:22 - 2010-09-07 23:49 - 00000000 ____D C:\ProgramData\McAfee
2013-11-21 13:22 - 2010-09-07 23:34 - 00000000 ____D C:\Program Files (x86)\AmIcoSingLun
2013-11-21 13:22 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-11-21 13:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-11-21 12:59 - 2013-03-13 12:22 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-11-21 12:59 - 2013-03-13 12:22 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-11-17 04:14 - 2013-11-17 04:14 - 00000000 _____ C:\Windows\setuperr.log
2013-11-16 13:32 - 2013-11-16 13:25 - 00027136 _____ C:\Users\Schulle\Downloads\Mitgliederzahlen.xls
2013-11-16 11:17 - 2013-11-13 11:16 - 00000000 ____D C:\Windows\System32\MpEngineStore
2013-11-16 07:35 - 2012-12-14 05:18 - 00262144 _____ C:\Windows\System32\config\ELAM
2013-11-13 11:16 - 2013-11-13 11:16 - 00000000 ____D C:\1d1f670d4d142ce06840f642e140
2013-11-13 11:16 - 2013-08-14 23:47 - 00000000 ____D C:\Windows\System32\MRT
2013-11-13 11:16 - 2011-06-15 09:33 - 82896128 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-11-13 10:46 - 2012-12-29 04:38 - 00000000 ____D C:\Program Files (x86)\Google
2013-11-13 10:44 - 2011-04-02 05:11 - 00000000 ____D C:\Users\Schulle\AppData\Local\Google
2013-10-24 09:38 - 2011-04-01 10:12 - 00000000 ____D C:\Users\Schulle\AppData\Local\Microsoft Games

ZeroAccess: C:\Users\Schulle\AppData\Local\Google\Desktop\Install
ZeroAccess: C:\Program Files (x86)\Google\Desktop\Install

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

15
Restore point made on: 2013-10-13 13:07:19
Restore point made on: 2013-10-13 13:11:03
Restore point made on: 2013-10-13 13:17:05
Restore point made on: 2013-10-13 13:57:26
Restore point made on: 2013-10-20 08:33:08
Restore point made on: 2013-10-20 08:40:38
Restore point made on: 2013-10-20 09:00:06
Restore point made on: 2013-10-27 10:00:24
Restore point made on: 2013-11-03 10:00:10
Restore point made on: 2013-11-10 10:00:22
Restore point made on: 2013-11-13 11:15:54
Restore point made on: 2013-11-17 10:00:29
Restore point made on: 2013-11-21 12:45:41
Restore point made on: 2013-11-21 12:58:43
Restore point made on: 2013-11-21 13:15:00

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3764.48 MB
Available physical RAM: 3060.02 MB
Total Pagefile: 3762.63 MB
Available Pagefile: 3047.78 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:451.66 GB) (Free:403.44 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:14 GB) (Free:2.4 GB) NTFS
Drive g: () (Removable) (Total:7.45 GB) (Free:4.11 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: C28353B4)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=452 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: 26D09764)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-11-10 09:24

==================== End Of Log ============================