#121
Found it ...here you go.
Shoot! I keep forgetting for some reason I can't read it on an iPad. Lol, I should get a Surface, but then again I will stick to an iPad.
Can you copy and paste the results?
I'll try... but I'm having some big problems now with the User. I restarted my computer to see if the new location would be recognized. But when I logged into my main Keon administrator account the desktop looks like the temporary Tutorial account I created, and the disk space for C: is taken up... it only has 7 GB left instead of the 21 it had before.
Here's what changed in my Regedit... There are two of those 1000 folders now. One of them has the ProfileImagePath as C:\Users\TEMP and the second, backup 1000 has the ProfileImagePath as E:\Keon.
So I guess a TEMP account was created for some reason...
Btw here's the Hitman log...
Code:
HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : KEON-PC
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : Keon-PC\Keon
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-07-25 18:25:39
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 20s
   Disk access mode . .  : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . .  : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 653

   Objects scanned . . . : 1,692,919
   Files scanned . . . . : 21,490
   Remnants scanned  . . : 330,967 files / 1,340,462 keys

Suspicious files ____________________________________________________________

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002286.dll
      Size . . . . . . . : 942,907 bytes
      Age  . . . . . . . : 558.8 days (2012-01-14 00:15:52)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 151573760160ED491B4528616FF16C058966B9555B73E804AF1CD60B3F8EB33D
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002287.dll
      Size . . . . . . . : 948,113 bytes
      Age  . . . . . . . : 547.7 days (2012-01-25 01:09:58)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 1BE27031845D80D6803C15BCE2EBE1276C0CA17F3BD47FDA8EAD97DBF5A517AF
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002288.dll
      Size . . . . . . . : 948,118 bytes
      Age  . . . . . . . : 545.7 days (2012-01-27 01:16:48)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 3192353354FE593051B33886088D4C312ACB9A653D874281B2EBF131B80415CB
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002291.dll
      Size . . . . . . . : 965,329 bytes
      Age  . . . . . . . : 477.8 days (2012-04-04 00:07:02)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : CAE3128772295AC4F1179B881A00B061DB00505275CB258F9F0C84CC1DF9B2A5
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002292.dll
      Size . . . . . . . : 956,681 bytes
      Age  . . . . . . . : 475.8 days (2012-04-06 00:02:27)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
      Size . . . . . . . : 949,613 bytes
      Age  . . . . . . . : 305.9 days (2012-09-22 21:10:38)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
      Size . . . . . . . : 959,376 bytes
      Age  . . . . . . . : 159.8 days (2013-02-15 23:13:27)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
      Size . . . . . . . : 963,480 bytes
      Age  . . . . . . . : 14.8 days (2013-07-10 22:35:05)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 23.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
      Forensic Cluster
         -0.2s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\htm\wc002331.htm
          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
      Size . . . . . . . : 963,480 bytes
      Age  . . . . . . . : 2.6 days (2013-07-23 03:02:29)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 24.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
      Forensic Cluster
          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
      Size . . . . . . . : 963,480 bytes
      Age  . . . . . . . : 558.8 days (2012-01-14 00:11:42)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 139,032 bytes
      Age  . . . . . . . : 558.8 days (2012-01-14 00:12:04)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 0CA9D48C9E3D938121A73EBE6EA3FBE19A9AE017EEDA066A22CF254A688A98C2
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E\ (AskBar)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011341191}\ (VidSaver)

Cookies _____________________________________________________________________

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:a1.interclick.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pof.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:c1.atdmt.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:eset.122.2o7.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:interclick.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:kontera.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:mtvn.112.2o7.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:network.realmedia.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pcworldcommunication.122.2o7.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pointroll.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pool-eu-ie.creative-serving.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:questionmarket.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:segainc.112.2o7.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.adotube.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:survey.g.doubleclick.net
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:xiti.com
   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:zedo.com
   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\57AH5DNQ.txt
   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\J7HZNUMK.txt
   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\V6K4AMTX.txt
   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:segainc.112.2o7.net
The tutorial is telling me to log in to the other administrator account and to delete the Keon User folder... I'm trying to delete it, then move on to making changes in Regedit.
EDIT: Now it says to find the .bak 1000 folder in Regedit and see if the ProfileImagePath is the same as the Keon User folder I just deleted. It's not, because I changed the ProfileImagePath earlier to E:\Keon... And the non-.bak 1000 is C:\TEMP... So now I'm lost.
Do Option One of the tutorial below:
User Profile Service failed the logon. User profile cannot be loaded.
Make sure the 1000.bak is your User profile.
Right click on 1000, select Rename and add .bk at the end. Back to 1000.bak: right click, select Rename and just remove .bak. On the right side make sure State and RefCount are zero (0). To change the value, right click on State, select Modify and click OK after you input 0; same thing for RefCount. Close the registry and restart.
Note: You need to do this on an account with admin rights.
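A PowerShell script, added here as an illustration and not taken from the thread or the linked tutorial, that lists the ProfileList keys Option One edits by hand, shows which SID has a ".bak" twin, and applies the same rename and State/RefCount steps only when -Fix is given. It assumes the "1000" the thread abbreviates is the last component of a full SID key such as S-1-5-21-...-1000, and that the .bak key is the one whose ProfileImagePath points at the real profile folder; it must be run from an elevated prompt on a different admin account, exactly as the note above says.

```powershell
# Added example (not from the forum thread or the tutorial it links).
# Dry run by default: reports the ProfileList keys and does nothing else.
# With -Fix it performs Option One: <SID> -> <SID>.bk, <SID>.bak -> <SID>,
# then State = 0 and RefCount = 0 on the restored key.
param(
    [switch]$Fix
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList'

# 1. Show every profile key with the three values the manual fix looks at.
Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Key              = $_.PSChildName          # e.g. S-1-5-21-...-1000 (assumed)
        ProfileImagePath = $p.ProfileImagePath
        State            = $p.State
        RefCount         = $p.RefCount
    }
} | Format-Table -AutoSize

# 2. A "<SID>" / "<SID>.bak" pair is the symptom behind the logon failure.
$bakKeys = Get-ChildItem $profileList | Where-Object { $_.PSChildName -like '*.bak' }
foreach ($bak in $bakKeys) {
    $sid      = $bak.PSChildName -replace '\.bak$', ''
    $livePath = Join-Path $profileList $sid
    $bakPath  = $bak.PSPath
    $bakImage = (Get-ItemProperty $bakPath).ProfileImagePath

    Write-Host "`n$sid has a .bak twin"
    Write-Host "  .bak ProfileImagePath : $bakImage"
    if (Test-Path $livePath) {
        Write-Host "  live ProfileImagePath : $((Get-ItemProperty $livePath).ProfileImagePath)"
    }

    # The tutorial's own precondition: the .bak key must point at the real
    # profile folder. If that folder is gone (it was moved or deleted, as in
    # the thread), fix the folder first and leave the registry alone.
    if (-not $bakImage -or -not (Test-Path -LiteralPath $bakImage)) {
        Write-Warning "  '$bakImage' does not exist on disk; not touching the registry."
        continue
    }

    if (-not $Fix) {
        Write-Host "  (dry run: re-run with -Fix to swap the keys and reset State/RefCount)"
        continue
    }

    # 3. The Option One steps, in the same order as the manual instructions.
    if (Test-Path $livePath) {
        Rename-Item -Path $livePath -NewName "$sid.bk"
    }
    Rename-Item -Path $bakPath -NewName $sid
    $restored = Join-Path $profileList $sid
    Set-ItemProperty -Path $restored -Name State    -Value 0 -Type DWord
    Set-ItemProperty -Path $restored -Name RefCount -Value 0 -Type DWord
    Write-Host "  done: $sid restored; reboot and log on to that account."
}
```

Run it once without -Fix and compare the ProfileImagePath of the .bak key with the folder that actually exists on disk before doing anything; the script refuses to rename keys when that folder is missing, which is precisely the situation described in the reply below, where the profile folder was deleted and the path had already been changed to E:\Keon.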
The .bak isn't C:\User\Keon because it told me to delete the main User folder... the .bak ProfileImagePath is E:\Keon because that's what the first tutorial on how to move the User folder said to do... The original 1000 is C:\Users\TEMP... so rename that to .bk and then go to the other .bak and remove the .bak?