Solved Logon Process Initialiazation Failure - Please Help!!

[halifaxer12]

Found it ...here you go.

 

[VistaKing]

Shoot ! I keep forgetting for some reason I can't read it on an iPad . Lol i should get a surface but then again I will stick to an iPad .

Can you copy and paste the results ?

 

[halifaxer12]

I'll try....but I'm having some big problems now with the User...I restarted my computer to see if the new location would be recognized. But when I logged into my main Keon adminsrator account the desktop looks like the temporary Tutorial account I created and the disk space for C: is taken up...only has 7 gb left instead of the 21 it had before.

 

[VistaKing]

Did you get a message saying " you're signed in with a temporary account " ?

 

[halifaxer12]

Here's what changed in my Regedit ... There are two of those 1000 folders now. One of them has the ProfileImagePath as C:\Users\TEMP and the second backup 1000 has the ProfileImagePath as E:\Keon

So I guess a TEMP account was created for some reason...

 

[VistaKing]

Take a look at this tutorial

:ar: User Profile Error - Logged on with a Temporary Profile

 

[halifaxer12]

Btw here's the Hitman log...

HitmanPro 3.7.6.201

www.hitmanpro.com



   Computer name . . . . : KEON-PC

   Windows . . . . . . . : 6.1.1.7601.X64/8

   User name . . . . . . : Keon-PC\Keon

   UAC . . . . . . . . . : Disabled

   License . . . . . . . : Free



   Scan date . . . . . . : 2013-07-25 18:25:39

   Scan mode . . . . . . : Normal

   Scan duration . . . . : 1m 20s

   Disk access mode  . . : Direct disk access (SRB)

   Cloud . . . . . . . . : Internet

   Reboot  . . . . . . . : No



   Threats . . . . . . . : 0

   Traces  . . . . . . . : 653



   Objects scanned . . . : 1,692,919

   Files scanned . . . . : 21,490

   Remnants scanned  . . : 330,967 files / 1,340,462 keys



Suspicious files ____________________________________________________________



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002286.dll

      Size . . . . . . . : 942,907 bytes

      Age  . . . . . . . : 558.8 days (2012-01-14 00:15:52)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 151573760160ED491B4528616FF16C058966B9555B73E804AF1CD60B3F8EB33D

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002287.dll

      Size . . . . . . . : 948,113 bytes

      Age  . . . . . . . : 547.7 days (2012-01-25 01:09:58)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 1BE27031845D80D6803C15BCE2EBE1276C0CA17F3BD47FDA8EAD97DBF5A517AF

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002288.dll

      Size . . . . . . . : 948,118 bytes

      Age  . . . . . . . : 545.7 days (2012-01-27 01:16:48)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 3192353354FE593051B33886088D4C312ACB9A653D874281B2EBF131B80415CB

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002291.dll

      Size . . . . . . . : 965,329 bytes

      Age  . . . . . . . : 477.8 days (2012-04-04 00:07:02)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : CAE3128772295AC4F1179B881A00B061DB00505275CB258F9F0C84CC1DF9B2A5

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002292.dll

      Size . . . . . . . : 956,681 bytes

      Age  . . . . . . . : 475.8 days (2012-04-06 00:02:27)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll

      Size . . . . . . . : 949,613 bytes

      Age  . . . . . . . : 305.9 days (2012-09-22 21:10:38)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0

      Fuzzy  . . . . . . : 29.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll

      Size . . . . . . . : 959,376 bytes

      Age  . . . . . . . : 159.8 days (2013-02-15 23:13:27)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5

      RSA Key Size . . . : 2048

      Authenticode . . . : Valid

      Fuzzy  . . . . . . : 22.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.

         Program is code signed with a valid Authenticode certificate.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll

      Size . . . . . . . : 963,480 bytes

      Age  . . . . . . . : 14.8 days (2013-07-10 22:35:05)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E

      RSA Key Size . . . : 2048

      Authenticode . . . : Valid

      Fuzzy  . . . . . . : 23.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Time indicates that the file appeared recently on this computer.

         Program contains PE structure anomalies. This is not typical for most programs.

         Program is code signed with a valid Authenticode certificate.

      Forensic Cluster

         -0.2s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\htm\wc002331.htm

          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll

      Size . . . . . . . : 963,480 bytes

      Age  . . . . . . . : 2.6 days (2013-07-23 03:02:29)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E

      RSA Key Size . . . : 2048

      Authenticode . . . : Valid

      Fuzzy  . . . . . . : 24.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Time indicates that the file appeared recently on this computer.

         Program contains PE structure anomalies. This is not typical for most programs.

         Program is code signed with a valid Authenticode certificate.

      Forensic Cluster

          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll

          0.0s C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbcl.dll



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\pbclold.dll

      Size . . . . . . . : 963,480 bytes

      Age  . . . . . . . : 558.8 days (2012-01-14 00:11:42)

      Entropy  . . . . . : 7.6

      SHA-256  . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E

      RSA Key Size . . . : 2048

      Authenticode . . . : Valid

      Fuzzy  . . . . . . : 22.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.

         Program is code signed with a valid Authenticode certificate.



   C:\Users\Keon\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys

      Size . . . . . . . : 139,032 bytes

      Age  . . . . . . . : 558.8 days (2012-01-14 00:12:04)

      Entropy  . . . . . : 7.8

      SHA-256  . . . . . : 0CA9D48C9E3D938121A73EBE6EA3FBE19A9AE017EEDA066A22CF254A688A98C2

      RSA Key Size . . . : 2048

      Authenticode . . . : Valid

      Fuzzy  . . . . . . : 22.0

         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.

         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

         Authors name is missing in version info. This is not common to most programs.

         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

         Program contains PE structure anomalies. This is not typical for most programs.

         The file is a device driver. Device drivers run as trusted (highly privileged) code.

         Program is code signed with a valid Authenticode certificate.





Potential Unwanted Programs _________________________________________________



   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF\ (AskBar)

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E\ (AskBar)

   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011341191}\ (VidSaver)



Cookies _____________________________________________________________________



   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:a1.interclick.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pof.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:c1.atdmt.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:eset.122.2o7.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:interclick.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:kontera.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:mtvn.112.2o7.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:network.realmedia.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pcworldcommunication.122.2o7.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pointroll.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:pool-eu-ie.creative-serving.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:questionmarket.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:segainc.112.2o7.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.adotube.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:survey.g.doubleclick.net

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:xiti.com

   C:\Users\Keon\AppData\Local\Google\Chrome\User Data\Default\Cookies:zedo.com

   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\57AH5DNQ.txt

   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\J7HZNUMK.txt

   C:\Users\Keon\AppData\Roaming\Microsoft\Windows\Cookies\V6K4AMTX.txt

   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net

   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com

   C:\Users\Tutorial.Keon-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies:segainc.112.2o7.net

 

[halifaxer12]

The tutorial is telling me to login to the other administrator account and to delete the Keon User folder...I'm trying to delete it then move on to making changes in Regedit.

EDIT: Now it says to find the .bak 1000 folder in Regedit and see if the ProfileImagePath is the same as the Keon User folder I just deleted. It's not, because I changed the ProfileImagePath earlier to E:\Keon ... And the non .bak 1000 is C:\TEMP ...So now I'm lost.

 

[VistaKing]

Do Option one of the tutorial below

:ar: http://www.sevenforums.com/tutorial...d-logon-user-profile-cannot-loaded.html?ltr=U

Make sure the 1000.bak is your User profile

Right click on 1000 and select rename add .bk at the end . Back to 1000.bak right click select rename and just remove .bak on the right side make sure State and Refcount is zero ( 0 ) to change the value . Right click on State and select Modify and click Ok after you input 0 same thing for Refcount . Close the registry and restart .

   Note

You need to do this on an account with admin rights

 

[halifaxer12]

The .bak isn't C:\User\Keon because it told me to delete the main User folder......the .bak ProfileImagePath is E:\Keon because that's what the first tutorial on how to move the User folder said to do... The original 1000 is C:\Users\TEMP... so rename that to .bk and then go to the other .bak and remove the .bak?

 

[halifaxer12]

I did what you said..I think I'll restart

 

[VistaKing]

How did you delete the user account ?

 

[halifaxer12]

The tutorial for User Profile service failing said to delete it. So I just deleted the Keon User folder in C: ... I did what you said and the 1000 ProfileImagePath is set to E:\Keon ... Now I don't have my Keon username anymore. Just the tutorial username.... And I have only 2 gb left on C:\ and more space on E:

 

[halifaxer12]

In Regedit the profile image path for 1000 is now E:\Keon and the .bk 1000 is the C:\TEMP. The user folders in my C: are "TEMP" "Tutorial" and "Tutorial.Keon-PC" and the user folder in E: is "Keon"

 

[VistaKing]

Open up an Elevated Command Prompt. Click on rb: in

type CMD . Right click on CMD under Programs (1) choose

. On the User Access Control window click on the Yes button . Command Prompt opens up to C:\Windows\System32>_

Inside the command prompt type the command below and press Enter upload the UserAccounts.txt file

wmic useraccount get name,sid >%UserProfile%\Desktop\UserAcounts.txt

The UserAccounts.txt should be on the desktop of the account you're logged in on .

 

[halifaxer12]

Nevermind I got the UserAccount.txt

 

[halifaxer12]

Here

 

[VistaKing]

Did you place a space after ,SID

 

[halifaxer12]

Name SID
Administrator S-1-5-21-2211214855-910507047-1092501742-500
D2D2240760E34F5CB77F S-1-5-21-2211214855-910507047-1092501742-1004
E3C367A3A51040B5B498 S-1-5-21-2211214855-910507047-1092501742-1003
Guest S-1-5-21-2211214855-910507047-1092501742-501
HomeGroupUser$ S-1-5-21-2211214855-910507047-1092501742-1002
Keon S-1-5-21-2211214855-910507047-1092501742-1000
Tutorial S-1-5-21-2211214855-910507047-1092501742-1013

 

[VistaKing]

Where are these from ?


D2D2240760E34F5CB77F S-1-5-21-2211214855-910507047-1092501742-1004
E3C367A3A51040B5B498 S-1-5-21-2211214855-910507047-1092501742-1003


Where is this account located

:ar: Keon S-1-5-21-2211214855-910507047-1092501742-1000

Is it on C:\Users or E:\Users