Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Rootkit warning

HexMurder
How do I cheat?
Reputation: 0

Joined: 14 Oct 2014
Posts: 8

Posted: Mon Jul 31, 2017 1:46 am    Post subject: Rootkit warning

So 2 nights ago I was working on an esp for BO3. Went to boot up cheat engine and I was greeted with this message:
"Windows Cannot find 'C:\Program Files (x86)\Cheat Engine 6.6\Cheat Engine.exe'."

(Forum doesn't allow me to post links but I find this to be rather important so just remove the (dot)'s from the links and replace with .'s)
(edited by db)



I had been using cheat engine every day for the last week or more, so I found this a little alarming. Thought it may have been my AV and after a little playing around and a little research I came across this thread:
http://forum.cheatengine.org/viewtopic.php?t=605186
Dark Byte recommended renaming the exe and seeing if it runs (and if so, it's possible the system has been compromised). Sure enough that fixed my problem. So, I ran a gmer scan and a malwarebytes scan, and many others. All of which found nothing wrong with my system. So a friend of mine helped me do a little digging, and sure enough we found some more evidence that my system had been compromised. Using a tool called process monitor we found that it had been attempting to copy some file called Enable.exe to a ton of locations. As seen here:


Just figured I would put this out as a warning to anyone experiencing the problem of opening cheat engine. If you rename the exe and it runs you are likely infected, as suggested by Dark Byte. (Also naming any random exe to Cheat Engine.exe will result in that program also being blocked from running) Good luck. Stay safe. Gonna reformat now.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Mon Jul 31, 2017 3:21 am

CreateFile is also used to open files, so it means it's looking for an enable.exe in the search path.

(Which may be part of CE's processlist gathering when it looks for the icon )

But see if you can find enable.exe and check if it's a valid file or not

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Jul 31, 2017 4:07 am

HexMurder wrote:
Just figured I would put this out as a warning to anyone experiencing the problem of opening cheat engine. If you rename the exe and it runs you are likely infected, as suggested by Dark Byte.
(Also naming any random exe to Cheat Engine.exe will result in that program also being blocked from running)

Wondering why this is happening to CE; what is the point of such rootkits?

How large is that file?
As a rootkit, it must be at least 1mb.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Mon Jul 31, 2017 12:53 pm

OldCheatEngineUser wrote:

how large is that file?
as a rootkit, it must be at least 1mb.


The size of a file has nothing to do with its purpose and capabilities. Rootkits do not have any type of file size limitation and can be much smaller than 1mb.

_________________
- Retired.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Jul 31, 2017 3:28 pm

True, and I know this thing.

But I heard that some of them came with libraries, which are more dangerous.

Please correct me if I'm wrong, btw I'm very interested in rootkits.

HexMurder
How do I cheat?
Reputation: 0

Joined: 14 Oct 2014
Posts: 8

Posted: Mon Jul 31, 2017 10:04 pm

I was never able to find the file. Not sure what was going on, but it certainly wasn't normal activity, and I wasn't going to hang around and find out. I doubt I will be the last person to have this issue, so perhaps if someone else wants to do some more digging when they experience it we can find out more about it. But for now, just wanted to put a warning out there.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Tue Aug 01, 2017 5:56 am

Usually they are hidden files.

Just make sure you check the option (show hidden files/folders).

HexMurder
How do I cheat?
Reputation: 0

Joined: 14 Oct 2014
Posts: 8

Posted: Tue Aug 01, 2017 9:44 pm

If it was as simple as enabling hidden files it wouldn't be a very good rootkit lol. If I had to guess, from everything I tried, it uses DKOM to hide itself. It would be much more complicated than that.
JustCallMeAlec
How do I cheat?
Reputation: 0

Joined: 11 Jan 2017
Posts: 1

Posted: Tue Aug 01, 2017 10:34 pm    Post subject: Cannot Find Cheat Engine

So I thought it could be a rootkit as well, but when going through with Process Monitor it shows no signs of there being a rootkit. Are there any other possibilities?

The file that concerns me the most is a file named mssitlb.dll.
After doing some research on this file it appears to be harmless, so I'm not sure what to try now if that's not the cause.


After going into the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
I found Cheat Engine registry keys (one of which had a value named "Debugger"). Deleting the Cheat Engine related registry keys fixed my problem.

Now I have a new problem. Is Cheat Engine creating these registry keys? It seems every time it creates them, I get the error.
HexMurder
How do I cheat?
Reputation: 0

Joined: 14 Oct 2014
Posts: 8

Posted: Thu Aug 03, 2017 3:39 am

I found a few other questionable DLLs. One of which was called ntmarta.dll or something along those lines. Couldn't find much on it from my research. Like I said though, it may be using DKOM to hide itself. If this is the case, who knows how hard it will be to find. I am no expert in malware by any means, but I found this to be beyond my scope, so I just took the safe route and formatted.

Someone else said it may be ccleaner+the crack:
http://forum.cheatengine.org/viewtopic.php?p=5731340#5731340
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Mon Sep 18, 2017 9:10 am

Not the crack, it's ccleaner itself

https://www.theverge.com/platform/amp/2017/9/18/16325202/ccleaner-hack-malware-security

Xeddius
How do I cheat?
Reputation: 0

Joined: 23 Sep 2017
Posts: 1

Posted: Sat Sep 23, 2017 10:55 pm

Actually, it's possible that your copy of BO3 is blocking cheat engine. Using procmon I analyzed the registry modifications and it's the Black Ops 3.exe that is creating the registry key. But it seems like the latest version is causing this.


*I uninstalled ccleaner, cleared the registry keys, restarted, and was curious as to why this was still happening. Dark Byte almost had me re-installing Windows. Which is of course a wise precaution. But I had to get to the bottom of this in case someone else was having the same issue.

TL;DR BO3 blocks cheat engine in registry.

Thus far as long as I don't start BO3, cheat engine works normally. Sandboxie is a wise consideration.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sat Sep 23, 2017 11:27 pm

Can you show me where the changes were made?
I'll PM you so you can PM me back.

All times are GMT - 6 Hours

Powered by phpBB © 2001, 2005 phpBB Group