Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


I need some assistance...
Cheat Engine Forum Index -> Computer Talk
Olath (Cheater) posted Thu Oct 11, 2012 11:18 pm, subject: I need some assistance...

I've asked this on a few sites that were more appropriate, but they keep sending me to programs to install, when I've clearly stated that that's impossible to do. So here's the problem:

It started around last night. I've lost all admin rights on my admin account, unable to install or run most programs, namely things that would get rid of whatever's crawling in the dark. I've done boot scans with Avast, found a few infected files, deleted them ASAP; the problem still persists. Went to install Malwarebytes (had it installed, it vanished it would appear), but when I did I got an error stating that the file could not be found, even though I had just downloaded it. My system restore files were all infected, thus I cannot restore to a previous state.

I've attempted to run cmd as admin to run an sfc scan, but to no avail: it opens cmd as normal, but can't open it as admin. When I select to run as admin it tells me it can't find the program, but it runs just fine as non-admin: "Windows cannot find 'xxx'. Make sure you typed the name correctly, and then try again." I have tried to Open as Administrator but get the same prompt. After downloading each fix that I find on the internet, I click on the repair exe files and get, "ShellExecuteEx failed, code 2. The system cannot find the file specified." I have tried to open Regedit.exe but get the same result. Can anyone help in any way?
Cryoma (Member of the Year) posted Thu Oct 11, 2012 11:55 pm

Reboot into safe mode; at the login screen press ctrl+alt+delete twice, which should give you the classic user/pass window.
Put in "administrator" for the username and try logging in without a password.
If it works, you just got into what is basically Windows' superuser account.
Try doing your installs and whatnot that way.
If you can't get in, well, I would just reformat.
Back up all your important files to an external hard drive if you can.
If not, remove your hard drive, slave it to another computer, and back up your files that way.
Wipe the drive and start over; it's always better and easier than trying to remove deep-set malware and repair Windows.
Olath (Cheater) posted Fri Oct 12, 2012 12:06 am

That seems to have worked so far. Running a scan with HitmanPro and Malwarebytes along with Avast Pro while in safe mode; I'll reboot once they are done and rescan in normal mode. If nothing else, I'll have to reformat. HitmanPro has returned nothing from safe mode, still waiting on the other two however.

Alright, so the other two finished running, no issues while in safe mode. I switched back to normal mode, however I'm still unable to run both programs; it keeps saying that they can't be found. Hitman however runs on startup; it found nothing, sadly.

So, the root of my problem seems to not be just any program that I can't run, only programs that require admin rights. Sadly I was not able to get the super admin account to work, or I would have made another account with admin rights to see if the first one is just becoming corrupt.
Gniarf (Grandmaster Cheater Supreme) posted Sat Oct 13, 2012 2:04 pm

An antivirus that does not find the virus, how come I'm not even surprised...

I don't know if you really can't use regedit or if it's a leftover from canary67's post copy-paste, but anyway, try this to edit your registry.

For your malware problem, and if you got regedit to work, this thread could be an interesting read, though it mostly sums up as: look at all your Run/RunOnce registry keys and delete anything suspicious (both the registry entry and the referenced file).

All folders in c:\users (Win 7/Vista) or c:\documents and settings (Win XP) represent one account (though there are a few more accounts on your computer). See if your hacker has created himself an account, which will most likely have admin privileges. Then try items 6-10 from here to remove the hacker's account password, then log in as him and create/restore your admin account.

Finally, is your current admin account Windows's built-in admin account, or one you created?
If it's one you created, try item 5 from the previous link.
Olath (Cheater) posted Sat Oct 13, 2012 2:38 pm

Gniarf wrote:
An antivirus that does not find the virus, how come I'm not even surprised...

I don't know if you really can't use regedit or if it's a leftover from copy-paste, but anyway, try to edit your registry.

For your malware problem, and if you got regedit to work, could be an interesting read, though it mostly sums up as: look at all your Run/RunOnce registry keys and delete anything suspicious (both the registry entry and the referenced file).

All folders in c:\users (Win 7/Vista) or c:\documents and settings (Win XP) represent one account (though there are a few more accounts on your computer). See if your hacker has created himself an account, which will most likely have admin privileges. Then try items 6-10 from to remove the hacker's account password, then log in as him and create/restore your admin account.

Finally, is your current admin account Windows's built-in admin account, or one you created?
If it's one you created, try item 5 from the previous link.


There is one folder/user that I don't know of, but it was created over a year ago, called Updatususer ~shrug~. It doesn't show up on the login screen, has no files/rights that I can tell. The account having the issue is any admin account I had previously, besides the built-in admin, which is now active. The issue has downsized itself considerably from not being able to run any programs to now just not being able to use programs that require admin rights; the only account that can use them is the built-in admin, my other two admin accounts cannot. Also, the built-in admin cannot access any of the Control Panel > Users functions of changing account types, or access the UAC. Basically anything with the blue and yellow shield in Control Panel for the built-in admin, anything with the shield for my made admins.

I've checked through the registry for out-of-place things, and nothing really stood out; nothing was in my Run or RunOnce folders, so ~shrug~

(PS: had to butcher your post a bit, couldn't post URLs)
Gniarf (Grandmaster Cheater Supreme) posted Sat Oct 13, 2012 5:00 pm

As the built-in admin, try Start menu -> Run, and type lusrmgr.msc there. Can you run it?
If yes: I guess you know what to do by now...
If no: what error message do you get? Also try the other lusrmgr.msc files (I have 8 of them scattered under my windows\* directory).

If you didn't see anything odd in the Run/RunOnce keys, maybe the infection is cleared after all; check the scheduled tasks when you have the rights though.

FYI: file and folder timestamps are fakable. I hope that extra u in Updatususer is a posting typo, otherwise it is script-kiddie-ish = suspicious.
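Added example, not code from any post in this thread: a PowerShell script that does what Gniarf describes in the two posts above (go through the Run/RunOnce keys, then the scheduled tasks) and flags the entries worth a closer look: images that no longer exist, images that sit in user-writable directories, images without a valid Authenticode signature, and host processes such as rundll32 or cmd whose argument is the real payload. The registry paths and the schtasks column names are the standard Windows ones; the flag names and the regular expressions are my own choices.

```powershell
# Added example, not code from the thread. Lists Run/RunOnce autoruns and
# scheduled tasks, resolves the image each one launches and flags the ones
# to look at first. Windows PowerShell 2.0 or later, run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Image path out of a command line: "C:\Program Files\x\y.exe" /tray,
# C:\x\y.exe -q, or a bare rundll32.exe foo.dll,Bar (resolved through PATH).
function Get-ImagePath([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $path = $null
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { $path = $cl.Substring(1, $end - 1) }
    }
    if (-not $path) {
        $m = [regex]::Match($cl, '^(.+?\.(exe|dll|cmd|bat|vbs|js|scr|pif|com))(\s|$)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cl -split '\s+')[0] }
    }
    if ($path -and $path -notmatch '\\') {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Definition }
    }
    return $path
}

function Test-Autorun([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = Get-ImagePath $CommandLine
    $flags = @()
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $flags += 'missing-file'      # orphaned hook, or a payload that was removed
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        if ($path -match '\\(Temp|AppData|ProgramData|Users\\Public|\$Recycle\.Bin)\\') {
            $flags += 'user-writable-dir'
        }
        if ($path -match '\\(rundll32|regsvr32|cmd|wscript|cscript|mshta|powershell)\.exe$') {
            $flags += 'host-process:check-args'   # the interesting part is the argument
        }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = $CommandLine
        Image = $path; Flags = ($flags -join ',')
    }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }       # Wow6432Node only exists on 64-bit
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $results += Test-Autorun $key $valueName ([string]$item.GetValue($valueName))
    }
}

# schtasks verbose CSV has one row per task; the header row can repeat per task
# folder, and COM-handler tasks have no command line to resolve.
$tasks = schtasks /query /v /fo CSV | ConvertFrom-Csv
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($t.TaskName -eq 'TaskName' -or -not $cmd -or $cmd -match '^(COM handler|Multiple actions)$') { continue }
    $results += Test-Autorun 'schtasks' $t.TaskName $cmd
}

$results | Sort-Object Flags -Descending |
    Format-Table Source, Name, Image, Flags -AutoSize -Wrap
```

Run it from an elevated prompt so HKLM and every task folder are readable. A 'missing-file' flag on a Run entry is itself a finding: either an uninstalled program left its autorun behind, or something deleted the payload and left the hook. An entry with no flags is not automatically clean, it just has nothing cheap to say against it.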
Olath (Cheater) posted Sat Oct 13, 2012 7:47 pm

Gniarf wrote:
As the built-in admin, try Start menu -> Run, and type lusrmgr.msc there. Can you run it?
If yes: I guess you know what to do by now...
If no: what error message do you get? Also try the other lusrmgr.msc files (I have 8 of them scattered under my windows\* directory).

If you didn't see anything odd in the Run/RunOnce keys, maybe the infection is cleared after all; check the scheduled tasks when you have the rights though.

FYI: file and folder timestamps are fakable. I hope that extra u in Updatususer is a posting typo, otherwise it is script-kiddie-ish = suspicious.


Ran lusrmgr, however it gives an error stating Win 7 Premium is unable to use this snap-in; use the user Control Panel to manage accounts.

I'm still unable to run programs that have the shield (admin protection) from my admins, except from the built-in admin account.

The extra U was not a typo, it is as posted -> UpdatusUser <-
Cryoma (Member of the Year) posted Sat Oct 13, 2012 9:14 pm

:\
Infected for sure, you're best off with a reformat.
Sorry mate.
Gniarf (Grandmaster Cheater Supreme) posted Sun Oct 14, 2012 12:07 am

Actually, what happens when you try to access Control Panel -> User account settings as the BI admin? (If you get an error message, give me enough to Google for it this time.)

If the UAC is blocking you, you can try this.

Can you run sfc /scannow as the BI admin?

As for UpdatusUser, Google shows it is Nvidia Optimus related. Nothing to see here.

As BI admin try creating one more admin by entering in cmd:
Code:
net user USERNAME PASSWORD /add
net localgroup administrators USERNAME /add
Then log on as USERNAME and see if it is allowed to manage accounts.

Note: just found the runas command within cmd, which might have been useful earlier.
Olath (Cheater) posted Sun Oct 14, 2012 1:15 am

Gniarf wrote:
Actually, what happens when you try to access Control Panel -> User account settings as the BI admin? (If you get an error message, give me enough to Google for it this time.)

If the UAC is blocking you, you can try this.


When trying to access the UAC via BI admin, it flashes for a moment, barely even a glimpse of the window or process, and then closes/shuts down the process before anything can be done.

Trying to access it on my made admins results in the error "Windows cannot find this, make sure you typed it right and try again".


Gniarf wrote:
Can you run sfc /scannow as the BI admin?


Could not run sfc as the made admins; could, however, as BI admin. Did this, nothing was corrupt per the scan results.

Gniarf wrote:
As for UpdatusUser, Google shows it is Nvidia Optimus related. Nothing to see here.


Very well, that would be about the time that I updated the Nvidia stuff; last modified a few months back.

Gniarf wrote:
As BI admin try creating one more admin by entering in cmd:
Code:
net user USERNAME PASSWORD /add
net localgroup administrators USERNAME /add
Then log on as USERNAME and see if it is allowed to manage accounts.


Did this, unable to do any admin abilities, including UAC.
Gniarf (Grandmaster Cheater Supreme) posted Sun Oct 14, 2012 2:48 am

Olath wrote:
When trying to access the UAC via BI admin, it flashes for a moment, barely even a glimpse of the window or process, and then closes/shuts down the process before anything can be done.

Looks to me like some process is actively closing the window for you. Could you post a screenshot of your Task Manager showing the columns Image Name, Image Path Name, and Command Line? (The last 2 are the most important ones.)

What happens if you run c:\windows\system32\UserAccountControlSettings.exe as BI admin? As made admin?
(BTW, there should be a ~83kb UserAccountControlSettings.dll; check it's there.)
If it instantly closes, try renaming the .exe.

In regedit check the permissions for HKEY_CLASSES_ROOT\AppID\{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}. Mine are:
System, Administrators and Users: allow read
Trusted Installer: allow full control
nothing else


This probably won't change much, but open Explorer (not Internet Explorer), go to the "%temp%" folder (just type it in the address bar), and delete everything there. Viruses like to hide themselves there. If you get any message saying a file can't be deleted because it's in use, start investigating.
Olath (Cheater) posted Sun Oct 14, 2012 4:40 am

Gniarf wrote:

Looks to me like some process is actively closing the window for you. Could you post a screenshot of your Task Manager showing the columns Image Name, Image Path Name, and Command Line? (The last 2 are the most important ones.)


Refer to screenshots 1 and 2.

Gniarf wrote:
What happens if you run c:\windows\system32\UserAccountControlSettings.exe as BI admin? As made admin?
(BTW, there should be a ~83kb UserAccountControlSettings.dll; check it's there.)
If it instantly closes, try renaming the .exe.


Instant close; the attempt to rename brought up a popup stating I require permission from TrustedInstaller to do this (screenshot 3).

Gniarf wrote:
In regedit check the permissions for HKEY_CLASSES_ROOT\AppID\{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}. Mine are:
System, Administrators and Users: allow read
Trusted Installer: allow full control
nothing else


Screenshot 4.

Gniarf wrote:
This probably won't change much, but open Explorer (not Internet Explorer), go to the "%temp%" folder (just type it in the address bar), and delete everything there. Viruses like to hide themselves there. If you get any message saying a file can't be deleted because it's in use, start investigating.


Last but not least, screenshot 5.

The file in screenshot 5 called "FXSAPIDebugLogFile" could not be deleted as it was in use by Windows Explorer. I typed %temp% in the search bar and that's the folder it gave me; if it's not the right folder, I'll try harder next time.
Gniarf (Grandmaster Cheater Supreme) posted Sun Oct 14, 2012 8:26 am

Shots 1 & 2: your system looks free of simple malware, unfortunately. Still, give Sophos Anti-Rootkit a shot.
I've never used that Sophos tool, but if that doesn't work the last idea I have before suggesting a repair reinstall is running ComboFix, which requires you to disable all resident protections/AVs (you have Avast, but don't forget you have Microsoft Defender too). I'm suggesting to run it because it fixes some stuff on top of removing malware, but you'll see a lot of warnings like "you should not run ComboFix (CF) without the supervision of trained personnel" on the internet. Well, I'm NOT what they call trained personnel, as I don't know what CF exactly does. Then again, if you're about to reinstall Windows, it's not a big deal if CF puts your OS upside down.
One more thing: ComboFix will disable your LAN/internet access; do not attempt to restore it, heck, don't touch your PC while it scans.

UserAccountControlSettings.exe: make a copy of the exe, and rename that copy.

Shot 4: I meant right-click on {EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} and select "Permissions..." in the drop-down menu.

Shot 5: you're in the right folder. The .tmp file could have been a virus at some point, but Microsoft also loves to rename its temporary exes that way.
Hiding a virus in a .log file would have been odd, but not impossible. Well, it turns out %temp%\FXSAPIDebugLogFile.log is generated by the Windows Fax and Scan service -> no problem.

BTW: alt+print screen = screenshot of only the active window.
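Added example, not code from the thread: the permission check Gniarf asked for, done in PowerShell so the result can be pasted instead of screenshotted. It dumps the DACL on that AppID key and compares it with the baseline he posted (SYSTEM, Administrators and Users: read; TrustedInstaller: full control). It also checks two things the thread does not raise but a responder would want ruled out here: a per-user copy of the same key under HKCU\Software\Classes (HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so a same-named key in the per-user half is what regedit shows you under HKCR), and an Image File Execution Options "Debugger" value for the executables that fail to launch (Windows starts the configured "debugger" in place of the program, which can present as an instant close or a "cannot find the file" error). The baseline identities are written with their standard NT account names; the list of executables is the ones named in this thread.

```powershell
# Added example, not code from the thread. Dumps the DACL on the AppID key
# behind the UAC settings dialog, compares it with the baseline posted above,
# then checks for a per-user shadow of the key and for an IFEO Debugger value.

$appId = '{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'

# Baseline from Gniarf's machine, written with the standard NT account names.
$baseline = @{
    'NT AUTHORITY\SYSTEM'         = 'ReadKey'
    'BUILTIN\Administrators'      = 'ReadKey'
    'BUILTIN\Users'               = 'ReadKey'
    'NT SERVICE\TrustedInstaller' = 'FullControl'
}

function Compare-KeyAcl([string]$KeyPath, [hashtable]$Baseline) {
    $acl = Get-Acl -Path $KeyPath
    "Key:   $KeyPath"
    "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = $ace.RegistryRights.ToString()   # inherit-only ACEs can show as raw numbers
        $note   = 'not in baseline'
        if ($Baseline.ContainsKey($id)) {
            $note = if ($rights -eq $Baseline[$id]) { 'ok' } else { "expected $($Baseline[$id])" }
        }
        if ($ace.AccessControlType -eq 'Deny') { $note = "DENY ace, $note" }
        '{0,-30} {1,-6} {2,-14} inherited={3,-5} {4}' -f $id, $ace.AccessControlType, $rights, $ace.IsInherited, $note
    }
    $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    foreach ($id in $Baseline.Keys) {
        if ($present -notcontains $id) { "MISSING: $id ($($Baseline[$id]))" }
    }
}

Compare-KeyAcl "Registry::HKEY_CLASSES_ROOT\AppID\$appId" $baseline

# HKCR merges HKLM\SOFTWARE\Classes with HKCU\Software\Classes; a same-named key
# in the per-user half is writable by the user and is what shows up under HKCR.
$userShadow = "Registry::HKEY_CURRENT_USER\Software\Classes\AppID\$appId"
if (Test-Path $userShadow) {
    "Per-user shadow key present: $userShadow"
    Get-ItemProperty $userShadow | Format-List *
}

# Image File Execution Options: a Debugger value makes Windows launch that
# program instead of the named exe, which looks like an instant close or a
# "cannot find the file" error. The executables are the ones named in the thread.
foreach ($exe in 'UserAccountControlSettings.exe', 'regedit.exe', 'cmd.exe') {
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty $ifeo).Debugger
        if ($dbg) { "IFEO Debugger set for ${exe}: $dbg" } else { "IFEO key exists for $exe but has no Debugger value" }
    }
}
```

Run it as the built-in admin, since that is the account that can still open regedit here. An IFEO key for an executable is not wrong by itself (Windows and some tools create them for other settings); only a Debugger value that points at something other than a debugger you installed needs explaining.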
Olath (Cheater) posted Sun Oct 14, 2012 1:37 pm

Gniarf wrote:
Shots 1 & 2: your system looks free of simple malware, unfortunately. Still, give Sophos Anti-Rootkit a shot.
I've never used that Sophos tool, but if that doesn't work the last idea I have before suggesting a repair reinstall is running ComboFix, which requires you to disable all resident protections/AVs (you have Avast, but don't forget you have Microsoft Defender too). I'm suggesting to run it because it fixes some stuff on top of removing malware, but you'll see a lot of warnings like "you should not run ComboFix (CF) without the supervision of trained personnel" on the internet. Well, I'm NOT what they call trained personnel, as I don't know what CF exactly does. Then again, if you're about to reinstall Windows, it's not a big deal if CF puts your OS upside down.
One more thing: ComboFix will disable your LAN/internet access; do not attempt to restore it, heck, don't touch your PC while it scans.


I'll give them both a shot; worst case scenario, I reinstall Windows.


Gniarf wrote:
: make a copy of the exe, and rename that copy.


Made a copy and renamed it to its shorthand of UACS. Same as if opening the first: blinks for a moment then shuts down.


Gniarf wrote:
Shot 4: I meant right-click on {EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} and select "Permissions..." in the drop-down menu.


Duh... I knew that... (not really) Anyhow, this is how mine is:

System - Read
Administrators (Valued customer[computer name]\Administrators) - Read
Users (ValuedCustomer\Users) - Read
TrustedInstaller - Full control / Read

I've attempted to change admin to full control/read and revoked TrustedInstaller's to just read, because I dunno what that is/where it came from, but I got an error message stating "Unable to save permission changes on (lists the long-arse string): access denied".

Gniarf wrote:
Shot 5: you're in the right folder. The .tmp file could have been a virus at some point, but Microsoft also loves to rename its temporary exes that way.
Hiding a virus in a .log file would have been odd, but not impossible. Well, it turns out %temp%\FXSAPIDebugLogFile.log is generated by the Windows Fax and Scan service -> no problem.


Alright, that's a good thing then. The log was scarce of anything, but again, that could be made to look as such. But still, it's from Fax/Scan (then again, I don't use Windows Fax or Scan... so...).


Gniarf wrote:
BTW: alt+print screen = screenshot of only the active window.


Learn something new every day.


Edit: As a side note, I keep getting these randomly named files popping up in my download directory whenever I'm on my BI admin account to install/remove things. Is this normal?
Gniarf (Grandmaster Cheater Supreme) posted Sun Oct 14, 2012 10:41 pm

Trusted Installer is a built-in account that is created when installing Windows and that is used for installing core components & updates and for preventing users/admins from doing stupid things. Admins can of course override Trusted Installer's rights when they really want to, but that is not recommended.
If you couldn't change the rights of the previously mentioned registry key, that's because you would need to change the rights on the parent keys first, but it's better to leave those permissions as they are, since they are the same as on a sane machine: mine.

Olath wrote:
Edit: As a side note, I keep getting these randomly named files popping up in my download directory whenever I'm on my BI admin account to install/remove things. Is this normal?

No, it's abnormal. My download directory is empty (save for a desktop.ini file). Try to open one with Notepad, and if you see "This program cannot be run in DOS mode" near the beginning, well, it's a disguised exe/dll. Even if this string is absent, if the 2 very first characters are "MZ" there are chances it is a program.
Randomly named files are normally stored in %temp%, unless those are temporary download files. I saw you had BitComet running, but I dunno if it's that.

Just in case, see if there is a baddie in:
C:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Let me know if Sophos finds something.
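Added example, not code from the thread: a PowerShell version of the "open it in Notepad and look for MZ" check Gniarf describes above, applied to the Downloads folder and to both Startup folders (the per-user one he names and the all-users one). Rather than stopping at "MZ", it follows e_lfanew at offset 0x3C to the PE signature, so a real executable is recognised even when the DOS-stub message has been patched out, and it reports files whose content is PE but whose extension is not, which is exactly the "disguised exe/dll" case. The directory list, the extension list and the verdict strings are my choices.

```powershell
# Added example, not code from the thread. Finds files that are PE executables
# whatever they are called: MZ signature, then e_lfanew (offset 0x3C) to the
# PE\0\0 header. The DOS-stub message is reported only as a hint.

$dirs = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
# Extensions under which PE content is expected; anything else with a PE header is disguised.
$peExtensions = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl', '.drv', '.efi', '.mui'

function Get-PEInfo([string]$Path) {
    # FileShare ReadWrite so a file another process holds open can still be read
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $hdr = New-Object byte[] 1024
        $n = $fs.Read($hdr, 0, $hdr.Length)
        $isMZ = ($n -ge 64 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)   # 'MZ'
        $isPE = $false
        if ($isMZ) {
            $e_lfanew = [BitConverter]::ToUInt32($hdr, 0x3C)
            if ($e_lfanew -le ($fs.Length - 4)) {
                [void]$fs.Seek($e_lfanew, 'Begin')
                $sig = New-Object byte[] 4
                if ($fs.Read($sig, 0, 4) -eq 4) {
                    # 'PE\0\0'
                    $isPE = ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
                }
            }
        }
        $stub = ([Text.Encoding]::ASCII.GetString($hdr, 0, $n) -match 'This program cannot be run in DOS mode')
        New-Object PSObject -Property @{ IsMZ = $isMZ; IsPE = $isPE; HasDosStub = $stub }
    } finally {
        $fs.Close()
    }
}

$report = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $files = Get-ChildItem -LiteralPath $dir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }
    foreach ($f in $files) {
        $verdict = 'not-pe'
        $dosStub = $false
        try {
            $info = Get-PEInfo $f.FullName
            $dosStub = $info.HasDosStub
            if ($info.IsPE) {
                $verdict = if ($peExtensions -contains $f.Extension.ToLower()) { 'pe' } else { 'pe-disguised-extension' }
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName
                $verdict += " sig:$($sig.Status)"
            } elseif ($info.IsMZ) {
                $verdict = 'mz-no-pe-header'   # 16-bit/DOS binary, or a truncated/corrupt file
            }
        } catch {
            # a file nothing will let us open is itself worth a second look
            $verdict = "unreadable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            File = $f.FullName; Size = $f.Length; Modified = $f.LastWriteTime
            DosStub = $dosStub; Verdict = $verdict
        }
    }
}
$report | Sort-Object Verdict -Descending |
    Format-Table File, Size, Modified, DosStub, Verdict -AutoSize -Wrap
```

Read the Verdict column as a triage order, not a clean bill: 'pe-disguised-extension' and anything 'unreadable' first, then 'pe' entries whose signature status is not Valid. A 'not-pe' file can still be a script, an archive or a half-finished BitComet download, so the Modified time (unreliable, as noted earlier in the thread, but still a hint) and what was running when it appeared are the next things to line up.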
Page 1 of 3