Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
I need some assistance...
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Mon Oct 15, 2012 7:12 pm

Gniarf wrote:
Trusted installer is a built-in account that is created when installing windows and that is used for installing core components & updates and preventing users/admins from doing stupid things. Admins can of course overwrite Trusted installer's rights when they really want it, but that is not recommended.
If you couldn't change the rights of the previously mentioned registry key, that's because you would need to change the rights for parent keys first, but it's better to leave those permissions as they are since they are the same as on a sane machine: mine.


No, it's abnormal. My download directory is empty (save for a desktop.ini file). Try to open one with notepad and if you see "This program cannot be run in DOS mode" near the beginning, well it's a disguised exe/dll. Even if this string is absent, if the 2 very first characters are "MZ" there are chances it is a program.
Randomly named files are normally stored in %temp%, unless those are temporary download files. I saw you had bitcomet running, but I dunno if it's it.

Just in case see if there is a baddie in:
C:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Let me know if sophos finds something.


Aight, I should rephrase my statement from above, they are not files, but rather folders, but they are always empty.. also, ran Sophos, all it found was my Skidrow crack for Borderlands 2 attachment to show results.. My startup folder is also empty..
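The check described in the quoted post (first two bytes "MZ", DOS stub text near the start) can be applied to every file in the folders mentioned, Downloads and the per-user Startup folder, instead of opening them one by one in Notepad. The script below is an added example, not code from the thread or from any poster; it assumes Windows PowerShell 5.1 or later and the standard profile folder layout, and the folder list at the end is a placeholder to adjust.

```powershell
# Added example (not from the thread): flag files that carry a PE header
# regardless of their extension, the "MZ" / DOS-stub check from the post above.

function Test-PEFile {
    param([Parameter(Mandatory)][string]$Path)
    # Read only the first 512 bytes: enough for the "MZ" magic at offset 0
    # and the DOS stub text ("This program cannot be run in DOS mode").
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, $buf.Length)
    } finally {
        $stream.Dispose()
    }
    if ($n -lt 2) { return $null }                       # empty or 1-byte file
    $isMZ = ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)     # 'M' 'Z'
    $text = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    $hasStub = $text.Contains('cannot be run in DOS mode')
    [pscustomobject]@{
        Path      = $Path
        Extension = [System.IO.Path]::GetExtension($Path)
        MZHeader  = $isMZ
        DOSStub   = $hasStub
    }
}

function Find-DisguisedExecutables {
    param([Parameter(Mandatory)][string[]]$Folders)
    # Extensions where a PE header is expected; anything else with "MZ" is reported.
    $expected = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl', '.drv'
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Test-PEFile -Path $_.FullName } |
            Where-Object { $_ -and $_.MZHeader -and ($_.Extension -notin $expected) }
    }
}

# Folders the thread mentions: the Downloads directory and the per-user Startup folder
# (placeholders; add any other folder you want checked).
$targets = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
)
Find-DisguisedExecutables -Folders $targets | Format-Table -AutoSize
```

A hit means a file with a PE header under an extension (or no extension) that should not have one, which is worth submitting to a scanner; no hit does not prove a folder is clean, since the check only looks at the header. `-Force` is there because Explorer hides system and hidden files by default, which is where such files tend to sit.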
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Oct 16, 2012 12:41 am

I just took a buddha off a non-updated borderland 2+dlc, uploaded it to virustotal, which checks your file on 43 AVs - including sophos -, and guess what, their sophos didn't find a thing.

Something else:
lichcat wrote:
Look here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
cmd.exe etc.

Under each of the .exe files that doesn't work, there is a handle called "Debugger" with the value set to "setuprs1.PIF" on mine. Delete the entire debugger entry.

If your name is the same, you can just search for all instances of setuprs1.pif, and delete them all.

In your case it might be something different from setuprs1.PIF, but look this up anyway.

Try a gmer scan (note: a gmer scan lasts way more than 5s). And if you're feeling ambitious, this is an interesting read about manual rootkit removal.
Basically, you said earlier that *something* wiped away your MBAM, *something* auto closes UserAccountControlSettings.exe probably based on window name, and *something* probably hooks ShellExecuteEx to prevent your made admins to run some apps (ytf does it not apply to BI admin?). Yet that something is absent from your taskman, so either it injected itself in another process, or it hides itself by hooking some more windows API=rootkit.

And then I guess you could try various boot-time AVs (just skip the 3 first chapters). And yes I know you used avast.
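The registry check lichcat describes (a "Debugger" value under an Image File Execution Options subkey named after a program that no longer starts) can be enumerated in one pass rather than by clicking through regedit. This is an added example, not code from the thread or from any poster; it assumes Windows PowerShell 5.1 or later, and the key paths are the standard ones, not values taken from the affected machine.

```powershell
# Added example (not from the thread): list every Image File Execution Options
# subkey that carries a "Debugger" value, the redirection the quoted post describes.
# Reading HKLM needs no elevation; removing a value does.

# Both the native view and, on 64-bit Windows, the 32-bit (WOW6432Node) view.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    param([string[]]$Roots = $ifeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # WOW6432Node is absent on 32-bit
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['Debugger']) {
                [pscustomobject]@{
                    Target   = $_.PSChildName   # e.g. cmd.exe, regedit.exe
                    Debugger = $props.Debugger  # what Windows launches instead of the target
                    KeyPath  = $_.PSPath        # usable with -LiteralPath for removal
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    'No Debugger values under Image File Execution Options.'
} else {
    $entries | Format-Table Target, Debugger -AutoSize
    # Preview the removal for each entry; drop -WhatIf only for entries you have
    # confirmed are not yours (a developer's debugger is a legitimate reason for one).
    foreach ($e in $entries) {
        Remove-ItemProperty -LiteralPath $e.KeyPath -Name Debugger -WhatIf
    }
}
```

The quoted post's advice to delete the whole Debugger entry corresponds to the `Remove-ItemProperty` line; `-WhatIf` prints what would be removed without touching the registry, which is the safer default when you do not yet know which value is the hijack. A Debugger value pointing at something in a temp folder, or at a .PIF or .com file, is the pattern to look for; a value naming a known debugger (for instance on a developer's machine) is expected.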
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Tue Oct 16, 2012 1:23 am

Gniarf wrote:
I just took a buddha off a non-updated borderland 2+dlc, uploaded it to virustotal, which checks your file on 43 AVs - including sophos -, and guess what, their sophos didn't find a thing.

Something else:

In your case it might be something different from setuprs1.PIF, but look this up anyway.

Try a gmer scan (note: a gmer scan lasts way more than 5s). And if you're feeling ambitious, this is an interesting read about manual rootkit removal.
Basically, you said earlier that *something* wiped away your MBAM, *something* auto closes UserAccountControlSettings.exe probably based on window name, and *something* probably hooks ShellExecuteEx to prevent your made admins to run some apps (ytf does it not apply to BI admin?). Yet that something is absent from your taskman, so either it injected itself in another process, or it hides itself by hooking some more windows API=rootkit.

And then I guess you could try various boot-time AVs (just skip the 3 first chapters). And yes I know you used avast.


Currently running a gmer scan, watching all the files it scans fly by and wondering why CCleaner did not remove some of them ~facedesk~ most are temp IE files from my brother's account.. who hasn't used this pc in.. ages. Should really just remove the account altogether, which happens to be the start of how I fell upon this issue, of not being able to run admin things.. I have absolutely no frakking idea why the BI admin is unaffected by the majority of the issues, as stated, it can run 99% of the things, its restriction is only to the UAC for some reason..

also, that Budda file wasn't from Skidrow, (the one found by Sophos) I found that a few days before Skidrow released their 1.1.1 patch, so it could well have been a bug.. once Gmer finishes, I'll post an attachment of its findings, if any...

As to the "Setuprs1" thing, I don't have that reg address, I can follow it up to CurrentVersion (replacing Windows NT with just plain Windows) but I don't have an Image File Exec options folder. I did however do a registry search for it but it yielded no results
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Oct 16, 2012 4:32 am

Olath wrote:
As to the "Setuprs1" thing, I don't have that reg address, I can follow it up to CurrentVersion (replacing Windows NT with just plain Windows)

Wait, does that mean you don't have HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ? That would be very alarming.

Olath wrote:
I don't have an Image File Exec options folder. I did however do a registry search for it but it yielded no results
That is odd. For example flash player creates subkeys under "Image File Execution Options". One such subkey is named "FlashPlayerUpdateService.exe".
I checked on a pair of win7 machines and they both have a ...\Windows NT\CurrentVersion\Image File Execution Options key

BTW: Image File Exec options has the folder icon, and behaves like a folder, but it's called a registry key. I dunno why, but that's the proper terminology.
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Tue Oct 16, 2012 3:42 pm

Gniarf wrote:

Wait, does that mean you don't have HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ? That would be very alarming.


ok so I feel stupid.. must have overlooked that one.. it's there..

Gniarf wrote:
That is odd. For example flash player creates subkeys under "Image File Execution Options". One such subkey is named "FlashPlayerUpdateService.exe".
I checked on a pair of win7 machines and they both have a ...\Windows NT\CurrentVersion\Image File Execution Options key

BTW: Image File Exec options has the folder icon, and behaves like a folder, but it's called a registry key. I dunno why, but that's the proper terminology.


Yeah.. as stated above... I must have overlooked it... but it's there, nothing out of the ordinary (I think)

here's what Gmer found/didn't find, not sure what to make of it
---v
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Oct 16, 2012 10:46 pm

Your gmer log looks clean. Sptd is a service installed with daemon tools.

So I...officially...yield.
I know it's the second time I kick the bucket in your face, but I'm out of ideas (except reinstalling windows). I'm still hesitating between badly damaged windows settings and a malware running amok. Googling turns up nothing for the former, scans and manual detection tricks nothing for the latter so *shrug*.
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Tue Oct 16, 2012 11:09 pm

Gniarf wrote:
Your gmer log looks clean. Sptd is a service installed with daemon tools.

So I...officially...yield.
I know it's the second time I kick the bucket in your face, but I'm out of ideas (except reinstalling windows). I'm still hesitating between badly damaged windows settings and a malware running amok. Googling turns up nothing for the former, scans and manual detection tricks nothing for the latter so *shrug*.


Aye... I sit at that crossroad atm... thinking of just removing the entire C drive, replacing with a larger drive... and then reinstall.. works for me.. (my c drive is an abomination atm... with less than 40 gb of space total.. less than 1gb free... don't ask... wasn't new to start with) I've since gotten a 300 gb drive as E, but it's slowly filling as well.. time to get a couple TB drives and replace them both.. see if I run out of room then... XD
Saifallofjmr
Grandmaster Cheater Supreme
Reputation: 4

Joined: 02 Apr 2007
Posts: 1450

Posted: Wed Oct 17, 2012 7:47 am

It's a crack for a pirated game...what do you expect.
Cryoma
Member of the Year
Reputation: 198

Joined: 14 Jan 2009
Posts: 1819

Posted: Wed Oct 17, 2012 8:59 am

Saifallofjmr wrote:
It's a crack for a pirated game...what do you expect.

I would expect it to work just fine.
Hero
I'm a spammer
Reputation: 79

Joined: 16 Sep 2006
Posts: 7154

Posted: Wed Oct 17, 2012 11:19 am

Saifallofjmr wrote:
It's a crack for a pirated game...what do you expect.
The weird part is, the first DLC is about pirates

Anyway OP, you're screwed. Reformat and buy borderlands 2, it's worth the money.
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Wed Oct 17, 2012 2:49 pm

Saifallofjmr wrote:
It's a crack for a pirated game...what do you expect.


True it is, however I've never had any problems with Skidrow cracks, it's the best way to test a game to see if it's worth buying, in this case, so far, BL2 does not compare to a few other games I've found.. so it will remain un-bought for now..

Cryoma wrote:
I would expect it to work just fine.


It does in fact work perfectly, updated within days of the steam copy ^-^ but no talk of such things on this forum... Geri might come yell at meh :c

Hero wrote:
The weird part is, the first DLC is about pirates

Anyway OP, you're screwed. Reformat and buy borderlands 2, it's worth the money.


Aye, that's the plan... :c or just leave as is until it gets really bad XD I've got an almost bypass with the BI admin, it can run the programs my other account can't so atm, I'm fine..

As far as the first DLC being of pirates... I think it might have to do with all the pirates playing Razz they need some friends ^-^


As a side note... I was wondering... can I NTFS junction the Program Files and Program Files (x86) to E drive to free up some space in my rather cluttered C drive? If so I know how to do it, just don't want to mess anything up worse than it is.. Microsoft strongly disregards changing the Dir install path, so bleh.. otherwise I'd do that..
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Wed Oct 17, 2012 11:15 pm

Olath wrote:
can I NTFS junction the Program Files and Program Files (x86) to E drive to free up some space in my rather cluttered C drive?
There are a couple of traps to avoid but it is possible, as explained here
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Thu Oct 18, 2012 2:49 am

Gniarf wrote:
Olath wrote:
can I NTFS junction the Program Files and Program Files (x86) to E drive to free up some space in my rather cluttered C drive?
There are a couple of traps to avoid but it is possible, as explained here


Ok so that's for moving the whole thing... instead of doing it that way, since it would be hella more work than I desire to do, I could instead just move the individual ones I want, like my games that decided to not install to my games drive... >.< instead using the junction method without having to worry about the long process of doing it (since the sub folders of the program directories seem to be movable w/o any issues)
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Oct 18, 2012 5:21 am

Olath wrote:
it would be hella more work than i desire to do
1-Install junction
2-Copy the 8 first commands into something1.bat, double click on it
3-Copy the 16 remaining commands into something2.bat
4-Reboot into recovery mode using any win7/vista setup dvd/usb stick
5-Execute something2.bat
6-Press D for directory, when prompted
7-Reboot & enjoy

Luckily for you the example moves the directories from c: to e: which is probably what you'll want to do.

Olath wrote:
the long process of doing it

It's only going to be long if xcopy has a lot of files to copy from c: to e:. The whole thing can probably be done in 5 min + time to copy the files.
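The per-folder variant Olath proposes (move one application directory to E: and leave a junction behind so the old path still resolves) needs neither the recovery-mode reboot nor the Sysinternals junction tool, as long as nothing inside the folder is running. The function below is an added example, not code from the thread or from the linked guide; it assumes Windows PowerShell 5.1 or later (for `New-Item -ItemType Junction`) and built-in robocopy, and the two paths in the usage line are placeholders.

```powershell
# Added example (not from the thread): move one application folder from C: to E:
# and leave an NTFS junction at the old location. Uses built-in robocopy and
# PowerShell 5.1's New-Item -ItemType Junction instead of the "junction" tool and
# xcopy mentioned above. Run elevated, with the application and any of its services stopped.

function Move-FolderWithJunction {
    param(
        [Parameter(Mandatory)][string]$Source,       # e.g. 'C:\Program Files (x86)\SomeGame' (placeholder)
        [Parameter(Mandatory)][string]$Destination   # e.g. 'E:\Program Files (x86)\SomeGame' (placeholder)
    )
    $src = Get-Item -LiteralPath $Source -ErrorAction Stop
    if ($src.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        throw "$Source is already a junction or symbolic link; nothing to move."
    }
    if (Test-Path -LiteralPath $Destination) {
        throw "$Destination already exists; refusing to merge into it."
    }
    # /E copies subfolders including empty ones, /COPYALL keeps ACLs, owner and
    # timestamps (so per-program permissions survive the move), /MOVE deletes each
    # file from the source once it has been copied. Exit codes 0-7 are success.
    & robocopy.exe $src.FullName $Destination /E /COPYALL /MOVE /R:2 /W:2 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    # Anything left behind means a file was locked or could not be deleted:
    # stop here rather than put a junction on top of it.
    if (Test-Path -LiteralPath $src.FullName) {
        $leftover = Get-ChildItem -LiteralPath $src.FullName -Force -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($leftover) {
            throw "Files remain in $($src.FullName) (in use?); junction not created."
        }
        Remove-Item -LiteralPath $src.FullName -Force
    }
    # Junction: the old path now resolves to the data on the other drive.
    New-Item -ItemType Junction -Path $src.FullName -Value $Destination | Out-Null
    Get-Item -LiteralPath $src.FullName | Select-Object FullName, LinkType, Target
}

# Usage (placeholder paths):
# Move-FolderWithJunction -Source 'C:\Program Files (x86)\SomeGame' -Destination 'E:\Program Files (x86)\SomeGame'
```

Because the junction keeps the original path, shortcuts, registry install paths and uninstallers keep working. The E: drive must be present at every boot from then on, and this per-folder approach is for individual application folders only; the Program Files roots themselves are in use by the running system, which is why the procedure quoted above does that part from recovery mode.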
Olath
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 33

Posted: Thu Oct 18, 2012 3:13 pm

Ums umz... what the hell is this.... -> STFD6FF.tmp <- I would upload it, but I dunno what it is.. found it in my C drive tucked away inside my programs folder..

~uploads it anyhow~ or not.. wont let me add it >.<

Also msdia80.dll is in my C:\ (root) is this normal xD (same place that above file is located)
All times are GMT - 6 Hours
Page 2 of 3