An unknown User "NT AUTHORITY\SYSTEM " appears to be starting and stopping Services on my computer

Confused XP Mom
An unknown User "NT AUTHORITY\SYSTEM " appears to be starting and stopping Services on my computer

When I look in the Event viewer under Administrative tools, I see "security" events for this user called: NT AUTHORITY\SYSTEM. There are also events for my user name.
I do not know what or who this NT Authority User is.

I have been watching my Event Log and this User "NT AUTHORITY\SYSTEM" seems to be starting and stopping services and running dll programs on my computer. It appears they have opened ports and can make exceptions to my firewall settings. There is some sort of digital imaging going on and there are a bunch of "CAB" files, that I suspect are being used to send copies of images of things I write on Facebook, in emails and keep track of websites that I visit and bookmark.

If I go into "Services" from the Administrative Tools screen, and click on things like "ASP.NET State Service" and display the login properties, this service is being controlled by the User: NT AUTHORITY\SYSTEM with a login password. The service is "enabled". The same thing applies to "DNS Client" and "Distributed Transaction Coordinator". There are a series of services that get started every time I turn my computer on. One of them is something called "IMAPI CD Burning COM Service". There are also QuickTime files that are being generated. Also, Microsoft Silverlight and Final Media Player files seem to be being generated. None of these are programs that I have any idea what they do or what makes them run, but they seem to be running at various times.

I tried disabling things on my Windows firewall and unchecking ports, but the NT AUTHORITY\SYSTEM User seems to get around them. I also went into properties within the services screen and tried "disabling" services, but they will still run. Can you help me figure out if this is a hacker and how I stop this all from happening?

I also got a message that popped up on my screen that someone might be trying to impersonate my server. I have a Linksys router. I tried to attach my son's computer to my wireless network and it would not connect. It almost seems like my computer is hooked to some other network rather than to my own wireless network. This is quite a mess. I do not even know where to begin to figure this all out.

   

   

hubby
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

A lot of things going on here - none of which I would be overly concerned about, nor would I necessarily consider "a mess"...

First - if you are concerned that you are being watched/followed/tracked/spied on, do the following: Install an antivirus program (or update your current one) and run a full scan. Install an AntiSpyware program and run a full scan. Install an anti-keylogger program and run a full scan. Install an anti-Rootkit program and run a full scan.

NT AUTHORITY\SYSTEM is normal on all XP (maybe even Vista/Windows 7, not sure) systems - this does not necessarily mean anything is amiss..

CAB files are compressed files (similar to ZIP files) commonly used by Windows to store its system files. You can download a CAB File Viewer to easily see what is in the specific CAB files you are looking at.

What makes you think there is "some sort of digital imaging going on" ? - there are built in systems/services with the name "digital imaging"

ASP.NET, DNS Client, IMAPI CD Burning COM and Distributed Transaction Coordinator are all normal parts of Windows.

Services starting every time you start your computer is not only normal, but absolutely necessary for Windows to run.

Quicktime files are part of Quicktime (or generated by other programs) and do not necessarily mean anything is amiss. The same with Silverlight or Final Media files - but, you should be able to look/view/watch the files to see what they are, with the appropriate player..

Disabling services/changing settings without fully understanding what you are doing or what the ramifications are is not usually a good idea - however if you DO have a hacker in your system this can be a good way of stopping them, because you will most likely kill your entire system.

"someone might be trying to impersonate your server" ?? - what was the EXACT wording?

Not being able to attach your computer to a wireless network does not necessarily mean your computer is hacked or on another network - it just means it needs to be troubleshat ..

Again - I see nothing here that would alarm me, but do the first things that I posted (run the scans) - and come back with what the scans find.

Confused XP Mom
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

I have "Paint" (.bmp) files of some of the errors about impersonating my server, that I can send to you. Not sure how to attach files in this forum.

I have PC Tools Spyware Doctor installed on my computer and it finds only tracking cookies. I have not yet done the other two things you recommend.

As far as the digital imaging... Whenever I type something on Facebook, there are two different things that happen. Either a blue vertical line appears to the left of my post (if I am posting on my wall or someone else's wall) and then goes away within a few seconds, or the whole area around what I am posting turns a pale pink color as soon as I hit enter (this happens when I am responding within the "message" portion of Facebook). The color then fades back to the normal color. This does not always happen. It is intermittent. That is why when it does happen I notice. When I am on my work computer (which has a static IP Address), I get "stopped" in the bottom left corner of my Facebook screen, intermittently, when changing screens. This only happens on my work computer. It also sometimes happens when I am on my EarthLink email, on my work computer.

The "possibly impersonating your server" messages are kind of long and I have gotten it a few different times, so if I could send you the .bmp file that would be the easiest. Let me know how to get those to you. Msg says: Secure connection failed (at the top). Then it lists a file name and it says: 443 uses an invalid security certificate. (Error code: ssl_error_bad_cert_domain)

Then it says: This could be a problem with the server's configuration or it could be someone trying to impersonate the server.

lokey79
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

In the running Processes is there something called MSBLAST.EXE running?

Confused XP Mom
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

No, there is not.

hubby
NT AUTHORITY\SYSTEM

Forgot to ask the most important question: what leads you to believe that you are being watched/spied on/hacked?

Confused XP Mom
Re: NT AUTHORITY\SYSTEM

It all started one day when my computer was running slowly. I pulled up task manager and there was some AppleMobileSync thing running. I do not have any Apple products. No iPad. No iPhone. My son had an iPod years ago and we had iTunes installed, but he was not home and had not been home in about a month. I did a search on files with the word "apple" in them and these files came up.

AppleMobileBackup.exe.00.log
C:\Documents and settings\Pam\Application Data\Apple Computer\Logs\MobileSync

APPLEMOBILEBACKUP.EXE-2CE2BBBA.pf
C:\WINDOWS\Prefetch

APPLEMOBILEDEVICEHELPER.EXE-1C98CF29.pf
C:\WINDOWS\Prefetch

They were recent files that had been generated within the past few days. I could not imagine why such stuff would be on my computer if I had no Mac/Apple products.

Around the same time I got the message while on my email.

"Secure Connection Failed" c.betrad.com: 443 uses an invalid security certificate. This certificate is only valid for the following names:

a248.e.akamai.net, *.akamai.net

Error Code: ssl_error_bad_cert_domain

This could be a problem with the server's configuration or it could be someone trying to impersonate your server.

If you have connected to this server successfully in the past the error may be temporary and you can try again later.

This occurred on my computer at home and also on my computer at work. It has occurred maybe 3 or 4 times. I think I was always in my email when this happened.

hubby
Re: NT AUTHORITY\SYSTEM

The Apple, MobileSync and (any) Prefetch stuff is all 100% normal if you've ever had iTunes installed (prefetch, even without apple stuff)..

betrad.com is (I believe) an ad-delivery system/service - you may have been at a website that was using their ads and there was a problem connecting to their (secure) ad-server .. OR, it's possible you have some adware installed on your computer, that any Antispyware/AntiAdware program should be able to remove..

Still - I'm seeing nothing that would lead me to believe that you are being hacked/spied upon..
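
Added example, not part of any post in this thread: the kind of name check that sits behind ssl_error_bad_cert_domain, run on the host and certificate names quoted in the error message above. The wildcard rules are simplified, the function names are hypothetical, and the extra test hosts are constructed.

```python
# Added example: hostname vs. certificate-name matching (simplified rules).
# CERT_NAMES and c.betrad.com are the values quoted in the error message.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """Return True if one certificate name (pattern) covers hostname.

    Simplification: a wildcard is honoured only as the whole left-most
    label ("*.example.net") and stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # "*" never spans a dot and never matches zero labels
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_host(hostname, cert_names):
    """Return the certificate names that cover hostname ([] means mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]

def explain(hostname, cert_names):
    """Describe the outcome the way the browser error page does."""
    hits = check_host(hostname, cert_names)
    if hits:
        return "%s: OK, covered by %s" % (hostname, ", ".join(hits))
    return ("%s: name mismatch (ssl_error_bad_cert_domain); certificate is "
            "only valid for %s" % (hostname, ", ".join(cert_names)))

# Names the certificate listed, as quoted in the error message.
CERT_NAMES = ["a248.e.akamai.net", "*.akamai.net"]

if __name__ == "__main__":
    # c.betrad.com is from the thread; the other hosts are constructed.
    for host in ["c.betrad.com", "a248.e.akamai.net",
                 "img.akamai.net", "x.e.akamai.net"]:
        print(explain(host, CERT_NAMES))
```

The mismatch only says that the certificate presented does not list the name that was requested; it does not by itself distinguish a misconfigured server from an impersonation attempt, which is why the error text mentions both.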

hubby
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

I'm still not seeing/hearing anything that overly concerns me.. I will await the results of all your system scans.

Confused XP Mom
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

Is there an anti-rootkit program that you would suggest? I saw something called Sophos Endpoint Security and Data Protection. Seems like it has antivirus and anti-rootkit stuff, but not sure if I need to disable any of the other antivirus/spyware programs that I have running, to make it work. It says I can download it for free, but that always makes me skeptical. Please advise.

hubby
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

I use a Mac, so I haven't had to fuss with any silly software like this since I was using Windows a few years ago, but Sophos products are usually very good. Read up on exactly what it is installing - you do NOT want to have two "active" scanning antiviruses installed at the same time. So either install/activate only the anti-rootkit portion or disable your current AV scanning (temporarily) ..

You can probably download/run it for free, but if it finds anything it may want you to pay before you can remove anything - you will have to read up on exactly what it does/doesn't do for free..
