An unknown User "NT AUTHORITY\SYSTEM " appears to be starting and stopping Services on my computer

hubby
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

Another good "catchall" program to run is MalwareBytes. You can get it for free here: MalwareBytes.

After you've run all the scans/cleanups, install & run HiJackThis, and copy/paste the results here. It will show us everything still running in your system to see if there is anything to worry about. You can get HijackThis here: HiJackThis Download.

Confused XP Mom
Re: HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:41:55 PM, on 7/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Documents\Program Files_OLD\AWS\WeatherBug\Weather.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.earthlink.net
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Documents and Settings\All Users\Documents\Program Files_OLD\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222714282670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262781980092
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www1.vmi.edu/eventcalendar/wyncs/ActiveWyncs_3.4.cab
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirvana/controls/pcpitstop2.dll
O20 - Winlogon Notify: AutorunsDisabled - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Security\TFEngine\TFService.exe

hubby
Re: HiJackThis Log

Unless you really use/need it, I would uninstall Weatherbug:
C:\Documents and Settings\All Users\Documents\Program Files_OLD\AWS\WeatherBug\Weather.exe
It has been known in the past to carry spyware.

I would also uninstall Registry Mechanic:
C:\Program Files\Registry Mechanic\RegMech.exe
It can do more harm than good.

Other than those two items, neither of which I would even call 'dangerous', I see nothing that indicates any security issues. What did all of your scans say?

Confused XP Mom
Re: HiJackThis Log

Thank you for your recommendations. I will uninstall Weatherbug for sure. Why do you think that Registry Mechanic is no good? It seems to find things, but maybe it is creating other issues, like you said. I should ask for my money back from Registry Mechanic.

There were 153 errors with the Malwarebytes. I checked fix and it fixed them all.
Maybe I am just paranoid. I hope there is no issue. Only other question is:

Do you think the Facebook stuff is normal? It just does not seem to be consistent. {Either a blue vertical line appears to the left of my post (if I am posting on my wall or someone else's wall) and then goes away within a few seconds, or the whole area around what I am posting turns a pale pink color as soon as I hit enter (this happens when I am responding within the "message" portion of FaceBook). The color then fades back to the normal color. This does not always happen. It is intermittent. That is why when it does happen I notice. When I am on my work computer (which has a static IP Address), I get "stopped" in the bottom left corner of my FaceBook screen, intermittently, when changing screens. This only happens on my work computer. It also sometimes happens when I am on my earthlink email, on my work computer.}

hubby
Re: HiJackThis Log

[quote=Confused XP Mom]Maybe I am just paranoid.[/quote]
I didn't want to say anything :)

It's not that Registry Mechanic is 'no good' - it's just that if you tell it/let it remove the wrong thing (i.e. if you don't really know what you're doing) it can cause issues. I wouldn't ask for my money back, because it does what it claims to do.

I don't know what's up with why your Facebook is doing that, but jumping to the conclusion that you have been hacked/are being spied on is.. well.. not the same conclusion I would jump to. I also don't know why you are getting the 'stopped' message on your work computer either. I would ask your IT guy.. but, being a former IT guy, his answer might be something along the lines of "..why are you using your work computer for non-work krap like that?" (where I work, this would get you fired) ..

Confused XP Mom
Re: HiJackThis Log

Ok. We are all entitled to be a bit paranoid at times. I will concede that you have tried to help me determine if indeed I am nuts, but I am still not certain...beyond a reasonable doubt, but I guess I just have to give this up. One last question for my inquisitive mind though, before I let this go....

The Services that can be viewed in the Administrative Tools section of Control Panel have "Properties". If I display the properties and then go to the Logon tab, the field "this account" is populated with "NT AUTHORITY\NetworkService" for some of the services. There is a password on this screen, that I did not put in, nor do I have the ability to change this password. How did this password get set and who or what controls the use of these services, if it is someone other than me?

Oh, and by the way, I own a restaurant and am therefore self-employed, so I can check my Facebook without the worry of being fired. lol It is my former job as an application systems analyst at IBM that makes me so curious about these things happening on my computer. I plan to run the things you recommended on my work computer too, to see if there is anything weird there. The rootkit program that you suggested did not find anything on my home computer. Think I forgot to tell you that...more ammo for the "crazy lady" theory. Thanks for your help. You have given me, at least, more peace of mind than I had before. How do you get paid for all of the advice that you give out?

hubby
Re: HiJackThis Log

[quote=Confused XP Mom]
The Services that can be viewed in the Administrative Tools section of Control Panel have "Properties". If I display the properties and then go to the Logon tab, the field "this account" is populated with "NT AUTHORITY\NetworkService" for some of the services. There is a password on this screen, that I did not put in, nor do I have the ability to change this password. How did this password get set and who or what controls the use of these services, if it is someone other than me?[/quote]

It's all automatic and built-into Windows.. that's just how it works...

When your current computer(s) crash, and it's time for replacement, consider a Mac, or maybe even a Linux computer.. Farrrr less to be paranoid about!

Confused XP Mom
Re: HiJackThis Log

Thanks again for all of your help.

Anonymous Visitor
Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...
Hubby is right on the mark with his suggestions. In general, most all applications that purport to "clean" a computer's registry have the potential to mess things up. At the best, they really have no effect. As far as what's going on malware-wise, you've already run MalwareBytes. I've listed some of my other favorite standalone applications below - they are safe and will detect different types of invasions at different levels. With HitmanPro, choose the one-time scan and after you get the results list and hit NEXT, there is a link in blue in the middle left that will activate the program for 30 days and allow you to clean what it found at no charge.

TDSSKiller (from Kaspersky)
aswMBR (from Avast)
HitmanPro (from SurfRight)

Re: An unknown User "NT AUTHORITY\SYSTEM " appears to be ...

As to the original topic of this post. The unknown user "NT AUTHORITY\SYSTEM" is a built-in Windows Super Admin account. It's been around since the start of Windows NT/Windows 2000 up to the current Windows 8. It is a higher-ranking built-in account mainly for System services and 3rd-party applications that need total System access, so they run in the "System" account. This account is similar to the Super User "Root" on a Linux/Unix System.

It should not be viewed as any threat or System Hack. I noticed this Post when looking for something else. Even though it's several years old I thought I would mention this for others to see that find this post.

Regards.

CSN Admin
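The two questions in this thread (why the Log On tab shows a password for NT AUTHORITY\NetworkService that nobody set, and whether NT AUTHORITY\SYSTEM starting and stopping services is a problem) can both be checked directly rather than guessed at. The script below is an added example written for this page; it is not code from any poster or product in the thread. It assumes a Windows host with PowerShell 3.0 or later run from an elevated prompt (the XP machine in the log would need Get-WmiObject Win32_Service in place of Get-CimInstance and has no Get-WinEvent). The function names Get-ServiceImagePath and Get-ServiceReview are my own. It lists which services run under a built-in account versus a named user account, flags services whose executable is missing or not validly signed, and pulls the Service Control Manager events (ID 7036 for state changes, 7045 for new service installs) that record exactly the starting and stopping the thread title describes.

```powershell
# Added example, not from the thread. Assumes Windows with PowerShell 3.0+ and an
# elevated prompt. Get-ServiceImagePath / Get-ServiceReview are names chosen here.

# The accounts the thread asks about. None of them has a password you manage:
# the Service Control Manager logs them on itself, which is why the Log On tab
# shows a filled-in password field that cannot be edited.
$BuiltInAccounts = @(
    'LocalSystem',                    # shown in services.msc as "Local System account"
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-ServiceImagePath {
    # Reduce Win32_Service.PathName ("C:\x\y.exe" /arg  or  C:\x\y.exe /arg) to the executable.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-ServiceReview {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image  = Get-ServiceImagePath $svc.PathName
        $exists = if ($image) { Test-Path -LiteralPath $image } else { $false }
        # Status other than 'Valid' is a prompt to look, not proof of anything:
        # some OS files are catalog-signed and older Windows reports them NotSigned.
        $signer = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
        [pscustomobject]@{
            Name           = $svc.Name
            LogOnAs        = $svc.StartName
            BuiltInAccount = ($BuiltInAccounts -contains $svc.StartName)
            State          = $svc.State
            StartMode      = $svc.StartMode
            Image          = $image
            ImageExists    = $exists
            Signer         = $signer
        }
    }
}

$review = Get-ServiceReview

# 1. Services running as a named user account are the unusual case worth reviewing;
#    built-in accounts are what Windows itself uses.
"== Services running under a named (non built-in) account =="
$review | Where-Object { -not $_.BuiltInAccount } |
    Format-Table Name, LogOnAs, State, Image -AutoSize

# 2. Services whose binary is missing or not validly signed.
"== Services with a missing or unsigned image =="
$review | Where-Object { -not $_.ImageExists -or $_.Signer -ne 'Valid' } |
    Format-Table Name, LogOnAs, Signer, Image -AutoSize

# 3. Who starts and stops services: the SCM logs event 7036 on every state
#    change and 7045 when a new service is installed. This is the record to
#    read before deciding that SYSTEM activity is anything other than Windows.
"== Last 30 Service Control Manager state changes / installs =="
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7045
} -MaxEvents 30 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

On a healthy machine the first table is short (third-party services that run as a dedicated account), the second table lists mostly leftovers from uninstalled software, and the 7036 events line up with boot, shutdown and the services you see in the HijackThis O23 section. A 7045 event for a service you did not install, or a running service whose image no longer exists on disk, is the kind of thing worth following up; a built-in account name on the Log On tab is not.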
