unknown user named "sys"

48 replies to this topic

#1 spork92

Posted 02 September 2009 - 10:13 PM

Hello, I'm writing in hope for an answer to my mystery. I seem to have a "phantom" user on my computer. My comp is 3 years old and has only had two users registered, both as administrators. Recently my hard drive crashed and a good friend and computer guru was able to recover our files and put them onto a new hard drive which he installed into the computer. At first everything seemed normal, but now, about 3 months after the crash, we have a third user showing up on our welcome screen by the name of Sys. Sys has his own icon and is listed as an administrator with a password. (Neither my husband nor I use a password on our accounts.) Occasionally, and more and more frequently, Sys shows as having programs running (as can be seen on the welcome screen). And the worst of all is when we come to use the computer, quite often the screen is black and there is a mouse arrow with an hourglass next to it, and it is basically frozen. You can move the mouse around but can't see or do anything. I usually just reboot and can get back on. My husband thinks that when this happens "sys" is "using" the comp. I went into User Accounts under Control Panel and attempted to delete this account, or delete the password, but it gives me a warning saying sys will lose all encrypted files and websites...etc. So I am afraid to delete. I ran a malware program from this site suggested to me by the same friend who helped us before, but it came up with nothing. I can't find anything on the web to help me with this problem, does anyone have any ideas? Please help, I feel like my identity is being stolen!

Thanks -Jen


#2 joseibarra

Posted 03 September 2009 - 06:02 AM

You could ask your guy and he could explain it and you can decide what to do.

If nobody knows anything:

It could be your computer fixer person created the Sys account to install or run things that usually require an account to run (like Scheduled Tasks) so it would not interfere with your other accounts. Scheduled Tasks generally do require a password, so your unpassworded accounts would not be suitable for running STs. Not required, but generally.

A ST could be a disk defrag, backup, anti virus scanning programs, etc. so Sys could have a legitimate purpose.

With Windows, every user that has an account and successfully logged in will have a folder under C:\Documents and Settings AFTER the first login. If there is none, the Sys user exists, but has never logged in. Any clues in C:\Documents and Settings\ with Sys folders as to what Sys is up to? If there is no folder there for Sys, the user exists, but has never actually logged in (logging in is not required for an account to work for STs).

You could run Task Manager. Right click Taskbar, Task Manager. On the Processes tab, do you see Sys? What is it doing in the Image Name column? If you see it and don't know, post the Image Name for Sys back here.

You could change the password on Sys to something that only you know, reboot and Sys will never be able to login, but that would keep other things like Scheduled Tasks from running. It may take a while to figure out that something is not working anymore, and it is because the Sys password changed (Ah-ha!)

If Sys is a user and you know the password because you changed it and there is a C:\Documents and Settings folder, login as Sys and see what kind of desktop you get, what is in your Start menu, etc.

Browse to the C:\Windows\Tasks folder and look for STs. Right click, Properties - is Sys in any of the Run as: boxes? What is the task?

While you are at it, make sure you can still login to the Administrator account (generally no password). If your friend put a password on that account, you need to know what it is or you could be (will be) in big trouble later. For my home stuff I have no PW on my Administrator account or my user (just me) account and that is okay for my environment. If you add a PW to Administrator and forget what it is, that will not be pretty.

Nothing scary about deleting the account after you know what it is - those messages are normal warnings, but it would be good to know just who this Sys character is, has Sys ever logged in, etc.

You seem to have a certain urgency with this Sys thing, so figure it out and then we can work on your black screen. Sounds like a screen saver or inactivity timeout thing your friend may have put on (in good faith) but is not what you are used to.

Here are some respectable malicious software scanning programs you should run:

Download, install, update and do a full scan with these free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

Edited by joseibarra, 03 September 2009 - 06:13 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
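As an added example (not written by anyone in this thread), here is a PowerShell script that performs the checks described above in one pass: local accounts and Administrators membership, whether a profile folder exists, processes owned by the account, the Run As user of every scheduled task, and any recorded logon events. It assumes the account name `sys` from this thread, PowerShell 2.0 or later, and an elevated (administrator) session.

```powershell
# Added example, not from any post in this thread. Assumptions: the account name
# 'sys' (change $Suspect as needed), PowerShell 2.0+, and an elevated session.
param([string]$Suspect = 'sys')

Write-Host "== Local accounts =="
# Disabled / PasswordRequired / SID show whether the account is live and whether it
# is a built-in (well-known RID 500 = Administrator, 501 = Guest) or a created one.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, PasswordRequired, SID |
    Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
net localgroup Administrators

Write-Host "== Profile folder for $Suspect (only created by an interactive logon) =="
# XP keeps profiles under Documents and Settings; Vista and later under Users.
foreach ($root in @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users")) {
    $dir = Join-Path $root $Suspect
    if (Test-Path -LiteralPath $dir -ErrorAction SilentlyContinue) {
        $item = Get-Item -LiteralPath $dir
        Write-Host ("{0}`n  created: {1}`n  last written: {2}" -f $dir, $item.CreationTime, $item.LastWriteTime)
    }
}

Write-Host "== Running processes owned by $Suspect =="
# GetOwner() resolves the token owner of each process. csrss.exe and winlogon.exe
# normally belong to SYSTEM, not to a named user account.
Get-WmiObject Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()
    if ($owner.ReturnValue -eq 0 -and $owner.User -eq $Suspect) {
        "{0,6}  {1,-20}  {2}" -f $_.ProcessId, $_.Name, $_.CommandLine
    }
}

Write-Host "== Scheduled tasks and the account each one runs as =="
# schtasks /v repeats its header row per task folder on newer Windows; drop those rows.
schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    Select-Object TaskName, 'Run As User', 'Task To Run', 'Next Run Time' |
    Format-Table -AutoSize

Write-Host "== Successful logon events recorded for $Suspect =="
# Only populated if logon auditing is enabled. XP/2003 log successful logons as
# event 528/540; Vista and later use 4624.
Get-EventLog -LogName Security -Newest 5000 -ErrorAction SilentlyContinue |
    Where-Object { (528, 540, 4624) -contains $_.EventID -and $_.Message -match "\b$Suspect\b" } |
    Select-Object TimeGenerated, EventID |
    Format-Table -AutoSize
```

An account with no profile folder, no processes and no logon events but a task that runs as it is consistent with a service-style account; a profile folder with recent activity and no matching task is the case worth investigating further.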


#3 spork92

Posted 03 September 2009 - 07:49 AM

Thank you for your response. I think I checked everything you suggested to check, but I did not change the password to the sys account yet. Our friend says he knows nothing about it, however he is on vacation and I will ask him more specifically if he created an account to run tasks. Anyway here's what I have:

Sys does have a folder under Documents and Settings. It doesn't have much under it, but under Downloads it has Firefox Setup listed with a date of 8/29/09 as a created date.

I do see sys in the Task Manager, two processes are running: csrss.exe and winlogon.exe

In the tasks folder there is one scheduled task, a defraggler.
In properties under this task, the Run as: is NT Authority\System
Under Run: it says "C:\Program Files\Defraggler\df.exe" C:

I think the black screen is related to sys, and I have a sense of urgency because I'm afraid I'm being hacked or something bad is happening. Let me know what you think! Thanks!

#4 joseibarra

Posted 03 September 2009 - 08:49 AM

Hmmm... so I would think that Mr. Sys has logged in at least once - perhaps.

Where is the downloads folder?

Under C:\Documents and Settings\... (you fill in the rest).

In Task Manager, those two processes would usually belong to SYSTEM (SYSTEM) - not just sys, so what does it say exactly? You should see a lot of things belonging to SYSTEM - click the User Name column heading to sort the list.

Defraggler is a third party disk defragmenter that has to be downloaded and installed on purpose. It could be bundled into something else that was downloaded for troubleshooting. Some people like it just fine, but it does not belong to SYS (NT Authority is a valid choice), so if you did not install it, you can ask your friend about it, you can disable the task, get rid of the task, uninstall Defraggler, etc. - it is not required for XP. Or, just leave it.

You could enable auditing of login events to see if sys ever logs in, but that can get messy, so when you are ready, just change the password for Mr. Sys and you will know for sure that sys never logs in (nothing to check anymore).

Just for grins, if the Defraggler task is enabled, disable it (uncheck the Enabled box) in Properties. The task will have a red X in it when it is disabled. You can turn it back on later. Reboot. Make sure Defraggler is disabled. Does your black screen problem go away?

Maybe Defraggler is running when your system is idle for X amount of minutes and then you come back to it and Defraggler is busy doing whatever it does and it just takes a long time for it to give control back to you (the hourglass). How long do you wait? Wait longer.

Please run MBAM and SAS as indicated :( .

Edited by joseibarra, 03 September 2009 - 08:56 AM.

#5 hamluis

Posted 03 September 2009 - 09:54 AM

FWIW: System is one of the default users with full permissions on a system. But...I've never seen a user account for it nor have I seen any Docs & Settings accounts for such.

Louis

#6 spork92

Posted 03 September 2009 - 10:00 AM

Well, since my last post I went to let the dog outside and came back to a black screen with the hourglass. I left it for an hour and it still hadn't come up so I rebooted. Sys no longer shows as having any programs running, so when I go to Task Manager he is not there. I can't be 100% sure but I am 99% sure those processes were run by sys when I checked this morning, whereas now when I look at my Task Manager there are processes by SYSTEM and JEN (me).

The firefox download file is located: C:\Documents and Settings\sys\My Documents\Downloads\Programs

I have disabled the Defraggler but not yet rebooted. I don't think it's the cause of the black screen because it is set to only work at 2am every Thursday, but what do I know.

If I try to remove the password for sys, I get a warning saying sys will lose all EFS-encrypted files, personal certificates, and stored passwords for websites or network resources. Do I care about losing that? Since the Defraggler is the only task that was under Task Manager, is it safe to say that sys isn't there to run scheduled tasks?

One other thing that may or may not mean anything, but when we first got our computer back from our friend, sys did not show up on the welcome screen, but my husband said occasionally he would see it in the morning. I didn't think much of it until now; the name is always there and often has programs running. <sigh> Thanks for your help, I really appreciate it. I will run those two links soon.

-Jen

#7 spork92

Posted 03 September 2009 - 10:02 AM

oh, and the program I ran suggested by my friend was combofix which appeared to find nothing

thanks

#8 Papakid

Posted 03 September 2009 - 10:26 AM

oh, and the program I ran suggested by my friend was combofix which appeared to find nothing

thanks

Never run ComboFix unless someone on a forum like this asks you to. For one thing it must be uninstalled after running to reset some parts of your system like System Restore. Go right now to Start > Run. Copy the following bold text and paste it into the Run Box and hit Enter:

combofix /u

This isn't going to fix your issue but will get the system more back to normal than it would be otherwise.

I'll second Louis's observations about the System being a default user account--even Windows itself has to have an account for security reasons. But you shouldn't see it in the Welcome screen or in Documents and Settings under normal conditions. Run those malware scans, but if it isn't malware then something else abnormal is going on. I would look into how exactly your friend got you onto a new hard drive. Did he do a fresh install of the operating system on the new hard drive, reinstalling your programs and changing your settings to how you like it, etc.? Or did he use a disk image? If the latter, what program was used and give as much detail as you can about how the transfer was accomplished.

I know that in its earlier days, the dot net framework would create a user account on its own and it would show up in the Welcome screen--there is some fix to make it go away that I don't recall at the moment. But it is entirely possible that Windows has created a way for it to run. I would suspect an improperly installed disk image. Either way it may be best to just reformat and reinstall.

The thing about people

is they change

when they walk away.--Mipso


#9 joseibarra

Posted 03 September 2009 - 10:42 AM

The password removal message is normal.

Do you even know what the sys password is? Somebody had to create that account and assign it a password!

Just change it to something only you know and then Sys will not be able to login anymore. End of questions about Sys logging in without your knowledge.

Keep us posted on the progress!


#10 spork92

Posted 03 September 2009 - 11:00 AM

No, I have no idea what the password is and the friend says he didn't put anything on here with a password. This friend fixes computers for a living, that is why I trusted the ComboFix, he got it from this site..he's probably a member. I will try to find out how he restored the hard drive, he said he had a very difficult time doing it..it took days but eventually found some software on the net that helped him to do it. That's all I know. If sys is just my own computer's account, is it bad? Maybe I should just leave it alone?

PS I uninstalled ComboFix

#11 spork92

Posted 03 September 2009 - 11:17 AM

Oh my god. So I changed the password and logged in to sys. I'm sure it's a hacker, there's a history trail in Firefox...I'm totally freaked out, what do I do

#12 Papakid

Posted 03 September 2009 - 11:30 AM

Well, the first thing to do is not panic. I'm not ready to jump to the conclusion that it is a hacker just yet. Run the antimalware programs you were asked to do earlier and post the logs from them. Do MBAM while logged into one of your normal accounts and then run it again while logged into the Sys account. I'll post back in a few with how to post the logs.


#13 Papakid

Posted 03 September 2009 - 11:37 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Run this scan as a double-check:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#14 spork92

Posted 03 September 2009 - 12:19 PM

OK, I did the first scan and I did a full scan cause I did it before your instructions. It came up with two bad files with hijack in their name. I removed them and rebooted the comp. I have to go to work now so I will have to continue this mission later, hopefully I'm safe until then. Can someone please tell me how this happened....ugh. Thanks, I'll keep you posted soon. Here's the log from the first scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2735
Windows 5.1.2600 Service Pack 3

9/3/2009 1:09:42 PM
mbam-log-2009-09-03 (13-09-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196764
Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 Papakid

Posted 03 September 2009 - 01:00 PM

Well, those aren't files and so aren't an actual trojan or malware, but a couple of changed settings that aren't typical. They may have been changed by malware or by legitimate means--without malware files being found there still is no conclusive evidence you're infected.

I won't be back on til later this evening either. Be sure to run SAS and the other MBAM scan as requested. Also find out what the name of the software is that your friend used. Also, what was the password that allowed you to log into the Sys Account?
