Anyone knows:process mctadmin?

drazenn · 05 Feb 2009

Hi
I am running windows 7 for a while now,and yesterday I have noticed a startup process mctadmin,and I have it 2 times??
I've google it,looked in SS&D,but didn't found answer.Does anybody know what is it for?

Mark · 06 Feb 2009

I haven't got it on mine.

Airbot · 06 Feb 2009

No, never seen that one in any of my startups. Can't really find any info on it either.

scaramonga · 06 Feb 2009

Apparently to do with Network Service.

C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

What exactly, I haven't a clue :)

drazenn · 11 Feb 2009

scaramonga said:

Apparently to do with Network Service.

C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

What exactly, I haven't a clue :)

Yes,exactly in 'NETWORK SERVICE',but thing that bothering me is that I haven't seen it for a month,and then it suddenly appeared,and appeared first just one,and now I have it two times already.
So I was a little affraid that it isn't some kind of troyan,or something which redirects me through somebody's IP when I am connecting to internet,because I see several unknown adresses in netstat,and strange things are happening to me like a changing of original iGoogle,mouse cursor shaking(what we all know that it is a sign that someone is connected to my PC),and I don't have any firewall besides included one.
And a reason for that is I can't find any simple but good one that is compatible,something like ZoneAlarm,and with Kaspersky IS I have to many problems(BSOD,every .exe reported like a malware so I had to uninstalled it),so for me,Avast Professional(which is really really good,effective and doesn't waste too much resources) is the best option for antivirus, and don't know which firewall should I install beside it,doesn't matter,paid or free.

manu3ll · 11 Feb 2009

I don't have it neither.And by the way i also use Avast Pro and I think it's a great antivirus.I had a few problems thou with some K**gen(they were detected as trojans),but it's fine. Maybe you should log on as an admin and see if the process still exists.Or stop the process in the Control Panel/Administrative Tools/Component Services and see if anything happens

Airbot · 11 Feb 2009

Well, Avast has a network shield provider already that works pretty good at blocking network attacks. Has saved me a few times. If you're worried, you can do a boot time scan with Avast, scan with something like Malwarebytes and Spybot SD. Both free. And Spybot has real time protection. Works pretty good with Avast. I believe you'd need to run it in Vista compatibility mode and as an administrator though.

martyfelker · 24 Mar 2009

Hi:

I did have two copies of mctadmin but didn't notice it until I tried to install VMware WS. The VMware didn't mention it and all seemed able to install Build 7000 as guest and host. However, when I rebooted the system froze after login in (the welcome screen). I was able to restore the systlem to before the VMware WS (Windows 7 definitely has enchaced recovery options over Vista).
Then installed Spybot and noticed the two startup items for mctadmin which I disabled. BTW there were 2 entries for Sidebar which I also disabled. Then VMware installed perfectly. I doubt that mctadmin is malware as I aslo use Avast and I'm pretty certain it wou;ld have found it. I'm using Build 7057 and it does have some bugs (the desktop.ini issue) so it's possbile MS was using mctadmin to debug some network problems.

marty

johngalt · 25 Mar 2009

OK, I did some searching, and here is what I found:

http://www.prevx.com/filenames/X22684716160985460-0/MCTADMIN2EEXE.html said:

MCTADMIN.EXECurrently being reviewed

The filename MCTADMIN.EXE is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.

MCTADMIN.EXE, Prevx

The PrevX page also shows three versions having been submitted for analysis -

# Microsoft Corporation; MCTAdmin; 6.1.7048.0 (winmain.090219-1845)
# Microsoft Corporation; MCTAdmin; 6.1.6956.0 (winmain.081122-1150)
# Microsoft Corporation; MCTAdmin; 6.1.7000.0 (winmain_win7beta.081212-1400)

All of them Windows 7.

Several HiJack This logs have this listed, most notably MSNMSGR.EXE - No Disk error : Windows 7 Miscellaneous : Windows 7 Beta : Microsoft TechNet Forums - notice how there are two instances, one for Local service and one for Network service. I did see a third one in one log, which listed Postgre service as well.

I searched my HD and found 7 references to it, 2 executable files, 2 .mui files, 2 Manifests, and 1 folder - located in Winsxs folder.

I suppose that ti has something to do with databases, and I know it is not Windows Live Messenger, as I have that running, nor a few more items. However, I don't currently have Office installed, and IIRC every one with this entry in their HiJack this *does* have Office installed.

wd40 · 03 May 2009

I'm showing this in hijackthis as well:

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

Also strange is the little window that opens-then-closes-almost instantly upon desktop login after a reboot. It happens so quickly I almost don't see it!

I'm running build 7077 - is it possible that my system's been compromised??

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:48 PM, on 5/3/2009
Platform: Unknown Windows (WinNT 6.01.2981)
MSIE: Internet Explorer v8.00 (8.00.7077.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Users\W\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\W\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\W\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [googletalk] C:\Users\W\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GO36F4~1.DLL
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9c181a2b00fc0) (gupdate1c9c181a2b00fc0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

Major thanks for any and all help with this strange, unidentified pop-up window. (attached a screenshot of the task-manager 'services' tab also in case that helps). Thanks!

Anyone knows:process mctadmin?

Anyone knows:process mctadmin?

Mctadimgg