Solved

Windows XP Pro mysteriously reboots and opens under Administrator

Posted on 2015-02-07
Last Modified: 2015-02-09
I came home last week and found my comp desktop totally changed. Most of my icons were gone.
After research I found that it had rebooted and changed from my "XYZ" user that I use all the time to "Administrator" which I never use.
I did a roll back and it still does it for no reason like 3x a day. Just reboots under Administrator log in.
Is this a hack, virus or malware that anybody has heard about?
Never seen anything like this.
0
Question by:stevemib
18 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 40596374
One reason modern systems completely disable "administrator" is because it is so easily hacked.

First, back up your documents, email and anything else you need to another media. Do this now and first.

Second, log in and see if you can (a) see your regular user (Computer, right click, Manage, Users and Groups, Users).

Now try to create a new user and see if you can log in as the new user. What happens?
0
 
LVL 37

Expert Comment

by:bbao
ID: 40596384
> I came home last week and found my comp desktop totally changed

do you mean your computer was always on when you were not at home? is there any possibility that someone else had accessed or touched the computer during that time?

> I did a roll back and it still does it for no reason like 3x a day

was it a successful restore? was the status (such as the disappeared desktop icons) brought back once the restore was done?

> Is this a hack, virus or malware that anybody has heard about.

do you observe any abnormal disk or network activity when the computer is idle? e.g. the hard disk and/or NIC LEDs are always blinking when the computer is on but not running any particular frontend task?
0
 

Author Comment

by:stevemib
ID: 40596393
Yes I see my regular user account and just created new user and can see it.
0

 

Author Comment

by:stevemib
ID: 40596400
Yes comp was on all the time, I just now saw it happen. It just blinks screen and reboots, during reboot it goes to user Administrator not the user name I use. I then have to switch user to bring back my desktop I use.
Problem is it reboots for no reason and then changes the user during reboot.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40596401
You could have gone to a site that used "administrator" to corrupt the profile.

You can probably save what you have by backing up as I suggested, making a new profile and setting it up. When all is working, delete the damaged profile.

Also make sure "administrator" has a very strong password with two special characters, two numerals, two upper case characters and not less than 10 characters total.
0
 

Author Comment

by:stevemib
ID: 40596406
Not sure I'm explaining this properly John. Comp reboots for no reason and changes to user Administrator. I then have to log off that user and switch to my normal user "xyz". My profile xyz is fine, all data is intact.
I am just trying to figure out why it all of a sudden reboots and changes users.

It's just mind boggling why windows would reboot under user Admin as I have never used it before.
It seems like a virus or malware or something. Or somebody has hacked thru my 2 routers and firewall and remote reboots my comp switching users.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40596409
Viruses and malware do not "find their way in". We invite these in by hovering over or clicking on a bogus link.

In modern systems, there is no "administrator" (disabled) and UAC prevents any installations. XP has none of this, so virus writers use "administrator" to gain access to XP underpinnings. The result is what you see.

Try running Malwarebytes to see if it can correct things. More likely, however, especially given XP, you need to back up completely, format and reinstall XP (or move up to a new system).
0
 
LVL 37

Accepted Solution

by:bbao
bbao earned 250 total points
ID: 40596412
> it goes to user Administrator not the user name i use

this can be fixed this way.

http://windowsxp.mvps.org/Autologon.htm

regarding your concerns of any hack on the computer, you may run NETSTAT -a -n -o > s.txt to list all current network sessions into a plain text file named s.txt.

you may review the list yourself or post it here for help. you may mask your personal IP address from the list if there is any privacy concern.
0
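
A way to triage the s.txt file that bbao's NETSTAT command produces, as an added example that is not part of the thread: this Python script parses the -a -n -o columns and pulls out ports listening on every interface and established sessions to addresses outside the private ranges, each with its PID. The sample output and its addresses are constructed.

```python
import ipaddress

# Constructed sample of `NETSTAT -a -n -o` output (not data from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.10:1045      203.0.113.25:80        ESTABLISHED     2044
  TCP    192.168.1.10:139       192.168.1.20:1201      ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ranges treated as "inside": RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows have no state column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank lines
        local_ip, local_port = f[1].rsplit(":", 1)
        remote_ip = f[2].rsplit(":", 1)[0]
        rows.append({"proto": f[0], "local_ip": local_ip,
                     "local_port": int(local_port), "remote_ip": remote_ip,
                     "state": f[3] if len(f) == 5 else "", "pid": int(f[-1])})
    return rows

def is_external(ip):
    """True for an IPv4 address outside LOCAL_NETS ("*" and 0.0.0.0 are not)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not addr.is_unspecified and not any(addr in n for n in LOCAL_NETS)

def review(rows):
    """Rows to read first: ports open on every interface, sessions leaving the LAN."""
    exposed = [r for r in rows if r["state"] == "LISTENING" and r["local_ip"] == "0.0.0.0"]
    outside = [r for r in rows if r["state"] == "ESTABLISHED" and is_external(r["remote_ip"])]
    return exposed, outside

if __name__ == "__main__":
    exposed, outside = review(parse_netstat(SAMPLE))  # or open("s.txt").read()
    for r in exposed:
        print("listening on all interfaces: port", r["local_port"], "PID", r["pid"])
    for r in outside:
        print("session to outside address:", r["remote_ip"], "PID", r["pid"])
```

On XP Pro, `tasklist /FI "PID eq <pid>"` names the process behind a PID from the last column.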
 
LVL 95

Expert Comment

by:John Hurst
ID: 40596414
this can be fixed this way.  <-- As Steve has clarified, he gets the machine running under any userid and it just reboots. So there is more wrong than fixing administrator.
0
 
LVL 78

Expert Comment

by:arnold
ID: 40596421
You or something might be setting the admin user for autologon.
You can use users control panel to reset it or navigate with registry to HKLM\software\microsoft\windows nt\currentversion\netlogon and see whether defaultuser,defaultpassword, allowadminlogon are set with the correct data.

Has anything been recently installed. Does the user you commonly use have admin rights? Something new installed, could have been tainted, prompting for admin rights......
0
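
One way to run the check arnold describes, as an added example that is not part of the thread: the Python below parses the text printed by `reg query` for the Winlogon key and reports whether automatic logon is on and for which account. It assumes the standard Windows value names AutoAdminLogon, DefaultUserName and DefaultPassword; the sample output and the expected user name are constructed.

```python
import re

# Constructed sample of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# (not data from the thread; the password value is a placeholder).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    HOMEPC
    DefaultUserName    REG_SZ    Administrator
    DefaultPassword    REG_SZ    <constructed-placeholder>
    Shell    REG_SZ    Explorer.exe
"""

# Value rows are indented: name, REG_* type, data (tabs or spaces between).
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Map lower-cased value name -> data for every value row in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def autologon_findings(values, expected_user):
    """Describe the autologon state; an empty list means autologon is off."""
    findings = []
    if values.get("autoadminlogon") != "1":
        return findings
    user = values.get("defaultusername", "")
    findings.append("automatic logon is enabled for account %r" % user)
    if user.lower() != expected_user.lower():
        findings.append("autologon account is not the expected user %r" % expected_user)
    if "defaultpassword" in values:
        findings.append("DefaultPassword is stored in the registry in clear text")
    return findings

if __name__ == "__main__":
    # "xyz" stands in for the account normally used on the machine.
    for finding in autologon_findings(parse_reg_query(SAMPLE), "xyz"):
        print(finding)
```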
 
LVL 18

Expert Comment

by:web_tracker
ID: 40596440
It truly sounds like your computer has been compromised somehow with malware, permitting someone to hack into your computer and reboot your system into the administrator user account (hence there are no desktop icons because the user is logged on as administrator and not you). It is highly likely a system restore will not resolve this issue. What I would try to do is unplug your network cable and see if your computer still reboots to the administrator user profile. If it does not then plug it back in; if after reconnecting your network connection it reboots to the administrator account then you know someone is hacking into your computer, and it is therefore not safe to go online with this computer. I would use Roguekiller to see if it can resolve this issue. Download it with another computer. I would also download and run rkill. Both applications are portable and do not install the application on the computer; they run from the application you download. You can safely download both applications from the bleeping computer website. And as previously mentioned you can download and run malwarebytes.
0
 
LVL 10

Expert Comment

by:10023
ID: 40596465
Is there any way you can get out of XP... Haven't they stopped updating it!! Ok, that's easy for me to say when someone might be on a tight budget but unfortunately that's just the way it is... I am surprised no one has mentioned this... am I wrong about this?
0
 
LVL 37

Expert Comment

by:bbao
ID: 40596487
> I am surprised no one has mentioned this...am I wrong about this?

i am not surprised as i do keep using my XP systems at home, for testing and entertainment only :)
0
 
LVL 92

Expert Comment

by:nobus
ID: 40596542
look also if there is a task doing this
and check in event viewer for errors, or problems too
0
 
LVL 88

Expert Comment

by:rindi
ID: 40596706
To me it looks like someone is accessing your PC remotely. Immediately remove it from the LAN, then as Thinkpads already mentioned, backup whatever isn't backed up yet, then do a clean re-installation.

I'd also suggest to change any passwords for your email accounts and sites you need a logon for etc., and of course also for your PC's user accounts.
0
 
LVL 92

Assisted Solution

by:nobus
nobus earned 250 total points
ID: 40596769
it can be wise to change the router password also!
0
 

Author Comment

by:stevemib
ID: 40599743
Looks like bbao solved most of the problem. I have reset all users' passwords and was waiting a couple days to see if mysterious reboots happened. One happened last night but this time it rebooted in my normal user. So @bbao you helped solve half of my challenge.
I am also thinking @nobus will solve the other half of the problem as I never reset the password on my broadband router after the tech installed. Actually he never gave it to my wife as I was not home.
It is strange though that even if they have that password with remote access how are they getting past the 2nd router I have. The broadband is connected to a LAN router I am using for my network.
Anyways, I think we are good to go. Thanks guys n gals, you're awesome.
0
 

Author Closing Comment

by:stevemib
ID: 40599749
Thanks all. It seems the 2 of you are spot on.
0


Question has a verified solution.
