Net-Unauthorized Administrator Added to computer OS Win 2000 Pro

Status
Not open for further replies.

Wind777

Recently my boyfriend had a new administrator on his computer. It popped up after being connected to the internet all day while changing analog files from home videos of drum lessons to digital files on his computer. The next day we started his computer and got a new desktop even though the name was the same. At first we thought all his programs and files were gone. Fortunately we disconnected the internet immediately. We found out after going to my computer C:\Documents and Settings there were two administrators listed. The new name was administrator plus the name of the computer. My boyfriend's administrator name had his documents and programs still listed. When logging off or shutting and restarting there is no option for another user than the new desktop administrator which uses my boyfriend's original administrator name.

When checking the new administrator's internet history files, we discovered all of the files we had accessed the day before listed. I checked log files and found several which were changed or originated on 11/12/08, and one which was changed on 11/11/08. System Volume 1 is inaccessible.

When running AVG antivirus no viruses showed up, but there were several file changes.

C:/WINNT/system32/ .....Kernel.32.....wsock32.dll.....user32.dll ntosknl.ex

What is going on here?
 
Plan on reformatting drive

Just a note. We plan on reformatting his drive as soon as we save all his information on other media. We will not connect this computer to the internet until we have done this. I am posting this problem to find out what happened in order to prevent it in the future. Also I noticed a file in the new Administrator's file information called wizard.txt with the password for the router.
 
Many technicians write files like this to Administrator user profile documents, in case they need to refer to it later. Has the computer ever been serviced by someone?

As for the access dates, this can happen from automatic indexing, or even scanning for files by Antivirus etc.

About 2 Administrators (well I know it's Win2K) but it's quite common on XP to have multiple Administrators (all different user names).

By the way have you thought of going to XP?
 
No one has serviced this computer or should have access.

Basically I am the only person on this computer. My boyfriend rarely gets on it unless I help him as his knowledge of computers is nil. There is nobody else with access to this computer. The account seems to be accessed through the net and the files which we accessed are listed on his internet history files.
 
Infected Computer

It appears somebody has been able to hack into our router and put an account onto my boyfriend's computer. Especially as the router password is in the new administrator's information.
I will be making sure all of that is changed. Unfortunately I did not have a password for the administrator on his computer and the password for the router was probably easy to crack. Though we did have it set on WPA. I have ZoneAlarm on the computer I am using and I noticed several IP addresses trying to access it every time I get on, but ZoneAlarm has been blocking them all. It is on the same router.
 
My girlfriend had the same problem and on the same day. It seems that she had downloaded and installed Windows updates which required rebooting and the problem occurred on the reboot. I'm not sure that this was the source of the problem but it was certainly concurrent. Seems a bit of a coincidence that you and she were hacked on the same day?? Or not?? Virus checks showed nothing untoward and we restored everything in place to the new administrator. Further searching found this MS link, with explanation and remedial action (haven't tried it yet). It doesn't actually explain the 'how' but certainly does the 'what'. Did you also do the update or is something more sinister at work??

Oops forgot the link!!
http://support.microsoft.com/kb/314045 'How to restore a user profile in Windows 2000'
 
Hi,

I didn't have time to fix the computer problem. Today I decided to back up the information from my boyfriend's computer and as soon as I hooked up my backup external drive to the computer two folders showed up on my backup drive: Recycler and System Volume 1. When trying to delete the folders off of my backup drive it says I am unauthorized. I tried to change to share with all users. Recycler still will not let me delete. System Volume has a created date of 7/14/2007. When I tried to change to share with all users it came up with a message "The shared resource was not created at this time" and would not let me share the file.
I figure these two folders are part of a virus. I have used this 250 gig hard drive numerous times and never seen these folders. They were really easy to see as I put all my information into three main folders with sub folders. Now I am afraid to hook it up to this computer at least until I know there is a program I can remove the files with.
I am waiting to hear from someone before I format the hard drive with Win 2000 pro. I will be putting Windows XP Pro after I reformat the drive.

Please let me know any information on this issue. I will research the link given.

Thank you

It is possible I put a windows update the same date. I remember updating because I thought it was odd. As far as I knew Microsoft was not putting out updates for Windows 2000 anymore.
 
attempting to reformat drive

I have backed up my information, but I do not want the virus to show up when I access the backup hard drive after reformatting my C:\ hard drive. What should I do to fix the problem? Is there an antivirus that can rid this virus from my backup hard drive before I download any information from the drive?
 