Have I been hacked?! (User already logged in)  


  1. Posts : 6
    Windows 10
       #1

    So I have a fairly fresh install of Windows 10 - I installed about a month ago. I keep my computer logged in and running 24/7.
    I have a small network with an old domain controller running Windows Server 2000 (yes, that's correct).
    Every morning I unlock my Windows 10 PC to start using it. This morning however, when I tried to unlock it, it said that there was another user already logged in! And it was the Administrator account, which I never use. And if I remember right it was the domain Administrator, not the local Administrator. So I freaked out and told it to go ahead and log that user out and log me in (as my usual user).
    I'm kind of freaking out here because this sounds like bad news and maybe I was hacked.
    Another strange thing is that I have a Windows 8.1 virtual machine running on this same PC, and when I tried unlocking it, the same thing happened - it said there was another user already logged in, and it was the Administrator account.
    Was I hacked? I'm freaking out a bit here.
    I don't use an email client, just Gmail, and I haven't clicked on anything weird lately. The built-in Windows 10 antivirus and firewall are enabled and running. This just doesn't make sense.
    Any tips, hints, info would be great if you've got them.
    Thank you!
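Before deciding whether the "another user is logged in" message was an intrusion, the first thing to establish is which account actually logged on, when, and with what logon type. The Security event log records this (event 4624, "An account was successfully logged on"). The PowerShell below is an added example, not something posted in the thread; it assumes it is run in an elevated PowerShell on the Windows 10 PC in question and that Security auditing of logons is enabled (it is by default). The logon-type table is the standard Windows one; the seven-day window and the column names in the output are choices made here.

```powershell
# Added example: list interactive logons/unlocks on this PC and flag any by an
# account named Administrator. Run elevated; reads only the Security log.

# 1. Sessions that exist right now (active or disconnected).
query user 2>$null

# 2. Successful logons (event 4624) in the last 7 days, with the logon type decoded.
#    Logon types that a person (or a tool acting as one) produces:
#    2 = Interactive (console), 7 = Unlock, 10 = RemoteInteractive (RDP),
#    11 = CachedInteractive. 3 = Network is normal background noise on a domain PC.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logonTypes = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

$rows = foreach ($e in $events) {
    # The useful fields live in the event's XML EventData block.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $logonTypes[$d['LogonType']]
        Source      = $d['IpAddress']        # '-' or '127.0.0.1' for local console logons
        Workstation = $d['WorkstationName']
        Process     = $d['ProcessName']      # winlogon.exe for console/unlock, svchost/lsass for RDP
    }
}

# 3. Human-style logons only, newest first; machine accounts (names ending in $) are dropped.
$interactive = $rows |
    Where-Object { $_.LogonType -in 'Interactive','Unlock','RemoteInteractive','CachedInteractive' -and
                   $_.User -notlike '*$' } |
    Sort-Object Time -Descending
$interactive | Format-Table -AutoSize

# 4. The specific question in the thread: did any account named Administrator log on,
#    and was it the local one (PCNAME\Administrator) or the domain one (DOMAIN\Administrator)?
"--- Logons by an account named Administrator ---"
$rows | Where-Object { $_.User -like '*\Administrator' } | Sort-Object Time | Format-Table -AutoSize
```

What to look at in the output: a RemoteInteractive logon with a Source address that is not one of your own machines, or an Interactive/Unlock logon at a time nobody was at the keyboard, is the kind of entry that turns "I think it said Administrator" into evidence. An empty result for step 4 on a PC that also reported the Administrator session is itself worth noting, since it suggests the message came from something other than a completed logon on that host.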


  2. Posts : 16,003
    Windows 10 Home x64 Version 22H2 Build 19045.3448
       #2

    I am not sure if you mean that an account was in use that had admin status or that the account that had the username Administrator [in full] was in use.

    If the account that had the username Administrator [in full] was in use then you have been infiltrated because that account is, by default, disabled and no third party should be able to enable it if you have UAC ["User Account Control"] set up normally.

    Your immediate action should be to disable it.
    Administrator account - Enable or Disable - TenForumsTutorials

    Then, whatever the identity of the user account concerned, check your UAC setting.
    Change User Account Control level - TenForumsTutorials
    Note that if the account you are routinely logged in to has admin status then you need to set UAC to its highest setting because malware can, it is thought, find ways to sneak through otherwise.

    Next, whatever the identity of the user account concerned, you will then have to run a full Windows Defender scan to try to remove whatever has been put on by the hacker.
    - Of course that hacker might have just been copying off data but is likely to have at least tried to put something on to help get back in later on.
    - That hacker might also have been trying to encrypt your own files, a "ransomware" attack.
    Manually Scan Files, Folders, and Drives with Windows Defender Antivirus - TenForumsTutorials
    Windows Defender Offline Scan - TenForumsTutorials

    You can search for additional guidance in AntiVirus, Firewalls and System Security - TenForums and can post there if you need further assistance.

    Denis


  3. Posts : 6
    Windows 10
    Thread Starter
       #3

    Hi Try3,

    Thank you for the reply with all that information.

    So just to clarify, my account name that I always log into (and stay logged into) is called 'jamie'. It is a domain account. It has administrator privileges. The account that Windows *told me* was *already* logged in when I tried to unlock my computer this morning (thinking that I was still logged in as 'jamie') was the domain Administrator account. At least I'm pretty sure it was the domain Administrator account (I think I remember seeing the domainname\Administrator syntax).

    I'm not sure if this changes anything...sounds like it might? I know what you mean by the *local* administrator account not being enabled - I've never even tried logging into that account.


  4. Posts : 16,003
    Windows 10 Home x64 Version 22H2 Build 19045.3448
       #4

    Jamie,

    You need to check with one of the IT support staff managing the domain but the username "Administrator" is a reserved name and I cannot imagine why they might have deliberately assigned that name to anything else.

    However, if you are the "IT support staff" then what I said in my first post applies but you'll have to do it for the computers and for the server. I do not know anything about doing this for the server.

    Windows Server 2000 has been out of support for a decade.
    - Malware writers are bound to be able to get through it because they've had a decade to try working out how to do it, safe in the knowledge that no vulnerabilities they discover are ever going to get fixed.
    - An out-of-date OS is the most common means of subverting the security of a computer or, in this case, your whole network. Some people say that 90% of all malware attacks are against perceived vulnerabilities of an OS {others say 99%, but it does not make much difference what the precise figure is because they are probably all made up on the spot anyway}.
    - Personally, I'd suggest turning the server off while any computer is connected to the internet until you have replaced it with a modern server OS that is still supported.

    Denis


  5. Posts : 6
    Windows 10
    Thread Starter
       #5

    It's actually my very small home network, so I'm the IT staff.

    Correct, there's nothing special about that Administrator account - I did not create it. It is the actual/real domain Administrator account for my domain. I added that account to my Windows 10 PC in the 'Other users' area (under the 'Work or school users' section) in case something happens to my everyday 'jamie' account.


  6. Posts : 16,003
    Windows 10 Home x64 Version 22H2 Build 19045.3448
       #6

    Understood. The immediate actions are:
    1. Create a password-protected local admin account on each computer so that you have an account to fall back on if Jamie gets corrupted.
    2. Remove that common built-in domain admin from every computer's 'Other users' list.
    3. The immediate actions given in my first post - disable every built-in admin, check UAC, malware scanning & removal.
    4. Ditch the server OS.

    Denis
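The checklist above (and the disable-the-built-in-Administrator, check-UAC and Defender-scan steps from post #2) can be applied to one Windows 10 PC in a single elevated PowerShell session. The script below is an added example written for this thread, not anything Denis or Microsoft posted; it uses only the built-in Microsoft.PowerShell.LocalAccounts and Defender cmdlets and the documented UAC registry values. The fallback account name and the domain name are placeholders to replace, and it assumes that adding the domain Administrator under 'Other users' put it into the PC's local Administrators (or Users) group, which is what that Settings page does.

```powershell
# Added example: fallback local admin, remove the domain Administrator from this PC,
# disable the built-in local Administrator, set UAC to its highest level, scan.
# Run in an elevated PowerShell on each Windows 10 PC.

$fallbackName = 'LocalRecovery'             # placeholder: name of the new fallback local admin
$domainAdmin  = 'DOMAINNAME\Administrator'  # placeholder: replace DOMAINNAME with your domain's NetBIOS name

# 1. Fallback local admin. The password is prompted for, never written into the script.
if (-not (Get-LocalUser -Name $fallbackName -ErrorAction SilentlyContinue)) {
    $securePw = Read-Host -AsSecureString "Password for new local admin '$fallbackName'"
    New-LocalUser -Name $fallbackName -Password $securePw -PasswordNeverExpires `
                  -Description 'Fallback local admin (created after the Administrator logon incident)' | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $fallbackName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $fallbackName
}

# 2. Take the domain Administrator out of this PC's local groups
#    (the 'Other users' entry is just membership in Administrators or Users).
foreach ($grp in 'Administrators', 'Users') {
    if (Get-LocalGroupMember -Group $grp -Member $domainAdmin -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group $grp -Member $domainAdmin
        "Removed $domainAdmin from $grp"
    }
}

# 3. Disable the built-in local Administrator. It is identified by its well-known
#    RID 500 rather than by name, in case it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Disable-LocalUser -Name $builtin.Name
    "Disabled built-in account $($builtin.Name)"
}

# 4. UAC at its highest level ("Always notify"). EnableLUA changes take effect after a reboot.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord   # 2 = always prompt
Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord

# 5. Full Defender scan now; the offline scan reboots the PC into Windows Defender Offline,
#    so it is left as the last step.
Update-MpSignature
Start-MpScan -ScanType FullScan

# Report the resulting state before the offline scan restarts the machine.
"--- Local accounts ---";           Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
"--- Local Administrators ---";     Get-LocalGroupMember -Group 'Administrators' | Format-Table -AutoSize
"--- UAC ---";                      Get-ItemProperty -Path $uacKey |
                                        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

Start-MpWDOScan
```

Two points on the design: the built-in Administrator is located by SID suffix -500 because that identity is fixed even if someone has renamed the account, and Get-LocalGroupMember is queried before each Remove/Add so the script can be re-run on a PC that is already partly cleaned up without throwing. Step 4 on the server (Denis's point that he does not cover the server) does not apply; the Windows Server 2000 machine has no supported equivalent and the advice in post #4 stands.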


  7. Posts : 16,003
    Windows 10 Home x64 Version 22H2 Build 19045.3448
       #7

    Jamie, Our last couple of posts have crossed over each other during editing - I corrected & added to my posts after you had responded but before I could see that you had done so. Sorry. Denis


  8. Posts : 6
    Windows 10
    Thread Starter
       #8

    Thank you Denis! No worries about modifying your posts at all! I just appreciate the help/time you've taken.

    Yeah, I know Windows 2000 Server has been long outdated...I guess I just have been being cheap and figuring I've been lucky this long...

    Thank you for the actions and advice you've given...I'm going to get started as soon as I get back home.

    Jamie