
XP SP3 Admin user hijacked


Molecule


from what I can make of it, it's a pretty deep hijack

 

I shut down my system from Administrator and all was well.

 

When I started it up, as I remember it, before logon but with blue logon screen, I was presented with two small message boxes, one after the other, which I unfortunately failed to photograph.

 

One of them informed me that my administrator user files were corrupted (they were working fine when I shut down) and Windows had to do blah-blah.

 

I pulled the internet connection and reset the motherboard.

 

On next bootup, XP presented a logon as usual, and I logged on as usual.

 

XP somehow

(a.) allows me to signon as "administrator" using my old password, but I don't connect to that account

(b.) someone created a new admin account name ("Administrator.8441F50924994FF" under Documents and Settings) with my old password

(c.) the MyComputer icon was removed from the desktop

(d.) the theme I was using was replaced with Luna

(e.) half of the desktop icons were gone

(f.) it kicked out my Firefox ESR and installed a new Firefox, which I don't like (it dumps advertisements all over the place)

 

Has anyone had this experience before?  Was I hijacked, or did I have a crash somehow, and is this a genuine Microsoft procedure?

 

If there is a way to keep this system I'd probably prefer to do that.  What should I do?

 

When I logoff as Administrator.8441F50924994FF and try to logon as "administrator" XP just puts me back to the new administrator.

 

Thanks



It seems that your Administrator account was corrupted and Windows created a new Administrator account. You can try deleting this account, all the files of Administrator and Administrator.xxx user folders (backup what you want to preserve first), all the related registry entries, reboot and then try creating the account again. If you have System Restore enabled and a system restore point prior to the incident just use it and it will probably restore everything (since it contains the SAM and SECURITY files of the registry which have to do with the user accounts).

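One way to check the reading in the reply above (a corrupted profile, not a newly created account), added here as an example and not code from the thread: it parses saved `reg query` output for the `ProfileList` key, where Windows maps each account SID to its profile folder. The sample output, the SIDs and the `helpdesk` account are constructed; only the suffixed folder name comes from the first post.

```python
import re

# Constructed sample of saved output from:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
# SIDs are made up; the suffixed folder name is the one quoted in the first post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-500
    Flags    REG_DWORD    0x0
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator.8441F50924994FF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1004
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\helpdesk
"""

KEY_RE = re.compile(r"\\ProfileList\\(S-1-[0-9-]+)\s*$", re.I)
VAL_RE = re.compile(r"^\s+ProfileImagePath\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)

def parse_profiles(text):
    """Map each SID under ProfileList to the folder name of its profile."""
    profiles, sid = {}, None
    for line in text.splitlines():
        key = KEY_RE.search(line)
        if key:
            sid = key.group(1)
            continue
        val = VAL_RE.match(line)
        if val and sid:
            profiles[sid] = val.group(1).rsplit("\\", 1)[-1]
    return profiles

def triage(profiles, expected_folders):
    """Classify user-account profiles against folders known before the incident."""
    verdicts = {}
    for sid, folder in profiles.items():
        if not sid.startswith("S-1-5-21-"):
            continue                      # skip service/system SIDs
        base, _, suffix = folder.partition(".")
        if folder in expected_folders:
            verdicts[sid] = "unchanged"
        elif suffix and base in expected_folders and sid.endswith("-500"):
            # RID 500 is always the built-in Administrator: same account, new folder
            verdicts[sid] = "built-in Administrator re-profiled"
        elif suffix and base in expected_folders:
            verdicts[sid] = "suffixed folder: compare SID with a backup"
        else:
            verdicts[sid] = "account not present before"
    return verdicts

if __name__ == "__main__":
    for sid, verdict in triage(parse_profiles(SAMPLE), {"Administrator"}).items():
        print(sid, "->", verdict)
```

A SID ending in -500 that points at a suffixed folder is the original built-in Administrator loading a fresh profile; an unfamiliar SID with its own folder is what an actually added account would look like.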

thanks HarryTri and Ponch

 

the repair suggested by Ponch for Win7 worked

 

I just renamed the reg entries as suggested, removed 500M of internet and mail cache from documents and settings, administrator, local settings, application data, mozilla etc and rebooted, and at least that system is back

 

well almost

 

the Firefox browser got updated, and now when FF downloads nirsoft utilities, it sends them to some devnul somewhere -- claims it has virus program -- problem is, I don't have any antivirus installed, and windows security AV is turned off.

 

so that's a Firefox topic

 

big thanks!

 

==EDIT==

 

in addition to installing a new FF browser, it also installed a program in the Quick Start area of the taskbar, which I had never seen or downloaded -- Lightscribe -- an old HP program.  when I right clicked it it gave an explanation and a link, which looked very simple, www.lightscribe.com but which is no longer valid -- so I'm clueless how that got in quickstart on the new admin profile.

 

the shortcut to the quickstart lightscribe was not found in C:\Documents and Settings\[USERNAME]\Application Data\Microsoft\Internet Explorer\Quick Launch, so I assume it was coming from somewhere else

Edited by Molecule

 

the shortcut to the quickstart lightscribe was not found in C:\Documents and Settings\[USERNAME]\Application Data\Microsoft\Internet Explorer\Quick Launch, so I assume it was coming from somewhere else

 

Impossible - maybe it is a hidden file? Also you'd rather scan your system for viruses with a good AV program - I personally recommend AVG or ClamWin.


"All Users"....

"Default User"...

LightScribe is for burning an "image" in the "top" side of a DVD. Look at your Burner. Bet it has the symbol/words on it. ;) It's Freeware. Just google the word...

Edited by submix8c