'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
your computer suddenly shows a new local administrator account you did not create
Short answer
Treat this as a possible compromise: disconnect the computer from the internet immediately, then capture basic details without making changes and get the device checked.
Do not do these things
- Don’t keep using the computer for email, banking, password managers, or work systems.
- Don’t delete the suspicious admin account yet (it can remove clues needed to fix this safely).
- Don’t “poke around” making lots of changes (disabling services, uninstalling things, editing settings) beyond the minimum steps below.
- Don’t install random “cleanup” tools or follow untrusted commands from forums/videos.
- Don’t allow anyone you didn’t contact first to remote into your device.
What to do now
-
Isolate the device (now).
Turn off Wi-Fi, unplug Ethernet, disconnect any VPN. If it’s safe and simple, unplug unknown USB devices. -
Capture what you’re seeing (keep it simple).
Take a photo/screenshot of:- the login screen showing the new account name
- any user list you can see without digging
Write down the exact account name and when you first noticed it.
-
If it’s work/school/IT-managed, stop and escalate.
Contact your IT/helpdesk/security team and say: “A new local administrator account appeared that I didn’t create. I’ve taken the device offline.”
Don’t attempt fixes unless they instruct you to. -
From a different trusted device, secure your key accounts first.
Use your phone or another computer (not this one) to:- change your primary email password (because it controls resets)
- change passwords for banking/finance and any accounts you used on this computer
- enable or re-check multi-factor authentication (MFA) and sign out of other sessions where your services let you
If you reuse passwords, assume they’re exposed and change those everywhere.
-
Check whether the “new admin” is a built-in/known account that was enabled or renamed (optional).
Only do this if you can sign in with a known-good account you already trust. Use built-in user management to confirm:- the unknown account exists
- it has administrator privileges
- whether your usual account’s privileges changed
If this feels uncertain, skip it and move on.
-
Run an offline scan, then a full scan.
On Windows, run Microsoft Defender Offline (it restarts and scans outside normal Windows), then run a full scan. If you use another reputable security product, run its full scan too. -
If anything looks wrong, choose the safer recovery path.
If the account was truly unauthorised, keeps returning, or scans find malware, the least risky approach is often:- back up only irreplaceable personal files (documents/photos) cautiously
- wipe/reset and reinstall the operating system from trusted sources
- restore files only after scanning them, and only if you’re confident they’re clean
If you’re not confident, use reputable in-person support rather than unknown “remote fix” offers.
-
If money was lost or you were scammed, report it.
If you think you’ve been hacked as part of an online scam or fraud:- In England/Wales/Northern Ireland, reporting is typically via Report Fraud (Action Fraud).
- In Scotland, fraud reporting is typically via Police Scotland (101).
If there’s immediate danger, call 999.
What can wait
- You do not need to work out who did it or how right now.
- You do not need to decide immediately whether to wipe/reinstall—first isolate, capture basics, and secure key accounts.
- You do not need to contact lots of companies at once; start with your email and financial accounts.
Important reassurance
A surprise administrator account is a reasonable reason to be alarmed. Taking the device offline and protecting your email and bank access are strong, protective first steps—even before you know the full cause.
Scope note
This is first-steps-only guidance to stabilise and reduce harm. Later decisions (forensics, rebuilds, workplace incident handling, insurance, legal/regulatory) depend on whether it’s personal vs managed, and whether any data or money was affected.
Important note
This is general information, not professional IT, legal, or security advice. If the device is owned/managed by your employer or school, follow their security process. If you suspect fraud or financial loss, contact your bank promptly.
Additional Resources
- https://www.ncsc.gov.uk/section/respond-recover/ml-ransomware-attack
- https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- https://www.ncsc.gov.uk/section/respond-recover/ml-malware
- https://signpost-cyber-incident.service.gov.uk/
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://stopthinkfraud.campaign.gov.uk/reporting-fraud/
- https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline