Intermittent reboots

Tags:
Microsoft Windows
This one has me stumped. I have 40 clients, all running Win2k SP4. At various intervals, one or another will have a window pop up, saying 60 seconds to save files before a reboot. (I've yet to catch the full text of the message.) This affects both staff computers and student computers. So far there is no pattern to which machines go down when. I've heard of it happening as little as 10 minutes after a reboot to twice a day to not happening at all. So far there is no pattern in who is hit. So far there is no pattern as to which machine is hit. Ideas? (My servers are all FreeBSD, so I'm skeptical about a virus on the server. The 18 computers in the student lab are rebuilt from an image every night.)
ASKED: January 12, 2007  4:47 PM
UPDATED: January 16, 2007  11:34 AM

Answer Wiki


The shutdown command that Microsoft includes with various Windows versions includes the ability to restart a computer remotely if you have admin rights on the computer. Could this be a prank where someone is manually causing the reboots?

Check the system event log. It should record when a shutdown/restart was initiated and by what user.

Discuss This Question: 3  Replies

 
  • Lirria
    Best guess is some of your machines are infected with the Sasser virus. I would go get a removal tool for it; Symantec has a good one at http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99. You will also need to download the patch to stop it from getting reinfected. The above link has the details. Run the tool on all systems and it should stop the problem once they are patched and have the file removed. Good luck! Lirria
  • Petroleumman
    Hello. Question: you said that 18 of your 40 clients are rebuilt nightly from a stored image. What about the rest of your machines? Is your problem isolated to just the 18 student machines or widespread amongst all 40 machines? Are your computers networked either in a workgroup or domain? Do they have internet access or email? I would not rule out a virus so fast. If your machines are connected to each other in any way, all it takes is one infected computer to infect the rest. Run a scan on your machines with a reputable anti-virus product and, if possible, an anti-spyware product as well and see what you find. If you're connected to the internet, disconnect and test. You may even choose to evaluate your system image, as that may be the source of your problems. Also, set up logging on one or more of your computers and examine your event logs, particularly the security log, for clues. If it's a prankster you'll catch his/her activities there. Good luck!
  • SGBotsford
    I didn't rule out a virus. Only the particular one mentioned. F-Secure failed to find any viruses. ClamAV didn't find any viruses. Prevx found lots -- about 40, although most of these were variants of one type. (All were named ABC.exe where ABC could be any three letters. All were about 145KB in size.) The others were copies of the explore virus, a dialer virus and a couple of others that I'd not heard of. To my dismay, even laptops that had F-Secure and Kerio firewall were affected. To answer your earlier question: This affected all of my computers. Reinfection time was on the order of minutes. I ended up stomping it out by shutting down ALL the computers, and bringing them up one by one and installing Prevx on them.
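An added example, not part of the original thread or written by any of its posters: a Python sweep for files with the traits SGBotsford's reply describes (a three-letter name, an .exe extension, about 145KB), grouped by SHA-256 so identical copies can be told apart from variants. The 140-150 KiB size window, the hashing step and all function names are assumptions of this example.

```python
import hashlib
import os
import re
from collections import defaultdict

# Traits taken from the post: three-letter name, .exe extension, about 145 KB.
NAME_RE = re.compile(r"[A-Za-z]{3}\.exe", re.IGNORECASE)
# Assumption: "about 145KB" is read as 140-150 KiB; tune after a confirmed sample.
SIZE_MIN, SIZE_MAX = 140 * 1024, 150 * 1024


def sha256_of(path):
    """Hash a file in chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspects(root):
    """Return {sha256: [paths]} for files under root matching name and size."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not NAME_RE.fullmatch(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                if SIZE_MIN <= os.path.getsize(path) <= SIZE_MAX:
                    groups[sha256_of(path)].append(path)
            except OSError:
                continue  # locked or vanished file: skip, keep sweeping
    return dict(groups)


def report(root):
    """Print one entry per distinct hash; identical copies collapse together."""
    for digest, paths in sorted(find_suspects(root).items()):
        print(f"{digest[:16]}  x{len(paths)}")
        for p in sorted(paths):
            print(f"    {p}")


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Legitimate Windows binaries such as cmd.exe also have three-letter names, so a hit is a lead to check against a known-clean image, not a verdict.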
