Systems all over the network are rebooting spontaneously at the same time!

[Ben]

As from yesterday several computers(6) and a few servers
(3) across the entire network got the error code 128 on %
\systemroot%\system32\services.exe and started to shut
down after 60 seconds.
We tried to find what caused the problem but noting showed
up.
Last night the same thing happened only on larger scale.
Now 13 servers were rebooted with the same error message.
Again nothing showed up in event logs or firewall traffic
logs.
This afternoon the same thing happened but again more
bigger as before. About 70 computers and a lot of servers
all over our network and different subnets started to
reboot after the services.exe error message.

We cannot find anything that causes this very strange
problem.

We are sure that none of the affected pc's are infected by
any know virus (Blaster etc).
All machines are running windows 2000 SP4.
No strange services are running and no tasks are scheduled.
No strange events are shown, only the unexpected shutdown
occurred message.
No strange network traffic can be found in the firewall
logs. (no broadcast from a certain pc for shutdown or
something).

Does anyone know what is happening over here?

Thank you very much in advance.

 

[Enkidu]

THis still sounds like one or more viruses. Take a machine offline,
format and reinstall the OS, all patches and all virus software and
definitions - take it elsewhere to do this if necessary. Do not
connect it to your network until it is totally patched up and virus
checked.Then scan each offending machines *and* all other machines.

Cheers,

Cliff

 

[Steven Ung]

As from yesterday several computers(6) and a few servers
(3) across the entire network got the error code 128 on %
\systemroot%\system32\services.exe and started to shut
down after 60 seconds.
We tried to find what caused the problem but noting showed
up.
Last night the same thing happened only on larger scale.
Now 13 servers were rebooted with the same error message.
Again nothing showed up in event logs or firewall traffic
logs.
This afternoon the same thing happened but again more
bigger as before. About 70 computers and a lot of servers
all over our network and different subnets started to
reboot after the services.exe error message.

We cannot find anything that causes this very strange
problem.

We are sure that none of the affected pc's are infected by
any know virus (Blaster etc).
All machines are running windows 2000 SP4.
No strange services are running and no tasks are scheduled.
No strange events are shown, only the unexpected shutdown
occurred message.
No strange network traffic can be found in the firewall
logs. (no broadcast from a certain pc for shutdown or
something).

Does anyone know what is happening over here?

Thank you very much in advance.

Some of the PCs on our network shows the same symptoms. I tried all
Anti-virus known to man to scan the infected computer (scaned using NAV,
Housecall etc), but none shows that the PC is infected.

1. Task manager shows 100% CPU Utilization and there are no weird services
running.
2. Automatically shuts down Windows, DOS applications, or REGEDIT after a
few seconds.
3. Rapidly transfer data to/from network, causing the PC to lose connection
to the network, and worst locking the the entire network segment.
4. When Win2000 startup, we can observe 3 DOS like windows executing, but
unable to read what it is executing.


I'm really stumped!

(Ps. Sorry, my English sucks as it is not my first language)

 

[Guest]

I've tried that al well.
The strange thing is that is are not allways the same
machines which are restarting. Just random workstations
and servers.
Time interval seems to be about 9 hours between the
restarts.
It looks like something in the network is sending a
broadcast to restart machines across the network.
I've scanned some machines with stinger, mcafee, and
symantec but all with no result.

 

[Enkidu]

Some of the PCs on our network shows the same symptoms. I tried all
Anti-virus known to man to scan the infected computer (scaned using NAV,
Housecall etc), but none shows that the PC is infected.

1. Task manager shows 100% CPU Utilization and there are no weird services
running.
2. Automatically shuts down Windows, DOS applications, or REGEDIT after a
few seconds.
3. Rapidly transfer data to/from network, causing the PC to lose connection
to the network, and worst locking the the entire network segment.
4. When Win2000 startup, we can observe 3 DOS like windows executing, but
unable to read what it is executing.


I'm really stumped!

(Ps. Sorry, my English sucks as it is not my first language)

Stephen and Ben, it is important to scan from a known clean
installation. Some viruses disable and/or block anti-virus programs.

Something that affects a number of machines and progressively too,
seems to me to scream "virus"..... However, it could be coincidence.
Unlikely? Or a particular rollout of an application? You judge...

It's easy for me to make suggestions, I realise. You are the ones at
the coalface. Please don't take exception to my concentration on the
virus angle...

Cheers,

Cliff

 

[Steven Ung]

Stephen and Ben, it is important to scan from a known clean
installation. Some viruses disable and/or block anti-virus programs.

Something that affects a number of machines and progressively too,
seems to me to scream "virus"..... However, it could be coincidence.
Unlikely? Or a particular rollout of an application? You judge...

It's easy for me to make suggestions, I realise. You are the ones at
the coalface. Please don't take exception to my concentration on the
virus angle...

Actually you're right. It was due to virus and it had since been solved,
well, after the Microsoft DCOM patch was applied to the 15+ WinXP/2000 Pro
computers.

Thanks for your help