Help with virus/hack

StArGaZeR (Weaksauce; joined Aug 13, 2005; 119 messages)
For the last 3 days I have had an issue on my network where workstations spontaneously shut down and then, upon reboot, I get the "NTLDR is missing" message. This is happening to wireless laptops as well as desktops that are hardwired. Users reported that "icons just started disappearing off the desktop" before it shut itself down. My investigation so far has revealed that something is randomly deleting files/programs before finally deleting NTLDR and shutting down. I run Sophos Anti-Virus software on the network and it has the latest defs. Scans of the infected HDDs turn up nothing.

I also have a security program on all my workstations called Clean Slate. For those of you who don't know, this is a program that, when configured properly, will "undo" any changes made to a workstation by a user when that user logs off or shuts down. Then, when the workstation is rebooted or logged back in, it is returned to its default state. While talking to techs at Clean Slate I have learned that there is a brief moment when the machine is booting where something like this could happen before Clean Slate has a chance to fully load, which answered my first question as to why it wasn't doing its job.

A 2nd theory on this is that the Admin pw has gotten out and someone is using it to remotely get into the workstations undetected by Clean Slate. The program is set up to disable itself if it detects an Admin is logging in. Another interesting fact we have noticed is that only workstations with this program installed are the ones being infected, coincidence? We have several workstations that do not have this program and none of them are having this issue. It could very well be a coincidence; we're talking about a WAN here that has over 4000 computers on it, and so far I have reports of only about 75 affected workstations that are located in 2 out of the 12 separate buildings. All this makes me lean more towards some kind of hack rather than a virus.
Any of you guys ever experience anything like this or even heard of it?
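One concrete way to test the "Admin password got out" theory is to look at who has been logging on as Administrator over the network or via Remote Desktop on an affected box. The snippet below is an added example for this thread, not something the poster or the Clean Slate vendor supplied; it assumes PowerShell 2.0 is installed on the XP workstation, that success auditing of logon events is turned on, and it uses the classic XP/2003 event IDs 528 (successful logon) and 540 (successful network logon). On Vista and later the equivalent is event 4624 with a different message layout.

```powershell
# Added example (not from the thread): list successful network (logon type 3)
# and remote interactive (logon type 10) logons by the built-in Administrator
# account over the last three days, read from the classic Security log of an
# XP/2003 workstation. Assumes PowerShell 2.0 and logon auditing are present.
$since = (Get-Date).AddDays(-3)

Get-EventLog -LogName Security -InstanceId 528,540 -After $since |
    Where-Object {
        # XP-era message bodies carry the fields as "Name:<spaces>value" lines
        $_.Message -match 'User Name:\s+Administrator' -and
        $_.Message -match 'Logon Type:\s+(3|10)\b'
    } |
    ForEach-Object {
        # Pull the originating workstation name and logon type out of the text
        $src  = if ($_.Message -match 'Workstation Name:\s+(\S+)') { $matches[1] } else { '?' }
        $type = if ($_.Message -match 'Logon Type:\s+(\d+)')       { $matches[1] } else { '?' }
        New-Object PSObject -Property @{
            Time      = $_.TimeGenerated
            EventId   = $_.InstanceId
            LogonType = $type
            Source    = $src
        }
    } |
    Sort-Object Time |
    Format-Table Time, EventId, LogonType, Source -AutoSize
```

Run it on one of the 75 affected machines and on a couple of unaffected ones for comparison; `Get-EventLog` also takes `-ComputerName`, so the same filter can be pointed at several hosts from one admin box. Two caveats: if Clean Slate also rolls the event log back at logoff, the entries will vanish after the next logoff, so collect them while the machine is still up; and a box that has already lost NTLDR won't boot, so its log can only be pulled from the drive mounted in another system. A run of type 3 or type 10 Administrator logons from one source shortly before each shutdown would support the hack theory far more than anything an AV scan can tell you.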
 
At first glance I would say it is some sort of bad configuration, or more commonly network trouble when trying to reload them. I would check and see the topology going to each building and see if they have a common connection. I ran into this a lot with the Altiris package. The idea that one or two people with the password would run around causing this trouble is unlikely in my opinion. I assume you use a PXE boot to reload? Just a suggestion so I would appreciate it if no one flamed me for my inexperience. :p

*EDIT* Or you could have 75 bad hard drives.
 
We do use Sysprep and PXE boot for re-imaging. I think I can rule out the bad hard drive idea. This is spread over several different model computers, some laptops, some desktops. The laptops are Dell D620s that were bought this past summer and the desktops all vary anywhere from Optiplex GX 280s up through 745s.
 
Is Windows up to date on all your PCs? Is Clean Slate keeping the updates away too? I had a problem like that about 3 years ago on Windows XP boxes that weren't updated with the latest updates.

I also learned the shutdown -a command in the meantime.

I don't know if it's the same problem you're having, but random PCs would all of a sudden give you a 45-second shutdown notice and it had to do with the Remote Procedure Call.
 