Strange W2k OS behaviour spreading between machines like a virus (but no AV can identify one)
Posted on 2004-11-01
My Win2k servers are behaving very strangely, as are my 2k desktops. The first thing that you notice is that when you click on an application icon, you get the message "unable to run this command".
After a reboot, on the 2k servers, you cannot log in at all. The "Press Ctrl-Alt-Del" message does not react to the key combination. The mouse is an hourglass.
You can terminal server to the boxes. Clicking icons gives you the message above. Entering the executable name into Start->Run works; but many of the system apps (like event manager) do not work properly with red crosses where you would expect to see the various logs.
A few services do not start: Plug&Play, Messenger, Logical Disk Manager, Internet Authentication Service. Other services start OK. There is no correlation between who they log in as and which ones start/don't start.
Regedit displays the top level hives, but when you open them, the registry looks empty.
All this has happened on two different W2k servers which are DCs for two different domains, running in different sites but connected by a 64kb link. The W2k desktops at THREE sites are doing similar things. The third site (yet another domain connected by a slow IP link) has W2k3 for a domain controller. The W2k3 servers are not entirely unaffected. They are losing their License Authorisation. There seem to be problems with the Device Manager.
Device Manager is a common thread here. Sometimes when booting the 2k servers, you briefly get a message referring to the Hotplug Device Manager. I suspect that the other services depend on this one but am not sure.
This is the weirdest problem I have ever seen (considering the scope of the problem). It seems virus-like because it suddenly affects so many machines in three sites. Running the McAfee Stinger does not find anything. Running Spybot doesn't find anything either.
A corrupt group policy might do something like this, but I wouldn't have thought it would do it across domains. The domains do have bi-directional trust relationships.
If anyone is suffering from this problem, or has any ideas, I would be very keen to hear from them.