Sometimes it is the simplest of things, a client of mine was experiencing random server "crashes". Investigate, and find every single one was a controlled shutdown initiated by the admin user account. I said they should change the admin account ASAP. They said they had tried but other systems where the previous admin had used the admin account would break, and they didn't have a list. To what would be affected. I said and this is better than having someone randomly shutting down your operations, and potentially stealing anything they wanted, or leaving behind Trojans or back doors? 10 minutes later the admin account was disabled, and we just started trouble shifting and changing other system as they appeared broken, then the next user account was was found that started shutting stuff down. Any remote access to these systems? Well the previous IT providor used to use team viewer........ Changed that account and the attacks stopped. Sometimes it really is just the simple things.