Solved

Utilization at 99% on exchange box

Posted on 2004-08-05
Last Modified: 2010-04-14
hello,
I have a client that has a server running Microsoft Exchange. Their server is sitting at 95%-99%. They have Symantec Corporate Edition running the Exchange agent. Does anyone have any ideas why this is happening? Thank you.
Question by:eberhardt2329
52 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11728655
What is the process that utilizes all this CPU power? Check it out in Task Manager - Processes.
0
 

Author Comment

by:eberhardt2329
ID: 11728990
I will, thank you. What else can I try? I am on my way there right now. Thank you.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11729027
When you see what process takes that much power, it will tell you what application does that. Depending on the application, there are several solutions possible. Maybe rebooting will fix your problem. Check out your Event Viewer to see if there are any suspicious error messages.
0
 
LVL 4

Expert Comment

by:novacopy
ID: 11729274
If you do not see a process taking all the CPU usage, open up Disk Management to ensure all your HDDs are still working fine, or that all of your memory is still doing OK.
0
 

Author Comment

by:eberhardt2329
ID: 11729483
The process is services.exe; it is at 95-99%. Any ideas?
0
 

Author Comment

by:eberhardt2329
ID: 11729551
I found services.exe is running twice, but it will not let me kill it. Any ideas? One services.exe is at 99%, the other is at about 2%.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11729636
Did you try to reboot to see if it remains the same? Check if there are still 2 services.exe after.

Do a full scan of your server with your antivirus software..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11729650
as per a newsgroup post:

Does services.exe max out when you boot to SafeMode?  If not, suspect a Third-Party
Service.  You can try identifying the offending service this way:

1.  If necessary, install the Windows 2000 Support Tools (see Windows 2000 Help topic
"To install Windows 2000 Support Tools")

2.  Click Start, click Run, type cmd and at the command prompt type the following
command to get a list of all the services (Svcs:) that services.exe (Services and
Controller app) is running:  tlist -s

3.  Check the list for 'suspects' such as Third-Party Services (see below for links to
articles that may help you decipher the tlist). Then, one-by-one, pause a 'suspect'
service and see if that stops services.exe from maxing out.  (For more information about
pausing a service, see Services Help topic:  "To start, stop, pause, resume, or restart
a service")

Windows 2000 Professional Services
http://www.blkviper.com/WIN2K/servicecfg.htm

"Glossary of Windows 2000 Services"
http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp

Windows 2000 Services Tweak guide
http://www.3dspotlight.com/tweaks/win2k_services/print.shtml

263201 - Default Processes in Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;263201

281770 - How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;281770

HOW TO Troubleshoot Startup Problems in Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q315396

TechNet Home >  Products & Technologies >  Windows 2000 Professional >  Resource Kits >
Troubleshooting:  Chapter 31 - Troubleshooting Tools and Strategies
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000pro/reskit/part7/proch31.asp

0
 

Author Comment

by:eberhardt2329
ID: 11729735
I rebooted and they both are still there. Well, I really did not reboot; I tried the kill command from the command line, and then it shut itself down. I am not sure it is running antivirus exactly; it is running the Exchange gateway for it. Any ideas to move forward? Thank you so much.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11729830
Sometimes, a symptom of infection is when service.exe is running at 99%

You have to know if there is an antivirus for the file system, not only for your Exchange server. You could run Stinger from McAfee, but it would find tons of stuff related to your Exchange server, and may remove stuff that shouldn't be removed.

Hmmm, try to scan for spyware on your computer with Ad-Aware standard edition.

http://lavasoft.element5.com/support/download/

After installing it, run it and press "check for update"; after this, scan your computer.

0
 

Author Comment

by:eberhardt2329
ID: 11729972
I am running it now. Is there something specifically I am looking for? I do not want to just remove things. Let me know. Thank you so much for your help. I added another ticket. If you help resolve this I will give you both. Thanks.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730001
You can safely remove everything that Ad-Aware puts in there. When it finishes scanning, right-click the result and click Select All. It puts everything in quarantine.

Tell me the result.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730053
0
 

Author Comment

by:eberhardt2329
ID: 11730085
While I am waiting for that, how can I scan this computer for viruses without installing any software? He only has the Exchange antivirus; it looks like nothing is running locally.

0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730111
Try this software.

http://vil.nai.com/vil/stinger/

It searches for a bunch of the newest viruses, and it's free.
0
 

Author Comment

by:eberhardt2329
ID: 11730122
It found four things: three tracking cookies, and one that says Alexa. Do I click Next, or do I quarantine them from here?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730131
Everything is normal then..
0
 

Author Comment

by:eberhardt2329
ID: 11730136
So click Next and remove them?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730137
yes
0
 

Author Comment

by:eberhardt2329
ID: 11730148
What do you think is next?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730163
services.exe is a core Operating System component that runs multiple Services (as
seen using services.msc).  Some Windows 2000 Services that are run by services.exe
are: Alerter (Alerter), Application Management (AppMgmt), Computer Browser (Browser),
DHCP Client (DHCP), Distributed Link Tracking Client (TrkWks), Distributed Link
Tracking Server (TrkSrv), DNS Client (DNSCache), Event Log (EventLog), Logical Disk
Manager (dmserver), Messenger (Messenger), Plug and Play (PlugPlay), Protected
Storage (ProtectedStorage), RunAs Service (seclogon), Server (lanmanserver), TCP/IP
NetBIOS Helper Service (LmHosts), Windows Management Instrumentation Driver
Extensions (WMI), Windows Time (W32Time), Workstation (LanmanWorkstation).

As follows are some ways to determine the particular Services registered in the
services.exe processes on your computer:

- Run the command line program named tlist, with the -s switch.  For more information
about tlist see the "More Information" section in the following Microsoft Knowledge
Base Article:

KB250320 - Description of Svchost.exe
http://support.microsoft.com/?scid=250320

- Run the SysInternals application named Process Explorer (procexp.exe).  Right-click
Services.exe and choose Properties...  Then select the tab titled Services.  For more
information about procexp.exe see:

- Process Explorer
Copyright © 1998-2002 Mark Russinovich
Find out what files, registry keys and other objects processes have open, which DLLs
they have loaded, and more. This uniquely powerful utility will even show you who
owns each process.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

- Run services.msc, sort the list by the column titled "Started", then double-click
each Service that has the status of started and look in the "Path to executable" box
for: C:\WINNT\system32\services.exe
0
 

Author Comment

by:eberhardt2329
ID: 11730266
I found two services.exe. The second one I found was at the bottom of the page in this utility. I killed it and the process went away. How do I make sure this does not load again? Thank you so much.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730286
You have to know what process is hiding behind this second services.exe, using the tools mentioned in my previous post. I can't tell you what it is, but knowing the process hiding behind it will tell you the problem. I can't tell you exactly what the problem is, though. If it starts again, just kill it again until you find what is behind this. You've got everything in my last post to find it.

0
 

Author Comment

by:eberhardt2329
ID: 11730301
There was nothing under this one, so if I restart and it shows up and I look in this program, it will just show itself. I want to make this second services.exe not start. Any ideas?
0
 

Author Comment

by:eberhardt2329
ID: 11730313
I am looking in the registry, and found service.exe in c:\winnt\services.exe
I also found it in image path %systemroot%\system32\services.exe. Are these both supposed to be here?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730328
Hmmm. No hidden service under this one? Check out what is in your Startup folder, what services could be starting up in the Services applet in Administrative Tools, and what is starting up in the Run section of your registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730334
I don't think so, let me check..
0
 

Author Comment

by:eberhardt2329
ID: 11730357
The only thing in Start > Programs > Startup is WinZip. In Run in the registry there is a c:\winnt\service.exe, also promon.exe, and winvnc.

I will also look in Admin Tools.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730377
On my Exchange box (Windows 2000 SP4), the only place where I found services.exe was in:

C:\winnt\system32

that's it.
0
 

Author Comment

by:eberhardt2329
ID: 11730380
Nothing out of the ordinary in Services. There are a couple of things that are set to manual that are loading at startup.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730390
Every search I did on "c:\winnt\services.exe" in Google reported that it may be a virus.
0
 

Author Comment

by:eberhardt2329
ID: 11730391
I found this %systemroot%\system32\services.exe in about 10 different places. What do you think I should do?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730408
%systemroot%\system32\services.exe = normal..

%systemroot% = your default windows directory. Since the file is supposed to be in there, I think this is normal
0
 

Author Comment

by:eberhardt2329
ID: 11730417
OK, so what do you think? I am running an online scan right now.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730422
I think you should run the stinger antivirus I told you about
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730427
Let's see, I'm leaving the office in 20 min, let me know before that.
0
 

Author Comment

by:eberhardt2329
ID: 11730432
ok
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730454
newsgroup post:

If you have Windows NT4/2000/XP/2003 and the full path
to this program is  C:\WinNT\Services.exe  or  
C:\Windows\Services.exe,  then you most probably have
the   W32.Netsky@mm   virus.  If you have Windows
95/98/ME and this task is running in the background, then
you most probably have that virus too.
0
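The path check described in the post above, as an added example that is not part of the original thread: it flags any process or Run-key entry that carries the name of a core Windows binary but sits outside %SystemRoot%\System32. It assumes a current Windows host with PowerShell 3.0 or later (the Windows 2000 server in this thread predates PowerShell); the `Test-ImagePath` function and the watch list in `$CoreNames` are hypothetical names chosen for the example.

```powershell
# Added example: flag processes and Run-key entries that use the name of a core
# Windows binary but live outside %SystemRoot%\System32.
$System32  = Join-Path $env:SystemRoot 'System32'
# Assumed watch list; these binaries normally exist only in System32.
$CoreNames = 'services.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe'

function Test-ImagePath {
    param([string]$Command)
    # Pull the executable out of a command line, quoted or not, with or without arguments.
    if ($Command -match '^\s*"?(?<exe>[^"]+?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
    } else {
        return 'unknown'      # empty path (access denied, process exited) or not an .exe
    }
    if ($CoreNames -notcontains [IO.Path]::GetFileName($exe)) { return 'not-core' }
    if ([IO.Path]::GetDirectoryName($exe) -ieq $System32) { 'expected' } else { 'SUSPICIOUS' }
}

# Constructed sample using the three paths quoted in this thread.
foreach ($p in 'C:\WINNT\services.exe', '%SystemRoot%\system32\services.exe', 'C:\WINNT\p.exe') {
    '{0,-40} {1}' -f $p, (Test-ImagePath $p)
}

# Live check 1: running processes (ExecutablePath can be empty without admin rights).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, Name, ExecutablePath,
        @{ n = 'Verdict'; e = { Test-ImagePath $_.ExecutablePath } } |
    Where-Object Verdict -eq 'SUSPICIOUS'

# Live check 2: autostart entries in the machine and user Run keys.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $command = $item.GetValue($valueName)
        [pscustomobject]@{
            Key     = $key
            Name    = $valueName
            Command = $command
            Verdict = Test-ImagePath $command
        }
    }
}
```

The check only catches borrowed names: `C:\WINNT\p.exe` comes back as `not-core`, so unfamiliar entries in the Run-key listing still need to be reviewed by hand.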
 

Author Comment

by:eberhardt2329
ID: 11730494
I am running the Trend Micro online scan right now. What do you think, do I have a virus?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11730524
Maybe, maybe not.... we'll see.. if this does not work, use the stinger one I was telling you about a bit earlier.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11732211
So, what was the result??
0
 

Author Comment

by:eberhardt2329
ID: 11732867
It seems that it found a couple of viruses, and one affected the services.exe. Just waiting to hear back from the client. I will let you know. Thank you.

Jason
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11734911
Great then :)

On an Exchange server, there are always 2 antiviruses that should be running.

1- Antivirus gateway scanner (for emails)
2- Local antivirus. You have to be sure to exclude the other product's (antivirus) directory, and the directory where the mail data/badmail is stored too. If you do not do this, the local antivirus will keep detecting stuff 2 times, and it can mess everything up.
0
 

Author Comment

by:eberhardt2329
ID: 11736650
It found services.exe and p.exe; both were listed as BKDR_DOTD.A. What do you think I should do?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11736696
Clean them, they are obviously viruses. Does your internet antivirus allow you to clean your computer?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11736813
By the way, you should run Windows Update on your box to see if it's fully patched after having cleaned everything.

After having patched and cleaned everything, you should run Microsoft MBSA 1.2 on there too. It's free, and it's on the Microsoft website.
0
 

Author Comment

by:eberhardt2329
ID: 11740004
They are not cleanable. They are both bkdr_dotd_a; one is c:\winnt\p.exe, and the other is c:\winnt\services.exe. They are not cleanable. What should I do?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11740563
Not cleanable, what do you mean, you can't clean them online? Usually, you can't clean anything via online scan. If you only detected those 2 files, delete them.
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 11740573
But if they try to start when you restart, it will give you an error message.
0
 

Author Comment

by:eberhardt2329
ID: 11741204
I should delete the file that infected winnt\services.exe? Are you sure? Thank you so much for your help.
0
 

Author Comment

by:eberhardt2329
ID: 11741833
0
 

Author Comment

by:eberhardt2329
ID: 11741894
I am going to give you the credit on this question. Thank you so much for your help. I opened a new one about the viruses. If you think you can help, let me know.

http://www.experts-exchange.com/Applications/Viruses/Q_21085524.html
0
