eberhardt2329

Utilization at 99% on exchange box

Hello,
I have a client that has a server running Microsoft Exchange. Their server is sitting at 95%-99%. They have Symantec Corporate Edition running the Exchange agent. Does anyone have any ideas why this is happening? Thank you.
Yan_west

What is the process that is using all this CPU power? Check it out in Task Manager - Processes.
ASKER

I will, thank you. What else can I try? I am on my way there right now. Thank you.
When you see which process takes that much power, it will tell you which application does that. Depending on the application, there are several possible solutions. Maybe rebooting will fix your problem. Check your Event Viewer to see if there are any suspicious error messages.
If you do not see a process taking all the CPU usage, open up Disk Management to ensure all your HDDs are still working fine, or that all of your memory is still doing OK.
The process is services.exe; it is at 95-99%. Any ideas?
I found services.exe is running twice, but it will not let me kill it. Any ideas? One services.exe is at 99%, the other is at about 2%.
Did you try to reboot to see if it remains the same? Check if there are still 2 services.exe after.

Do a full scan of your server with your antivirus software.
As per a newsgroup post:

Does services.exe max out when you boot to SafeMode?  If not, suspect a Third-Party
Service.  You can try identifying the offending service this way:

1.  If necessary, install the Windows 2000 Support Tools (see Windows 2000 Help topic
"To install Windows 2000 Support Tools")

2.  Click Start, click Run, type cmd and at the command prompt type the following
command to get a list of all the services (Svcs:) that services.exe (Services and
Controller app) is running:  tlist -s

3.  Check the list for 'suspects' such as Third-Party Services (see below for links to
articles that may help you decipher the tlist). Then, one-by-one, pause a 'suspect'
service and see if that stops services.exe from maxing out.  (For more information about
pausing a service, see Services Help topic:  "To start, stop, pause, resume, or restart
a service")

Windows 2000 Professional Services
http://www.blkviper.com/WIN2K/servicecfg.htm

"Glossary of Windows 2000 Services"
http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp

Windows 2000 Services Tweak guide
http://www.3dspotlight.com/tweaks/win2k_services/print.shtml

263201 - Default Processes in Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;263201

281770 - How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;281770

HOW TO Troubleshoot Startup Problems in Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q315396

TechNet Home >  Products & Technologies >  Windows 2000 Professional >  Resource Kits >
Troubleshooting:  Chapter 31 - Troubleshooting Tools and Strategies
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000pro/reskit/part7/proch31.asp

I rebooted and they both are still there. Well, I really did not reboot; I tried the kill command from the command line, and then it shut itself down. I am not sure it is running antivirus exactly; it is running the Exchange gateway for it. Any ideas to move forward? Thank you so much.
Sometimes, a symptom of infection is when service.exe is running at 99%.

You have to know if there is an antivirus for the file system, not only for your Exchange server. You could run Stinger from McAfee, but it would find tons of stuff related to your Exchange server, and may remove stuff that shouldn't be removed.

Hmmm, try to scan for spyware on your computer with Ad-Aware Standard Edition.

http://lavasoft.element5.com/support/download/

After installing it, run it and press "check for update"; after this, scan your computer.

I am running it now. Is there something specific I am looking for? I do not want to just remove things. Let me know. Thank you so much for your help. I added another ticket. If you help resolve this I will give you both. Thanks.
You can safely remove everything that Ad-Aware puts in there. When it finishes scanning, right-click the result and click Select All. It puts everything in quarantine.

Tell me the result.
While I am waiting for that, how can I scan this computer for viruses without installing any software? He only has the Exchange antivirus; it looks like nothing is running locally.

Try this software.

http://vil.nai.com/vil/stinger/

It searches for a bunch of the newest viruses, and it's free.
It found four things: three tracking cookies, and one that says Alexa. Do I click next, or do I quarantine them from here?
Everything is normal then.
So click next and remove them?
What do you think next?
services.exe is a core Operating System component that runs multiple Services (as
seen using services.msc).  Some Windows 2000 Services that are run by services.exe
are: Alerter (Alerter), Application Management (AppMgmt), Computer Browser (Browser),
DHCP Client (DHCP), Distributed Link Tracking Client (TrkWks), Distributed Link
Tracking Server (TrkSrv), DNS Client (DNSCache), Event Log (EventLog), Logical Disk
Manager (dmserver), Messenger (Messenger), Plug and Play (PlugPlay), Protected
Storage (ProtectedStorage), RunAs Service (seclogon), Server (lanmanserver), TCP/IP
NetBIOS Helper Service (LmHosts), Windows Management Instrumentation Driver
Extensions (WMI), Windows Time (W32Time), Workstation (LanmanWorkstation).

The following are some ways to determine the particular Services registered in the
services.exe processes on your computer:

- Run the command line program named tlist, with the -s switch.  For more information
about tlist see the "More Information" section in the following Microsoft Knowledge
Base Article:

KB250320 - Description of Svchost.exe
http://support.microsoft.com/?scid=250320

- Run the SysInternals application named Process Explorer (procexp.exe).  Right-click
Services.exe and choose Properties...  Then select the tab titled Services.  For more
information about procexp.exe see:

- Process Explorer
Copyright © 1998-2002 Mark Russinovich
Find out what files, registry keys and other objects processes have open, which DLLs
they have loaded, and more. This uniquely powerful utility will even show you who
owns each process.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

- Run services.msc, sort the list by the column titled "Started", then double-click
each Service that has the status of started and look in the "Path to executable" box
for: C:\WINNT\system32\services.exe
I found two services.exe; the second one I found was at the bottom of the page in this utility. I killed it and the process went away. How do I make sure this does not load again? Thank you so much.
You have to know what process is hiding behind this second services.exe, using the tools mentioned in my previous post. I can't tell you what it is, but knowing the process hiding behind it will tell you the problem. I can't tell you exactly what the problem is, though. If it starts again, just kill it again until you find what is behind this. You've got everything in my last post to find it.

There was nothing under this one, so if I restart and it shows up and I look in this program, it will just show itself. I want to make this second services.exe not start. Any ideas?
I am looking in the registry, and found service.exe in c:\winnt\services.exe.
I also found it in image path %systemroot%\system32\services.exe. Are these both supposed to be here?
Hmmm. No hidden service under this one? Check what is in your Startup folder, what services could be starting up in the Services applet in Administrative Tools, and what is starting up in the Run section of your registry.


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
I don't think so, let me check.
The only thing in Start > Programs > Startup is WinZip. In Run in the registry there is a c:\winnt\service.exe, also promon.exe, and winvnc.

I will also look in Admin Tools.
On my Exchange box (Windows 2000 SP4), the only place where I found services.exe was in:

C:\winnt\system32

that's it.
Nothing out of the ordinary in Services; there are a couple of things that are set to manual that are loading at startup.
Every search I did on "c:\winnt\services.exe" in Google reported that it may be a virus.
I found this %systemroot%\system32\services.exe in about 10 different places. What do you think I should do?
%systemroot%\system32\services.exe = normal..

%systemroot% = your default windows directory. Since the file is supposed to be in there, I think this is normal
OK, so what do you think? I am running an online scan right now.
I think you should run the Stinger antivirus I told you about.
Let's see, I'm leaving the office in 20 min; let me know before that.
OK
Newsgroup post:

If you have Windows NT4/2000/XP/2003 and the full path
to this program is  C:\WinNT\Services.exe  or  
C:\Windows\Services.exe,  then you most probably have
the   W32.Netsky@mm   virus.  If you have Windows
95/98/ME and this task is running in the background, then
you most probably have that virus too.
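
The path rule from the newsgroup post above, as an added example that is not part of the original thread: a Python check that flags a core Windows binary name whose image lives outside %SystemRoot%\System32, plus names one character away from a core binary name. The sample paths are constructed from paths mentioned in this thread; `SYSTEM_BINARIES`, `classify` and `findings` are hypothetical names, and C:\WINNT is assumed as the system root.

```python
import ntpath

# Core Windows binaries that should only run from %SystemRoot%\System32.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "svchost.exe"}

def expand(path, system_root):
    """Expand a leading %SystemRoot% and normalise case and separators."""
    p = path.strip().strip('"')
    if p.lower().startswith("%systemroot%"):
        p = system_root + p[len("%systemroot%"):]
    return ntpath.normcase(ntpath.normpath(p))

def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted or changed character."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return (a[i + 1:] == b[i + 1:]) if len(a) == len(b) else (a[i:] == b[i + 1:])

def classify(image_path, system_root=r"C:\WINNT"):
    """Return 'ok', 'system-name-wrong-path', 'lookalike-name' or 'other'."""
    folder, name = ntpath.split(expand(image_path, system_root))
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    if name in SYSTEM_BINARIES:
        return "ok" if folder == expected else "system-name-wrong-path"
    if any(within_one_edit(name, known) for known in SYSTEM_BINARIES):
        return "lookalike-name"
    return "other"

# Constructed sample input: image paths as a process list or registry value might report them.
SAMPLE = [
    ("process", r"C:\WINNT\system32\services.exe"),
    ("process", r"c:\winnt\services.exe"),
    ("service ImagePath", r"%systemroot%\system32\services.exe"),
    ("Run key", r"c:\winnt\service.exe"),
]

def findings(entries=SAMPLE):
    """Keep only the entries that need a closer look."""
    checked = [(src, path, classify(path)) for src, path in entries]
    return [row for row in checked if row[2] not in ("ok", "other")]

if __name__ == "__main__":
    for source, path, verdict in findings():
        print(f"{verdict:24} {source:18} {path}")
```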
I am running the Trend Micro online scan right now. What do you think, do I have a virus?
Maybe, maybe not... we'll see. If this does not work, use the Stinger one I was telling you about a bit earlier.
So, what was the result?
It seems that it found a couple of viruses, and one affected the services.exe. Just waiting to hear back from the client. I will let you know. Thank you.

Jason
Great then :)

On an Exchange server, there are always 2 antivirus products that should be running.

1- Antivirus gateway scanner (for emails)
2- Local antivirus. You have to be sure to exclude the other product's (antivirus) directory, and the directory where the mail data/badmail is stored too. If you do not do this, the local antivirus will keep detecting stuff 2 times, and it can mess everything up.
It found services.exe and p.exe; both were listed as BKDR_DOTD.A. What do you think I should do?
Clean them, they are obviously viruses. Does your internet antivirus allow you to clean your computer?
By the way, you should run Windows Update on your box to see if it's fully patched after having cleaned everything.

After having patched and cleaned everything, you should run Microsoft MBSA 1.2 on there too. It's free, and it's on the Microsoft website.
They are not cleanable; they are both bkdr_dotd_a. One is c:\winnt\p.exe, and the other is c:\winnt\services.exe. They are not cleanable. What should I do?
Not cleanable, what do you mean, you can't clean them online? Usually, you can't clean anything via an online scan. If you only detected those 2 files, delete them.
I should delete the file that infected winnt\services.exe? Are you sure? Thank you so much for your help.
I am going to give you the credit on this question. Thank you so much for your help. I opened a new one about the viruses. If you think you can help, let me know.

https://www.experts-exchange.com/questions/21085524/I-have-two-files-infected-with-BKDR-DOTD-A.html