Solved

Disk spage agressively being chewed up by something

Posted on 2007-03-19
10
1,009 Views
Last Modified: 2012-06-21
Hi Experts,
   I really hope you can help me out on this one cause I've been banging my head  on it all weekend. I have a windows 2003 server running Exchange 2003 e also have ISA server installed. Everything was fine until last Thursday when the server reported it had no more disk space available. That sounded strange so I removed some log files and some unused files freeing up about 8gig of data. The whole sytem went back to normal when all of a sudden I noticed the disk space going out rapidly at a rate of 1 gig per min. I thought someone was in our network so I disconnected the server isolating him still the space was being chewed up. I did a seach on modified files but nothing came up. Needless to say the server became really slow. Any Idea what this can be ? I checked the ttask manager and everything looked normal. We aslo have AVG installed and it did not detect any viruses on the system.
0
Comment
Question by:Biju708
  • 9
10 Comments
 

Author Comment

by:Biju708
Comment Utility
I am attaching the log from hijakthis maybe you can have a better idea.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:55 PM, on 3/19/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\GFI\MailSecurity\msecatt.exe
C:\Program Files\GFI\MailEssentials\msecatt.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\GFI\Network Server Monitor\Server\iothrust.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\COM\logread.exe
C:\Program Files\GFI\MailSecurity\autdlsvc.exe
C:\Program Files\Microsoft SQL Server\80\COM\logread.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\WINDOWS\system32\wuauclt.exe
F:\WindowsServer2003-KB914961-SP2-x86-ENU.exe
e:\5d22ab50bde17113ac1da2795a2d\i386\update\update.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168697083281
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\Software\..\Telephony: DomainName = asp-consulting.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: GFI virusdef updater (autdlsvc) - GFI Software - C:\Program Files\GFI\MailSecurity\autdlsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GFI Content Security Attendant - GFI Software Ltd. - C:\Program Files\GFI\MailSecurity\msecatt.exe
O23 - Service: GFI MailEssentials Attendant - Unknown owner - C:\Program Files\GFI\MailEssentials\msecatt.exe" -service (file missing)
O23 - Service: GFI POP2Exchange - GFI Software Ltd. - C:\Program Files\GFI\MailEssentials\pop2exch.exe
O23 - Service: GFI Network Server Monitor (GfiNmSvc) - GFI Software Ltd. - C:\Program Files\GFI\Network Server Monitor\Server\GfiNmSvc.exe
O23 - Service: GFI List Server (listserv) - GFI Software Ltd - C:\Program Files\GFI\MailEssentials\ListServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: MSSQL$MSFW - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe" -sMSFW (file missing)
O23 - Service: Persits Software EmailAgent - Unknown owner - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe" /run (file missing)
O23 - Service: SQLAgent$MSFW - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlagent.EXE" -i MSFW (file missing)

0
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
Comment Utility
Have you backed up Exchange and cleared your transaction logs recently?
0
 

Author Comment

by:Biju708
Comment Utility
no not recently KCTS
0
 

Author Comment

by:Biju708
Comment Utility
I'm doing a backup right now KCTS the store and site replication services using NT backup. Will transaction logs automatically clear after backup ?
0
 

Author Comment

by:Biju708
Comment Utility
did that but it did not help at all I still have the same problem. Any other ideas ?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:Biju708
Comment Utility
What I noticed now is that after a restart everything works fine, then after about 10 minutes Outlook clients will not update their emails from the server this will then start the disk consumpion on the server. I am really at a loss here since I have never seen anything like it. any help will really be appreciated.
0
 

Author Comment

by:Biju708
Comment Utility
NOw I just cloned the drive and replaced it with a new one maybe it was a drive problem
0
 

Author Comment

by:Biju708
Comment Utility
That did not do the trick either. I'm really at a loss now no idea what it could be.
0
 

Author Comment

by:Biju708
Comment Utility
I am now checking the login logs and it seems that the server crashes evertime a particular user logs in via MAC entourage is it a possibility or that cannot be ?

0
 

Author Comment

by:Biju708
Comment Utility
I think I found the solution here

http://msexchangetips.blogspot.com/2006/08/exchange-transaction-log-files-growing.html

I will test it out and see what happens.
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now