• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1033
  • Last Modified:

Disk spage agressively being chewed up by something

Hi Experts,
   I really hope you can help me out on this one cause I've been banging my head  on it all weekend. I have a windows 2003 server running Exchange 2003 e also have ISA server installed. Everything was fine until last Thursday when the server reported it had no more disk space available. That sounded strange so I removed some log files and some unused files freeing up about 8gig of data. The whole sytem went back to normal when all of a sudden I noticed the disk space going out rapidly at a rate of 1 gig per min. I thought someone was in our network so I disconnected the server isolating him still the space was being chewed up. I did a seach on modified files but nothing came up. Needless to say the server became really slow. Any Idea what this can be ? I checked the ttask manager and everything looked normal. We aslo have AVG installed and it did not detect any viruses on the system.
0
Biju708
Asked:
Biju708
  • 9
1 Solution
 
Biju708Author Commented:
I am attaching the log from hijakthis maybe you can have a better idea.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:55 PM, on 3/19/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\GFI\MailSecurity\msecatt.exe
C:\Program Files\GFI\MailEssentials\msecatt.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\GFI\Network Server Monitor\Server\iothrust.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\COM\logread.exe
C:\Program Files\GFI\MailSecurity\autdlsvc.exe
C:\Program Files\Microsoft SQL Server\80\COM\logread.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\WINDOWS\system32\wuauclt.exe
F:\WindowsServer2003-KB914961-SP2-x86-ENU.exe
e:\5d22ab50bde17113ac1da2795a2d\i386\update\update.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168697083281
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\Software\..\Telephony: DomainName = asp-consulting.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = asp-consulting.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{276CD682-4C13-43FB-BE85-DCC1CFFC7335}: NameServer = 212.56.128.196,212.56.128.132
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: GFI virusdef updater (autdlsvc) - GFI Software - C:\Program Files\GFI\MailSecurity\autdlsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GFI Content Security Attendant - GFI Software Ltd. - C:\Program Files\GFI\MailSecurity\msecatt.exe
O23 - Service: GFI MailEssentials Attendant - Unknown owner - C:\Program Files\GFI\MailEssentials\msecatt.exe" -service (file missing)
O23 - Service: GFI POP2Exchange - GFI Software Ltd. - C:\Program Files\GFI\MailEssentials\pop2exch.exe
O23 - Service: GFI Network Server Monitor (GfiNmSvc) - GFI Software Ltd. - C:\Program Files\GFI\Network Server Monitor\Server\GfiNmSvc.exe
O23 - Service: GFI List Server (listserv) - GFI Software Ltd - C:\Program Files\GFI\MailEssentials\ListServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: MSSQL$MSFW - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe" -sMSFW (file missing)
O23 - Service: Persits Software EmailAgent - Unknown owner - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe" /run (file missing)
O23 - Service: SQLAgent$MSFW - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlagent.EXE" -i MSFW (file missing)

0
 
KCTSCommented:
Have you backed up Exchange and cleared your transaction logs recently?
0
 
Biju708Author Commented:
no not recently KCTS
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
Biju708Author Commented:
I'm doing a backup right now KCTS the store and site replication services using NT backup. Will transaction logs automatically clear after backup ?
0
 
Biju708Author Commented:
did that but it did not help at all I still have the same problem. Any other ideas ?
0
 
Biju708Author Commented:
What I noticed now is that after a restart everything works fine, then after about 10 minutes Outlook clients will not update their emails from the server this will then start the disk consumpion on the server. I am really at a loss here since I have never seen anything like it. any help will really be appreciated.
0
 
Biju708Author Commented:
NOw I just cloned the drive and replaced it with a new one maybe it was a drive problem
0
 
Biju708Author Commented:
That did not do the trick either. I'm really at a loss now no idea what it could be.
0
 
Biju708Author Commented:
I am now checking the login logs and it seems that the server crashes evertime a particular user logs in via MAC entourage is it a possibility or that cannot be ?

0
 
Biju708Author Commented:
I think I found the solution here

http://msexchangetips.blogspot.com/2006/08/exchange-transaction-log-files-growing.html

I will test it out and see what happens.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now