  • Status: Solved

TCPSVCS.exe process takes up huge amounts of Virtual Memory

I am having a problem with a process on some of my servers that is taking up large amounts of pagefile space. The TCPSVCS.exe process is currently sucking up 1.9 GB of VM on several of my servers. I am unable to figure out what is causing it to grow so high and why some of my servers do not grow like this. The servers are all domain controllers with at least 3GB of RAM. They are all running 2003 Server Standard. They all run DHCP, DNS, WINS, and print services. Any ideas would be greatly appreciated. Thank you!
Asked by: Mase2k

gurutc Commented:
Hi,

Do you have any Antivirus/Anti-spyware running?  Also what driver are you using on the VM config?

Good Luck,

- gurutc

Mase2k (Author) Commented:
Gurutc,
We currently run Symantec Anti-Virus Corporate Edition 8.1. It runs on all of our DC's. Other than that though we have no other adware/spyware running. I am not sure what you mean by driving on the VM config. Can you tell me how to get this information for you? Thank you!

Mase2k (Author) Commented:
Here is a picture of what I'm talking about. Not sure if it will help.
 
qnstie Commented:
It looks to me like you have a trojan, because normally this process should not use so much memory.
Check e.g. this link, for more info:
http://www.symantec.com/security_response/writeup.jsp?docid=2002-021121-4532-99&tabid=2

Best luck!

Mase2k (Author) Commented:
IE8 is kicking my butt this morning. Apparently it doesn't like experts-exchange... Here it is again
Capture.JPG

gurutc Commented:
I was brain dead, thinking vm was virtual machine, not virtual memory, duh, but I still think you're probably infected.

- gurutc

Mase2k (Author) Commented:
Ok. I am looking into it now. I don't see any obvious infections, but I will dig :)

gurutc Commented:
You can go to www.trendmicro.com and run the free housecall scan...

- gurutc

Mase2k (Author) Commented:
I will give it a try. I checked the Virusscan logs on Symantec and do not see any virus reports or infections.

Mase2k (Author) Commented:
It does not appear that I will be able to run the housecall as it is taking too many resources away from the servers. I forgot to mention that these servers are also Terminal Servers for up to 20 users.

gurutc Commented:
Hmmm, try it later when all the users are offline perhaps?

I don't see a way of thoroughly checking the servers that won't interfere with user sessions.

- gurutc

Mase2k (Author) Commented:
Is the Symantec Corporate AntiVirus solution not thorough enough? It scans the systems nightly as well as updates itself daily.

gurutc Commented:
Just speaking from my experience, no single-vendor solution is totally capable of detecting and/or fixing every malware threat out there.

Sometimes, the only solution I've found that works is using an off-line scanning solution such as the Ultimate Boot CD for Windows, found at:

www.ubcd4win.com

With this CD, you can boot entirely from cd and run scans, taking out the possibility of a well-hidden rootkit loading from the hard drive and messing up the scan.

- gurutc

Mase2k (Author) Commented:
I understand. I am mostly concerned with the number of servers that are doing this. It seems very sporadic, but one trend I have found is it only appears to affect servers with the original 2003 Server Standard and not the R2 version. I have found several references on the Internet regarding this process, but nothing that really shows how to resolve it. Hardly any point to a virus infection.

Mase2k (Author) Commented:
I believe I may have gotten to the bottom of this. See attached Microsoft article regarding the memory leak that caused this problem.

http://support.microsoft.com/kb/939928/en-us

Also I attached a screenie of what the server did after I executed the workaround instructions.
change.JPG

gurutc Commented:
Dad-gummit, I thought there might be a patch/hotfix issue.  Looks like you licked it yourself.  Good job!

- gurutc

Mase2k (Author) Commented:
Thank you kindly. And thank you very much for your quick attention on this.