Mase2k

asked on

TCPSVCS.exe process takes up huge amounts of Virtual Memory

I am having a problem with a process on some of my servers that is taking up large amounts of pagefile space. The TCPSVCS.exe process is currently sucking up 1.9 GB of VM on several of my servers. I am unable to figure out what is causing it to grow so high and why some of my servers do not grow like this. The servers are all domain controllers with at least 3GB of RAM. They are all running 2003 Server Standard. They all run DHCP, DNS, WINS, and print services. Any ideas would be greatly appreciated. Thank you!
gurutc

Hi,

Do you have any Antivirus/Anti-spyware running?  Also what driver are you using on the VM config?

Good Luck,

- gurutc
Mase2k

ASKER

Gurutc,
We currently run Symantec Anti-Virus Corporate Edition 8.1. It runs on all of our DCs. Other than that though we have no other adware/spyware running. I am not sure what you mean by driving on the VM config. Can you tell me how to get this information for you? Thank you!
Mase2k

ASKER

Here is a picture of what I'm talking about. Not sure if it will help.

It looks to me like you have a trojan, because normally this process should not use so much memory.
Check e.g. this link, for more info:
http://www.symantec.com/security_response/writeup.jsp?docid=2002-021121-4532-99&tabid=2

Best luck!
Mase2k

ASKER

IE8 is kicking my butt this morning. Apparently it doesn't like experts-exchange... Here it is again
Capture.JPG
I was brain dead, thinking vm was virtual machine, not virtual memory, duh, but I still think you're probably infected.

- gurutc
Mase2k

ASKER

Ok. I am looking into it now. I don't see any obvious infections, but I will dig :)
You can go to www.trendmicro.com and run the free housecall scan...

- gurutc
Mase2k

ASKER

I will give it a try. I checked the Virusscan logs on Symantec and do not see any virus reports or infections.
Mase2k

ASKER

It does not appear that I will be able to run the housecall as it is taking too many resources away from the servers. I forgot to mention that these servers are also Terminal Servers for up to 20 users.
Hmmm, try it later when all the users are offline perhaps?

I don't see a way of thoroughly checking the servers that won't interfere with user sessions.

- gurutc
Mase2k

ASKER

Is the Symantec Corporate AntiVirus solution not thorough enough? It scans the systems nightly as well as updates itself daily.
Just speaking from my experience, no single-vendor solution is totally capable of detecting and/or fixing every malware threat out there.

Sometimes, the only solution I've found that works is using an off-line scanning solution such as the Ultimate Boot CD for Windows, found at:

www.ubcd4win.com

With this CD, you can boot entirely from CD and run scans, taking out the possibility of a well-hidden rootkit loading from the hard drive and messing up the scan.

- gurutc
Mase2k

ASKER

I understand. I am mostly concerned with the number of servers that are doing this. It seems very sporadic, but one trend I have found is it only appears to affect servers with the original 2003 Server Standard and not the R2 version. I have found several references on the Internet regarding this process, but nothing that really shows how to resolve it. Hardly any point to a virus infection.
ASKER CERTIFIED SOLUTION
Mase2k

This solution is only available to members.
SOLUTION

This solution is only available to members.
Mase2k

ASKER

Thank you kindly. And thank you very much for your quick attention on this.