Which program is causing abnormal disc activity?

John Latter

I don't know much about computers but I seem to be having a lot of
disc activity since changing my hard drive and reinstalling windows
xp.

I've been to windows task manager & have enabled I/O Read Bytes & I/O
Write bytes.

When I'm doing nothing the following 3 programs are constantly
changing. I've been online for about 3 hours now & these are the
approximate figures:

ashserve.exe (Avast antivirus):

read: 4,700,000,000 write: 3,700,000

svhost.exe:

read: 705,000,000 write: 718,000,000

lsass.exe:

read: 1,010,000 write: 540,000

Today is the 1st time my firewall reported that lsass requested
internet access though this disc activity has been noticeable since
doing the reinstall.

Any help or advice would be appreciated!
 
Rick "Nutcase" Rogers

Hi,

Avast probably has background scanning running and its VRDB points building,
which would account for its disk activity.

Svchost could indicate a number of things, but my guess is that since it's a
new installation this is most likely the indexing service at work.

lsass is a normal system function used to authenticate logons, but it should
not need to access the internet. This act may indicate suspicious activity,
and (to me at least) warrants investigation in Safe mode. By any chance were
you connected to the internet via a broadband connection when you were
installing the operating system? There is a point where the system is "live"
but the firewall is not fully running yet, and a connected system can
quickly become infected by sasser (which causes issues with lsass) and other
active worms seeking unprotected machines.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
Guest

If using XPPro, run the command

tasklist /svc

at the command prompt. Find the PID number of the svchost.exe that's
causing the activity and look it up in the above command prompt window.

Let us know what the items listed under services in the far right column
are and someone should be able to let you know if they're benign or malicious.
 
John Latter

Hi,

Avast probably has background scanning running and its VRDB points building,
which would account for its disk activity.

Svchost could indicate a number of things, but my guess is that since it's a
new installation this is most likely the indexing service at work.

lsass is a normal system function used to authenticate logons, but it should
not need to access the internet. This act may indicate suspicious activity,
and (to me at least) warrants investigation in Safe mode. By any chance were
you connected to the internet via a broadband connection when you were
installing the operating system? There is a point where the system is "live"
but the firewall is not fully running yet, and a connected system can
quickly become infected by sasser (which causes issues with lsass) and other
active worms seeking unprotected machines.

Hi Rick,

Unfortunately it's not VRDB :(

I've done some googling & by disabling terminal services lsass.exe is
no longer constantly accessing the disc but svchost.exe & ashserve are
- I think svc is 'triggering' ashserve.
 
John Latter

If using XPPro, run the command

tasklist /svc

at the command prompt. Find the PID number of the svchost.exe that's
causing the activity and look it up in the above command prompt window.

Let us know what the items listed under services in the far right column
are and someone should be able to let you know if they're benign or malicious.

Hiya,

I've done some googling & tried tasklist /svc before I realized that
the info was for XP Pro and I've only got Home :(

Still googling - would be grateful for any help :)

John
 
Malke

John said:
Hiya,

I've done some googling & tried tasklist /svc before I realized that
the info was for XP Pro and I've only got Home :(

Still googling - would be grateful for any help :)

John - When you reinstalled Windows, did you connect to the Internet
without having a firewall in place? If you did, it is possible that you
have some malware running. Here are things to check:

1. Do some clean-boot troubleshooting:

http://support.microsoft.com/default.aspx?kbid=310353
and How to Troubleshoot By Using the Msconfig Utility in Windows XP -
http://support.microsoft.com/?id=310560

2. Make sure your computer is 100% malware-free. Start by running
Ad-aware and Spybot Search & Destroy. Install and update these free
programs and then scan with them (not simultaneously!) in Safe Mode. If
you need more detailed malware removal steps, I have some on my website
here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Since you have Avast, make sure its definitions are current and do a
scan with it in Safe Mode also.

Malke
 
John Latter

John - When you reinstalled Windows, did you connect to the Internet
without having a firewall in place? If you did, it is possible that you
have some malware running. Here are things to check:

1. Do some clean-boot troubleshooting:

http://support.microsoft.com/default.aspx?kbid=310353
and How to Troubleshoot By Using the Msconfig Utility in Windows XP -
http://support.microsoft.com/?id=310560

2. Make sure your computer is 100% malware-free. Start by running
Ad-aware and Spybot Search & Destroy. Install and update these free
programs and then scan with them (not simultaneously!) in Safe Mode. If
you need more detailed malware removal steps, I have some on my website
here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Since you have Avast, make sure its definitions are current and do a
scan with it in Safe Mode also.

Malke

Hiya Malke,

Thanks for the advice & info Malke :)

I installed XP, installed SP2, installed McAfee PFW & only then
connected to the internet.
 
Malke

Thanks for the advice & info Malke :)

I installed XP, installed SP2, installed McAfee PFW & only then
connected to the internet.

I'd still do the above. Clean-boot t-shooting is a really good tool, and
checking for malware can't hurt. Also check and see if the Indexing
Services is running. You might want to turn it off and see if that
solves the issue. Start>Run services.msc [enter] and scroll down to the
Indexing Service.

Malke
 
Guest

Having difficulty posting a question, so I hope I have not done the wrong
thing by intruding on another subject. When I press "new" and question, I get
nothing. Anyway, my question is: Recently I downloaded a photo editing
program Ulead photosmart. When I went to install the program, I got the
message "not a valid win 32 application". Can anyone tell me what is going on
here? I thought the Ulead programmes would be suitable for windows XP
 
Malke

Pam said:
Having difficulty posting a question, so I hope I have not done the wrong
thing by intruding on another subject. When I press "new" and question, I get
nothing. Anyway, my question is: Recently I downloaded a photo editing
program Ulead photosmart. When I went to install the program, I got the
message "not a valid win 32 application". Can anyone tell me what is going on
here? I thought the Ulead programmes would be suitable for windows XP

Hi, Pam. Actually it isn't a good idea to hijack someone else's thread.
It really limits your chances of getting an answer. I only looked at
this thread (which is finished) because I participated in it. The
reason you are having trouble posting is because you are using the web
interface, which is terrible. Let me give you info on how to use a
newsreader, and then I'll address the Ulead issue.

A. Newsgroups

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlookexpressnewreader.htm
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/default.aspx?scid=/support/news/howto/default.asp
- Set Up Newsreader

http://www.dts-l.org/goodpost.htm

http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
crossposting

B. Ulead

What version of Ulead? Is it an old program? If it is old, it may not be
supported by XP. If everything else is working well on your computer, I
would check with the program's tech support. Here's a link:

http://www.ulead.com/tech/techsupport.htm

If you need more help, get your newsreader set up and make a new post.
Take the time to go to the "goodpost" and "smart-questions" links
first.

Malke
 
Guest

Malke said:
Hi, Pam. Actually it isn't a good idea to hijack someone else's thread.
It really limits your chances of getting an answer. I only looked at
this thread (which is finished) because I participated in it. The
reason you are having trouble posting is because you are using the web
interface, which is terrible. Let me give you info on how to use a
newsreader, and then I'll address the Ulead issue.

A. Newsgroups

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlookexpressnewreader.htm
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/default.aspx?scid=/support/news/howto/default.asp
- Set Up Newsreader

http://www.dts-l.org/goodpost.htm

http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
crossposting

B. Ulead

What version of Ulead? Is it an old program? If it is old, it may not be
supported by XP. If everything else is working well on your computer, I
would check with the program's tech support. Here's a link:

http://www.ulead.com/tech/techsupport.htm

If you need more help, get your newsreader set up and make a new post.
Take the time to go to the "goodpost" and "smart-questions" links
first.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
John Latter

If using XPPro, run the command

tasklist /svc

at the command prompt. Find the PID number of the svchost.exe that's
causing the activity and look it up in the above command prompt window.

Let us know what the items listed under services in the far right column
are and someone should be able to let you know if they're benign or malicious.

Tasklist.exe gives:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman,Nla,RasMan,
Schedule, seclogon,SENS,SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,wuauserv

That's tidied up more or less as it appears in the command window,
after pasting it actually looked like this:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla,
RasMan,
Schedule, seclogon, SENS,
SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,
wuauserv

Jorolat

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
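
Added example, not part of the original thread: the PID-to-services lookup suggested above, done over pasted `tasklist /svc` text whose service list has wrapped across lines as in the last post, then compared with a list taken from a known-good machine. The sample text, the `ExampleSvc` name, the baseline list and the function names are constructed for illustration.

```python
import re

# A record starts with "<image name> <PID> <services...>"; image names may
# contain spaces but never commas, which tells them apart from wrapped lines.
HEAD = re.compile(r"^([^,]+?)\s+(\d+)\s+(\S.*)$")

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])}, rejoining wrapped service
    lists whether continuation lines are indented or flush left."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("=", "Image Name")):
            continue                      # blank, separator or header row
        m = HEAD.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            rest = m.group(3)
        elif current is not None:
            rest = line                   # continuation of previous record
        else:
            continue
        procs[current][1].extend(
            s.strip() for s in rest.split(",") if s.strip() not in ("", "N/A"))
    return procs

def unexpected_services(procs, baseline):
    """Map pid -> services absent from a known-good baseline."""
    known = {s.lower() for s in baseline}
    flagged = {pid: [s for s in svcs if s.lower() not in known]
               for pid, (_, svcs) in procs.items()}
    return {pid: extra for pid, extra in flagged.items() if extra}

# Constructed sample in the pasted layout; "ExampleSvc" is a made-up name
# standing in for a service that the baseline does not contain.
SAMPLE = """\
Image Name                   PID Services
========================= ====== ==============================
System Idle Process            0 N/A
lsass.exe                    700 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  956 AudioSrv, CryptSvc, Dhcp,
ExampleSvc, Themes,
wuauserv
"""
BASELINE = ["PolicyAgent", "ProtectedStorage", "SamSs", "AudioSrv",
            "CryptSvc", "Dhcp", "Themes", "wuauserv"]
```

Calling `unexpected_services(parse_tasklist_svc(SAMPLE), BASELINE)` returns only the svchost.exe PID with the one name missing from the baseline, which is the entry to look up first.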
 
