Running Services: iass.exe, crss.exe, Constant writes?

Hi All, maybe somebody can enlighten me on this one. I noticed that my hard drive light blinks constantly, about 1 or 1 1/2 times per second forever. As far as I know this is a relatively new behavior.

When I look at running services in task manager, I see constant reads/writes for two services, iass.exe and crss.exe whose tally changes with each HDD blink. I also see svchost.exe, doing reads and writes, but not at the magnitude of the others.

Also, without foreground programs running, performance tab shows the cpu usage constant at 5-7%% and system idle process at 0.

I did a search for those two, including hidden and system fileas, and as far as Windows is concerned, there are no such files on this machine.

Any information would be appreciated.

Take care,

Martin

 

Sounds like malware to me martin. Run AdAware and Spybot to clean it up. Use good ol' HiJackThis also. Delete the files manually if you must. (Safe Mode)

 

I have lsass.exe and csrss.exe running in my processes but they are not causing cpu usage. They are in C:\Windows\system32 and in the DLL cache. Are these the things you see?

Do you have windows indexing turned on? That will cause your HD to hunt and peck incessantly.

 

Martin, you need to update your worms. You're running an older version and you may be missing some of the misery.

Agbot Worm

 

Mea Culpa, Mea Culpa:

Correct service names:

csrss.exe
isass.exe

Both are merrily writing and reading, after several hours of uptime. Windows will not allow service shutdown, claiming them to be "Critical Processes "

Ad Aware, Norton AV, SpyBot, PestPatrol, MSFT's anti spyware all come up empty.

Dude, maybe if you send me a link for the Worm update, those programs could find the updated version!

Tale care,

Martin

 

isass.exe is still a virus.

http://www.iamnotageek.com/a/isass.exe.php

Sometimes these keyloggers and such escape detection. Do an on-line with HouseCall maybe just for style points.

 

Gulp!

From: www.answersthatwork.com

Well, it looked like an i to me.

I will be in hiding for the next 24 hours.

Martin

 

Well, that settles it..You either need to run an on-line scan or run to the optometrist. Not to worry martin, I drop my candy in the sand once in a while too. We'll let you slide.

 

Hi Martin!

Suspicious activity and very odd CPU numbers. Lets have a closer look at your processes. Download Process Explorer, unzip and open, then click file>save as and put on your desktop. Open and copy/paste it here.

 

Hi Dave, Darn HDD, blink, blink, blink.

Here's the file:

 

This one doesn't look good to me.
INSTAN~1.EXE 2952

Please download the List Installed Programs script from here, run it and post it's log.

 

HeHe, you may be right Tony. I figured the cookie.exe is the Cookie Wall program, and I think I've been seeing too much of the Instant Access infection lately.

Gonna crawl into the corner and keep Martin company.

 

I dunno Dave, this corner is kind of crowded!

Anyhow, both you and Tony are correct, Cookie.exe is the executable for AnalogX's Cookie Wall, and the Instant Access is part of the OCR for ScanSoft scanner software.

Regardless, I did a search for the infected cookie.exe files, the reg keys associated with it and the DIZ file for the "You've Been Hit" email. All come up negative. (I remember getting that email, but no trace of the virus.)

I did the online virus scan, comes up empty.

In the meantime, the HDD led goes blink, blink, blink blink...........

Task Mgr. Performance now indicates processer use fluctuating between 2 & 4%, I am attaching screen shots, are we done? What else could cause the HDD blinks besides a virus?

lsass and csrss still doing their reads and writes, I suppose they are supposed to keep going and going and going? Along with HDD blink, blink, blink, blink, blink...................

Everybody should have a good day today, it is snowing here, BRRRRRRR

Take care,

Martin

Attachments of screenshots of performance graph did not load, 6.9 bytes too big, if of some use, I can resize?

 

could you use FileMon from sysinternals and see whos doing what?