I know this board also has excellent references to this error and the removal, but as time seems to be of the essence and Google came up with a hit in a nanosecond with all the to-dos so nicely included, including the links, I hope the security forum gurus will forgive me for doing this.
You may want to run into the security forum and post this up for friendly hand holding and walk thrus while you try to clean this up, if this truly is the problem.
Last edited by goddez1; 23rd November 2004 at 15:48.
Yes, PC got the Sasser virus. If the "system shutdown" screen appears, you should click "Start > Run" and type in "shutdown -a" to abort system shutdown in 60 seconds, and do Windows Update. Good luck.
Like herry1314 said, when you get the message, click on Start, click on Run, key in
Code:
shutdown -a
and click OK. That will abort the shutdown. Then you can fix things.
However, you need to get the security patches that block Sasser/Blaster/etc. burned to CD since they really need to go on any time you do a fresh OS install and before you ever hit the internet.
Better yet, get SP2 on CD since it blocks those and quite a few other baddies as well as putting up a firewall so you aren't bitten when you first go on the net.
Why is Remote Procedure Call shutting down my computer after 60 seconds?
Why is LSASS.exe shutting down my computer after 60 seconds?
Why is svchost.exe crashing my computer?
Why is dllhost.exe taking 100% of my CPU time?
A buffer overrun is the cause of an issue affecting many versions of Windows to include NT, 2000, XP and 2003. The main indication of this is a 60 second shutdown counter just after connecting to the internet or "right after" an attack attempt. "Strange" network activity while you are not downloading or surfing is another key factor.
Upon examination of my firewall log files, I discovered that every two to five minutes, the vulnerable ports are being scanned. Since I am behind a firewall, I have not been affected by any of these problems. However, due to the firewall activity, I must assume that the Remote Procedure Call vulnerability information publicly released on July 16, 2003 and the LSASS vulnerability released April 13, 2004 are being exploited. The latest security patch described below (in the Third step) will solve all issues.
As I touched on with my configuration, by default, all incoming Remote Procedure Call traffic is blocked with all firewalls, to include Windows XP's built-in firewall. Being as though that is a general statement, I am sure I am going to get burned by it. But in all honesty, regardless of whether you are behind a firewall or not, the latest security patch should still be installed, as it is the most critical one recently released and affects such a mass amount of systems.
ABSOLUTELY DO NOT disable the Remote Procedure Call Service using any Registry Patches or Hardware Profiles, no matter who told you or why!
Remote Procedure Call is a vital core process that is required for your system to function properly and install the security patch. If you have already disabled it somehow and are looking for help, I have a way to try and fix it.
The following are steps that you can take to protect yourself from this vulnerability:
Note: If you do not have a firewall or use something other than Windows XP, skip the first step.
First
In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet.
Block inbound (from the internet) and outbound (from your computer) TCP and UDP ports 135, 137, 138, 139, 445 and 593 at your firewall and ensure your firewall is active. This will stop Remote Procedure Call and LSASS.exe inbound traffic from the internet reaching your computer.
You can enable the built in Internet Connection Firewall with Windows XP by doing the following:
With the default Category Control Panel:
Head to Start
Select Control Panel
Select Network and Internet Connections
Select Network Connections
Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
Select the Properties option in the popup menu
Select the Advanced tab
Check the box next to "Protect my computer and network by limiting..."
Select the Ok button to apply the settings
With the Classic Control Panel:
Head to Start
Select Control Panel
Select Network Connections
Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
Select the Properties option in the popup menu
Select the Advanced tab
Check the box next to "Protect my computer and network by limiting..."
Select the Ok button to apply the settings
This action will start the Internet Connection Firewall Service.
Second
You can stop a computer from automatically rebooting during the 60 second countdown by doing the following:
Head to the Start button
Select Run...
type shutdown -a in the popup window
Select the Ok button to issue the command
Image 1.1: [screenshot, 45KB .jpg]
You can "stop" the Remote Procedure Call Service from shutting down the system after 60 seconds each time the attack is attempted. This does not apply to LSASS.exe. I absolutely do not condone this action as a "fix," but it could be used to stop the system from rebooting while you are attempting to repair the issue and scan your computer for vulnerabilities if you have not already activated your firewall. In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet:
Head to the Start button
Select Run...
type services.msc in the popup window
Select the Ok button to issue the command
Select the Remote Procedure Call Service from the list by double clicking it
Select the "Recovery" tab (Image 1.1)
The default for this service is "Restart the Computer" for all failures
Change each one to "Restart the Service"
Select the Ok button to apply the settings
Again, this should not be done to fix the reboot issue, only to ensure that you have the proper amount of time to correct the problems.
Third
Ensure that all security patches are currently downloaded and installed. Before troubleshooting your computer any further, this step needs to be complete to be positive that this particular security issue is not being exploited and causing your problems.
Take note: Cryptographic Services in Windows XP and 2003 needs to be placed on automatic and/or started before installing security patches. Cryptographic Services requires the Remote Procedure Call Service. Again, do not disable Remote Procedure Call! It is required to install the patch! They both are placed on automatic by default.
Remote Procedure Call Information:
A security patch for Windows NT, 2000, XP and 2003 with additional information about the previous vulnerability is located here:
A security patch for Windows NT, 2000, XP and 2003 with additional information about the latest vulnerability, which includes the previous update, is located here:
Fourth
Scan your computer with the latest virus definitions. If your computer has already been attacked, any number of problems can arise from this:
A new user account could have been created with administrator privileges.
A trojan or worm could have been installed to attempt infection with other malicious code either to the local system or internet connected computers.
Exploits have already been circulating around the internet to include:
A trojan called "W32.Blaster.Worm" that executes "msblast.exe": Symantec Information
A worm called "Backdoor.IRC.Cirebot" that attempts to use a TFTP server to cause hate and discontent: Symantec Information
A worm called "w32.sasser.worm": Symantec Information
However, just because you have been hit with an attack against the Operating System vulnerability does not mean that you are automatically infected with anything.
Fifth
As far as I feel, if a system has been compromised, the only way to go would be to unplug the computer from the network and completely format the hard drives, turn off the computer, and then fire it back up and reinstall Windows clean. As far as I am concerned, that is the only way to ensure that all malicious code has been removed from the system in question. Understandably, this solution is not possible for everyone. However, if you patch the security hole and scan your computer for viruses, you should be closer to a safe system again.
---------------------------------------------------- NOTE: Please understand that the Fifth Step directly above is the writer's personal opinion. Sometimes it is just not practical or desirable to clean install once again. One must weigh what the virus was, what it is capable of doing or may have already done, and the success rate of a thorough cleanup.
Last edited by goddez1; 23rd November 2004 at 13:03.
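Added example (not from the thread or any poster): the quoted write-up notes that the author saw the vulnerable ports being scanned "every two to five minutes" in the firewall log, and lists the ports to block (135, 137, 138, 139, 445, 593). This Python script reads Windows XP ICF-style log lines, picks out dropped attempts on those ports, and reports per source how many hits landed and the seconds between them, so a user can recognise the same pattern in their own pfirewall.log. The field order is assumed from the ICF W3C header, and the addresses and timestamps are constructed.

```python
"""Spot repeated inbound probes of the RPC/SMB ports in XP firewall log lines."""
from collections import defaultdict
from datetime import datetime

# Ports the write-up says to block at the firewall (TCP and UDP).
RPC_SMB_PORTS = {135, 137, 138, 139, 445, 593}

# Constructed sample lines; layout assumed from the ICF log header
# (date time action protocol src-ip dst-ip src-port dst-port size tcpflags).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2004-11-23 10:00:05 DROP TCP 192.0.2.77 192.168.1.10 3127 135 48 S
2004-11-23 10:00:05 DROP TCP 192.0.2.77 192.168.1.10 3128 445 48 S
2004-11-23 10:03:41 DROP TCP 192.0.2.77 192.168.1.10 3410 135 48 S
2004-11-23 10:07:12 DROP TCP 192.0.2.77 192.168.1.10 3592 445 48 S
2004-11-23 10:02:30 DROP TCP 198.51.100.9 192.168.1.10 4001 80 48 S
2004-11-23 10:04:00 OPEN TCP 192.168.1.10 203.0.113.5 1055 80 - -
"""


def parse_icf_log(text):
    """Return (timestamp, action, protocol, src_ip, dst_ip, dst_port) per data line."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the W3C header lines
        f = line.split()
        if len(f) < 8:
            continue  # malformed or truncated line
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        try:
            dport = int(f[7])
        except ValueError:
            continue  # ICMP lines carry "-" instead of a port
        events.append((ts, f[2], f[3], f[4], f[5], dport))
    return events


def summarize_probes(text, ports=RPC_SMB_PORTS):
    """Per source IP: dropped attempts on the listed ports, ports touched,
    and the seconds between successive attempt times (the scan cadence)."""
    by_src = defaultdict(list)
    for ts, action, proto, src, _dst, dport in parse_icf_log(text):
        if action == "DROP" and proto in ("TCP", "UDP") and dport in ports:
            by_src[src].append((ts, dport))
    report = {}
    for src, hits in by_src.items():
        times = sorted({ts for ts, _ in hits})
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[src] = {"attempts": len(hits),
                       "ports": sorted({p for _, p in hits}),
                       "gaps_s": gaps}
    return report


if __name__ == "__main__":
    for src, info in summarize_probes(SAMPLE_LOG).items():
        print(src, info)
```

Point the script at a real pfirewall.log instead of SAMPLE_LOG to see which sources keep retrying; a source with several attempts a few minutes apart on these ports is the probing the write-up describes, and the blocked entries confirm the firewall is doing its job.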
I know you're getting a lot of advice on which tool to run and clean your computer with. Many of these only address or clean one particular virus. This lsass.exe shutdown countdown has been attributed to a few different viruses. Not knowing which particular one you may have, there is a stand-alone cleaner that you can download that covers all of them and then some. McAfee puts it out. See: Stinger http://vil.nai.com/vil/stinger/
If you followed and read the directions given for disabling that countdown/shutdown you should have plenty of time to download the microsoft update which fixes this problem that allowed you to get infected in the first place and run the Cleanup StandAlone Tool "Stinger".
NOTE: Sometimes you may have to try that command to stop the countdown more than once. It's a timing thing, if you'll forgive the pun. It may help to immediately hit your winkey (the one with the flag on it) in combination with the letter R. This will immediately open the runline Type-in.
After doing these you should be clean, but running a couple of on-line scans can't hurt either. Then you need to take steps to secure your system with all Microsoft Security updates available and appropriate for your system, particularly the ones marked "Vital". Get a good antivirus program updated with the latest dat files and use it. Get a good firewall going, either XP's or a 3rd-party one. Plenty of board discussions on all these topics can be found in the archives.
I'm not real sure on d:\ or what you are referring to when you state it is a recovery directory....SO... I'm not going to comment on the D: recovery directory other than:
If this is an OEM partition with your Restore data, leave it be. If it's a backup image (you made yourself) such as one made by a Ghosting Program and you think this where your problem began, I'd get rid of it. I personally tend to think you are just one of those unlucky Users who had the misfortune to get nailed by this virus before you had time to update via Microsoft. It happens. Some seemed to get nailed right from the get-go when connecting to the Net and going on line.
---------------
I am downloading Stinger as we speak. This tool again, as I see but was not aware of, has been updated since the last time I downloaded it. It includes even more viruses. It is small enough to keep on a floppy (930kb) and oh so handy to have on hand. Make note of the additional link and suggestion for disabling "System Restore" before running this and re-enabling it afterwards. All previous restore points will be removed and a new one will be made. Since this is a clean install that should not be a problem; it shouldn't be a problem in any case, as the risk of older restore points re-infecting your computer is the biggest concern.
Last edited by goddez1; 23rd November 2004 at 16:16.
Here is where I'm at. I go to system recovery in F-10, I do a fresh format, and when I get it all loaded I have the same problem: when I go on the internet the lsass.exe error comes up and shuts me down in 60 seconds. I put shutdown -a in Run and it does no good, it still shuts me down. I ran the virus remover you sent me, stinger.exe: no virus found. Now, the first time I ran stinger.exe, before I restored Win XP, it found 2 viruses in the Windows system32. Another thing I don't understand: when I do a format or system recovery, when I get back to Windows I have some if not all the programs I had before I did a format. I thought it would wipe it clean. It's an HP 512 W with Windows XP Home Edition.
Thank you
Last edited by bobm735; 24th November 2004 at 11:19.
AH ha,
I think I have another possible reason for your current situation, and it may not be solely viral. Did you ever download the patch from HP which is supposed to be applied either before or after an SP1 update? See this: http://support.microsoft.com/default...;en-us;Q329450
SYMPTOMS
If you upgrade a Hewlett-Packard Pavilion or a Compaq Presario 6300-series desktop computer that is running Windows XP to Windows XP Service Pack 1 (SP1), and you then perform a non-destructive System Recovery operation, any of the following symptoms might occur:
• When the System Recovery operation completes and the computer restarts, you receive an error message that is similar to:
File needed
The file c_20127.nls on Windows XP Home Edition CD-ROM is needed.
Type the path where the file is located, and then click OK.
• When the System Recovery operation completes and the computer restarts, you receive the following error message, and the computer continually restarts:
Lsass.exe - System Error.
• When you log on to Windows, your computer runs very slowly.
• If you try to reinstall Windows XP SP1, the installation is unsuccessful.
Note For Presario 6300-series computers, this information applies only to computers sold in the United States.
CAUSE
This issue occurs because of the way in which the non-destructive System Recovery operation restores the Windows XP files.
When you perform a System Recovery operation with the format option (a destructive system recovery), the System Recovery operation erases the contents of the partition on which Windows is installed and then restores the original operating system files. However, if you perform a non-destructive System Recovery operation, the Windows XP files, including those files that have been modified by SP1, are replaced with the original Windows XP files, but all other files on the hard disk remain unchanged. This causes mismatched Windows XP files to remain on the hard disk, and might cause the issues that are described in the "Symptoms" section of this article.
RESOLUTION
To resolve this incompatibility on affected Pavilion and Presario computers, obtain and install the SP1RcvryFix.exe patch from Hewlett-Packard or Compaq. To obtain this patch and the instructions about how to install it, visit the following Hewlett-Packard Web site: http://h20015.www2.hp.com/hub_search...00007684&cc=us
Note that you can install this patch before or after you install Windows XP SP1 to correct the incompatibility problem with the System Recovery tool. This patch must be installed before you perform a non-destructive recovery and can be installed either before or after the installation of SP1 for Windows XP. If you perform a non-destructive recovery before you install the update, you can use this patch to recover your system without performing a destructive recovery. To do this, use the appropriate instructions on the Compaq and Hewlett-Packard Web sites.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
MORE INFORMATION
If you use a Hewlett-Packard Pavilion or Compaq Presario 6300-series desktop computer and you visit the Microsoft Windows Update Web site (http://v4.windowsupdate.microsoft.com/en/default.asp), you may receive the following message:
Alert: Windows Update has detected that your computer is a Hewlett-Packard Pavilion desktop or Compaq Presario desktop PC with Windows XP pre-installed. After you install Windows XP Service Pack 1, you might encounter an issue with the PC System Recovery utility. If you use this utility to perform a non-destructive system recovery, you might be unable to start your computer. Recovering from this error requires a full destructive system recovery, which results in the loss of all user data. Hewlett-Packard will release an update to the PC System Recovery utility soon. When you install that update, this alert will no longer appear in Windows Update. Please refer to Microsoft Knowledge Base (KB) Article Q329450 for additional information.
This warning message is changed or removed when an update to the Hewlett-Packard and Compaq System Recovery programs becomes available.
----------------
Now the second question I would ask is are you doing a nondestructive recovery or destructive recovery?
If I'm understanding this correctly a nondestructive recovery will not work and a destructive or full factory restore will. I'm still a little cloudy on this but I will go to HP and see what I can dig up.
Now off to Hp to find out what to do if you have not installed the hp-patch and attempted a recovery (which apparently is botched) and are stuck in the lsass.exe reboot loop. Need to also find out what your alternatives are at this point.
I still wonder why that shutdown -a command hasn't worked. Humph...
Last edited by goddez1; 24th November 2004 at 13:21.
I've got to say, from what little bit of time I've spent in the files, for your model they do say that "this affects the nondestructive recovery and if that fails your only alternative is the destructive". It appears you're doing/have done that. Oh well....downloading and installing the patch can't leave you any worse off.
----------
Oops.... Hi suferdude2,
You zipped in while I was a' typin'. Your link is good while it shows recovery walkthrus. My link is specific to his model. eny meany...