isass.exe error message

I did a fresh restore of windows xp home edition and when I went on the net I keep getting this error message .

C:\WINDOWS\system32\lsass.exe then it says it is going to shutdown in 60 seconds and it and it reboots my computer .

thank you

 

Ut Oh....virus suspect Sasser or some form of such (like MX Blaster). Boy this critter doesn't wait a second before grabbing some users, does it? See:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20958211.html

I know this board also has excellent references to this error and the removal but as time seems to be of the essence and google came up with a hit in a nano second with all the to-dos so nicely included, including the links. I hope the security forum gurus will forgive me for doing this.

You may want to run into the security forum and post this up for friendly hand holding and walk thrus while you try to clean this up, if this trully is the problem.

 

Yes, PC got the sasser virus, if the "system shutdown "screen appears, you should click " start> run" and type in "shutdown -a" to abort system shutdown in 60 seconds. and do windows update. Good luck.

 

isass.exe

trouble is can't stay online long enough to do a window up date isass.exe comes up and shut me down in 60 seconds.

 

Like herry1314 said, when you get the message, click on Start, click on Run, key in

Code:

shutdown -a

and click OK. That will abort the shutdown. Then you can fix things.

However, you need to get the security patches that block Sasser/Blaster/etc. burned to CD since they really need to go on any time you do a fresh OS install and before you ever hit the internet.

Better yet, get SP2 on CD since it blocks those and quite a few other baddies as well as putting up a firewall so you aren't bitten when you first go on the net.

 

Links are in here:
http://www.blackviper.com/AskBV/tech10.htm

----------------------------------------------------
NOTE: Please understand that that Fifth Step ^directly above is the writers personal opinion. Sometimes it is just not practical or desirable to clean install once again. One must weigh what the virus was, what it is capable of doing or may have already done and the success rate of a thorough cleanup.

 

format

after I format C: what do I do with D: recoverly drive do I have to format that drive to get rid of isass.exe virus?


thank you

 

Run The patch in link donwload from here

For More informations Here

Some time Shutdown -a or /a not working


GL

 

Hi Bob,

I know your getting a lot of advice on which tool to run and clean your computer with. Many of these only address or clean one particular virus. This lsass.exe shutdown countdown has been attributed to a few different virus'. Not knowing which particular one you may have there is a stand alone cleaner that you can download that covers all of them and then some. Mcaffee puts it out, See:
Stinger
http://vil.nai.com/vil/stinger/

If you followed and read the directions given for disabling that countdown/shutdown you should have plenty of time to download the microsoft update which fixes this problem that allowed you to get infected in the first place and run the Cleanup StandAlone Tool "Stinger ".
NOTE: Sometimes you may have to try that command to stop the countdown more than once. It's a timing thing, if you'll forgive the pun. It may help to immediately hit your winkey (the one with the flag on it) in combination with the letter R. This will immediately open the runline Type-in.

After doing these you should be clean but running a couple of on-line scans can't hurt either. Then you need to takes steps to secure your system with all Microsoft Security updates available and appropriate for your system, particularly the ones marked "Vital ". Get a good antivirus program updated with latest dat files and use it. Get a good Firewall going. Either xp's or 3rd party. Plenty of board discussions on all these topics can be found in the archives.

I'm not real sure on d:\ or what you are referring to when you state it is a recovery directory....SO... I'm not going to comment on on the D: recovery directory other than:
If this is an OEM partition with your Restore data, leave it be. If it's a backup image (you made yourself) such as one made by a Ghosting Program and you think this where your problem began, I'd get rid of it. I personally tend to think you are just one of those unlucky Users who had the misfortune to get nailed by this virus before you had time to update via Microsoft. It happens. Some seemed to get nailed right from the get-go when connecting to the Net and going on line.

---------------
I am downloading Stinger as we speak. This tool again, as I see but was not aware of, has been updated since the last time I downloaded it. It includes even more virus'. It is small enough to keep on a floppy 930kb and oh so handy to have on hand. Make note on the additional link and suggestion for disabling "System restore" before running this and reenabling afterwards. All previous restore points will removed and a new one will be made. Since this is a clean install that should not be a problem, shouldn't be a problem in any case as risk of older restore points re-enfecting your computer is the biggest concern.

 

What's up bobm735,
Just checking up on you? How are you coming along on this?

 

format

Hi Ann

Here is where I'm at I go to system recovery in F-10 I do a fresh format and when I get it all loaded I have the same problem when I go on the internet isass.exe error come's up and shut me down in 60 seconds I put shutdown -a in run and doe's no good still shuts me down I run the virus remover you sent me the stringer.exe no virus found . Now the first time I run stinger .exe before I restored win xp I ran stinger.exe and it found 2 viruses in the windowns system32. Another thing I don't understand when I do a format or system recovery when I get back to windows I have some if not all the programs I had before I did a format I thought it would wipe it clean . Its a HP 512 W with windows xp home edition .

Thank you

 

AH ha,
I think I have another possible reason for your current situation and it is may not be solely viral. Did you ever download the patch from hp which is suppose to be applied either before or after an sp1 update. See this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329450

SYMPTOMS
If you upgrade a Hewlett-Packard Pavilion or a Compaq Presario 6300-series desktop computer that is running Windows XP to Windows XP Service Pack 1 (SP1), and you then perform a non-destructive System Recovery operation, any of the following symptoms might occur: "¢ When the System Recovery operation completes and the computer restarts, you receive an error message that is similar to:
File needed

The file c_20127.nls on Windows XP Home Edition CD-ROM is needed.

Type the path where the file is located, and then click OK.
• When the System Recovery operation completes and the computer restarts, you receive the following error message, and the computer continually restarts:
Lsass.exe - System Error.
• When you log on to Windows, your computer runs very slowly.
• If you try to reinstall Windows XP SP1, the installation is unsuccessful.
Note For Presario 6300-series computers, this information applies only to computers sold in the United States.
CAUSE
This issue occurs because of the way in which the non-destructive System Recovery operation restores the Windows XP files.

When you perform a System Recovery operation with the format option (a destructive system recovery), the System Recovery operation erases the contents of the partition on which Windows is installed and then restores the original operating system files. However, if you perform a non-destructive System Recovery operation, the Windows XP files, including those files that have been modified by SP1, are replaced with the original Windows XP files, but all other files on the hard disk remain unchanged. This causes mismatched Windows XP files to remain on the hard disk, and might cause the issues that are described in the "Symptoms" section of this article.
RESOLUTION
To resolve this incompatibility on affected Pavilion and Presario computers, obtain and install the SP1RcvryFix.exe patch from Hewlett-Packard or Compaq. To obtain this patch and the instructions about how to install it, visit the following Hewlett-Packard Web site:
http://h20015.www2.hp.com/hub_search/document.jhtml?lc=en&docName=c00007684&cc=us
Note that you can install this patch before or after you install Windows XP SP1 to correct the incompatibility problem with the System Recovery tool. This patch must be installed before you perform a non-destructive recovery and can be installed either before or after the installation of SP1 for Windows XP. If you perform a non-destructive recovery before you install the update, you can use this patch to recover your system without performing a destructive recovery. To do this, use the appropriate instructions on the Compaq and Hewlett-Packard Web sites.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

MORE INFORMATION
If you use a Hewlett-Packard Pavilion or Compaq Presario 6300-series desktop computer and you visit the Microsoft Windows Update Web site (http://v4.windowsupdate.microsoft.com/en/default.asp), you may receive the following message:
Alert: Windows Update has detected that your computer is a Hewlett-Packard Pavilion desktop or Compaq Presario desktop PC with Windows XP pre-installed. After you install Windows XP Service Pack 1, you might encounter an issue with the PC System Recovery utility. If you use this utility to perform a non-destructive system recovery, you might be unable to start your computer. Recovering from this error requires a full destructive system recovery, which results in the loss of all user data. Hewlett-Packard will release an update to the PC System Recovery utility soon. When you install that update, this alert will no longer appear in Windows Update. Please refer to Microsoft Knowledge Base (KB) Article Q329450 for additional information.
This warning message is changed or removed when an update to the Hewlett-Packard and Compaq System Recovery programs becomes available.

----------------
Now the second question I would ask is are you doing a nondestructive recovery or destructive recovery?

If I'm understanding this correctly a nondestructive recovery will not work and a destructive or full factory restore will. I'm still a little cloudy on this but I will go to HP and see what I can dig up.

Now off to Hp to find out what to do if you have not installed the hp-patch and attempted a recovery (which apparently is botched) and are stuck in the lsass.exe reboot loop. Need to also find out what your alternatives are at this point.

I still wonder why that shutdown -a command hasn't worked. Humph...

 

System recovery

destructive recovery


I can't get to the site to get the patch any place else I can get the fix?

http://h20015.www2.hp.com/hub_search/document.jhtml?lc=en&docName=c00007684&cc=us

 

http://search.hp.com/query.html?hpvc=US+-+English&submit.x=10&submit.y=4&qt=SP1RcvryFix.exe+&la=en

Try that link...Or use the one Goddez1 is fixin' to post.

 

try this:
http://h10025.www1.hp.com/ewfrf/wc/...8&product=83499&dlc=en&softwareitem=pv-9155-1

I've got to say, from what little bit time I've spent in the files, for your model they do say that "this effects the nondestructive recovery and if that fails your only alternative is the destructive ". It appears your doing/done that. Oh well....downloading and installing the patch can't leave you any worse off.

----------
Opps.... Hi suferdude2,
You zipped in while I was a' typin'. Your link is good while it shows recovery walkthrus. My link is specific to his model. eny meany...

===============
Might as well include this since it also has quite a few ms security updates as well:
http://h10025.www1.hp.com/ewfrf/wc/softwareList?dlc=en&lc=en&product=83499&lang=en&cc=us&os=228

Shoot... heres the support front door to your model:
http://h10025.www1.hp.com/ewfrf/wc/solveCategory?dlc=en&lc=en&product=83499&lang=en&cc=us&

 

patch for Hp fix

I found and downloaded patch for fix on isass.exe I'll let you no how I make out . thank you

 

I got my fingers and toes crossed for you....

Not questioning your ability to know the difference between nondestructive or full(destruction restore) but reforcement or review can't hurt:
http://h10025.www1.hp.com/ewfrf/wc/...&product=83499&lang=en&cc=us&docname=bph07145

Since this may eventually boil down to ordering recovery disks (I so hope not)that link is also in the above. Second option is an Hp call to see if they got a magic trick for stopping that lsass.exe reboot loop, since the shutdown switch doesn't work....still wonder why..

 

patch for Hp fix

Hi all went well put patch on updated norton virus put sp2 on so everything went well . Thank you for your help.
Thank you

 

Good news Bob. Thanks for the feedback.

May you never get a problem that Ann can't find a patch for. You'll be in deep yogurt!

 

Oh happy day's, thank goodness and what a relief. I was so worried this was not going to have a happy ending. I hope you don't mind if I respond to your emails in this thread as this post will pretty much say the same things. As for the "Thank You" you are most welcome and thank you back at ya' for hanging in there and keeping your post updated. As for anything in this post, it remains in tact. Others use the data base of help.net files for references to find fixes for similar problems. Keeping the running threads of the steps taken and progress, good or bad, is how board members share experiences and problem solving that hopefully lead to a positive resolution. It may help to save another further down the road.

Once again thanks for the update and your most welcome....

-------------
To suferdude2,
Thank goodness and my biggest "thank you's" go to those gifted enough to figure out what the initial problem is and write those patches. It sure makes the fixins' easier. Well this has been fun but the deed is done....

So bye for now....

-----Ignore the below. This is for the Archives.-----------
Since I still have a notepad with rabbits I had yet to pull out of the hat, I thought I would go ahead and throw these in here. No guarantee that any of the below will work but I thought they'd be worth a shot when the standard recommended didn't or don't.......

If shutdown -a doesn't work maybe a couple of the other shutdown.exe switches will so these are possibilities......

*shutdown -i This will bring up remote shutdown dialog box.
*Add your computer name (found by right clicking on My Computer and going to properties).
*Then change the amount of seconds to 9999 to give you time to do the updates and scans.
OR USE THE SWITCH BELOW
use the shutdown -t xx seconds, xx being an integer of # of seconds. Example such as shutdown shutdown -t 7200 in theory sets shutdown to 2 hours.
-----------------------
To figure out if this is truly related to a virus:
Do a file find to see if any of those virus files exist on your computer.
------------------------
Last ditch effort is to replace these two files:
extract lsass.exe
extract shutdown.exe
--------------------------
Log in on the official administrator account sometimes this works out. As the account may not be effected by what ails the other.