Isass.exe terminated unexpectedly - then shutdown 2

[multiplex77]

Hi,

I just bought a PC that was assembled in the shop. 1.2G Celeron on 256MB RAM running W2K Pro.

Lately I've been getting this message popping up on my screen mid-way while I'm working:

"The system process C:\WINNT\System32\Isass.exe terminated unexpectedly with status code 128. The system will now shut down and restart."

There's a 1-min timer after which it restarts automatically. What could be the reason for this?

I notice another prob possibly related to this. Whenever I attempt to access the Internet (ie opening IE or my email client, Eudora) before I have dialed up to my ADSL, often IE will give a message that an error occurred and it has to restart (IE). Eudora also sometimes shuts down unexpectedly when I try to check mail before I've dialed up.

Has anyone encountered something like this? Would appreciate any advice. Thanks!

 

[bcastner]

Unless you have mis-spelled things, Isass.exe is not a windows file, but a well known trojan.

I am not sure how long your windows internet connection will be stable, if possible, download Hijack This and let it remove the run key from your registry for Isass.exe:

http://mjc1.com/mirror/hjt/

It is not a big file. Disconnect then from the internet and boot to Safe Mode. Run Hijack This and look for this key entry: O4 - HKLM\..\Run: [Services] Isass.exe

Check the box next to it, and let Hijack remove the entry.

Now boot to normal mode and:

. Follow every step in faq608-4650
. Head to Windows Update to make sure you are current on all Security Hotfixes;
. Add a firewall. There are many excellent freeware firewalls from Zone Alarm, Tiny, Kerio, Sygate and others. Just add something.

Best,
Bill Castner

 

[Hondy]

Dude, you have this virus

http://vil.nai.com/vil/content/v_125007.htm

The link explains all

 

[BionicJohn]

Hi, multiplex77,

Yes, it's a real pain.

I've just experienced it. Stinger, Norton AV and the Symantec Removal tool all reported the system clean. Also, File and Folder search did not locate AVSERVE.EXE, AVSERVE.EXE or *_up.exe.

However the download from Microsoft Security Bulletin MS04-011 -

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

- did clean the system. I had just enough time to download and install the Security Update before the system re-booted.

HTH.

Iechyd da! John
Glannau Mersi, Lloegr.

 

[bcastner]

BigJohnD,

You might be interested in this advisory I posted elsewhere today: thread779-832911

 

[BionicJohn]

Thanks, Bill. That's really useful. I rarely look in the WinXP forum so wouldn't have seen your message otherwise. I did find some links in the Virus/Spyware discussion Forum about the W32.Sasser Worm.

The worm was on a friend's PC - he has a young teenage son who's a heavy Kazaa user, so we suspect that was how the infection arrived. It was rebooting after about 10 minutes.

Needless to say, Kazaa and the associated P2P processes are now fully disabled.

Iechyd da! John
Glannau Mersi, Lloegr.

 

[bcastner]

Add a firewall!

This is actually a worm that comes in through open ports 135 or 445.

 

[BionicJohn]

Hi, Bill,

> Add a firewall!

I assumed that their ADSL router with NAT would be sufficiently secure - cleary not.

I'll go and check tomorrow, install ZoneAlarm and run Shields Up and the rest from Gibson Research -

http://grc.com/default.htm

Many thanks.

Iechyd da! John
Glannau Mersi, Lloegr.

 

[multiplex77]

Thanks all. Yes it was a Trojan Horse. After I installed the Microsoft update, all is well now.

Thanks for the advice!

 

[bcastner]

Good for you. And add a firewall!