-
Isass.exe
Hi all, I just did a clean install of Windows 2000, and after about 15 minutes of use I get a pop-up that basically says: Your PC will be restarted after 60 secs. Please close and save anything you have open. Then it says something like it was authorised by NT Authority System. Then it gives the location: C:\WINNT\system32\Isass.exe. What the heck is this?
-
Your system is infected with the Sasser worm (it doesn't take long if you connect an unpatched system (such as a clean install) to the Internet without running a firewall).
Look here... http://www.microsoft.com/security/incident/sasser.asp
Specific Windows 2000 instructions: http://www.microsoft.com/security/in..._print2000.asp
-
I went to the site and it said I wasn't infected. Last time it happened I was playing Battlefield, which was about 15 minutes ago. I was also looking up some things on the internet about it. I am not sure if it is Lsass.exe or Isass.exe; which one of these is caused by the Sasser worm?
-
When I go to Task Manager I see lsass.exe, that's with an L. PID number is 220. CPU is 00 and mem usage is 660k.
-
There is no valid Isass.exe process. What you are seeing is a lower case L. LSASS or lsass is the Local Security Authentication Server.
Sasser is only the most recent exploit that shows these symptoms. Blaster and Agobot/Gaobot do also. Run these scanners/removal tools and see if either of these is the problem. Or, try Avert Stinger 2.2.7 which recognizes a few others with similar symptoms.
W32.Blaster.Worm Removal Tool
http://securityresponse.symantec.com...oval.tool.html
W32.Gaobot Removal Tool
http://securityresponse.symantec.com...oval.tool.html
Avert Stinger 2.2.7
http://vil.nai.com/vil/averttools.asp
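
The capital I versus lower-case L question above can be settled on the actual name string and its folder rather than by eye. This is an added example, not part of the original thread: Python code that classifies process image paths, where the confusable-character map, the sample list and the function names are assumptions made for illustration.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
# Assumed default: the Windows 2000 system directory shown in the thread.
SYSTEM_DIR = r"C:\WINNT\system32"
# Minimal, assumed map of characters that render like others in many fonts.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})


def skeleton(name):
    # Fold confusables BEFORE lowercasing so capital I becomes l, not i.
    return name.translate(CONFUSABLE).lower()


def classify(image_path, system_dir=SYSTEM_DIR):
    """Return 'ok', 'wrong-path', 'lookalike' or 'unrelated' for one process image."""
    folder, name = ntpath.split(image_path)
    if name.lower() == LEGIT_NAME:
        # Real name: only trusted when it runs from the system directory.
        same_dir = ntpath.normcase(folder) == ntpath.normcase(system_dir)
        return "ok" if same_dir else "wrong-path"
    if skeleton(name) == LEGIT_NAME:
        # Different characters that merely look like lsass.exe on screen.
        return "lookalike"
    return "unrelated"


def scan(image_paths, system_dir=SYSTEM_DIR):
    """Return (path, verdict) for every entry that needs a closer look."""
    results = [(p, classify(p, system_dir)) for p in image_paths]
    return [(p, v) for p, v in results if v in ("wrong-path", "lookalike")]


# Constructed process list for illustration (not taken from the thread).
SAMPLE = [
    r"C:\WINNT\system32\lsass.exe",
    r"C:\WINNT\system32\Isass.exe",
    r"C:\WINNT\Temp\lsass.exe",
    r"C:\WINNT\system32\services.exe",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(verdict, path)
```
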
-
OK, the first and third tools both found a form of the Blaster worm. That worm sure does move fast. Didn't even have the PC on the net but long enough to get Windows updates. I haven't had any restarts since last night. Thanks for the help; it was getting real annoying.
-
Make sure you're using a firewall with an updated antivirus program and the Microsoft patch or it'll just keep coming back.
The Microsoft patch for Blaster.
http://support.microsoft.com/default.aspx?kbid=824146