avserve.exe big problem - possible unknown virus

Posted on 2004-05-01
Last Modified: 2010-04-11
Well before I rant I must say that I am an IT professional and my computer is protected with a licensed version of Norton 2004 - updated daily.

Today I found this executable called avserve.exe in the Windows folder - whenever it ran, my internet connection would not go, i.e. I would be connected but IE would give me an error saying it cannot open any pages.

Also in my task manager I found random numeric exe's running, e.g. 3683_up.exe, 21986_up.exe

Files like these would cause the same internet problems.

Anyone know what this virus is?
Question by:clinthammer

Author Comment

ID: 10966458
Note: am running Windows xp pro sp1
LVL 12

Expert Comment

ID: 10966578

Download HijackThis and install it in a folder of its own - something like C:\HijackThis or C:\Program Files\HJT - not in a temp folder or on your Desktop.
Close all browser windows, run it, and post a log file here.
Download it from:
Good luck!

Author Comment

ID: 10966704

Author Comment

ID: 10966714

Author Comment

ID: 10966830

Expert Comment

ID: 10968633
Let us know if you have any more trouble. For now, I am going to give you a list of tools originally posted by Sirbounty with some minor modifications.

Check for Spyware/Adware:
  Spybot-S&D 1.3 rc4 -->
  Ad-Aware 6 -->
  HijackThis -->
  Web Shredder -->

Check for Viruses with online scanners:
  Norton/Symantec -->
  Trend Micro -->
  Panda ActiveScan -->
  McAfee Security -->
  Individual File Scanner -->


Expert Comment

ID: 10969051
Please read this

This is the latest worm, discovered on 4/30/04, and McAfee has files which you can download from the following link and run on your computer to get rid of that worm as well as some other worms.

Now since you have Win XP, you have to take extra care which is described in that link.

All the best !!


Author Comment

ID: 10970360
I fixed it myself - before McAfee and Norton gave their fixes :) - that's what 2 hrs of work did. I will never reformat - I'd rather die than let a virus control my PC :)


Expert Comment

ID: 10978883
avserve.exe is a sasser variant

I can see we're in for a big one here, experts :)

Expert Comment

ID: 10982806
Well, I probably screwed everything up now but I hadn't read this before having the problem and attempting a fix.  I just went into the task manager and told it to end the process.  That allowed me to get the computer working like it should.  I then searched for the avserve.exe on the hard drives and deleted them.  My computer seems to work ok now but I'm concerned that I might have gone about it in the wrong way.  Did a SpyBot check and found 38 spywares.  It cleaned all of them except a "TSCASH".  Can't seem to get that one off the computer.  If I've made any major mistakes, please let me know.  Hope everyone has good luck on getting rid of this nasty little worm.

Author Comment

ID: 10983712
No you didn't screw anything up.


Ending avserve.exe will not fix the problem. The avserve.exe is also an entry in the registry. Even if you delete this avserve.exe file from hard drive and registry, it will come back unless you have the patch from Microsoft.

Also note that avserve.exe creates random exe files such as 123_up.exe. All the exe files it creates have "_up" as part of their name, i.e. <number>_up.exe.

You need:
1. The patch from Microsoft
2. update your virus definition files.

What antivirus program do you employ on your computer?

Trust me deleting avserve.exe without the patch is fruitless. It will come back over and over (it did to me for 2 hrs) and bite you in the ass :(

Expert Comment

ID: 10985335
I appreciate your reply Clinthammer.  I was using Symantec Norton Systemworks but it kept saying my hard drives were 90+% fragmented when they weren't.  I removed that and just went to AVG virus protection.  I will make sure the MS patch is installed just as soon as I get it back to the office and my internet connection.  Until then, I will do a search for "_up.exe" files.

How do you feel about the "SystemSuite" programs as a replacement for the Norton Systemworks?  I've read that it actually is a better program but being retired and always a day late and a dollar short, I'm concerned that it's just hype and might not work as well as what I have now.

Again, thanks for the information and I will act on it immediately.

Tom McCormick

Author Comment

ID: 10985445
Well, I trust Norton - it wasn't their fault they didn't pick up the virus... No other sites - McAfee, AVG, NOD32, Panda Software, PC-cillin - picked it up either...

It was just my luck (bad luck rather) that I got it before any AV site reported it. Two hours after my unsuccessful attempts, the virus was reported...

Author Comment

ID: 10985454
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup:

CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.


A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs. The following window may be displayed:

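As an added example (not code from the thread, from McAfee or from any other vendor), here is a Python check that looks for the indicators the comment above lists: the avserve.exe Run-key value, the <number>_up.exe copies, C:\win.log, the FTP/remote-shell ports 5554 and 9996, and a run of consecutive listening ports starting at 1068. The registry entries, file paths and netstat lines it scans are constructed sample data, so it runs offline; on a real machine you would feed it the output of the Run key, a directory listing and `netstat -an`.

```python
import re

# Indicators as described in the thread above (Sasser / avserve.exe).
WORM_BINARY = "avserve.exe"
WORM_PORTS = {5554: "FTP server", 9996: "remote shell"}
SCAN_PORT_START = 1068  # the scanner listens on successive ports from here
COPY_NAME_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def check_run_entries(run_entries):
    """run_entries: {value name: command} read from the CurrentVersion\\Run key."""
    return [f"Run key '{n}' = {c}" for n, c in run_entries.items()
            if n.lower() == WORM_BINARY or c.lower().endswith("\\" + WORM_BINARY)]

def check_files(paths):
    """paths: full Windows paths; flags avserve.exe, <digits>_up.exe and C:\\win.log."""
    hits = []
    for p in paths:
        base = p.rsplit("\\", 1)[-1].lower()
        if base == WORM_BINARY or COPY_NAME_RE.match(base) or p.lower() == "c:\\win.log":
            hits.append(f"Suspicious file {p}")
    return hits

def check_netstat(lines):
    """lines: 'netstat -an' output; flags the backdoor ports and the scanner's port run."""
    listening = {int(m.group(1)) for m in map(NETSTAT_RE.match, lines) if m}
    hits = [f"Port {p} LISTENING ({why})" for p, why in WORM_PORTS.items() if p in listening]
    run = 0
    while SCAN_PORT_START + run in listening:
        run += 1
    if run >= 3:  # three or more consecutive listeners from 1068 upward
        hits.append(f"{run} consecutive listening ports from {SCAN_PORT_START}")
    return hits

def scan(run_entries, paths, netstat_lines):
    """Combine the three checks; an empty list means none of the indicators were seen."""
    return check_run_entries(run_entries) + check_files(paths) + check_netstat(netstat_lines)

# Constructed sample data modelled on the symptoms reported in this thread.
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\avserve.exe", r"C:\WINDOWS\system32\3683_up.exe",
                r"C:\WINDOWS\system32\21986_up.exe", r"C:\win.log", r"C:\WINDOWS\notepad.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:1068    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:1069    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:1070    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:9996    0.0.0.0:0    LISTENING",
]
```

Any hit is only an indicator; as the thread notes, removing the files without the Microsoft patch and updated definitions just lets the worm come back.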

Accepted Solution

Netminder earned 0 total points
ID: 11037822
User resolved; closed, 500 points refunded.

Site Admin

Expert Comment

ID: 11065858
If you apply the following three security measures to your computer, you should be ok:

1. Keep updated antivirus software on your computer with "Autoprotect" enabled.

2. Very frequently check for and apply critical updates to your O/S.

3. Use a software and/or hardware firewall.

This should be considered as a MINIMUM security measure against Hackers and viruses.

Expert Comment

ID: 11110623

The worm operates as described by clinthammer.  I have removed it from my PC using the instructions at:

It deleted 84 files and 1 registry entry.


Good Luck
