

avserve.exe big problem - possible unknown virus

Posted on 2004-05-01
Medium Priority
Last Modified: 2010-04-11
Well before I rant I must say that I am an IT professional and my computer is protected with a licensed version of Norton 2004 - updated daily.

Today I found this executable called avserve.exe in the Windows folder - whenever it ran - my internet connection would not go, i.e. I would be connected but IE would give me an error saying it cannot open any pages.

Also in my task manager I found random numeric exe's running, e.g. 3683_up.exe 21986_up.exe

Files like these would cause the same internet problems..

Anyone know what this virus is?
Question by:clinthammer

Author Comment

ID: 10966458
Note: am running Windows xp pro sp1

Expert Comment

ID: 10966578

Download HijackThis and install it in a folder of its own - something like C:\HijackThis or C:\Program Files\HJT - not in a temp file or on your Desktop.
Close all browser windows, run it, and post a log file here.
Download it from:
Good luck!

Author Comment

ID: 10966704


Expert Comment

ID: 10968633
Let us know if you have any more trouble. For now, I am going to give you a list of tools originally posted by Sirbounty with some minor modifications.

Check for Spyware/Adware:
  Spybot-S&D 1.3 rc4 -->
  Ad-Aware 6 -->
  HijackThis -->
  Web Shredder -->

Check for Viruses with online scanners:
  Norton/Symantec -->
  Trend Micro -->
  Panda ActiveScan -->
  McAfee Security -->
  Individual File Scanner -->


Expert Comment

ID: 10969051
Please read this

This is the latest worm, discovered on 4/30/04, and McAfee has files which you can download from the following link and run on your computer to get rid of that worm as well as some other worms.

Now since you have Win XP, you have to take extra care which is described in that link.

All the best !!


Author Comment

ID: 10970360
I fixed it myself - before McAfee and Norton gave their fixes :) - that's what 2 hrs of work did. I will never reformat - I'd rather die than let a virus control my PC :)

Expert Comment

ID: 10978883
avserve.exe is a Sasser variant

I can see we're in for a big one here, experts :)

Expert Comment

ID: 10982806
Well, I probably screwed everything up now but I hadn't read this before having the problem and attempting a fix.  I just went into the task manager and told it to end the process.  That allowed me to get the computer working like it should.  I then searched for the avserve.exe on the hard drives and deleted them.  My computer seems to work ok now but I'm concerned that I might have gone about it in the wrong way.  Did a SpyBot check and found 38 spywares.  It cleaned all of them except a "TSCASH".  Can't seem to get that one off the computer.  If I've made any major mistakes, please let me know.  Hope everyone has good luck on getting rid of this nasty little worm.

Author Comment

ID: 10983712
No you didn't screw anything up.


Ending avserve.exe will not fix the problem. The avserve.exe is also an entry in the registry. Even if you delete this avserve.exe file from hard drive and registry, it will come back unless you have the patch from Microsoft.

Also note that avserve.exe created random exe files such as 123_up.exe. Well, all the exe files it creates have "_up".exe as part of their names.

You need:
1. The patch from Microsoft
2. Update your virus definition files.

What antivirus program do you employ on your computer?

Trust me, deleting avserve.exe without the patch is fruitless. It will come back over and over (it did to me for 2 hrs) and bite you in the ass :(

Expert Comment

ID: 10985335
I appreciate your reply Clinthammer.  I was using Symantec Norton Systemworks but it kept saying my hard drives were 90+% fragmented when they weren't.  I removed that and just went to AVG virus protection.  I will make sure the MS patch is installed just as soon as I get it back to the office and my internet connection.  Until then, I will do a search for "_up.exe" files.

How do you feel about the "SystemSuite" programs as a replacement for the Norton Systemworks?  I've read that it actually is a better program but being retired and always a day late and a dollar short, I'm concerned that it's just hype and might not work as well as what I have now.

Again, thanks for the information and I will act on it immediately.

Tom McCormick

Author Comment

ID: 10985445
Well, I trust Norton - it wasn't their fault they didn't pick up the virus... None of the other sites - McAfee, AVG, NOD32, Panda Software, PC-cillin - picked it up either...

It was just my luck (bad luck rather) that I got it before any AV site reported it. Two hours after my unsuccessful attempts, the virus was reported...

Author Comment

ID: 10985454
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup.

CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
As the worm scans random IP addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.


A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs.  The following window may be displayed:


Accepted Solution

Netminder earned 0 total points
ID: 11037822
User resolved; closed, 500 points refunded.

Site Admin

Expert Comment

ID: 11065858
If you apply the following three security measures to your computer, you should be ok:

1. Keep updated antivirus software on your computer with "Autoprotect" enabled.

2. Very frequently check for and apply critical updates to your O/S.

3. Use a software and/or hardware firewall.

This should be considered as a MINIMUM security measure against hackers and viruses.

Expert Comment

ID: 11110623

The worm operates as described by clinthammer.  I have removed it from my PC using the instructions at:

It deleted 84 files and 1 registry entry.


Good Luck
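
As an added example (not code posted by anyone in this thread), the indicators clinthammer lists in comment ID 10985454 can be checked together against triage data already collected from a host: a file listing, the Run key values, and `netstat -an` output. The function name `triage`, the `system32` location for the Windows System directory, and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the thread; everything else here is constructed.
WORM_FILE = re.compile(r"^c:\\windows\\avserve\.exe$", re.I)
DROPPED_COPY = re.compile(r"^c:\\windows\\system32\\\d+_up\.exe$", re.I)
WIN_LOG = re.compile(r"^c:\\win\.log$", re.I)
WORM_PORTS = {5554: "FTP server", 9996: "remote shell"}
# Captures the local port of a LISTENING line in `netstat -an` output.
LISTENING = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def triage(file_paths, run_values, netstat_lines):
    """Return a sorted list of (indicator, evidence) tuples."""
    findings = []
    for path in file_paths:
        p = path.strip()
        if WORM_FILE.match(p):
            findings.append(("worm-binary", p))
        elif DROPPED_COPY.match(p):
            findings.append(("dropped-copy", p))
        elif WIN_LOG.match(p):
            findings.append(("win.log", p))
    for name, data in run_values.items():
        # Flag on either the value name or the command it launches.
        if "avserve.exe" in (name + " " + data).lower():
            findings.append(("run-key", f"{name} = {data}"))
    for line in netstat_lines:
        m = LISTENING.match(line)
        if m and int(m.group(1)) in WORM_PORTS:
            port = int(m.group(1))
            findings.append(("listener", f"tcp/{port} ({WORM_PORTS[port]})"))
    return sorted(findings)


# Constructed sample data for one host (not captured from a real system).
SAMPLE_FILES = [
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\3683_up.exe",
    r"C:\WINDOWS\system32\setup.exe",  # legitimate name, must not match
    r"C:\win.log",
]
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe", "ctfmon": "ctfmon.exe"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135       0.0.0.0:0        LISTENING",
    "  TCP    0.0.0.0:5554      0.0.0.0:0        LISTENING",
    "  TCP    0.0.0.0:9996      0.0.0.0:0        LISTENING",
    "  TCP    192.0.2.5:1068    192.0.2.9:80     ESTABLISHED",
]

if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_NETSTAT):
        print(f"{indicator:13} {evidence}")
```

A host that still shows any of these after cleanup has not had the reinfection path closed, which matches clinthammer's point that deleting the file without the Microsoft patch does not hold.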
