avserve.exe big problem - possible unknown virus

Posted on 2004-05-01
Last Modified: 2010-04-11
Well before I rant I must say that I am an IT professional and my computer is protected with a licensed version of Norton 2004 - updated daily.

Today I found this executable called avserve.exe in the Windows folder - whenever it ran, my internet connection would not work, i.e. I would be connected but IE would give me an error saying it cannot open any pages.

Also in my task manager I found random numeric exe's running, e.g. 3683_up.exe, 21986_up.exe

Files like these would cause the same internet problems.

Anyone know what this virus is?
Question by: clinthammer

Author Comment

ID: 10966458
Note: am running Windows xp pro sp1

Expert Comment

ID: 10966578

Download HijackThis and install it in a folder of its own - something like C:\HijackThis or C:\Program Files\HJT - not in a temp folder or on your Desktop.
Close all browser windows, run it, and post a log file here.
Download it from:
Good luck!

Author Comment

ID: 10966704

Expert Comment

ID: 10968633
Let us know if you have any more trouble. For now, I am going to give you a list of tools originally posted by Sirbounty with some minor modifications.

Check for Spyware/Adware:
  Spybot-S&D 1.3 rc4 -->
  Ad-Aware 6 -->
  HijackThis -->
  Web Shredder -->

Check for Viruses with online scanners:
  Norton/Symantec -->
  Trend Micro -->
  Panda ActiveScan -->
  McAfee Security -->
  Individual File Scanner -->


Expert Comment

ID: 10969051
Please read this

This is the latest worm discovered on 4/30/04, and McAfee has files which you can download from the following link and run on your computer to get rid of that worm as well as some other worms.

Now since you have Win XP, you have to take extra care which is described in that link.

All the best !!


Author Comment

ID: 10970360
I fixed it myself - before McAfee and Norton gave their fixes :) - that's what 2 hrs of work did. I will never reformat - I'd rather die than let a virus control my PC :)

Expert Comment

ID: 10978883
avserve.exe is a Sasser variant

I can see we're in for a big one here, experts :)

Expert Comment

ID: 10982806
Well, I probably screwed everything up now but I hadn't read this before having the problem and attempting a fix.  I just went into the task manager and told it to end the process.  That allowed me to get the computer working like it should.  I then searched for the avserve.exe on the hard drives and deleted them.  My computer seems to work ok now but I'm concerned that I might have gone about it in the wrong way.  Did a SpyBot check and found 38 spywares.  It cleaned all of them except a "TSCASH".  Can't seem to get that one off the computer.  If I've made any major mistakes, please let me know.  Hope everyone has good luck on getting rid of this nasty little worm.

Author Comment

ID: 10983712
No you didn't screw anything up.


Ending avserve.exe will not fix the problem. avserve.exe is also an entry in the registry. Even if you delete the avserve.exe file from the hard drive and the registry, it will come back unless you have the patch from Microsoft.

Also note that avserve.exe creates random exe files such as 123_up.exe. All the exe files it creates have "_up" as part of their name, i.e. *_up.exe.

You need:
1. The patch from Microsoft.
2. To update your virus definition files.

What antivirus program do you employ on your computer?

Trust me, deleting avserve.exe without the patch is fruitless. It will come back over and over (it did to me for 2 hrs) and bite you in the ass :(

Expert Comment

ID: 10985335
I appreciate your reply Clinthammer.  I was using Symantec Norton Systemworks but it kept saying my hard drives were 90+% fragmented when they weren't.  I removed that and just went to AVG virus protection.  I will make sure the MS patch is installed just as soon as I get it back to the office and my internet connection.  Until then, I will do a search for "_up.exe" files.

How do you feel about the "SystemSuite" programs as a replacement for the Norton Systemworks?  I've read that it actually is a better program but being retired and always a day late and a dollar short, I'm concerned that it's just hype and might not work as well as what I have now.

Again, thanks for the information and I will act on it immediately.

Tom McCormick

Author Comment

ID: 10985445
Well, I trust Norton - it wasn't their fault they didn't pick up the virus... None of the other sites - McAfee, AVG, NOD32, Panda Software, PC-cillin - picked it up either...

It was just my luck (bad luck rather) that I got it before any AV site reported it. Two hours after my unsuccessful attempts, the virus was reported...

Author Comment

ID: 10985454
The virus copies itself to the Windows directory as avserve.exe and creates a registry Run key to load itself at startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.


A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs. The following window may be displayed:
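The indicators listed in this comment (the Run key value, the FTP listener on TCP 5554, the remote shell on TCP 9996, the N_up.exe copies and C:\win.log) and the earlier point that killing the process alone does not clean the machine lend themselves to a host check that only reports what it finds. The script below is an added example written for this page, not code from the thread or from any vendor: it parses a constructed netstat -an listing, a constructed dump of the Run key values, and a constructed file listing, and returns the matching indicators. The sample data, function names and the exact output layout are assumptions made for the example.

```python
"""Report-only check for the Sasser indicators described in the thread.

All input below is constructed sample data, not captured from a real host.
The check reports indicators and removes nothing: as the thread explains,
deleting the file without the Microsoft patch just lets it come back.
"""
import re

# Indicators taken from the thread.
RUN_KEY_VALUE = "avserve.exe"              # Run key value and file name
WORM_LISTEN_PORTS = {5554, 9996}           # FTP server and remote shell
UP_EXE_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)   # e.g. 3683_up.exe
WIN_LOG_PATH = r"c:\win.log"               # log with the local IP address

# Constructed netstat -an output (assumed layout of the XP-era tool).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed dump of HKLM\...\CurrentVersion\Run values (name -> command).
SAMPLE_RUN_KEY = {
    "avserve.exe": r"C:\WINDOWS\avserve.exe",
    "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
}

# Constructed file listing of the locations the thread names.
SAMPLE_FILES = [
    r"C:\win.log",
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\3683_up.exe",
    r"C:\WINDOWS\system32\21986_up.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from netstat -an text."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def run_key_hits(run_values):
    """Return Run key entries whose name or target is avserve.exe."""
    return {
        name: cmd for name, cmd in run_values.items()
        if name.lower() == RUN_KEY_VALUE
        or cmd.lower().endswith("\\" + RUN_KEY_VALUE)
    }


def suspicious_files(paths):
    """Return paths that match the file names the thread lists."""
    hits = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if (name.lower() == RUN_KEY_VALUE
                or UP_EXE_RE.match(name)
                or path.lower() == WIN_LOG_PATH):
            hits.append(path)
    return hits


def assess(netstat_text, run_values, paths):
    """Combine the three checks; 'infected' is True if any indicator fires."""
    findings = {
        "listening_worm_ports": sorted(listening_tcp_ports(netstat_text) & WORM_LISTEN_PORTS),
        "run_key_entries": run_key_hits(run_values),
        "files": suspicious_files(paths),
    }
    findings["infected"] = any(
        findings[k] for k in ("listening_worm_ports", "run_key_entries", "files")
    )
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NETSTAT, SAMPLE_RUN_KEY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a real machine the three inputs would come from netstat -an, a registry export of the Run key, and a directory listing of C:\ and the Windows directories; the point of keeping the check report-only is that a positive result means "patch first, then clean", exactly the order the thread arrived at.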


Accepted Solution

Netminder earned 0 total points
ID: 11037822
User resolved; closed, 500 points refunded.

Site Admin

Expert Comment

ID: 11065858
If you apply the following three security measures to your computer, you should be ok:

1. Keep updated antivirus software on your computer with "Autoprotect" enabled.

2. Very frequently check for and apply critical updates to your O/S.

3. Use a software and/or hardware firewall.

This should be considered as a MINIMUM security measure against Hackers and viruses.

Expert Comment

ID: 11110623

The worm operates as described by clinthammer.  I have removed it from my PC using the instructions at:

It deleted 84 files and 1 registry entry.


Good Luck
