[identity profile] methedras.livejournal.com posting in [community profile] techrecovery
Heads up guys, possible new pain in the ass coming our way...


This morning I appear to have received some sort of virus on my Windows XP machine, that is causing strange behaviour.

Using ADSL I am able to connect, can ping IP and domain, but cannot browse or receive email. When trying to receive email, I was getting a "buffer error" in Eudora, and when trying to browse to www.google.com.au, the status bar would start flicking through:

www.www.google.com.au.org
www.www.google.com.au.net
www.www.google.com.au.com

Then it eventually gave a "Page can not be displayed" error. I then also started to receive problems with IE giving "Can not open search page" and violation and exception errors.

When this occurred, I started to check running processes and eventually narrowed it down to one process, avserve.exe, causing me the problem.

After I performed an End Task on this process, the problem was resolved, though after a reboot it will reappear in the process list.

It will only appear in the Processes list when you are online.


Speaking to one of my reps on my team this afternoon, he has had a customer who has been affected by this problem too. After he disabled the process, the connection was working fine.

This customer was using dialup.

This may also be relevant, three days ago Norton Anti-Virus ceased to work on my system, doing the usual blocking of port 25 and 110. I uninstalled the software and the system was working fine.

Though now after downloading a 15 day trial of the latest NAV software, it is unable to install correctly on my system. I don't know whether this is relevant.


Anyone got any ideas?
Looks like I'll be formatting my baby this weekend.

Date: 2004-05-01 12:31 am (UTC)
From: [identity profile] gaymafiakingpin.livejournal.com
Before formatting I would try doing a scan for spyware using Ad-Aware, or Spybot, or something similar.

Date: 2004-05-01 12:41 am (UTC)
From: [identity profile] gaymafiakingpin.livejournal.com
If it's just that one .EXE file that's causing the problem, find it, delete it, and make sure it isn't listed in msconfig. Also search the registry for it, and get rid of any reference to it telling it to run on startup (be sure to back up the registry first).

Date: 2004-05-01 01:01 am (UTC)
From: [identity profile] sebism.livejournal.com
I found this Usenet post (http://groups.google.com/groups?selm=4C48Rk%241z_%40smth.org&oe=UTF-8&output=gplain) and translated it into English from Chinese (http://www.worldlingo.com/wl/translate?wl_lp=ZH-EN&wl_fl=2&wl_rurl=http%3A%2F%2Fgroups.google.com%2Fgroups%3Fq%3Davserve.exe%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3D4C48Rk%25241z_%2540smth.org%26rnum%3D1&wl_url=http%3A%2F%2Fgroups.google.com%2Fgroups%3Fq%3Davserve.exe%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3D4C48Rk%25241z_%2540smth.org%26rnum%3D1&wl_g_table=-3). You might try some online antivirus too; McAfee and/or Symantec should have one. Also try HijackThis (http://tomcoyote.com/hjt/) and msconfig/Startup Control Panel and delete any entry containing aserve.exe (and possibly 31131_up.exe) as well as the files if they weren't already deleted.
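An added example, not part of any comment in this thread: the replies above suggest backing up the registry and then removing startup references to the suspect file. This Python sketch scans a registry export (.reg text) for autostart values that name avserve.exe or 31131_up.exe, the two file names mentioned in the thread; the sample export, its value names and its paths are constructed for illustration.

```python
import re

# Common per-machine and per-user registry autostart keys.
RUN_KEY = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once|Services)?$", re.IGNORECASE)
# A string value line in a .reg file: "name"="data", with \" and \\ escapes.
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def find_autostart_refs(reg_text, suspects):
    """Return (key, value name, command) for autostart values naming a suspect file."""
    suspects = [s.lower() for s in suspects]
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next values belong to
            continue
        m = VALUE.match(line)
        if not (m and key and RUN_KEY.match(key)):
            continue                  # not a string value, or not an autostart key
        data = re.sub(r"\\(.)", r"\1", m.group("data"))  # undo .reg escaping
        if any(s in data.lower() for s in suspects):
            hits.append((key, m.group("name"), data))
    return hits

# Constructed sample export; value names and paths are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /tray"
"ExampleEntry"="C:\\WINDOWS\\avserve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"LastFile"="C:\\WINDOWS\\avserve.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleHelper"="C:\\WINDOWS\\system32\\31131_up.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_autostart_refs(SAMPLE, ["avserve.exe", "31131_up.exe"]):
        print(f"{key}\n    {name} = {data}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text in. The non-autostart key in the sample is skipped on purpose, since only startup references are reported.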

replying to myself...

Date: 2004-05-01 01:17 am (UTC)
From: [identity profile] sebism.livejournal.com
Uh, well, the translation may time out. So the page with the translating form is translation.langenberg.com (http://translation.langenberg.com/#WebPage) and with the WorldLingo translation (from Chinese to (rough) English) you should use the URL of the post (http://groups.google.com/groups?q=avserve.exe&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&selm=4C48Rk%241z_%40smth.org&rnum=1).

Date: 2004-05-01 01:51 am (UTC)
From: [identity profile] toastmaniscool.livejournal.com
Heya,
Does either Spybot, Adaware or "hijack this" show anything at all?

Date: 2004-05-01 07:49 am (UTC)
From: [personal profile] inahandbasket
wow, that was quick. wasn't expecting to see an exploit on that one for a few weeks.
ah well.
