Strange files - avserve2.exe & xaeulrzu.exe

Discussion in 'Computer Support' started by Gameface, Jun 24, 2004.

  1. Gameface

    Gameface Guest

    I've found these in my System Config Utility and disabled them. No problems
    have come from it, yet I want to remove these for good, as I'm pretty sure
    they are virus related - I was infected with the Sasser worm after an XP
    reinstall.

    How can I remove these simply & safely?
     
    Gameface, Jun 24, 2004
    #1

  2. Toolman Tim

    Toolman Tim Guest

    Toolman Tim, Jun 24, 2004
    #2

  3. °Mike°

    °Mike° Guest

    <Canned response>

    The Sasser worm attempts to exploit the LSASS vulnerability
    discussed in Microsoft Security Bulletin MS04-011. To kill
    the worm before proceeding, boot into Safe Mode and
    start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE.

    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - avserve.exe
    Variant B - avserve2.exe
    Variant C - avserve2.exe
    Variant D - skynetave.exe

    You have now disabled the worm from running at startup, so
    boot into normal mode again, and turn off ALL system restores
    to purge your system of any remnants.

    Open Windows Explorer to the
    ..\Windows\
    or
    ..\WinNT\
    folder and DELETE *any* of the files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    folder and find the reference to the above file/s (any reference
    will be similar to: <filename.exe>-<alphanumerics>.PF), for
    example, avserve.exe-0235D8H6.pf, and DELETE it/them.

    Update your virus scanner and run a FULL system scan.

    Now you can download and install the patch from Microsoft.
    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    What You Should Know About the Sasser Worm and Its Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Sasser A and Sasser B removal tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17

    Shorter link to above removal tool:
    http://makeashorterlink.com/?I14942538

    W32.Sasser.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

    W32.Sasser.B.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

    W32.Sasser.C.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

    W32.Sasser.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html

    Some users have also stated that the Sasser worm removes the shutdown
    button from the Start menu. If you find this to be the case, start your
    registry editor:

    Start \ Run \ regedit

    Navigate to:

    HKEY_CURRENT_USER
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Policies
    +Explorer

    In the right-hand window, look for:
    "NoClose" with a value of 0x0000001 (1)

    If the entry exists, double-click on it, and change the
    value to 0 (zero).
     
    °Mike°, Jun 24, 2004
    #3
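As an added example (not from the thread or from any of the posters), a read-only PowerShell audit of the three places °Mike°'s post walks through: the HKLM Run key, the worm file names in %WINDIR% and its Prefetch folder, and the NoClose policy value. It assumes a Windows host with PowerShell and the file names listed in the post; it only reports what it finds and deletes nothing.

```powershell
# Added example, not from the thread: read-only audit of the locations
# named in the post above. It reports findings; removal stays manual.
$SasserNames   = @('avserve.exe', 'avserve2.exe', 'skynetave.exe')
$SasserPattern = ($SasserNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
# Property names that Get-ItemProperty adds itself and that are not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SasserRunEntries {
    # Values under HKLM\...\Run whose command line names one of the worm files.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        if ([string]$p.Value -match $SasserPattern) {   # -match is case-insensitive
            [pscustomobject]@{ Key = $runKey; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-SasserFiles {
    # The dropped binary in %WINDIR% and its Prefetch trace, <file>-<hash>.pf.
    $win = $env:WINDIR
    foreach ($n in $SasserNames) {
        Get-ChildItem -Path $win -Filter $n -File -ErrorAction SilentlyContinue
        Get-ChildItem -Path (Join-Path $win 'Prefetch') -Filter "$n-*.pf" -File -ErrorAction SilentlyContinue
    }
}

function Get-NoClosePolicy {
    # NoClose = 1 under HKCU\...\Policies\Explorer hides the Shut Down button.
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    (Get-ItemProperty -Path $k -Name NoClose -ErrorAction SilentlyContinue).NoClose
}

$run     = @(Get-SasserRunEntries)
$files   = @(Get-SasserFiles)
$noClose = Get-NoClosePolicy

"Run-key entries : $($run.Count)";   $run   | Format-Table -AutoSize
"Files found     : $($files.Count)"; $files | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
if ($noClose -eq 1) { "NoClose policy  : set (Shut Down button hidden)" } else { "NoClose policy  : not set" }
if ($run.Count -or $files.Count) { "Verdict: Sasser artefacts present; follow the removal steps in the post above." }
else { "Verdict: no Sasser artefacts at these locations." }
```

Listing the Prefetch folder needs an elevated prompt; without it the file check silently reports nothing, so run the script as Administrator for a meaningful result.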
