View Full Version : OT: OMG! h4xorz Pwned my computer!!
Unholy_VI
01-05-2004, 10:44
True story.
I'm playing D2 minding my own business and I'm noticing a lot of lag. Like really bad lag. I get disconnected from the realms a few times; my computer is just crawling along.
So finally I do Ctrl+Alt+Del to see what is up.
100% CPU usage.
Wtf? I look at the processes and something called avserve.exe is hogging every last byte of CPU power. So I shut the thing down. Go back to playing.
20 min later or so, getting the same thing. I check processes; this time I see one doing the same thing but the name of the process is some number like 45453_up.exe.
Well now I'm PO'd.
I look up avserve on the web. Nada. If it were any sort of a standard normal Windows app it would have shown up on my Google search, so I know I've been pwned.
I delete the thing and search for files that have _up in them. I find several more like the one I shut off. I delete them also.
Start playing again.
5 min later my computer gives me an error that lsass.exe has closed due to an error and to save my stuff because Windows is shutting itself down in protest.
Grrr....
The computer resets and takes forever to boot up.
Guess what. Avserve is running again. AAAAAAAAAAARRRRRRRRRRRRGGGGHH!
I start doing some checking into the error I received. A few minutes later the same lsass.exe error shuts me down.
Turns out there is a worm going around (don't know about worms and how they work) that exploits an lsass issue to cause a shutdown. MS has a patch out for it. Well, they have 2 or 3. I DL one and it doesn't help. DL the other and it does. :clap:
But what to do about this stupid avserve mess?
I'm no programmer but I came up with a really ghetto idea. :idea: I went where the thing always appears (Windows directory), deleted it, copied another executable program into the Windows directory, renamed it avserve and made it read-only.
I deleted all the _up files and the real avserve and rebooted...
Sure enough, on startup my other app was autorun and no process-hogging apps sprang into life to annoy me.
So does anyone know how I can look at what programs are set to run on startup and figure out how to REALLY get rid of this virus or whatever it is? I already pwned it but I just want it gone, period. Norton says there aren't any viruses (stupid Norton!) but what else could this be?
Thanks UH6
:cheesy: Erhhhhh right, you copied an exe and renamed it and it fixed your problems......erhhh..... I don't really think so, you would have had to redo the target for the file and stuff, and uh, yeah. MY post sounds as bad as yours right now because I don't really know what to say; none of that made an ounce of sense to me, what you did and say happened just doesn't sound right at all. Yeah... I don't know what to say because I can't really understand what you're saying because of the info you're giving.
MoUsE_WiZ
01-05-2004, 12:35
He created a file with the same name as the malicious one, in the directory that the virus kept copying it to. The virus probably does a check to see if avserve.exe is in the directory so as not to bother trying to recreate it... doesn't work all the time, but it's a solution that will work its fair share, from my experience.
I have a little program installed that's named 'Startup Control Panel 2.7 by Mike Lin'. It adds a feature to the Control Panel.
Try to find that on the internet; it lists all kinds of programs that start up without you knowing it.
Besides that you should update your antivirus software, download Ad-aware, spyware buster programs and maybe a firewall that asks you if a program wants to connect to the internet.
And of course don't install third-party programs for Diablo 2. Don't even go to the sites of these programs. You get hacked very easily (if you knew this already, please ignore it :uhhuh: )
doubleOObubble
01-05-2004, 14:52
I have one of those startup managing programs too, not the one by Mike Lin though. It's very convenient! Having such a program is probably one of the better ways of keeping your PC up to shape. After using it for a while, there are a lot of auto-starting programs (and I mean non-viral ones too) that drain your computer's memory and CPU (less on the CPU though).
Afro AmeriZON
01-05-2004, 17:04
Go to Run... type msconfig. There you will find a tab button on the top that should say "Startup" and you will find a list of the programs that start up when you boot up. Just uncheck all that you don't want to start up. Get a good antivirus program. Get Ad-aware 6.0 to stop those pesky spyware things and you're good to go.
CoonerTheRed
01-05-2004, 17:11
> Go to Run... type msconfig. There you will find a tab button on the top that should say "Startup" and you will find a list of the programs that start up when you boot up. Just uncheck all that you don't want to start up. Get a good antivirus program. Get Ad-aware 6.0 to stop those pesky spyware things and you're good to go.
If you're on Win 2000, you don't have msconfig, but do a search and download the XP one... it works just fine. Otherwise you could edit your registry manually and remove the line that starts the bad program..... heh heh.... but if you don't know EXACTLY what you're doing, this is a very bad idea. So go with msconfig.
Afro AmeriZON
01-05-2004, 17:45
> If you're on Win 2000, you don't have msconfig, but do a search and download the XP one... it works just fine. Otherwise you could edit your registry manually and remove the line that starts the bad program..... heh heh.... but if you don't know EXACTLY what you're doing, this is a very bad idea. So go with msconfig.
Yeah, I was going to put regedit also but it's tough if you don't know the exact line that starts it. Good call on the Win 2000 thing also, I wasn't thinking of that.
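The msconfig/regedit advice above boils down to reading the startup list and deciding which entries deserve a second look. The following is an added example, not code from any poster in this thread: a small Python triage pass over Run-key style entries. The sample entries are constructed (the names come from this thread, the paths are made up), the list of known system binaries is an assumed short list, and the heuristics only produce leads; the thread's advice to look each name up still applies.

```python
import re

# Assumed (not exhaustive) list of Windows system executables. A startup entry whose
# file name is one edit away from one of these (scvhost.exe vs svchost.exe) is a
# classic lookalike and gets flagged; an exact match is left alone by this check.
KNOWN_SYSTEM_EXES = {"svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe", "services.exe"}

# Constructed sample entries in the shape msconfig / the Run registry key shows them:
# (value name, command line). The names come from this thread; the paths are made up.
SAMPLE_RUN_ENTRIES = [
    ("avserve.exe", r"C:\WINDOWS\avserve.exe"),
    ("NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"),
    ("scvhost", r"C:\WINDOWS\scvhost.exe"),
    ("Norton AutoProtect", r'"C:\Program Files\Norton AntiVirus\navapw32.exe" /LOADQUIET'),
    ("45453_up", r"C:\WINDOWS\45453_up.exe"),
]

# The NNNNN_up.exe naming pattern the original poster saw.
DIGITS_UP = re.compile(r"^\d{4,}_up\.exe$")


def executable_name(command):
    """Return the lower-cased file name of the program a Run-key command line launches."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.find('"', 1)]      # quoted path, may contain spaces
    else:
        path = command.split(" ", 1)[0]            # unquoted: first token is the program
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(entries, known=KNOWN_SYSTEM_EXES):
    """Map each suspicious executable name to the reasons it deserves a closer look.

    This is a lead generator, not a verdict: anything it flags should still be
    looked up by name, exactly as the thread suggests.
    """
    findings = {}
    for _value_name, command in entries:
        exe = executable_name(command)
        if exe in known:
            continue
        reasons = [f"lookalike of {k}" for k in sorted(known) if osa_distance(exe, k) == 1]
        if DIGITS_UP.match(exe):
            reasons.append("digits_up.exe naming pattern")
        lowered = command.lower()
        if "\\windows\\" in lowered and "\\system32\\" not in lowered and not lowered.startswith("rundll32"):
            reasons.append("runs straight from the Windows directory, not System32")
        if reasons:
            findings[exe] = reasons
    return findings


if __name__ == "__main__":
    for exe, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(f"{exe}: {'; '.join(reasons)}")
```

On the constructed sample this flags avserve.exe and 45453_up.exe for living directly in the Windows directory, and scvhost.exe additionally as a one-edit lookalike of svchost.exe, while the NVIDIA and Norton entries pass. On a real machine the same function can be fed the values of the HKLM and HKCU `...\Windows\CurrentVersion\Run` keys.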
> So does anyone know how I can look at what programs are set to run on startup and figure out how to REALLY get rid of this virus or whatever it is? I already pwned it but I just want it gone, period. Norton says there aren't any viruses (stupid Norton!) but what else could this be?
> Thanks UH6
Although not always the nicest option, you can just back up your data, wipe the disk clean and reinstall. How are these problems getting into your system?
Do you use Outlook? There is one possible way.
Do you use Internet Explorer? Another way.
Do you scan everything you download onto your system? If not, there is yet another route. Often people only scan certain things and not others, i.e. they will scan email but not the glut of music and video they have downloaded in a p2p program.
http://housecall.trendmicro.com/ online virus scanner; you already have Norton's, however it never hurts to run a different scanner
http://www.lavasoftusa.com/support/download/ Ad-aware
http://www.safer-networking.org/ Spybot
http://www.mozilla.org/products/firefox/ alternative browser, it beats Explorer hands down, if people would give up this obsession with IE they would lead much happier computing lives ;)
http://www.mozilla.org/products/thunderbird/ alternative email client that doesn't function as the official microsoft virus installer like outlook, which is junk imo
http://www.linuxiso.org/ alternative operating systems. Time to check out the power of the penguin perhaps? :D
> online virus scanner; you already have Norton's, however it never hurts to run a different scanner
*Scanner launches a fist the size of Texas into Kyar chops*
Owie....
Unholy_VI
01-05-2004, 20:50
> *Scanner launches a fist the size of Texas into Kyar chops*
> Owie....
Wow cool. Thanks for all the replies.
I did the Ad-aware 6 last night. It found like 40 processes that were dataminers or other garbage and got rid of them.
I'll try the msconfig next. Anyone know a clean site to get it from? ;-)
CoonerTheRed
01-05-2004, 21:02
> I'll try the msconfig next. Anyone know a clean site to get it from? ;-)
If you have Windows XP or 98, you have it already. Just go Start menu -> Run -> type in "msconfig"
If you have Win 2000, use the XP version (the 98 version works as well, but pops up all these errors that you just ignore). I use this site fairly regularly for drivers, no problems so far:
http://www.perfectdrivers.com/howto/msconfig.html
Well it seems your problem has a definite cause:
http://isc.sans.org/diary.php?date=2004-04-30
Just saw that on Slashdot recently. Fire up Windows Update, people, and Norton's (and others I would assume) have the usual definitions and instructions out.
Here for the norton's side of things:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Unholy_VI
01-05-2004, 22:21
> Well it seems your problem has a definite cause:
> http://isc.sans.org/diary.php?date=2004-04-30
> Just saw that on Slashdot recently. Fire up Windows Update, people, and Norton's (and others I would assume) have the usual definitions and instructions out.
> Here for the Norton's side of things:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Wow. Amazing that when I searched avserve nothing came up!
So based on what you read at the Norton site (I couldn't get it to load) what, if anything, should I do to get rid of the worm? The first link mentioned something about it creating a log file. Do I need to find/delete this also?
Thanks
Edit: Also I downloaded the msconfig utility and it turns out there was a lot of garbage in my startup file. Why MS chose not to make it easy for a user to access this file is beyond me. 2 things were on there that I couldn't find clear info on. Right now I have them turned off; I'm not deleting them until I know what the deal is...
scvhost.exe
sm1bg.exe
Any info would be appreciated.
I'm just relieved that my computer is back to normal.
MoUsE_WiZ
01-05-2004, 22:42
You're sure that's not svchost.exe?
That's an important one that you should turn on if it is.
> Wtf? I look at the processes and something called avserve.exe is hogging every last byte of CPU power. So I shut the thing down. Go back to playing.
Sasser Worm: http://isc.sans.org/diary.php?date=2004-04-30
"ISC is aware of the LSASS Sasser worm. This worm is spreading through the MS04-011 (LSASS) vulnerability. According to AV companies, this worm will generate traffic on ports 445, 5554 and 9996. Also, it will copy itself in the windows folder, under the name of avserve.exe, create a file at c:\ called win.log and add the registry.."
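The ISC note quoted above names the network side of the worm: scanning on 445 plus traffic on 5554 and 9996. As an added example, not from the quoted diary or any poster, here is a small Python check that runs over a constructed firewall-style log (made-up addresses and line format) and pulls out the hosts worth a look: anything fanning out to many distinct peers on 445, and either party to a connection on 5554 or 9996. The fan-out threshold is an assumption to be tuned per network.

```python
import re
from collections import defaultdict

# Ports named in the ISC note quoted above.
SASSER_PORTS = {445, 5554, 9996}

# Constructed firewall-style log, "date time action proto src dst dport". Not a real capture:
# 192.168.1.23 sweeps six hosts on 445 and then talks to one of them on 9996/5554,
# while 192.168.1.50 is an ordinary client reaching two file servers and a web server.
SAMPLE_LOG = """\
2004-05-01 22:40:01 ALLOW TCP 192.168.1.23 10.0.0.1 445
2004-05-01 22:40:01 ALLOW TCP 192.168.1.23 10.0.0.2 445
2004-05-01 22:40:02 ALLOW TCP 192.168.1.23 10.0.0.3 445
2004-05-01 22:40:02 ALLOW TCP 192.168.1.23 10.0.0.4 445
2004-05-01 22:40:03 ALLOW TCP 192.168.1.23 10.0.0.5 445
2004-05-01 22:40:03 ALLOW TCP 192.168.1.23 10.0.0.6 445
2004-05-01 22:40:09 ALLOW TCP 192.168.1.23 10.0.0.3 9996
2004-05-01 22:40:10 ALLOW TCP 10.0.0.3 192.168.1.23 5554
2004-05-01 22:41:00 ALLOW TCP 192.168.1.50 10.0.0.9 445
2004-05-01 22:41:05 ALLOW TCP 192.168.1.50 10.0.0.9 80
2004-05-01 22:41:30 ALLOW TCP 192.168.1.50 10.0.0.10 445
"""

LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)


def parse(log_text):
    """Return (src, dst, dport) tuples for every well-formed line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events


def find_suspects(events, fanout_threshold=5):
    """Map host -> list of reasons it looks Sasser-like.

    Two signals from the ISC note: a host touching many distinct peers on 445 (the
    spreading scan; a normal client talks to a handful of file servers), and any
    traffic on 5554 or 9996, which ordinary hosts on this network do not use.
    """
    smb_peers = defaultdict(set)
    reasons = defaultdict(list)
    for src, dst, dport in events:
        if dport == 445:
            smb_peers[src].add(dst)
        elif dport in SASSER_PORTS:          # 5554 or 9996: flag both ends
            reasons[src].append(f"connected to {dst}:{dport}")
            reasons[dst].append(f"saw {dport} from {src}")
    for src, peers in smb_peers.items():
        if len(peers) >= fanout_threshold:
            reasons[src].append(f"{len(peers)} distinct hosts on 445")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(find_suspects(parse(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(why))
```

On the sample, 192.168.1.23 is reported for the 445 fan-out and for the 9996/5554 exchange, 10.0.0.3 is reported as the other end of that exchange, and the ordinary client 192.168.1.50 stays out of the list. Because 445 is also normal file-sharing traffic, the fan-out count is what separates a scan from a client, which is why it is a tunable threshold rather than a fixed rule.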
CoonerTheRed
02-05-2004, 00:20
Like said above, svchost.exe is a program that takes care of hosting things for web/other network access. Leave it running.
sm1bg is something to do with USB storage and possibly Napster. Leave it as well, I think... but look for yourself.
Like I posted earlier (maybe not in this thread though)... if you want to know if a process should be running, Google it. If you get a billion hits that don't all scream "this is a virus" then it's probably a keeper. Anything that is a trojan will most likely come up blank (like yours) or take you to a site that will describe how to fix it.
Valar-Wrath
12-06-2004, 23:37
Hey, same thing happened to me. 100% CPU; this program symproxysvc.exe was taking up 98%!!! I just deleted it, no problems since. If there is something else I should do, someone please let me know.
Riotbreaker
13-06-2004, 01:08
> True story.
> I'm playing D2 minding my own business and I'm noticing a lot of lag. Like really bad lag. I get disconnected from the realms a few times; my computer is just crawling along.
> So finally I do Ctrl+Alt+Del to see what is up.
> 100% CPU usage.
> Wtf? I look at the processes and something called avserve.exe is hogging every last byte of CPU power. So I shut the thing down. Go back to playing.
> 20 min later or so, getting the same thing. I check processes; this time I see one doing the same thing but the name of the process is some number like 45453_up.exe.
> Well now I'm PO'd.
> I look up avserve on the web. Nada. If it were any sort of a standard normal Windows app it would have shown up on my Google search, so I know I've been pwned.
> I delete the thing and search for files that have _up in them. I find several more like the one I shut off. I delete them also.
> Start playing again.
> 5 min later my computer gives me an error that lsass.exe has closed due to an error and to save my stuff because Windows is shutting itself down in protest.
> Grrr....
> The computer resets and takes forever to boot up.
> Guess what. Avserve is running again. AAAAAAAAAAARRRRRRRRRRRRGGGGHH!
> I start doing some checking into the error I received. A few minutes later the same lsass.exe error shuts me down.
> Turns out there is a worm going around (don't know about worms and how they work) that exploits an lsass issue to cause a shutdown. MS has a patch out for it. Well, they have 2 or 3. I DL one and it doesn't help. DL the other and it does. :clap:
> But what to do about this stupid avserve mess?
> I'm no programmer but I came up with a really ghetto idea. :idea: I went where the thing always appears (Windows directory), deleted it, copied another executable program into the Windows directory, renamed it avserve and made it read-only.
> I deleted all the _up files and the real avserve and rebooted...
> Sure enough, on startup my other app was autorun and no process-hogging apps sprang into life to annoy me.
> So does anyone know how I can look at what programs are set to run on startup and figure out how to REALLY get rid of this virus or whatever it is? I already pwned it but I just want it gone, period. Norton says there aren't any viruses (stupid Norton!) but what else could this be?
> Thanks UH6
Buddy, I'm tech support at my uni in upstate NY. You have the Sasser virus, I believe, according to your symptoms. I'm assuming you're running Win XP. The best way to remove this virus is first go to Start -> Run -> and type in msconfig. Now check Services and Startup for suspicious looking programs or such. Go down the line, check the command lines to see where the executables actually are. Now that the virus is disabled, you need to protect your computer. If you are running a bootleg copy of Win XP, you'll have to get the XP Patch KB 1180238 (i think? ) and protect your computer. If not, simply connect to Windows Update. After that, just connect to http://www.microsoft.com/security/incident/sasser.asp and scroll down to the little "Scan my computer" button.
Haxors did not invade your computer. You did, by not updating your OS. ;D
-Riot
Unholy_VI
13-06-2004, 03:06
> Buddy, I'm tech support at my uni in upstate NY. You have the Sasser virus, I believe, according to your symptoms. I'm assuming you're running Win XP. The best way to remove this virus is first go to Start -> Run -> and type in msconfig. Now check Services and Startup for suspicious looking programs or such. Go down the line, check the command lines to see where the executables actually are. Now that the virus is disabled, you need to protect your computer. If you are running a bootleg copy of Win XP, you'll have to get the XP Patch KB 1180238 (i think? ) and protect your computer. If not, simply connect to Windows Update. After that, just connect to http://www.microsoft.com/security/incident/sasser.asp and scroll down to the little "Scan my computer" button.
> Haxors did not invade your computer. You did, by not updating your OS. ;D
> -Riot
I have a legit XP and I have the Live Update thing and BigFix. I got a FixIt message about a month ago saying that it detected the Sasser virus on my computer and please run this fix to eliminate it.
I never could get the update to run. Since the bandaid I put on it described above I've had no problem with it doing anything to my computer. I emailed Microsoft support about it and that was at least 2 weeks ago and they never replied.
I did get the update that supposedly will stop Sasser from re-infecting the computer, so for now it looks like the problem is solved.
Valar-Wrath
13-06-2004, 19:23
Mine was the same way except the computer wasn't shutting itself down. This program called symproxysvc.exe was hogging 98% of the CPU. I deleted it but I still have the problem with Diablo going EXTREMELY slow. Anyone know what to do?
wow, way to dig up an old thread :flip:
vBulletin® v3.7.4, Copyright ©2000-2009, Jelsoft Enterprises Ltd.