
Windows Advisor

What's That Trojan Doing on My Server?

Root cause of some inexplicable reboots or other strange events on your systems might be a rootkit.

If you have ever seen a Windows Server 2003, Windows 2000 or Windows XP computer reboot on its own, or received a "serious error" message or a blue screen of death, the computer may be infected with the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware.

Discovering a Trojan on a production server can be a frightening experience for any network administrator. To remove it, you first need to identify the files that are causing the problem. Once you have identified them, you can rename or delete the files so they are rendered useless.


The root cause of all these problems is typically a kernel driver that's installed by a couple of known rootkit spyware programs: msupd5.exe and reloadmedude.exe. To resolve this problem, you need to rename the kernel driver by using one of the following methods. You can either rename it using Windows Explorer while you're logged on to your computer, or rename it in Safe Mode. In Safe Mode, you can either use Windows Explorer or use the command prompt.

The first step is to confirm that your system is actually infected. If it is, you need to work out which system files are the culprits. Once you know which files you are dealing with, decide which method you will use to rename the malicious driver. The process is simpler than it may sound; the hard part is pinpointing the exact files involved. Let's walk through the whole cleanup process in order.

To prepare your computer, start Windows Explorer and make sure that hidden and protected operating system files are visible. Check this under Tools, Folder Options, on the View tab (see Figure 1). Also turn off the option that hides file extensions, because you will be searching for files with a specific extension.

Figure 1. Showing hidden files and folders.

Verifying Spyware Infection
To verify that your computer is infected with the spyware, start Windows Explorer and go to the %windir%\system32\drivers folder (%windir% already includes the drive letter, typically C:\WINDOWS). Locate any files with the .sys extension that have all of the following characteristics:

  • A randomly generated file name that consists of eight lowercase letters. Some examples of files that have been found to contain spyware include:

    gbqxmhia.sys
    upzvlbvv.sys
    jsbmefvk.sys

  • A file with a date of January 11, 2005.
  • A file that doesn't have a version, product name, or name of the manufacturer listed.
  • A file with the size of 14 KB (13,824 bytes).
  • A file that has its hidden attribute set.

If you find files that meet the above criteria, you may have an infected system.

Cleaning Your Infected Computer
To clean your spyware-infected computer, first try to rename the infected system files in Windows Explorer. Simply rename the files by adding an extension, such as ".bad" to these files. In addition, also rename any of the following files if they exist on your computer:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot your computer and then scan your system with anti-spyware software that has been updated with the latest definition files. Microsoft Windows Defender, which is still in beta, is one of the anti-spyware products that will detect this spyware.

If you're unable to rename the infected files using the above method, then use Safe Mode to rename the files. The procedure for renaming the malicious driver in Safe Mode is exactly the same as described above, except that you will boot into the Safe Mode by restarting your computer and pressing F8.

If you prefer to use the command prompt, you can also reboot your computer into Safe Mode with Command Prompt and rename the files there. At the command prompt in Safe Mode, type CD %windir%\system32\drivers. Then type DIR /AH to list only the files that have the hidden attribute set. You may see output that looks something like this:

Directory of C:\WINDOWS\system32\drivers

01/11/2005 09:18 AM 13,824 gbqxmhia.sys
1 File(s) 13,824 bytes
0 Dir(s) 961,425,408 bytes free

Use the Attrib command to remove the system and hidden attributes (ATTRIB -S -H filename), and then use the Ren command to rename the malicious files. Also remember to rename the following files:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot your computer and then scan your system for spyware using your anti-spyware software that has been updated with the latest definition files.
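The verification checklist and the Attrib/Ren cleanup above, combined into one script as an added PowerShell example that is not part of the article (the author did not mention PowerShell; the script assumes it runs on the affected host and that you review the list it prints before letting it rename anything):

```powershell
# Added example (not from the article): flag .sys files in %windir%\system32\drivers
# that match every characteristic listed above, then optionally neutralise them the
# same way the article does (clear System/Hidden, rename with a .bad suffix).
function Find-SuspectDriver {
    param(
        [string]$DriverDir = (Join-Path $env:windir 'system32\drivers'),
        [int]$Size = 13824,                       # 14 KB = 13,824 bytes
        [datetime]$FileDate = [datetime]'2005-01-11'
    )
    # -Force is required: the malicious driver carries the Hidden attribute.
    Get-ChildItem -Path $DriverDir -Filter '*.sys' -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            # eight lowercase letters plus .sys; -cmatch is case-sensitive
            ($_.Name -cmatch '^[a-z]{8}\.sys$') -and
            # hidden attribute set
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            # exact size and the January 11, 2005 file date
            ($_.Length -eq $Size) -and
            ($_.LastWriteTime.Date -eq $FileDate.Date) -and
            # no version, product name or manufacturer in the version resource
            [string]::IsNullOrEmpty($_.VersionInfo.FileVersion) -and
            [string]::IsNullOrEmpty($_.VersionInfo.ProductName) -and
            [string]::IsNullOrEmpty($_.VersionInfo.CompanyName)
        }
}

function Disable-SuspectDriver {
    param([Parameter(ValueFromPipeline = $true)][IO.FileInfo]$File)
    process {
        # Same two steps as the article's Safe Mode command prompt method:
        # ATTRIB -S -H, then rename so the driver can no longer be loaded.
        & attrib.exe -S -H $File.FullName
        Rename-Item -Path $File.FullName -NewName ($File.Name + '.bad')
        # Return a record of what was changed for the incident notes.
        [pscustomobject]@{ Original = $File.FullName; RenamedTo = ($File.Name + '.bad') }
    }
}

# Usage: review the candidates first, then neutralise them and reboot into
# a full scan with up-to-date anti-spyware definitions.
$suspects = Find-SuspectDriver
$suspects | Format-Table Name, Length, LastWriteTime, Attributes -AutoSize
# $suspects | Disable-SuspectDriver
```

Every condition must match before a file is listed, so a legitimate unsigned 14 KB driver with a different name or date is not flagged.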

Microsoft KnowledgeBase article 894278, "The computer may automatically restart, or you may receive a 'serious error' message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000," contains more details on this topic and also includes several stop error messages that you may encounter. Microsoft also lists several anti-spyware products that are supposed to detect this spyware.


Reader Comments:

Thu, Jun 1, 2006 Victoria UK

Thanks! It really works :)
By the way, the NetInfo tool additionally helps me find spammers, trace hackers, and hunt mailers and porno promoters in my net.

Wed, May 17, 2006 Anonymous Denver, CO

Thanks for the step by step. It made it so easy for me to follow and troubleshoot.

Wed, May 17, 2006 Anonymous CA

Your writing style is very easy to follow. This article was helpful in explaining. I've been troubleshooting various trojans off and on and this fixed one of the issues I've been dealing with.

Tue, May 16, 2006 petal UK

could also just be a hardware problem - my latest batch of servers from a well-known manufacturer came with a set of firmware that was prone to spontaneous reboots. Updating firmware to latest revision fixed the problem.

Tue, May 16, 2006 Anonymous Iowa, Usa

Thought the article was well put together. The one thing I would add is using an offline tool such as Bart PE or Winternals NTCommander to access the drive, as many trojans (and spyware) are built to replicate and protect themselves when running under the Windows kernel.

Tue, May 16, 2006 anonymous Germany

The article missed the "HackerDefender" series of trojans. My experience from last week: the hackers used our server as a high-speed anonymous FTP server. I figured it out only because I happened to set quotas on the disks, which then resulted in the system rebooting... Then I scanned the open ports from outside and figured it was not the same as what my netstat was showing. It turned out that they nuked my MSDE (although it did have the latest service packs and the sa password was rather complex), gained control, dumped the users/passwords and installed the FTP folders in the Recycle Bin and System Volume Information folders....
Prologue: Re-installed and set up maximum security.

Mon, May 15, 2006 Anonymous NY, USA

Gave me chills up my spine reading this! When faced with this exact situation I took it as an opportunity to save what data I could and rebuild the server with Server2003 R2. The install was quick and only took one round of updates (27 of them) to bring the server up to date.
They need to find these dweebs that write rootkits and make them support Linux desktops, or something.
