Windows Advisor

What's That Trojan Doing on My Server?

The root cause of some inexplicable reboots or other strange events on your systems might be a rootkit.

If you have ever seen a Windows Server 2003, Windows 2000 or Windows XP computer reboot on its own, display a "serious error" message, or crash with a blue screen of death, it may be infected with the Spyware.Service.MiscrosoftUpdate Trojan, which installs a kernel-mode rootkit driver.

Discovering a Trojan on a production server can be a frightening experience for any network administrator. To remove it, you first need to identify the files responsible. Once you have identified them, you can rename or delete the files so they can no longer load. Renaming is preferable to deleting: it keeps a copy for later analysis and is easy to reverse if you have picked the wrong file.


The root cause of all these problems is typically a kernel driver installed by a couple of known spyware droppers, msupd5.exe and reloadmedude.exe. To resolve the problem, you need to rename the kernel driver (and the droppers) using one of the following methods: rename it in Windows Explorer while logged on normally, or rename it in Safe Mode, using either Windows Explorer or the command prompt. Safe Mode is the fallback because a kernel-mode rootkit that is running can hide or protect its own files; if it does not load in Safe Mode, they become ordinary hidden files that you can rename.

The first step is to confirm that your system is actually infected. If it is, you need to figure out which files are the culprits, and then decide which method to use to rename the malicious driver. The process sounds more complicated than it is; the hard part is identifying the exact files. Let's walk through the whole cleanup in order.

To prepare, start Windows Explorer and make sure hidden files and protected operating system files are visible: open Tools, Folder Options, select the View tab, choose "Show hidden files and folders" and clear "Hide protected operating system files" (see Figure 1). Also clear "Hide extensions for known file types," because you will be searching for files with a specific extension.

Figure 1. Showing hidden files and folders.

Verifying Spyware Infection
To verify that your computer is infected, start Windows Explorer and go to the %windir%\system32\drivers folder (typically C:\WINDOWS\system32\drivers). Look for files with the .sys extension that have all of the following characteristics:

  • A randomly generated file name of eight lowercase letters. Examples of names seen on infected systems:

    gbqxmhia.sys
    upzvlbvv.sys
    jsbmefvk.sys

  • A modified date of January 11, 2005.
  • No version, product name or company name in the file's properties (the Version tab is empty or missing).
  • A size of 14 KB (13,824 bytes).
  • The hidden attribute set.

If you find files that meet the above criteria, you probably have an infected system. Legitimate drivers in this folder almost always carry version information and a company name, so a meaningless eight-letter name with none is the strongest indicator; the size and date are the weakest, since a later variant could change them.

Cleaning Your Infected Computer
To clean the computer, first try to rename the malicious driver files in Windows Explorer by appending an extension such as ".bad" to the name. Also rename any of the following dropper executables, if they exist on your computer:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot, then scan the system with anti-spyware software that has been updated with the latest definition files. Microsoft Windows Defender, still in beta at the time of writing, is one of the anti-spyware products that detects this spyware.

If you are unable to rename the files this way, use Safe Mode. The procedure is the same as above, except that you boot into Safe Mode by restarting the computer, pressing F8 during startup and choosing Safe Mode from the boot menu.

If you prefer the command prompt, boot into Safe Mode with Command Prompt instead. At the prompt, type CD %windir%\system32\drivers, then DIR /AH to list the files that have the hidden attribute set. The output will look something like this:

  Directory of C:\WINDOWS\system32\drivers

  01/11/2005  09:18 AM            13,824 gbqxmhia.sys
                 1 File(s)         13,824 bytes
                 0 Dir(s)     961,425,408 bytes free

Use the ATTRIB command to remove the system and hidden attributes, then use REN to rename the malicious file; for the example above, that is ATTRIB -S -H gbqxmhia.sys followed by REN gbqxmhia.sys gbqxmhia.sys.bad. Also remember to rename the following files:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot, then scan the system with anti-spyware software that has been updated with the latest definition files, as above.
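The check-then-rename procedure above, both the verification criteria and the Safe Mode command-prompt cleanup, as one PowerShell script. This is an added example, not code from the original article or from Microsoft KB 894278. It assumes PowerShell 3.0 or later (for Get-ChildItem -File), an elevated prompt or a Safe Mode with Command Prompt session in which you have started powershell.exe, and it takes the driver folder, the indicator values and the dropper file names from the article without verifying them independently. The script name Find-SuspectDriver.ps1 and the -Rename switch are assumptions of this example.

```powershell
<#
  Added example (not from the original article or from Microsoft KB 894278):
  a PowerShell version of the article's check-then-rename procedure.
  Assumptions: PowerShell 3.0+ (for Get-ChildItem -File); run elevated, or
  from Safe Mode with Command Prompt after starting powershell.exe there.
  The driver folder, indicator values and dropper names are the article's
  and are not verified here. Without -Rename the script only reports; with
  -Rename it clears the System/Hidden attributes (ATTRIB -S -H) and appends
  .bad to the name (REN), exactly as the article does by hand.
#>
param(
    [string]$DriverDir  = (Join-Path $env:windir 'system32\drivers'),
    [string]$SearchRoot = $env:windir,   # tree searched for the dropper .exe files
    [switch]$Rename
)

# Indicators the article lists for the malicious driver.
$NamePattern  = '^[a-z]{8}\.sys$'             # eight random lowercase letters
$ExpectedSize = 13824                         # 14 KB
$ExpectedDate = (Get-Date '2005-01-11').Date
$DropperNames = 'msupd.exe', 'msupd4.exe', 'msupd5.exe', 'reloadmedude.exe'

function Test-SuspectDriver {
    param([System.IO.FileInfo]$File)
    # VersionInfo is the FileVersionInfo property PowerShell adds to FileInfo;
    # a driver with no version resource has empty FileVersion/ProductName/CompanyName.
    $vi = $File.VersionInfo
    return ($File.Name -cmatch $NamePattern) -and
           ($File.Length -eq $ExpectedSize) -and
           ($File.LastWriteTime.Date -eq $ExpectedDate) -and
           (($File.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden) -and
           [string]::IsNullOrEmpty($vi.FileVersion) -and
           [string]::IsNullOrEmpty($vi.ProductName) -and
           [string]::IsNullOrEmpty($vi.CompanyName)
}

# -Force is required, or hidden and system files are silently left out:
# the same reason the article has you unhide them in Explorer first.
$hits = @(
    Get-ChildItem -LiteralPath $DriverDir -Filter '*.sys' -File -Force |
        Where-Object { Test-SuspectDriver $_ }
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $DropperNames -contains $_.Name.ToLowerInvariant() }
)

if ($hits.Count -eq 0) {
    Write-Output "No files matching the article's indicators under $DriverDir or $SearchRoot."
    return
}

foreach ($f in $hits) {
    Write-Output ('{0}  {1} bytes  {2:yyyy-MM-dd}  {3}' -f $f.FullName, $f.Length, $f.LastWriteTime, $f.Attributes)
    if (-not $Rename) { continue }
    try {
        # Same two steps as the article's command-prompt method.
        attrib -S -H $f.FullName
        Rename-Item -LiteralPath $f.FullName -NewName ($f.Name + '.bad') -ErrorAction Stop
        Write-Output "  renamed to $($f.Name).bad"
    } catch {
        # A sharing violation here means the file is in use by the running
        # system; reboot into Safe Mode with Command Prompt and run again.
        Write-Warning "Could not rename $($f.FullName): $($_.Exception.Message)"
    }
}
```

Run it once without -Rename to see what would be touched, then with -Rename once you are satisfied the hits are not legitimate drivers. Do the run that you intend to trust from Safe Mode with Command Prompt rather than from a normally booted system: a running kernel-mode rootkit can hide its own files from Get-ChildItem just as it can from Explorer and DIR, so an empty report from a normal boot is not proof of a clean machine.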

Microsoft Knowledge Base article 894278, "The computer may automatically restart, or you may receive a 'serious error' message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000," contains more details on this topic, including several Stop error messages you may encounter, and lists several anti-spyware products that detect this spyware.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience spans a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].
