Microsoft KB Archive/894278

= The computer may automatically restart, or you may receive a &quot;serious error&quot; message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000 =

Article ID: 894278

Article Last Modified on 2/6/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Tablet PC Edition 2005
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows XP for Itanium-based Systems Version 2003
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Media Center Edition 2004
 * Microsoft Windows XP Media Center Edition 2005
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server

-



SUMMARY
''This article describes several symptoms that you may experience if the computer is running the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware. To remove the Trojan virus, you must identify the files that cause this problem and then rename the files.

The user-mode (spyware) components Msupd*.exe and Reloadmedude.exe can be cleaned by some antivirus or anti-spyware programs as soon as the hidden driver is renamed. The hidden driver may be named &quot;gbqxhia.sys,&quot; &quot;upzvlbvv.sys,&quot; &quot;jsbmefvk.sys,&quot; or some other random file name that contains only lowercase letters.

Several anti-spyware programs that can detect this virus are listed in the &quot;More Information&quot; section.''



SYMPTOMS
You may experience one or more of the following symptoms:  The computer automatically restarts. After you log on, you receive the following error message:

Microsoft Windows

The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.

If the error message remains on the screen, click the &quot;click here&quot; link at the bottom of the message box if you want to see the data that the error report contains. If you do this, you see error signature information that may be similar to the following:

BCCode : 00000050 BCP1 : 0xeb7ff002 BCP2 : 0x00000000 BCP3 : 0x8054af32 BCP4 : 0x00000001 OSVer : 5_1_2600 SP : 0_0 Product : 256_1

 You receive the following Stop error message:

A problem has been detected and Windows has been shut down to prevent damage to the computer Technical information: *** STOP: 0x00000050 (0xeb7ff002, 0x00000000, 0x8054af32, 0x00000001) PAGE_FAULT_IN_NONPAGED_AREA nt!ExFreePoolWithTag+237

  The System log records an event that is similar to the following: Date:

Source: System Error

Time:

Category: (102)

Type: Error

Event ID: 1003

User: N/A

Computer:

Description: Error code 00000050, parameter1 0xeb7ff002, parameter2 0x00000000, parameter3 0x8054af32, parameter4 0x00000001. For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 00000MN 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c 

CAUSE
This error message is caused by a kernel driver that is installed by the following known rootkit spyware programs:
 * Msupd5.exe
 * Reloadmedude.exe



RESOLUTION
To resolve this problem, use one or more of the following methods. The methods are listed in the preferred order.

Method 1: Rename the malicious driver by using Internet Explorer

 * 1) Open Internet Explorer.
 * 2) In the Address box, type %windir%\system32\drivers, and then press ENTER.
 * 3) Locate the randomly named .sys file, right-click the file, and then select Rename.
 * 4) Type malware.old to rename the file, and then press ENTER.
 * 5) In the Address box, type \WINDOWS\system32, and then press ENTER.
 * 6) Locate and then rename the following files, if they exist:
 * 7) * Msupd5.exe. Rename this file Msupd5.old.
 * 8) * Msupd4.exe. Rename this file Msupd4.old.
 * 9) * Msupd.exe. Rename this file Msupd.old.
 * 10) * Reloadmedude.exe. Rename this file Reloadmedude.old.
 * 11) Close Internet Explorer.
 * 12) Restart the computer.
 * 13) Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

Method 2: In Safe Mode, rename the malicious driver by using My Computer
 Start the computer in Safe Mode. To do this, follow these steps:  Restart the computer.</li> As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.</li> Use the UP ARROW and DOWN ARROW keys to highlight Safe Mode, and then press ENTER.</li></ol> </li> Open Internet Explorer</li> In the Address box, type %windir%\system32\drivers, and then press ENTER.</li> Enable the viewing of hidden files. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, and then click My Computer.</li> On the Tools menu, click Folder Options.</li> On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.</li> Under Hidden files and folders, click Show hidden files and folders.</li> Click to clear the Hide extensions for known file types check box.</li> In the Folder views area, click Apply to All Folders, and then click OK.</li></ol> </li> Locate the folder named C:\%windir%\System32\Drivers.</li> Locate any .sys file that has the following characteristics: <ol style="list-style-type: lower-alpha;"> A randomly generated file name that is made up of eight lowercase letters, such as &quot;gbqxmhia.sys,&quot; &quot;upzvlbvv.sys,&quot; or &quot;jsbmefvk.sys&quot;</li> A date of January 11, 2005</li> <li>A size of 14 KB (13,824 bytes)</li> <li>A hidden attribute that is set

Note A file that has its hidden attribute set displays an &quot;HA&quot; in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b of the procedure that is described in the &quot;More information&quot; section.</li> <li>It has no version, product name, or manufacturer information.</li></ol> </li> <li>For each file that you locate, right-click the file, and then select Rename.</li> <li>Type malware1.old to rename the first file, and then press ENTER.

Note Type malware2.old to rename the second file, type malware3.old to rename the third file, and so on.</li> <li>Locate the %windir%\System32 folder.</li> <li>Rename the following files, if they exist: <ul> <li>Msupd5.exe. Rename this file msupd5.old.</li> <li>Msupd4.exe. Rename this file Msupd4.old.</li> <li>Msupd.exe. Rename this file Msupd.old.</li> <li>Reloadmedude.exe. Rename this file Reloadmedude.old.</li></ul> </li> <li>Restart the computer.</li> <li>Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.</li></ol>

Method 3: In Safe Mode, rename the malicious driver by using the command prompt
<ol> <li>Start the computer in Safe Mode. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Restart the computer.</li> <li>As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.</li> <li>Use the UP ARROW and the DOWN ARROW keys to select Safe Mode with Command Prompt, and then press ENTER.</li></ol> </li> <li>Click Start, click Run, type cmd in the Open box, and then click OK.</li> <li>At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.</li> <li>Type Dir /ah, and then press ENTER.</li> <li> You will see text that is similar to the following text. The .sys file name will be randomly generated.

Directory of C:\WINDOWS\system32\drivers

01/11/2005 09:18 AM               13,824 gbqxmhia.sys 1 File(s)           13,824 bytes 0 Dir(s)    961,425,408 bytes free </li> <li>Type Attrib –s –h, and then press ENTER. This action removes the system attributes and the hidden attributes from the file.

Note The placeholder  represents the name of the .sys file that is displayed after you perform step 5. For example, for the file name that is specified in the example in step 5, you would type Attrib –s –h gbqxmhia.sys .</li> <li>Type Ren  malware.old, and then press ENTER. This action renames the randomly named file.</li> <li>Type CD, and then press ENTER. This changes the command line to the %windir%\System32 folder.</li> <li>Type the following commands one at a time, and then press ENTER after you type each command:

Ren msupd5.exe msupd5.old

Ren msupd4.exe msupd4.old

Ren msupd.exe msupd.old

Ren reloadmedude.exe reloadmedude.old

Note If you receive the following error message, you can safely ignore the message, because it indicates that the targeted file does not exist:

The system cannot find the file specified.

</li> <li>Type Exit, and then press ENTER.</li> <li>Restart the computer.</li> <li>Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
To verify whether the computer is infected with this spyware, follow these steps: <ol> <li>Start Internet Explorer.</li> <li>In the Internet Explorer Address box, type %windir%\system32\drivers, and then press ENTER.</li> <li>Change the way that Windows displays hidden files and protected operating system files. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>On the Tools menu, click Folder Options.</li> <li>On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.</li> <li>Under Hidden files and folders, click Show hidden files and folders.</li> <li>Click to clear the Hide extensions for known file types check box.</li> <li>Click to select the Display the contents of system folders check box, and then click OK.</li> <li>On the View menu, click Details.</li></ol> </li> <li>Press F5 to update the Drivers folder display.</li> <li>Locate any system files (files that have a .sys extension in the name) that have their hidden attribute set and are missing details regarding product name, company, and file version.

Note Files that have their hidden attribute set display an &quot;HA&quot; in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b.

To do this, follow these steps.

Note The spyware file may appear to have a randomly generated file name that is made up of eight lowercase letters. <ol style="list-style-type: lower-alpha;"> <li>Change the way that Windows Explorer displays details for the files in the folder. To do this, follow these steps: <ol> <li>On the View menu, click Choose Details.</li> <li>Click to select the Attributes check box.</li> <li>Click to select the Product Name check box.</li> <li>Click to select the Company check box.</li> <li>Click to select the File Version check box.</li></ol> </li> <li>Click the Attributes column heading to sort the list of files by attributes. Files in the Drivers folder typically contain only the archive attribute (A). Look for any files that also have the hidden attribute (HA).

The following list contains example names of spyware files that are known to cause this problem: <ul> <li>gbqxmhia.sys</li> <li>upzvlbvv.sys</li> <li>jsbmefvk.sys</li></ul>

After you locate a file that you suspect is a spyware file, verify the properties of the file by using the Properties dialog box. Right-click the file, click Properties, and then look for the following information: <ul> <li>On the General tab: <ul> <li>Modified : January 11, 2005</li> <li>Size: 14 KB (13,824 bytes)</li> <li>A check mark in the Hidden check box</li></ul> </li> <li>On the Version tab: <ul> <li>No file version</li> <li>No description</li> <li>No copyright</li> <li>No company name</li> <li>No product name</li></ul> </li></ul> </li></ol>

If a file has the hidden attribute set and is also missing details regarding product name, company, and file version, the computer is infected with the spyware.</li> <li>Click OK to close the Properties dialog box, and then follow the steps of one of the methods that are described in the &quot;Resolution&quot; section to resolve the problem.</li> <li>In the Internet Explorer Address box, type %windir%\system32, and then press ENTER.</li> <li>Look for application files (files that have an .exe extension in the name) that have names that are similar to the following: <ul> <li>Msupd.exe</li> <li>Msupd .exe

Note The placeholder  represents a single-digit number</li> <li>Reloadmedude.exe</li></ul>

These files will have a random date and a size of 60 KB (61,440 bytes).

Known names of the spyware files include the following file names: <ul> <li>Msupd.exe</li> <li>Msupd4.exe</li> <li>Msupd5.exe</li> <li>Reloadmedude.exe</li></ul> </li> <li>If one or more of these files exist, the computer is infected with the spyware. Follow the steps of one of the methods that are described in the &quot;Resolution&quot; section to resolve the problem.</li></ol>

Security products that detect this spyware
Several security products detect this spyware. Examples of these products and the reported spyware names include the following:

<div class="references_section">