
The computer may automatically restart, or you may receive a "serious error" message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000

Article ID:894278
Last Review:February 6, 2007
Revision:3.3

SUMMARY

This article describes several symptoms that you may experience if the computer is running the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware. To remove the Trojan virus, you must identify the files that cause this problem and then rename the files.

The user-mode (spyware) components Msupd*.exe and Reloadmedude.exe can be cleaned by some antivirus or anti-spyware programs as soon as the hidden driver is renamed. The hidden driver may be named "gbqxmhia.sys," "upzvlbvv.sys," "jsbmefvk.sys," or some other random file name that contains only lowercase letters.

Several anti-spyware programs that can detect this virus are listed in the "More Information" section.


SYMPTOMS

You may experience one or more of the following symptoms:
The computer automatically restarts.
After you log on, you receive the following error message:
Microsoft Windows
The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.
If the error message remains on the screen, click the "click here" link at the bottom of the message box if you want to see the data that the error report contains. If you do this, you see error signature information that may be similar to the following:
BCCode : 00000050 BCP1 : 0xeb7ff002 BCP2 : 0x00000000 BCP3 : 0x8054af32 BCP4 : 0x00000001 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
You receive the following Stop error message:
A problem has been detected and Windows has been shut down to prevent damage to the computer
Technical information:
*** STOP: 0x00000050 (0xeb7ff002, 0x00000000, 0x8054af32, 0x00000001)
PAGE_FAULT_IN_NONPAGED_AREA nt!ExFreePoolWithTag+237
The System log records an event that is similar to the following:

Date: date
Source: System Error
Time: time
Category: (102)
Type: Error
Event ID: 1003
User: N/A
Computer: computer
Description: Error code 00000050, parameter1 0xeb7ff002, parameter2 0x00000000, parameter3 0x8054af32, parameter4 0x00000001. For more information, see Help and Support Center at http://support.microsoft.com.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 35    0000005
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 66 66   eters ff
0030: 66 66 66 66 64 31 2c      ffffd1,
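When many machines report Event ID 1003, it helps to pull the bug check code and its four parameters out of the Description field automatically and to decode the hex Data field back into text, rather than reading each record by hand. The following script is an added example and not part of the Knowledge Base article; the event text it parses is a constructed sample modelled on the record quoted above, and the BUGCHECK_NAMES table deliberately lists only the 0x50 code this article discusses. As the "Notes" section says, a 0x50 code is a candidate for this cause, not proof of it, so the triage function reports it as a candidate only.

```python
import re

# Constructed sample, modelled on the Event ID 1003 record quoted in the article.
SAMPLE_DESCRIPTION = (
    "Error code 00000050, parameter1 0xeb7ff002, parameter2 0x00000000, "
    "parameter3 0x8054af32, parameter4 0x00000001. For more information, "
    "see Help and Support Center at http://support.microsoft.com."
)

# The Data field as the event shows it: an offset followed by up to eight hex bytes
# per row. The ASCII column Event Viewer adds is omitted here and rebuilt below.
SAMPLE_DATA_DUMP = """\
0000: 53 79 73 74 65 6d 20 45
0008: 72 72 6f 72 20 20 45 72
0010: 72 6f 72 20 63 6f 64 65
0018: 20 30 30 30 30 30 30 35
0020: 30 20 20 50 61 72 61 6d
0028: 65 74 65 72 73 20 66 66
0030: 66 66 66 66 64 31 2c"""

# Only the bug check this article discusses is named here (assumption: extend as needed).
BUGCHECK_NAMES = {0x50: "PAGE_FAULT_IN_NONPAGED_AREA"}


def parse_bugcheck(description):
    """Extract (code, [param1..param4]) from an Event ID 1003 description string."""
    m = re.search(r"Error code ([0-9a-fA-F]{8})", description)
    if m is None:
        raise ValueError("description carries no 'Error code' field")
    code = int(m.group(1), 16)
    params = [int(p, 16) for p in
              re.findall(r"parameter[1-4] (0x[0-9a-fA-F]{1,8})", description)]
    if len(params) != 4:
        raise ValueError(f"expected 4 parameters, found {len(params)}")
    return code, params


def decode_data_dump(dump):
    """Rebuild the ASCII text encoded by the event's Data hex rows."""
    raw = bytearray()
    for line in dump.splitlines():
        _offset, sep, hexpart = line.partition(":")
        if not sep:
            continue  # skip anything that is not an 'offset: bytes' row
        raw.extend(int(tok, 16) for tok in hexpart.split())
    return raw.decode("ascii", errors="replace")


def triage(description):
    """Summarise the record: code name and whether it is the stop 0x50 this article covers.

    A 0x50 code on its own only makes the record a candidate for the cause the
    article describes; other problems produce the same code.
    """
    code, params = parse_bugcheck(description)
    return {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "unknown"),
        "params": params,
        "candidate_for_article_cause": code == 0x50,
    }


if __name__ == "__main__":
    info = triage(SAMPLE_DESCRIPTION)
    print(f"Stop 0x{info['code']:08x} ({info['name']}): "
          + ", ".join(f"0x{p:08x}" for p in info["params"]))
    print("Data field decodes to:", decode_data_dump(SAMPLE_DATA_DUMP))
```

Decoding the Data bytes is worth doing because the ASCII column in an exported event is easy to mangle in copy-and-paste; the hex is the authoritative record, and rebuilding the text from it shows exactly what the kernel wrote.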


Notes

The symptoms of a Stop error vary according to the failure options of the computer system. For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:
307973 (http://support.microsoft.com/kb/307973/) How to configure system failure and recovery options in Windows
The four parameters that are included in the error signature information (BCPn) and inside the parentheses of the technical information for the Stop error may vary according to the computer's configuration.

Not all stop 0x00000050 errors are caused by the problem that is described in the "Cause" section.


CAUSE

This error message is caused by a kernel driver that is installed by the following known rootkit spyware programs:
Msupd5.exe
Reloadmedude.exe


RESOLUTION

To resolve this problem, use one or more of the following methods. The methods are listed in the preferred order.


Method 1: Rename the malicious driver by using Internet Explorer

1. Open Internet Explorer.
2. In the Address box, type %windir%\system32\drivers, and then press ENTER.
3. Locate the randomly named .sys file, right-click the file, and then select Rename.
4. Type malware.old to rename the file, and then press ENTER.
5. In the Address box, type \WINDOWS\system32, and then press ENTER.
6. Locate and then rename the following files, if they exist:
Msupd5.exe. Rename this file Msupd5.old.
Msupd4.exe. Rename this file Msupd4.old.
Msupd.exe. Rename this file Msupd.old.
Reloadmedude.exe. Rename this file Reloadmedude.old.
7. Close Internet Explorer.
8. Restart the computer.
9. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.


Method 2: In Safe Mode, rename the malicious driver by using My Computer

1. Start the computer in Safe Mode. To do this, follow these steps:
a. Restart the computer.
b. As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
c. Use the UP ARROW and DOWN ARROW keys to highlight Safe Mode, and then press ENTER.
2. Open Internet Explorer.
3. In the Address box, type %windir%\system32\drivers, and then press ENTER.
4. Enable the viewing of hidden files. To do this, follow these steps:
a. Click Start, and then click My Computer.
b. On the Tools menu, click Folder Options.
c. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
d. Under Hidden files and folders, click Show hidden files and folders.
e. Click to clear the Hide extensions for known file types check box.
f. In the Folder views area, click Apply to All Folders, and then click OK.
5. Locate the folder named %windir%\System32\Drivers.
6. Locate any .sys file that has the following characteristics:
a. A randomly generated file name that is made up of eight lowercase letters, such as "gbqxmhia.sys," "upzvlbvv.sys," or "jsbmefvk.sys"
b. A date of January 11, 2005
c. A size of 14 KB (13,824 bytes)
d. A hidden attribute that is set

Note A file that has its hidden attribute set displays an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b of the procedure that is described in the "More information" section.
e. It has no version, product name, or manufacturer information.
7. For each file that you locate, right-click the file, and then select Rename.
8. Type malware1.old to rename the first file, and then press ENTER.

Note Type malware2.old to rename the second file, type malware3.old to rename the third file, and so on.
9. Locate the %windir%\System32 folder.
10. Rename the following files, if they exist:
Msupd5.exe. Rename this file msupd5.old.
Msupd4.exe. Rename this file Msupd4.old.
Msupd.exe. Rename this file Msupd.old.
Reloadmedude.exe. Rename this file Reloadmedude.old.
11. Restart the computer.
12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.


Method 3: In Safe Mode, rename the malicious driver by using the command prompt

1. Start the computer in Safe Mode. To do this, follow these steps:
a. Restart the computer.
b. As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
c. Use the UP ARROW and the DOWN ARROW keys to select Safe Mode with Command Prompt, and then press ENTER.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.
4. Type Dir /ah, and then press ENTER.
5. You will see text that is similar to the following text. The .sys file name will be randomly generated.
Directory of C:\WINDOWS\system32\drivers

01/11/2005  09:18 AM               13,824 gbqxmhia.sys
               1 File(s)            13,824 bytes
               0 Dir(s)     961,425,408 bytes free
6. Type Attrib -s -h RandomFilename, and then press ENTER. This action removes the system attribute and the hidden attribute from the file.

Note The placeholder RandomFilename represents the name of the .sys file that is displayed after you perform step 5. For example, for the file name that is specified in the example in step 5, you would type Attrib -s -h gbqxmhia.sys.
7. Type Ren RandomFilename malware.old, and then press ENTER. This action renames the randomly named file.
8. Type CD .., and then press ENTER. This changes the current directory to the parent %windir%\System32 folder.
9. Type the following commands one at a time, and then press ENTER after you type each command:
Ren msupd5.exe msupd5.old
Ren msupd4.exe msupd4.old
Ren msupd.exe msupd.old
Ren reloadmedude.exe reloadmedude.old
Note If you receive the following error message, you can safely ignore the message, because it indicates that the targeted file does not exist:
The system cannot find the file specified.
10. Type Exit, and then press ENTER.
11. Restart the computer.
12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.


MORE INFORMATION

To verify whether the computer is infected with this spyware, follow these steps:
1. Start Internet Explorer.
2. In the Internet Explorer Address box, type %windir%\system32\drivers, and then press ENTER.
3. Change the way that Windows displays hidden files and protected operating system files. To do this, follow these steps:
a. On the Tools menu, click Folder Options.
b. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
c. Under Hidden files and folders, click Show hidden files and folders.
d. Click to clear the Hide extensions for known file types check box.
e. Click to select the Display the contents of system folders check box, and then click OK.
f. On the View menu, click Details.
4. Press F5 to update the Drivers folder display.
5. Locate any system files (files that have a .sys extension in the name) that have their hidden attribute set and are missing details regarding product name, company, and file version.

Note Files that have their hidden attribute set display an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b.

To do this, follow these steps.

Note The spyware file may appear to have a randomly generated file name that is made up of eight lowercase letters.
a. Change the way that Windows Explorer displays details for the files in the folder. To do this, follow these steps:
1.On the View menu, click Choose Details.
2. Click to select the Attributes check box.
3. Click to select the Product Name check box.
4. Click to select the Company check box.
5. Click to select the File Version check box.
b. Click the Attributes column heading to sort the list of files by attributes. Files in the Drivers folder typically contain only the archive attribute (A). Look for any files that also have the hidden attribute (HA).
The following list contains example names of spyware files that are known to cause this problem:
gbqxmhia.sys
upzvlbvv.sys
jsbmefvk.sys
After you locate a file that you suspect is a spyware file, verify the properties of the file by using the Properties dialog box. Right-click the file, click Properties, and then look for the following information:
On the General tab:
Modified : January 11, 2005
Size: 14 KB (13,824 bytes)
A check mark in the Hidden check box
On the Version tab:
No file version
No description
No copyright
No company name
No product name
If a file has the hidden attribute set and is also missing details regarding product name, company, and file version, the computer is infected with the spyware.
6. Click OK to close the Properties dialog box, and then follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.
7. In the Internet Explorer Address box, type %windir%\system32, and then press ENTER.
8. Look for application files (files that have an .exe extension in the name) that have names that are similar to the following:
Msupd.exe
Msupd*.exe

Note The placeholder * represents a single-digit number.
Reloadmedude.exe
These files will have a random date and a size of 60 KB (61,440 bytes).
Known names of the spyware files include the following file names:
Msupd.exe
Msupd4.exe
Msupd5.exe
Reloadmedude.exe
9. If one or more of these files exist, the computer is infected with the spyware. Follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.
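The file checks in Method 2 (step 6), Method 3 (steps 4 to 9) and the verification steps above all apply the same indicators: an eight-lowercase-letter .sys name, the hidden attribute, no version or company details, 13,824 bytes, and a January 11, 2005 date. The script below is an added example, not part of the Knowledge Base article, that encodes those indicators so they can be applied to a folder's metadata consistently and that emits the Attrib and Ren commands from Method 3 for each file that fails the decisive test (hidden and missing version details). The file records and the dir /ah listing it runs on are constructed samples modelled on the article's examples; the ntfs.sys size and date are made up for illustration, and abcdefgh.sys is there to show that a random-looking name by itself does not flag a file.

```python
import re
from dataclasses import dataclass


@dataclass
class DriverFile:
    """Metadata for one file in %windir%\\system32\\drivers (constructed records)."""
    name: str
    size: int               # bytes
    modified: str           # MM/DD/YYYY, as dir displays it
    hidden: bool            # the H attribute is set
    has_version_info: bool  # file version / company / product name present


# Constructed sample modelled on the article's examples (ntfs.sys values are made up).
SAMPLE_FILES = [
    DriverFile("gbqxmhia.sys", 13824, "01/11/2005", True, False),
    DriverFile("ntfs.sys", 574976, "08/04/2004", False, True),
    DriverFile("abcdefgh.sys", 13824, "01/11/2005", False, True),
    DriverFile("upzvlbvv.sys", 13824, "01/11/2005", True, False),
]

# Constructed 'dir /ah' output in the shape the article shows in Method 3, step 5.
SAMPLE_DIR_AH = """\
 Directory of C:\\WINDOWS\\system32\\drivers

01/11/2005  09:18 AM               13,824 gbqxmhia.sys
               1 File(s)            13,824 bytes
               0 Dir(s)     961,425,408 bytes free"""

RANDOM_NAME = re.compile(r"^[a-z]{8}\.sys$")
DIR_ROW = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)\s*$")


def indicators(f):
    """List which of the article's indicators a file matches, for the analyst's notes."""
    hits = []
    if RANDOM_NAME.match(f.name):
        hits.append("eight-lowercase-letter name")
    if f.hidden:
        hits.append("hidden attribute set")
    if not f.has_version_info:
        hits.append("no version/company/product info")
    if f.size == 13824:
        hits.append("13,824 bytes")
    if f.modified == "01/11/2005":
        hits.append("modified 01/11/2005")
    return hits


def suspect_drivers(files):
    """Apply the article's decisive test: hidden attribute AND missing version details."""
    return [f for f in files if f.hidden and not f.has_version_info]


def parse_dir_ah(listing):
    """Turn 'dir /ah' output into (date, size_in_bytes, name) rows, skipping summary lines."""
    rows = []
    for line in listing.splitlines():
        m = DIR_ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3)))
    return rows


def rename_commands(suspects):
    """The cmd.exe commands from Method 3 for each suspect: clear S and H, then rename to malwareN.old."""
    cmds = []
    for n, f in enumerate(suspects, start=1):
        cmds.append(f"attrib -s -h {f.name}")
        cmds.append(f"ren {f.name} malware{n}.old")
    return cmds


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{f.name:16} {', '.join(indicators(f)) or 'no indicators'}")
    found = suspect_drivers(SAMPLE_FILES)
    print("\nSuspects:", [f.name for f in found])
    print("\nCommands to run in Safe Mode with Command Prompt:")
    print("\n".join(rename_commands(found)))
    print("\nRows parsed from dir /ah:", parse_dir_ah(SAMPLE_DIR_AH))
```

The size and date indicators are kept separate from the decisive test on purpose: the article treats them as supporting detail, and a later build of the same component could change both while the hidden attribute and missing version information are what make the file stand out in the Drivers folder.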


Security products that detect this spyware

Several security products detect this spyware. Examples of these products and the reported spyware names include the following:
Product                      Reported spyware name
Microsoft AntiSpyware        Spyware.Service.MiscrosoftUpdate (Trojan)
Computer Associates          Win32/Benuti.61440!Downloader!Dr
Doctor Web DrWebCL           Trojan.Medude
F-Secure                     Trojan.Win32.Agent.aw
Kaspersky Lab AVPDOS32       Trojan.Win32.Agent.aw
McAfee                       Downloader-va
Panda                        Trj/Agent.FO and Adware/Apropos
Trend Micro VScan            TROJ_LODMEDUD.A
Symantec                     Trojan.Lodmeduod


REFERENCES

For more information about the Microsoft AntiSpyware product, click the following article numbers to view the articles in the Microsoft Knowledge Base:
892279 (http://support.microsoft.com/kb/892279/) How to obtain Microsoft Windows AntiSpyware (Beta)
892340 (http://support.microsoft.com/kb/892340/) Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware threat

For more information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:
49500 (http://support.microsoft.com/kb/49500/) List of antivirus software vendors



APPLIES TO
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Tablet PC Edition 2005
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional 64-Bit Edition (Itanium)
Microsoft Windows XP for Itanium-based Systems Version 2003
Microsoft Windows XP Media Center Edition 2004
Microsoft Windows XP Media Center Edition 2005
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server


Keywords: 
kbtshoot kbsecurity kbprb kbsecantivirus KB894278
