Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The computer may automatically restart, or you may receive a "serious error" message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000


View products that this article applies to.

Summary

This article describes several symptoms that you may experience if the computer is running the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware. To remove the Trojan virus, you must identify the files that cause this problem and then rename the files.

The user-mode (spyware) components Msupd*.exe and Reloadmedude.exe can be cleaned by some antivirus or anti-spyware programs as soon as the hidden driver is renamed. The hidden driver may be named "gbqxhia.sys," "upzvlbvv.sys," "jsbmefvk.sys," or some other random file name that contains only lowercase letters.

Several anti-spyware programs that can detect this virus are listed in the "More Information" section.

↑ Back to the top


Symptoms

You may experience one or more of the following symptoms:
  • The computer automatically restarts.
  • After you log on, you receive the following error message:
    Microsoft Windows

    The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.
    If the error message remains on the screen, click the "click here" link at the bottom of the message box if you want to see the data that the error report contains. If you do this, you see error signature information that may be similar to the following:
    BCCode : 00000050 BCP1 : 0xeb7ff002 BCP2 : 0x00000000 BCP3 : 0x8054af32 BCP4 : 0x00000001 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
  • You receive the following Stop error message:
    A problem has been detected and Windows has been shut down to prevent damage to the computer Technical information: *** STOP: 0x00000050 (0xeb7ff002, 0x00000000, 0x8054af32, 0x00000001) PAGE_FAULT_IN_NONPAGED_AREA nt!ExFreePoolWithTag+237
  • The System log records an event that is similar to the following:

Notes

The symptoms of a Stop error vary according to the failure options of the computer system.For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:

307973 How to configure system failure and recovery options in Windows

The four parameters that are included in the error signature information (BCPn) and inside the parentheses of the technical information for the Stop error may vary according to the computer's configuration.

Not all stop 0x00000050 errors are caused by the problem that is described in the "Cause" section.

↑ Back to the top


Cause

This error message is caused by a kernel driver that is installed by the following known rootkit spyware programs:
  • Msupd5.exe
  • Reloadmedude.exe

↑ Back to the top


Resolution

To resolve this problem, use one or more of the following methods. The methods are listed in the preferred order.

Method 1: Rename the malicious driver by using Internet Explorer

  1. Open Internet Explorer.
  2. In the Address box, type %windir%\system32\drivers, and then press ENTER.
  3. Locate the randomly named .sys file, right-click the file, and then select Rename.
  4. Type malware.old to rename the file, and then press ENTER.
  5. In the Address box, type \WINDOWS\system32, and then press ENTER.
  6. Locate and then rename the following files, if they exist:
    • Msupd5.exe. Rename this file Msupd5.old.
    • Msupd4.exe. Rename this file Msupd4.old.
    • Msupd.exe. Rename this file Msupd.old.
    • Reloadmedude.exe. Rename this file Reloadmedude.old.
  7. Close Internet Explorer.
  8. Restart the computer.
  9. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

Method 2: In Safe Mode, rename the malicious driver by using My Computer

  1. Start the computer in Safe Mode. To do this, follow these steps:
    1. Restart the computer.
    2. As the computer starts, press the F8 key repeatedly (one time per second).This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
    3. Use the UP ARROW and DOWN ARROW keys to highlight Safe Mode, and then press ENTER.
  2. Open Internet Explorer
  3. In the Address box, type %windir%\system32\drivers, and then press ENTER.

  4. Enable the viewing of hidden files. To do this, follow these steps:
    1. Click Start, and then click My Computer.
    2. On the Tools menu, click Folder Options.
    3. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
    4. Under Hidden files and folders, click Show hidden files and folders.
    5. Click to clear the Hide extensions for known file types check box.
    6. In the Folder views area, click Apply to All Folders, and then click OK.

  5. Locate the folder named C:\%windir%\System32\Drivers.
  6. Locate any .sys file that has the following characteristics:
    1. A randomly generated file name that is made up of eight lowercase letters, such as "gbqxmhia.sys," "upzvlbvv.sys," or "jsbmefvk.sys"
    2. A date of January 11, 2005
    3. A size of 14 KB (13,824 bytes)
    4. A hidden attribute that is set

      Note A file that has its hidden attribute set displays an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b of the procedure that is described in the "More information" section.
    5. It has no version, product name, or manufacturer information.
  7. For each file that you locate, right-click the file, and then select Rename.
  8. Type malware1.old to rename the first file, and then press ENTER.

    Note Type malware2.old to rename the second file, type malware3.old to rename the third file, and so on.
  9. Locate the %windir%\System32 folder.
  10. Rename the following files, if they exist:
    • Msupd5.exe. Rename this file msupd5.old.
    • Msupd4.exe. Rename this file Msupd4.old.
    • Msupd.exe. Rename this file Msupd.old.
    • Reloadmedude.exe. Rename this file Reloadmedude.old.
  11. Restart the computer.
  12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

Method 3: In Safe Mode, rename the malicious driver by using the command prompt

  1. Start the computer in Safe Mode. To do this, follow these steps:
    1. Restart the computer.
    2. As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
    3. Use the UP ARROW and the DOWN ARROW keys to select Safe Mode with Command Prompt, and then press ENTER.
  2. Click Start, click Run, type cmd in the Open box, and then click OK.
  3. At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.


  4. Type Dir /ah, and then press ENTER.
  5. You will see text that is similar to the following text. The .sys file name will be randomly generated.
    Directory of C:\WINDOWS\system32\drivers

    01/11/2005 09:18 AM 13,824 gbqxmhia.sys
    1 File(s) 13,824 bytes
    0 Dir(s) 961,425,408 bytes free
  6. Type Attrib –s –h RandomFilename, and then press ENTER. This action removes the system attributes and the hidden attributes from the file.

    Note The placeholder RandomFilename represents the name of the .sys file that is displayed after you perform step 5. For example, for the file name that is specified in the example in step 5, you would type Attrib –s –h gbqxmhia.sys.
  7. Type Ren RandomFilename malware.old, and then press ENTER. This action renames the randomly named file.
  8. Type CD, and then press ENTER. This changes the command line to the %windir%\System32 folder.
  9. Type the following commands one at a time, and then press ENTER after you type each command:
    Ren msupd5.exe msupd5.old

    Ren msupd4.exe msupd4.old

    Ren msupd.exe msupd.old

    Ren reloadmedude.exe reloadmedude.old
    Note If you receive the following error message, you can safely ignore the message, because it indicates that the targeted file does not exist:

    The system cannot find the file specified.
  10. Type Exit, and then press ENTER.
  11. Restart the computer.
  12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

↑ Back to the top


More Information

To verify whether the computer is infected with this spyware, follow these steps:
  1. Start Internet Explorer.
  2. In the Internet Explorer Address box, type %windir%\system32\drivers, and then press ENTER.
  3. Change the way that Windows displays hidden files and protected operating system files. To do this, follow these steps:
    1. On the Tools menu, click Folder Options.
    2. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
    3. Under Hidden files and folders, click Show hidden files and folders.
    4. Click to clear the Hide extensions for known file types check box.
    5. Click to select the Display the contents of system folders check box, and then click OK.

    6. On the View menu, click Details.
  4. Press F5 to update the Drivers folder display.
  5. Locate any system files (files that have a .sys extension in the name) that have their hidden attribute set and are missing details regarding product name, company, and file version.

    Note Files that have their hidden attribute set display an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b.

    To do this, follow these steps.

    Note The spyware file may appear to have a randomly generated file name that is made up of eight lowercase letters.
    1. Change the way that Windows Explorer displays details for the files in the folder. To do this, follow these steps:
      1. On the View menu, click Choose Details.
      2. Click to select the Attributes check box.
      3. Click to select the Product Name check box.
      4. Click to select the Company check box.
      5. Click to select the File Version check box.
    2. Click the Attributes column heading to sort the list of files by attributes. Files in the Drivers folder typically contain only the archive attribute (A). Look for any files that also have the hidden attribute (HA).
      The following list contains example names of spyware files that are known to cause this problem:
      • gbqxmhia.sys
      • upzvlbvv.sys
      • jsbmefvk.sys
      After you locate a file that you suspect is a spyware file, verify the properties of the file by using the Properties dialog box. Right-click the file, click Properties, and then look for the following information:
      • On the General tab:
        • Modified : January 11, 2005
        • Size: 14 KB (13,824 bytes)
        • A check mark in the Hidden check box
      • On the Version tab:
        • No file version
        • No description
        • No copyright
        • No company name
        • No product name
    If a file has the hidden attribute set and is also missing details regarding product name, company, and file version, the computer is infected with the spyware.
  6. Click OK to close the Properties dialog box, and then follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.
  7. In the Internet Explorer Address box, type %windir%\system32, and then press ENTER.
  8. Look for application files (files that have an .exe extension in the name) that have names that are similar to the following:
    • Msupd.exe
    • Msupd*.exe

      Note The placeholder * represents a single-digit number
    • Reloadmedude.exe
    These files will have a random date and a size of 60 KB (61,440 bytes).
    Known names of the spyware files include the following file names:
    • Msupd.exe
    • Msupd4.exe
    • Msupd5.exe
    • Reloadmedude.exe


  9. If one or more of these files exist, the computer is infected with the spyware. Follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.

Security products that detect this spyware

Several security products detect this spyware. Examples of these products and the reported spyware names include the following:
ProductReported spyware name
Microsoft AntiSpywareSpyware.Service.MiscrosoftUpdate (Trojan)
Computer AssociatesWin32/Benuti.61440!Downloader!Dr
Doctor Web DrWebCL Trojan.Medude
F-SecureTrojan.Win32.Agent.aw
Kaspersky Lab AVPDOS32Trojan.Win32.Agent.aw
McAfeeDownloader-va
PandaTrj/Agent.FO and Adware/Apropos
Trend Micro VScanTROJ_LODMEDUD.A
Symantec Trojan.Lodmeduod

↑ Back to the top


References

For more information about the Microsoft AntiSpyware product, click the following article numbers to view the articles in the Microsoft Knowledge Base:

892279 How to obtain Microsoft Windows AntiSpyware (Beta)

892340 Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware threat


For more information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:

49500 List of antivirus software vendors

↑ Back to the top


Keywords: kb, kblangall, kbmustloc, kbsecurity, kbsecantivirus, kbtshoot, kbprb

↑ Back to the top

Article Info
Article ID : 894278
Revision : 4
Created on : 4/17/2018
Published on : 4/17/2018
Exists online : False
Views : 660