CertCities.com -- The Ultimate Site for Certified IT Professionals
Feature Story (Friday, April 4, 2014)

What's That Trojan Doing on My Server?
The root cause of some inexplicable reboots or other strange events on your systems might be a rootkit.


by Zubair Alexander - courtesy of MCPmag.com

5/17/2006 -- If you have ever seen a Windows Server 2003, Windows 2000, or Windows XP computer reboot automatically, or if you have received a "serious error" message or a blue screen of death, the computer may be infected with the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware.

Discovering a Trojan on a production server can be a frightening experience for any network administrator. To remove the Trojan, you need to identify the files that are causing the problem. Once you've identified them, you can rename or delete those files so they are rendered useless.

The root cause of all these problems is typically a kernel driver installed by a couple of known rootkit spyware programs: msupd5.exe and reloadmedude.exe. To resolve the problem, you need to rename the kernel driver using one of the following methods. You can rename it in Windows Explorer while logged on to the computer normally, or rename it in Safe Mode. In Safe Mode, you can use either Windows Explorer or the command prompt.

The first step in the process is to confirm that your system is actually infected. If it is, you need to figure out which system files are the culprits. Once you know which files you're dealing with, you need to decide which method to use to rename the malicious driver. The process may seem more complicated than it actually is; the difficult part is identifying the exact files that are infected. Let's look at the entire process of cleaning such a virus in a systematic order.

To prepare your computer, start Windows Explorer and make sure that hidden files and protected operating system files are visible. This is set on the View tab under Tools, Folder Options (see Figure 1). Remember to unhide file extensions as well, because you will be searching for files with a specific extension.

[Figure 1. Showing hidden files and folders.]

Verifying Spyware Infection
To verify that your computer is infected with the spyware, start Windows Explorer and go to the %windir%\system32\drivers folder (typically C:\WINDOWS\system32\drivers). Locate any files with the .sys extension that have the following characteristics:

  • A randomly generated file name that consists of eight lowercase letters. Some examples of files that have been found to contain spyware include:

    gbqxmhia.sys
    upzvlbvv.sys
    jsbmefvk.sys

  • A file with a date of January 11, 2005.
  • A file that doesn't have a version, product name, or name of the manufacturer listed.
  • A file with the size of 14 KB (13,824 bytes).
  • A file that has its hidden attribute set.

If you find files that meet the above criteria, you may have an infected system.

Cleaning Your Infected Computer
To clean your spyware-infected computer, first try to rename the infected system files in Windows Explorer. Simply rename the files by adding an extension, such as ".bad" to these files. In addition, also rename any of the following files if they exist on your computer:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot your computer and then scan the system for spyware using anti-spyware software that has been updated with the latest definition files. Microsoft Windows Defender, which is still in beta, is one of the anti-spyware products that will detect this spyware.

If you're unable to rename the infected files using the above method, use Safe Mode to rename them. The procedure for renaming the malicious driver in Safe Mode is exactly the same as described above, except that you boot into Safe Mode by restarting the computer and pressing F8.

If you prefer the command prompt, you can instead reboot the computer into Safe Mode with Command Prompt and rename the files there. At the command prompt in Safe Mode, type CD %windir%\system32\drivers. Then type DIR /AH to list files that have the hidden attribute set. You may see output that looks something like this:

Directory of C:\WINDOWS\system32\drivers

01/11/2005 09:18 AM 13,824 gbqxmhia.sys
1 File(s) 13,824 bytes
0 Dir(s) 961,425,408 bytes free

Use the Attrib command to remove the system and hidden attributes, and then use the Ren command to rename the malicious files. Also remember to rename the following files:

  • Msupd.exe
  • Msupd4.exe
  • Msupd5.exe
  • Reloadmedude.exe

Reboot your computer and then scan the system for spyware using anti-spyware software that has been updated with the latest definition files.
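The verification criteria and the rename step above can be combined into one triage pass. The following is an added example, not code from the article or from Microsoft; it assumes PowerShell 2.0 or later in an elevated session, scores every .sys file in the driver folder against the five indicators, and only stages a rename (with -WhatIf) for files that match all of them.

```powershell
# Added example (not the article's own code): triage the driver folder against
# the five indicators the article lists, then show what would be renamed.
# Assumes PowerShell 2.0 or later running in an elevated session.
$driverDir   = Join-Path $env:windir 'system32\drivers'
$suspectDate = [DateTime]'2005-01-11'
$suspectSize = 13824   # 13,824 bytes; Explorer rounds this to 14 KB

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -Force | ForEach-Object {
    $f    = $_
    $hits = @()
    # Exactly eight lowercase letters before .sys (case-sensitive match).
    if ($f.BaseName -cmatch '^[a-z]{8}$')        { $hits += 'eight random lowercase letters' }
    if ($f.LastWriteTime.Date -eq $suspectDate)   { $hits += 'dated 2005-01-11' }
    if ($f.Length -eq $suspectSize)               { $hits += '13,824 bytes' }
    if (([int]$f.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0) {
        $hits += 'hidden attribute'
    }
    # Legitimate drivers carry a version resource; this one carries none.
    $vi = $f.VersionInfo
    if (-not $vi.FileVersion -and -not $vi.ProductName -and -not $vi.CompanyName) {
        $hits += 'no version, product or company name'
    }
    if ($hits.Count -gt 0) {
        New-Object PSObject -Property @{
            File       = $f
            Score      = $hits.Count
            Indicators = ($hits -join '; ')
        }
    }
} | Sort-Object Score -Descending

# Review partial matches too; a legitimate driver may share one or two traits.
$report | Select-Object @{n='Name';e={$_.File.Name}}, Score, Indicators | Format-Table -AutoSize

# Only a file matching all five indicators is treated as the malicious driver.
# Clear the system/hidden attributes and add a .bad extension, as the article
# does. Remove -WhatIf once you have reviewed the table above.
foreach ($s in ($report | Where-Object { $_.Score -eq 5 })) {
    attrib -S -H $s.File.FullName
    Rename-Item -LiteralPath $s.File.FullName -NewName ($s.File.Name + '.bad') -WhatIf
}
```

After renaming, reboot and run an updated anti-spyware scan as the article describes; the renamed .bad files can be kept for analysis or deleted once the scan comes back clean.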

Microsoft KnowledgeBase article 894278, "The computer may automatically restart, or you may receive a 'serious error' message or a Stop error message in Windows Server 2003, in Windows XP, or in Windows 2000," contains more details on this topic and also includes several stop error messages that you may encounter. Microsoft also lists several anti-spyware products that are supposed to detect this spyware.


Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .
There are 45 CertCities.com user Comments for “What's That Trojan Doing on My Server?”
5/18/06: GARBOT from Ramstein, Germany says: My first thought when I read the title "What's That Trojan Doing on My Server" is that maybe it was due to a cute new summer hire working in the server room?
5/25/06: prasad from india says: I am using XP Professional (operating system). My problem was, when I run my system I am fed up with the system shutdown problem. It is coming up that IT HAS ENCOUNTERED AN ERROR LIKE FILE "LASHELL". PLEASE SEND ME THE CORRECT SOLUTION.
9/8/06: ele127 from philippines says: Now I know! That's exactly what happened to my PC. I am using XP and, well, one day it just created a lot of problems. At first, I doubted whether it was really infected. Now I'm pretty sure that it is. http://www.urmbickleton.com
9/11/07: Hikmatullah from Helmand, Afghanistan says: The following information regarding the trojan and spyware infection is very useful. I kindly request that you give me a suggestion on how I can find fully trusted protection for my server, so that it protects my server. Thanks.
10/29/12: Bertie05 from Norway says: I greatly appreciate every one of the informative reads on certcities.com. I most certainly will spread the word about your site to people. Cheers, regards.
11/27/12: Etsuko.snyder from Cameroon says: As a newbie, I am always browsing online for articles that can be of assistance to me. Thank you, and I wish you all the best.
1/10/13: Femke from FmAKsCEEMqNw says: I had the same thing happen. I believe it said it was Windows Registry and it LOOKS like something Windows made to protect you from viruses, but indeed it is a virus. It was a while ago when I had it, but I have both spyware protection and virus protection. I just ran my spyware program (Webroot) and it seemed to take care of it. If you have a spyware program then run it. If you do not own one I would get one anyhow. Spyware can really mess up your computer. I would urge Webroot, but there are a ton of spyware removers. Hope this helped!