A diagnostic program may immediately close and you may receive a "Stop error code 0x00000050" (PAGE_FAULT_IN_NONPAGED_AREA) or "Stop error code 0x0000000A" (IRQL_NOT_LESS_OR_EQUAL) error message in Windows Server 2003, Windows 2000, or Windows XP

Article translations Article translations
Article ID: 897079 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you try to run one of the following diagnostic programs, the program may immediately close:
  • Registry Editor (Regedit.exe)
  • Task Manager (Taskmgr.exe)
  • System Configuration Utility (Msconfig.exe)
  • System Information (Msinfo32.exe)
You may also experience any one of the following symptoms:
  • The computer automatically restarts.
  • After you log on, you receive the following error message:
    Microsoft Windows
    The system has recovered from a serious error.
    A log of this error has been created.
    Please tell Microsoft about this problem.
    We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous.
    To see what data this error report contains, click here.
    When you click the click here link at the bottom of the message box, you see error signature information that may be similar to one of the following data samples:

    Data sample 1

    BCCode : 00000050 BCP1 : ffffff60 BCP2 : 00000000 BCP3 : 804fa26f 
    BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1

    Data sample 2

    BCCode : 0000000A BCP1 : ffffff94 BCP2 : 00000000 BCP3 : 00000000 
    BCP4 : 804e15ef OSVer : 5_1_2600 SP : 0_0 Product : 256_1
  • You receive one of the following Stop error messages:

    Message 1

    A problem has been detected and Windows has been shut down to prevent damage to your computer...
    Technical information:

    *** STOP: 0x00000050 (0xffffff60, 0x00000000, 0x804fa26f, 0x00000000) PAGE_FAULT_IN_NONPAGED_AREA address 0x804fa26f in 0x50_nt!ObReferenceObjectSafe+e

    Message 2

    A problem has been detected and Windows has been shut down to prevent damage to your computer...
    Technical information:

    *** STOP: 0x0000000A (0xffffff94, 0x00000000, 0x00000000, 0x804e15ef) IRQL_NOT_LESS_OR_EQUAL address 0x804fa26f in 0xA_nt!ExpCopyThreadInfo+a
  • When you view the System log in Event Viewer, you may see an entry that is similar to one of the following:

    Entry 1

    Date: date
    Source: System
    Error Time: time
    Category: (102)
    Type: Error
    Event ID: 1003
    User: N/A
    Computer: COMPUTER
    Description: Error code 00000050, parameter1 ffffff60, parameter2 00000000, parameter3 804fa26f, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com.
    Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 0000050 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c

    Entry 2

    Date: date
    Source: System
    Error Time: time
    Category: (102)
    Type: Error
    Event ID: 1003
    User: N/A
    Computer: COMPUTER
    Description: Error code 0000000A, parameter1 ffffff94, parameter2 00000000, parameter3 00000000, parameter4 804e15ef. For more information, see Help and Support Center at http://support.microsoft.com.
    Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 000000A 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c

Notes

  • The symptoms of a Stop error vary according to your computer's system failure options. For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:
    307973 How to configure system failure and recovery options in Windows
  • The four parameters that are inside the parentheses of the Stop error message vary according to the computer's configuration.
  • Not all "Stop 0x0000000A" errors are caused by the problem that is described in this article. For more information about how to troubleshoot Stop 0x0000000A errors in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
    314063 Troubleshooting a Stop 0x0000000A error in Windows XP

CAUSE

This problem may occur if the computer is infected with a variant of the Sdbot virus.

The Sdbot virus creates a hidden process. This process closes programs that system administrators use for diagnostic and configuration purposes. The process may also prevent these programs from running.

The file name of the Sdbot virus varies. Many variants of this virus put a driver that is named Msdirectx.sys or Haxdrv.sys on the computer. This driver is used to hide the virus process. The file names that the virus frequently uses include Msdrv.exe and Sdkcore.exe. These virus variants can restore the virus if you delete the files.

RESOLUTION

To resolve this problem, use one of the following methods:

Automatic Removal

To automatically remove some versions of this virus, run the Microsoft Malicious Software Removal Tool.

The April release of this utility can remove some variants of this malware. You can find information and downloads for the Malicious Software Removal Tool at the following locations:
Manual Removal

Important The file name of the Sdbot virus varies. You may have to modify these steps according to the file name that the Sdbot virus uses on your computer.
  1. Follow these steps to start the computer in Safe Mode:
    1. Restart the computer.
    2. As the computer starts, press the F8 key repeatedly at a rate of one time per second.

      The Microsoft Windows Advanced Startup Menu options display.
    3. Use the UP ARROW and DOWN ARROW keys to select Safe Mode, and then press ENTER.
  2. Click Start, click Run, type regedit in the Open box, and then click OK.
  3. In the following registry subkeys, locate and delete any entries that contain the Msdrv.exe file name or the Sdkcore.exe file name:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    For example, if an "Ms Sound Drivers" entry has a value of "msdrv.exe," delete the entry.
  4. In the following registry subkeys, locate and delete any entries that contain Msdirectx or Haxdrv:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  5. Quit Registry Editor.
  6. Click Start, click Run, type cmd in the Open box, and then click OK.
  7. At the command prompt, type the following commands. Press ENTER after each command.
    attrib -r -h -s %systemroot%\system32\msdirectx.sys
    attrib -r -h -s %systemroot%\system32\haxdrv.sys
    attrib -r -h -s %systemroot%\system32\msdrv.exe
    attrib -r -h -s %systemroot%\system32\sdkcore.exe
    Note These files may exist in various folders on the computer. For example, the files have been reported in the following folders:
    • C:\
    • C:\system32\
    • C:\system32\drivers\
    • C:\Documents and Settings\UserName\

    Perform a search to find all instances of Msdirectx.sys and Haxdrv.sys. Then, type the commands in this step, but replace the %systemroot%\system32\ path with the path of each file that you find.
  8. Type the following commands to delete the files. Press ENTER after each command.
    del %systemroot%\system32\msdirectx.sys
    del %systemroot%\system32\haxdrv.sys
    del %systemroot%\system32\msdrv.exe
    del %systemroot%\system32\sdkcore.exe
    If you found other instances of these files in step 7, repeat these commands by using the path of each file that you found.
  9. Restart the computer.
  10. Make sure that your antivirus and anti-spyware programs are updated with the latest definitions. Then, perform a complete system scan. As of April 7, 2005, the following files are detected by the following programs:

    Msdrv.exe
    Collapse this tableExpand this table
    ProgramSdbot virus variant detected
    Norman AVW32/MEWpacked.gen
    PandaLabsW32/MEWpacked.gen
    AVERT LabsNo Detection (inconclusive)
    F-SecureBackdoor.Win32.SdBot.gen
    SophosTroj/NtRootK-F (msdirectx.sys), Troj/Rootkit-U (haxdrv.sys), W32/Sdbot-WR, W32/Sdbot-VJ, W32/Sdbot-WK, W32/Sdbot-WD
    Trend MicroTROJ_ROOTKIT.H (msdirectx.sys), WORM_RBOT.AXU, WORM_SDBOT.BDX
    Msdirectx.sys
    Collapse this tableExpand this table
    ProgramSdbot virus variant detected
    F-SecureTrojan.Win32.Rootkit.h

REFERENCES

For more information about the Microsoft Malicious Software Removal Tool, visit the following Microsoft Web site:
http://www.microsoft.com/security/malwareremove/default.mspx
For more information about the Microsoft AntiSpyware product, click the following article number to view the article in the Microsoft Knowledge Base:
892279 How to obtain Microsoft Windows AntiSpyware (Beta)
892340 Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware threat
For more information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:
49500 List of antivirus software vendors

Properties

Article ID: 897079 - Last Review: January 15, 2012 - Revision: 5.0
APPLIES TO
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
Keywords: 
kbocabucket kbvirus kbbluescreen kbsecurity kberrmsg kbtshoot kbprb KB897079

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com