A diagnostic program may immediately close and you may receive a "STOP 0x00000050" or "STOP 0x0000000A" error message in Windows Server 2003, Windows 2000, or Windows XP

When you try to run one of the following diagnostic programs, the program may immediately close:

• Registry Editor (Regedit.exe)
• Task Manager (Taskmgr.exe)
• System Configuration Utility (Msconfig.exe)
• System Information (Msinfo32.exe)

You may also experience any one of the following symptoms:

• The computer automatically restarts.
• After you log on, you receive the following error message:
  Microsoft Windows
  The system has recovered from a serious error.
  A log of this error has been created.
  Please tell Microsoft about this problem.
  We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous.
  To see what data this error report contains, click here.
  When you click the click here link at the bottom of the message box, you see error signature information that may be similar to one of the following data samples:
  Back to the top

  Data sample 1

  BCCode : 00000050 BCP1 : ffffff60 BCP2 : 00000000 BCP3 : 804fa26f 
  BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1

  Back to the top

  Data sample 2

  BCCode : 0000000A BCP1 : ffffff94 BCP2 : 00000000 BCP3 : 00000000 
  BCP4 : 804e15ef OSVer : 5_1_2600 SP : 0_0 Product : 256_1

• You receive one of the following Stop error messages:
  Back to the top

  Message 1

  A problem has been detected and Windows has been shut down to prevent damage to your computer...
  Technical information:
  
  *** STOP: 0x00000050 (0xffffff60, 0x00000000, 0x804fa26f, 0x00000000) PAGE_FAULT_IN_NONPAGED_AREA address 0x804fa26f in 0x50_nt!ObReferenceObjectSafe+e
  Back to the top

  Message 2

  A problem has been detected and Windows has been shut down to prevent damage to your computer...
  Technical information:
  
  *** STOP: 0x0000000A (0xffffff94, 0x00000000, 0x00000000, 0x804e15ef) IRQL_NOT_LESS_OR_EQUAL address 0x804fa26f in 0xA_nt!ExpCopyThreadInfo+a
• When you view the System log in Event Viewer, you may see an entry that is similar to one of the following:
  Back to the top

  Entry 1

  Date: date
  Source: System
  Error Time: time
  Category: (102)
  Type: Error
  Event ID: 1003
  User: N/A
  Computer: COMPUTER
  Description: Error code 00000050, parameter1 ffffff60, parameter2 00000000, parameter3 804fa26f, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com.
  Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 0000050 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c

  Back to the top

  Entry 2

  Date: date
  Source: System
  Error Time: time
  Category: (102)
  Type: Error
  Event ID: 1003
  User: N/A
  Computer: COMPUTER
  Description: Error code 0000000A, parameter1 ffffff94, parameter2 00000000, parameter3 00000000, parameter4 804e15ef. For more information, see Help and Support Center at http://support.microsoft.com.
  Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 000000A 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c

Notes

• The symptoms of a Stop error vary according to your computer's system failure options. For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:
  307973  (http://support.microsoft.com/kb/307973/ ) How to configure system failure and recovery options in Windows
• The four parameters that are inside the parentheses of the Stop error message vary according to the computer's configuration.
• Not all "Stop 0x0000000A" errors are caused by the problem that is described in this article. For more information about how to troubleshoot Stop 0x0000000A errors in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
  314063  (http://support.microsoft.com/kb/314063/ ) Troubleshooting a Stop 0x0000000A error in Windows XP

This problem may occur if the computer is infected with a variant of the Sdbot virus.

The Sdbot virus creates a hidden process. This process closes programs that system administrators use for diagnostic and configuration purposes. The process may also prevent these programs from running.

The file name of the Sdbot virus varies. Many variants of this virus put a driver that is named Msdirectx.sys or Haxdrv.sys on the computer. This driver is used to hide the virus process. The file names that the virus frequently uses include Msdrv.exe and Sdkcore.exe. These virus variants can restore the virus if you delete the files.

To resolve this problem, use one of the following methods:

Automatic Removal

To automatically remove some versions of this virus, run the Microsoft Malicious Software Removal Tool.

The April release of this utility can remove some variants of this malware. You can find information and downloads for the Malicious Software Removal Tool at the following locations:

• http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en)
• http://www.microsoft.com/security/malwareremove/default.mspx (http://www.microsoft.com/security/malwareremove/default.mspx)

Manual Removal

Important The file name of the Sdbot virus varies. You may have to modify these steps according to the file name that the Sdbot virus uses on your computer.

1. Follow these steps to start the computer in Safe Mode:
   1. Restart the computer.
   2. As the computer starts, press the F8 key repeatedly at a rate of one time per second.
      
      The Microsoft Windows Advanced Startup Menu options display.
   3. Use the UP ARROW and DOWN ARROW keys to select Safe Mode, and then press ENTER.
2. Click Start, click Run, type regedit in the Open box, and then click OK.
3. In the following registry subkeys, locate and delete any entries that contain the Msdrv.exe file name or the Sdkcore.exe file name:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   For example, if an "Ms Sound Drivers" entry has a value of "msdrv.exe," delete the entry.
4. In the following registry subkeys, locate and delete any entries that contain Msdirectx or Haxdrv:
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
5. Quit Registry Editor.
6. Click Start, click Run, type cmd in the Open box, and then click OK.
7. At the command prompt, type the following commands. Press ENTER after each command.
   attrib -r -h -s %systemroot%\system32\msdirectx.sys
   attrib -r -h -s %systemroot%\system32\haxdrv.sys
   attrib -r -h -s %systemroot%\system32\msdrv.exe
   attrib -r -h -s %systemroot%\system32\sdkcore.exe
   Note These files may exist in various folders on the computer. For example, the files have been reported in the following folders:
   • C:\
   • C:\system32\
   • C:\system32\drivers\
   • C:\Documents and Settings\UserName\
   
   Perform a search to find all instances of Msdirectx.sys and Haxdrv.sys. Then, type the commands in this step, but replace the %systemroot%\system32\ path with the path of each file that you find.
8. Type the following commands to delete the files. Press ENTER after each command.
   del %systemroot%\system32\msdirectx.sys
   del %systemroot%\system32\haxdrv.sys
   del %systemroot%\system32\msdrv.exe
   del %systemroot%\system32\sdkcore.exe
   If you found other instances of these files in step 7, repeat these commands by using the path of each file that you found.
9. Restart the computer.
10. Make sure that your antivirus and anti-spyware programs are updated with the latest definitions. Then, perform a complete system scan. As of April 7, 2005, the following files are detected by the following programs:
    
    Msdrv.exe
    Collapse this tableExpand this table

    Program	Sdbot virus variant detected
    Norman AV	W32/MEWpacked.gen
    PandaLabs	W32/MEWpacked.gen
    AVERT Labs	No Detection (inconclusive)
    F-Secure	Backdoor.Win32.SdBot.gen
    Sophos	Troj/NtRootK-F (msdirectx.sys), Troj/Rootkit-U (haxdrv.sys), W32/Sdbot-WR, W32/Sdbot-VJ, W32/Sdbot-WK, W32/Sdbot-WD
    Trend Micro	TROJ_ROOTKIT.H (msdirectx.sys), WORM_RBOT.AXU, WORM_SDBOT.BDX

    Msdirectx.sys
    Collapse this tableExpand this table

    Program	Sdbot virus variant detected
    F-Secure	Trojan.Win32.Rootkit.h

For more information about the Microsoft Malicious Software Removal Tool, visit the following Microsoft Web site: For more information about the Microsoft AntiSpyware product, click the following article number to view the article in the Microsoft Knowledge Base: For more information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base: