You are currently offline, waiting for your internet to reconnect

You may receive an error message on a Windows-based computer: "STOP 0x00000050" or "STOP 0x0000008e"

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

SYMPTOMS
You may experience one or more of the following symptoms on a Microsoft Windows Server 2003-based, Microsoft Windows XP-based, or Microsoft Windows 2000-based computer:
  • The computer automatically restarts.
  • After you log on, you receive the following error message:
    Microsoft Windows
    The system has recovered from a serious error.
    A log of this error has been created.
    Please tell Microsoft about this problem.
    We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous.
    To see what data this error report contains, click here.
    To see what the error report contains, click click here. When you click the click here link at the bottom of the message box, you will see error signature information that is similar to one of the following data samples.

    Data sample 1
    BCCode : 00000050 BCP1 : f8655000 BCP2 : 00000001 BCP3 : fc7cc465 BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
    Data sample 2
    BCCode : 0000008e BCP1 : c0000005 BCP2 : 00000120 BCP3 : fd28eaa4 BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
  • You receive one of the following "Stop" error messages.

    Message 1

    A problem has been detected and Windows has been shut down to prevent damage to your computer...
    Technical information:

    STOP: 0x00000050 (0xf8655000, 0x00000001, 0xfc7cc465, 0x00000000)
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Message 2
    A problem has been detected and Windows has been shut down to prevent damage to your computer...
    Technical information:

    STOP: 0x0000008e (0xc0000005, 0x00000120, 0xfd28eaa4, 0x00000000)
    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
  • Error messages that are similar to the following are logged in the System event log:
    Date: date
    Source: System
    Error Time: time
    Category: (102)
    Type: Error
    Event ID: 1003
    User: N/A
    Computer: COMPUTER
    Description: Error code 00000050, parameter1 f8655000, parameter2 00000001, parameter3 fc7cc465, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 0000050 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c
    Date: date
    Source: System
    Error Time: time
    Category: (102)
    Type: Error
    Event ID: 1003
    User: N/A
    Computer: COMPUTER
    Description: Error code 0000008e, parameter1 c0000005, parameter2 00000120, parameter3 fd28eaa4, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 35 000008e 0020: 30 20 20 50 61 72 61 6d 0 Param 0028: 65 74 65 72 73 20 66 66 eters ff 0030: 66 66 66 66 64 31 2c

Notes

  • The symptoms of a Stop error vary according to your computer's system failure options.

    For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:
    307973 How to configure system failure and recovery options in Windows
  • The four parameters that are inside the parentheses of the Stop error message vary according to the computer's configuration.
CAUSE
This problem may occur if the computer is infected with a variant of the HaxDoor virus.

The HaxDoor virus creates a hidden process. Additionally, the virus hides files and registry keys. The executable file name of the HaxDoor virus may vary, but the file name is frequently Mszx23.exe. Many variants of this virus put a driver that is named Vdmt16.sys or Vdnt32.sys on the computer. This driver is used to hide the virus process. The HaxDoor virus variants can restore these files if you delete them.
RESOLUTION
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To solve this problem, follow these steps:
  1. Print the following Microsoft Knowledge Base article. Use the article as a guide to this procedure.

    307654 How to install and use the Recovery Console in Windows XP
  2. Click Start, click Run, type regedit, and then click OK.
  3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  4. Locate and delete any entries in the registry subkey that reference "drct16" or "draw32".

    For example, you may see entries that are similar to the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
  5. Insert the Windows XP installation CD, and then restart the computer from the CD.
  6. At the Welcome to Setup screen, press R (repair) to start the Windows Recovery Console.
  7. Select the number that corresponds to the Windows installation that you want to repair. This number is typically 1.
  8. If prompted, type the administrator password. If an administrator password does not exist, press ENTER.
  9. At the command prompt, move to the C:\Windows\System32 folder. For example, type cd C:\Windows\System32.
  10. Use the ren (rename) command to rename the following files as shown. Remember to press ENTER after each command. If you see a "File not found" message, move to the next file in the list.
    ren 1.a3d 1.a3d.badren cm.dll cm.dll.badren cz.dll cz.dll.badren draw32.dll draw32.dll.badren drct16.dll drct16.dll.badren dt163.dt dt163.dt.badren fltr.a3d fltr.a3d.badren hm.sys hm.sys.badren hz.dll hz.dll.badren hz.sys hz.sys.badren i.a3d i.a3d.badren in.a3d in.a3d.badren klo5.sys klo5.sys.badren klogini.dll klogini.dll.badren memlow.sys memlow.sys.badren mszx23.exe mszx23.exe.badren p2.ini p2.ini.badren ps.a3d ps.a3d.badren redir.a3d redir.a3d.badren tnfl.a3d tnfl.a3d.badren vdmt16.sys vdmt16.sys.badren vdnt32.sys vdnt32.sys.badren w32tm.exe w32tm.exe.badren WD.SYS WD.SYS.badren winlow.sys winlow.sys.badren wmx.a3d wmx.a3d.badren wz.dll wz.dll.badren wz.sys wz.sys.bad

    If you want to delete these files when you are finished, type del *.bad.
  11. Remove the Windows XP installation CD, and then type Exit to restart the computer.
  12. When the computer restarts, click Start, click Run, type regedit, and then click OK.
  13. Locate and delete the following registry subkeys and any entries that may be present under each subkey. If any registry subkeys from this list are not present, move to the next subkey in the list.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow


    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdnt32

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\memlow


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDMT16

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDNT32

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_WINLOW

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_MEMLOW
  14. Locate and delete any entries that contain the Mszx23.exe file name under the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  15. Quit Registry Editor.
  16. Make sure that your antivirus and anti-spyware programs are updated with the latest definitions, and then perform a complete system scan.
The following malware has been identified by antivirus vendors.
Symantec:Backdoor.Haxdoor.D
Trend Micro:BKDR_HAXDOOR.BC, BKDR_HAXDOOR.BN, BKDR_HAXDOOR.BA, BKDR_HAXDOOR.AL
PandaLabs:HAXDOOR.AW
F-Secure:Backdoor.Win32.Haxdoor, Backdoor.Win32.Haxdoor.al
Sophos:Troj/Haxdoor-AF, Troj/Haxdoor-CN, Troj/Haxdoor-AE
Kaspersky Lab:Backdoor.Win32.Haxdoor.bg
McAfee:BackDoor-BAC
steal username password credentials vdmt16 vdnt32 memlow winlow trojan downloader
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 903251 - Last Review: 07/01/2010 03:27:00 - Revision: 6.0

Microsoft Windows Server 2003, Web Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Microsoft Windows XP Tablet PC Edition, Microsoft Windows XP Professional, Microsoft Windows XP Media Center Edition 2005 Update Rollup 2, Microsoft Windows XP Home Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Security Essentials

  • kbresolve kbvirus kbprb kbtshoot kberrmsg kbbluescreen KB903251
Feedback
var varAutoFirePV = 1; var varClickTracking = 1; var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write("