The HaxDoor virus may cause a "STOP 0x00000050" or "STOP 0x0000008e" error message (903251)
The information in this article applies to:
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows XP Tablet PC Edition
- Microsoft Windows XP Professional
- Microsoft Windows XP Media Center Edition
- Microsoft Windows XP Home Edition
- Microsoft Windows XP 64-Bit Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

SYMPTOMS
You may experience one or more of the following symptoms on a Microsoft Windows Server 2003-based, Microsoft Windows XP-based, or Microsoft Windows 2000-based computer:
- The computer automatically restarts.
- After you log on, you receive the following error message:
  Microsoft Windows
  The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.
  To see what the error report contains, click "click here". When you click the "click here" link at the bottom of the message box, you see error signature information that is similar to one of the following data samples.
  Data sample 1
  BCCode : 00000050 BCP1 : f8655000 BCP2 : 00000001 BCP3 : fc7cc465 BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
  Data sample 2
  BCCode : 0000008e BCP1 : c0000005 BCP2 : 00000120 BCP3 : fd28eaa4 BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
- You receive one of the following "Stop" error messages.
  Message 1
  A problem has been detected and Windows has been shut down to prevent damage to your computer...
  Technical information:
  STOP: 0x00000050 (0xf8655000, 0x00000001, 0xfc7cc465, 0x00000000)
  PAGE_FAULT_IN_NONPAGED_AREA (50)
  Message 2
  A problem has been detected and Windows has been shut down to prevent damage to your computer...
  Technical information:
  STOP: 0x0000008e (0xc0000005, 0x00000120, 0xfd28eaa4, 0x00000000)
  KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
- Error messages that are similar to the following are logged in the System event log:
  Date: date
  Source: System Error
  Time: time
  Category: (102)
  Type: Error
  Event ID: 1003
  User: N/A
  Computer: COMPUTER
  Description: Error code 00000050, parameter1 f8655000, parameter2 00000001, parameter3 fc7cc465, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com.
  Data:
  0000: 53 79 73 74 65 6d 20 45   System E
  0008: 72 72 6f 72 20 20 45 72   rror Er
  0010: 72 6f 72 20 63 6f 64 65   ror code
  0018: 20 30 30 30 30 30 30 35   0000050
  0020: 30 20 20 50 61 72 61 6d   0 Param
  0028: 65 74 65 72 73 20 66 66   eters ff
  0030: 66 66 66 66 64 31 2c

  Date: date
  Source: System Error
  Time: time
  Category: (102)
  Type: Error
  Event ID: 1003
  User: N/A
  Computer: COMPUTER
  Description: Error code 0000008e, parameter1 c0000005, parameter2 00000120, parameter3 fd28eaa4, parameter4 00000000. For more information, see Help and Support Center at http://support.microsoft.com.
  Data:
  0000: 53 79 73 74 65 6d 20 45   System E
  0008: 72 72 6f 72 20 20 45 72   rror Er
  0010: 72 6f 72 20 63 6f 64 65   ror code
  0018: 20 30 30 30 30 30 30 35   000008e
  0020: 30 20 20 50 61 72 61 6d   0 Param
  0028: 65 74 65 72 73 20 66 66   eters ff
  0030: 66 66 66 66 64 31 2c
Notes
- The symptoms of a Stop error vary according to your computer's system failure options. For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:
  307973 How to configure system failure and recovery options in Windows
- The four parameters that are inside the parentheses of the Stop error message vary according to the computer's configuration.

CAUSE
This problem may occur if the computer is infected with a variant of the HaxDoor virus.
The HaxDoor virus creates a hidden process. Additionally, the virus hides files and registry keys. The executable file name of the HaxDoor virus may vary, but the file name is frequently Mszx23.exe. Many variants of this virus put a driver that is named Vdmt16.sys or Vdnt32.sys on the computer. This driver is used to hide the virus process. The HaxDoor virus variants can restore these files if you delete them.

RESOLUTION
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To solve this problem, follow these steps:
- Print the following Microsoft Knowledge Base article. Use the article as a guide to this procedure.
  307654 How to install and use the Recovery Console in Windows XP
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Locate and delete any entries in the registry subkey that reference "drct16" or "draw32". For example, you may see entries that are similar to the following:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
- Insert the Windows XP installation CD, and then restart the computer from the CD.
- At the Welcome to Setup screen, press R (repair) to start the Windows Recovery Console.
- Select the number that corresponds to the Windows installation that you want to repair. This number is typically 1.
- If prompted, type the administrator password. If an administrator password does not exist, press ENTER.
- At the command prompt, move to the C:\Windows\System32 folder. For example, type cd C:\Windows\System32.
- Use the ren (rename) command to rename the following files as shown. Remember to press ENTER after each command. If you see a "File not found" message, move to the next file in the list.
ren 1.a3d 1.a3d.bad
ren cm.dll cm.dll.bad
ren cz.dll cz.dll.bad
ren draw32.dll draw32.dll.bad
ren drct16.dll drct16.dll.bad
ren dt163.dt dt163.dt.bad
ren fltr.a3d fltr.a3d.bad
ren hm.sys hm.sys.bad
ren hz.dll hz.dll.bad
ren hz.sys hz.sys.bad
ren i.a3d i.a3d.bad
ren in.a3d in.a3d.bad
ren klo5.sys klo5.sys.bad
ren klogini.dll klogini.dll.bad
ren memlow.sys memlow.sys.bad
ren mszx23.exe mszx23.exe.bad
ren p2.ini p2.ini.bad
ren ps.a3d ps.a3d.bad
ren redir.a3d redir.a3d.bad
ren tnfl.a3d tnfl.a3d.bad
ren vdmt16.sys vdmt16.sys.bad
ren vdnt32.sys vdnt32.sys.bad
ren w32tm.exe w32tm.exe.bad
ren WD.SYS WD.SYS.bad
ren winlow.sys winlow.sys.bad
ren wmx.a3d wmx.a3d.bad
ren wz.dll wz.dll.bad
ren wz.sys wz.sys.bad
If you want to delete these files when you are finished, type del *.bad.
- Remove the Windows XP installation CD, and then type Exit to restart the computer.
- When the computer restarts, click Start, click Run, type regedit, and then click OK.
- Locate and delete the following registry subkeys and any entries that may be present under each subkey. If any registry subkeys from this list are not present, move to the next subkey in the list.
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdnt32
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VFILT
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\memlow
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDMT16
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDNT32
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_WINLOW
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_MEMLOW
- Locate and delete any entries that contain the Mszx23.exe file name under the following registry subkeys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- Quit Registry Editor.
- Make sure that your antivirus and anti-spyware programs are updated with the latest definitions, and then perform a complete system scan.
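
As an added example (not part of the original article and not Microsoft tooling): because the virus hides its files on a running system, the file check is more dependable against an offline copy of the volume. The script below scans a mounted System32 directory for the file names from the rename step and reports names that are still active as well as .bad leftovers; the function names and the sample directory are assumptions constructed for illustration.

```python
import os

# File names taken from the ren step of this article (System32 folder).
HAXDOOR_NAMES = frozenset("""
1.a3d cm.dll cz.dll draw32.dll drct16.dll dt163.dt fltr.a3d hm.sys hz.dll
hz.sys i.a3d in.a3d klo5.sys klogini.dll memlow.sys mszx23.exe p2.ini
ps.a3d redir.a3d tnfl.a3d vdmt16.sys vdnt32.sys w32tm.exe wd.sys
winlow.sys wmx.a3d wz.dll wz.sys
""".split())


def scan_system32(system32_dir):
    """Return {'active': [...], 'renamed': [...]} for an offline System32 copy.

    'active' lists entries that still carry one of the article's file names;
    'renamed' lists <name>.bad leftovers from the ren step. Matching is
    case-insensitive because the volume may be mounted on a case-sensitive
    file system.
    """
    found = {"active": [], "renamed": []}
    for entry in sorted(os.listdir(system32_dir)):
        lower = entry.lower()
        if lower in HAXDOOR_NAMES:
            found["active"].append(entry)
        elif lower.endswith(".bad") and lower[:-4] in HAXDOOR_NAMES:
            found["renamed"].append(entry)
    return found


def build_sample(root):
    """Create a constructed System32 directory (empty files, demo only)."""
    os.makedirs(root, exist_ok=True)
    for name in ("VDMT16.SYS", "draw32.dll.bad", "notepad.exe", "kernel32.dll"):
        with open(os.path.join(root, name), "wb"):
            pass
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_system32(build_sample(os.path.join(tmp, "System32"))))
```

A name match is a lead to verify, not proof of infection: w32tm.exe, for example, is also the file name of the Windows Time command-line tool.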
The following malware has been identified by antivirus vendors.
Symantec: Backdoor.Haxdoor.D
Trend Micro: BKDR_HAXDOOR.BC, BKDR_HAXDOOR.BN, BKDR_HAXDOOR.BA, BKDR_HAXDOOR.AL
PandaLabs: HAXDOOR.AW
F-Secure: Backdoor.Win32.Haxdoor, Backdoor.Win32.Haxdoor.al
Sophos: Troj/Haxdoor-AF, Troj/Haxdoor-CN, Troj/Haxdoor-AE
Kaspersky Lab: Backdoor.Win32.Haxdoor.bg
McAfee: BackDoor-BAC

Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbvirus kbprb kbtshoot kberrmsg kbbluescreen KB903251 kbAudDeveloper kbAudOEM kbAudITPRO kbAudEndUser