The HaxDoor virus may cause a "STOP 0x00000050" or "STOP 0x0000008e" error message
Article number: 903251
Last review: August 8, 2005
Version: 1.1
Important This article contains information about how to modify the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For more information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (/kb/256986/) Description of the Microsoft Windows registry
Symptoms
On a Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 computer, you may experience one of the following symptoms:
The computer restarts automatically. After you log on, you receive the following error message:
Microsoft Windows
The system has recovered from a serious error.
A log of this error has been created.
Please tell Microsoft about this problem.
We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous.
To see what data this error report contains, click here.
When you click the "click here" link at the bottom of the message box, you see error signature information that resembles one of the following data examples.
Data example 1
BCCode:00000050 BCP1:f8655000 BCP2:00000001 BCP3:fc7cc465 BCP4:00000000 OSVer:5_1_2600 SP:0_0 Product:256_1
Data example 2
BCCode:0000008e BCP1:c0000005 BCP2:00000120 BCP3:fd28eaa4 BCP4:00000000 OSVer:5_1_2600 SP:0_0 Product:256_1
You receive one of the following Stop error messages:
Message 1
A problem has been detected and Windows has been shut down to prevent damage to your computer...
Technical Information:
STOP:0x00000050 (0xf8655000, 0x00000001, 0xfc7cc465, 0x00000000)
PAGE_FAULT_IN_NONPAGED_AREA (50)
Message 2
A problem has been detected and Windows has been shut down to prevent damage to your computer...
Technical information:
STOP:0x0000008e (0xc0000005, 0x00000120, 0xfd28eaa4, 0x00000000)
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
You may see errors that resemble the following in the system event log:
Date: Date
Source: System
Time: Time
Category: (102)
Type: Error
Event ID: 1003
User: N/A
Computer: COMPUTER
Description: Error code 00000050, parameter1 f8655000, parameter2 00000001, parameter3 fc7cc465, parameter4 00000000. For more information, see Help and Support Center at /fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 35   0000050
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 66 66   eters ff
0030: 66 66 66 66 64 31 2c

Date: Date
Source: System
Time: Time
Category: (102)
Type: Error
Event ID: 1003
User: N/A
Computer: COMPUTER
Description: Error code 0000008e, parameter1 c0000005, parameter2 00000120, parameter3 fd28eaa4, parameter4 00000000. For more information, see Help and Support Center at /fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 35   000008e
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 66 66   eters ff
0030: 66 66 66 66 64 31 2c
Notes
The wording of the Stop error message may vary depending on the system failure options that are set on the computer.
For more information about how to set system failure and recovery options, click the following article number to view the article in the Microsoft Knowledge Base:
307973 (/kb/307973/) HOW TO: Set system failure and recovery options in Windows
The four parameters in parentheses in the Stop error message vary depending on the computer's configuration.
Cause
This problem occurs because the computer is infected with a variant of the HaxDoor virus.
The HaxDoor virus creates hidden processes. The virus can also hide files and registry entries. The name of the HaxDoor executable file may vary, but it is usually Mszx23.exe. Many variants of this virus put a driver that is named Vdmt16.sys or Vdnt32.sys on the computer. The purpose of this driver is to hide the virus process. Even if you end these processes, variants of the HaxDoor virus can restore them.
Solution
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To resolve this issue, follow these steps:
1. Print the following Microsoft Knowledge Base article. Use this article as a guide when you perform this procedure.
307654 (/kb/307654/) How to install and use the Recovery Console in Windows XP
2. Click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
4. Locate and delete any entries in the registry subkey that refer to drct16 or draw32.
For example, you may see entries that resemble the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
5. Insert the Windows XP installation CD, and then restart the computer from the CD.
6. On the Welcome to Setup screen, press R to start the Recovery Console.
7. Type the number that corresponds to the Windows installation that you want to repair. The number is usually 1.
8. When you are prompted, type the administrator password. If there is no administrator password, press ENTER.
9. At the command prompt, change to the C:\Windows\System32 folder. For example, type cd C:\Windows\System32.
10. Use the ren (rename) command to rename the following files as shown. Press ENTER after each command. If you receive a "File not found" message, go to the next file in the list.
ren 1.a3d 1.a3d.bad
ren cm.dll cm.dll.bad
ren cz.dll cz.dll.bad
ren draw32.dll draw32.dll.bad
ren drct16.dll drct16.dll.bad
ren dt163.dt dt163.dt.bad
ren fltr.a3d fltr.a3d.bad
ren hm.sys hm.sys.bad
ren hz.dll hz.dll.bad
ren hz.sys hz.sys.bad
ren i.a3d i.a3d.bad
ren in.a3d in.a3d.bad
ren klo5.sys klo5.sys.bad
ren klogini.dll klogini.dll.bad
ren memlow.sys memlow.sys.bad
ren mszx23.exe mszx23.exe.bad
ren p2.ini p2.ini.bad
ren ps.a3d ps.a3d.bad
ren redir.a3d redir.a3d.bad
ren tnfl.a3d tnfl.a3d.bad
ren vdmt16.sys vdmt16.sys.bad
ren vdnt32.sys vdnt32.sys.bad
ren w32tm.exe w32tm.exe.bad
ren WD.SYS WD.SYS.bad
ren winlow.sys winlow.sys.bad
ren wmx.a3d wmx.a3d.bad
ren wz.dll wz.dll.bad
ren wz.sys wz.sys.bad
To delete these files when you are finished, type del *.bad.
11. Remove the Windows XP installation CD, and then type exit to restart the computer.
12. When the computer restarts, click Start, click Run, type regedit, and then click OK.
13. Locate and delete the following registry subkeys and any entries that appear under each subkey. If a subkey in this list does not exist, go to the next subkey in the list.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdnt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VFILT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\memlow
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDMT16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_VDNT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_WINLOW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENUM\ROOT\LEGACY_MEMLOW
14. Locate and delete any entries that contain the Mszx23.exe file name in the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
15. Exit Registry Editor.
16. Make sure that your antivirus and antispyware software is updated with the latest definitions, and then perform a full system scan.
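The following PowerShell script is an added example and is not part of this article or of Microsoft's guidance. It performs a read-only check for the registry subkeys, autorun values and System32 file names that steps 4, 10, 13 and 14 name, and reports what it finds without changing anything; it assumes the Windows directory is in $env:SystemRoot and that it runs in an administrator console.

```powershell
# Added example, not part of KB 903251: read-only check for the HaxDoor
# indicators the article lists. Reports findings, changes nothing.
$findings = @()

# Step 4: Winlogon Notify subkeys the article names.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($name in 'drct16', 'draw32') {
    if (Test-Path "$notify\$name") { $findings += "Winlogon Notify subkey: $name" }
}

# Step 13: service keys. The article places Enum\Root under Services; on
# Windows systems Enum\Root also sits directly under the control set, so
# both locations are checked. Registry key names are case-insensitive.
foreach ($set in 'CurrentControlSet', 'ControlSet001') {
    foreach ($svc in 'vdmt16', 'vdnt32', 'VFILT', 'winlow', 'memlow') {
        $key = "HKLM:\SYSTEM\$set\Services\$svc"
        if (Test-Path $key) { $findings += "Service key: $key" }
        foreach ($enum in "HKLM:\SYSTEM\$set\Services\Enum\Root", "HKLM:\SYSTEM\$set\Enum\Root") {
            if (Test-Path "$enum\LEGACY_$svc") { $findings += "Enum key: $enum\LEGACY_$svc" }
        }
    }
}

# Step 14: autorun values that reference Mszx23.exe.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'mszx23\.exe') {
            $findings += "Autorun value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# Step 10: dropped files in System32. w32tm.exe is left out of this list
# because a legitimate Windows component has that name, so its mere
# presence proves nothing.
$files = '1.a3d','cm.dll','cz.dll','draw32.dll','drct16.dll','dt163.dt','fltr.a3d',
         'hm.sys','hz.dll','hz.sys','i.a3d','in.a3d','klo5.sys','klogini.dll',
         'memlow.sys','mszx23.exe','p2.ini','ps.a3d','redir.a3d','tnfl.a3d',
         'vdmt16.sys','vdnt32.sys','WD.SYS','winlow.sys','wmx.a3d','wz.dll','wz.sys'
foreach ($f in $files) {
    $path = Join-Path (Join-Path $env:SystemRoot 'System32') $f
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if ($findings.Count -eq 0) { 'No KB 903251 HaxDoor indicators found.' }
else { 'HaxDoor indicators found (review, then follow the KB steps):'; $findings | ForEach-Object { " - $_" } }
```

Because the Vdmt16.sys or Vdnt32.sys driver hides the virus's files and processes while it is loaded, a clean result from a running system is not conclusive; that is why the article renames the files from the Recovery Console rather than from a running Windows session.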
Antivirus software vendors identify this malware by the following names:
Symantec: Backdoor.Haxdoor.D
Trend Micro: BKDR_HAXDOOR.BC, BKDR_HAXDOOR.BN, BKDR_HAXDOOR.BA, BKDR_HAXDOOR.AL
PandaLabs: HAXDOOR.AW
F-Secure: Backdoor.Win32.Haxdoor, Backdoor.Win32.Haxdoor.al
Sophos: Troj/Haxdoor-AF, Troj/Haxdoor-CN, Troj/Haxdoor-AE
Kaspersky Lab: Backdoor.Win32.Haxdoor.bg
McAfee: BackDoor-BAC