Resolution of system Stop 0x00000050 (Stop 0x00000050) Error

Source: Internet
Author: User

Source: evil

Note: Solution methods 2 and 3 require that you start your computer in safe mode to remove the malicious kernel-mode driver.

Symptom
On the blue screen, you will receive the following "Stop" error message:
*** STOP: 0x00000050 (0xeb7ff002, 0x00000000, 0x8054af32, 0x00000001) PAGE_FAULT_IN_NONPAGED_AREA nt!ExFreePoolWithTag+237
When you view system logs in the event viewer, you may see the event ID 1003 entry. The information of this entry is similar to the following:
Date: Date
Source: System
Error time: Time
Category: (102)
Type: Error
Event ID: 1003
User: N/A
Computer: Computer
Description: Error Code 00000050, parameter1 eb7ff002, parameter2 00000000, parameter3 8054af32, parameter4 00000001. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Cause
This error message is caused by a kernel-mode driver that is installed by the following known spyware: Rootkit/Spyware: msupd5.exe, Reloadmedude.exe.

This spyware is currently detected by the following security products:

Product                    Reported name
Microsoft AntiSpyware      Spyware.Service.MiscrosoftUpdate (Trojan)
Computer Associates        Win32/benui!Downloader!Trojan
Doctor Web DrWebCL         Trojan.Medude
F-Secure                   Trojan.Win32.Agent.aw
Kaspersky Lab AVPDOS32     Trojan.Win32.Agent.aw
McAfee                     Downloader-va
Panda                      Trj/Agent.FO and Adware/Apropos
Trend Micro VScan          TROJ_LODMEDUD.A


More information
To verify that your computer is infected with this spyware, follow these steps:
1. Start Internet Explorer.
2. In Internet Explorer's address bar, type %windir%\system32\drivers and press Enter.
3. Enable viewing hidden files. To do this, follow these steps:
   a. On the Tools menu, click "Folder Options".
   b. Click "View" and click to clear the "Hide protected operating system files (recommended)" check box. If you receive a warning message indicating that you have chosen to display the hidden operating system files, click "Yes".
   c. Click to select the "Show all files and folders" check box, and then click to clear the "Hide extensions of known file types" check box.
   d. Click to clear the "Apply to all folders" check box, and then click "OK".
4. Press F5 to refresh the screen, and then find any .sys file that has a randomly generated file name consisting of eight lowercase letters. Examples of these file names:
   • gbqxmhia.sys
   • upzvlbvv.sys
   • jsbmefvk.sys
5. After you find a suspicious file, verify its properties. Right-click the file and click "Properties", and look for the following:
   • The file date is January 11, 2005.
   • The file size is 14 KB (13,824 bytes).
   • The Hidden attribute is set (the "Hidden" check box contains a check mark).
   • The file contains no version, product name, or manufacturer information.
   Click "OK" to close the Properties dialog box.
6. In Internet Explorer's address bar, type %windir%\system32 and press Enter.
7. Look for executable files (.exe) similar to the following:
   • msupd*.exe, where * may be different numbers
   • Reloadmedude.exe
   The size of these files is 60 KB (61,440 bytes) and the date is random.
   Known examples of such files:
   • msupd.exe
   • msupd4.exe
   • msupd5.exe
   • Reloadmedude.exe

If you find the randomly named .sys file and the msupd*.exe or Reloadmedude.exe file, your computer is infected with this spyware.
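The manual checks above can also be scripted. The following PowerShell function is an added example, not part of the original article; the function name, its parameter and the output fields are assumptions made for illustration.

```powershell
# Added example: scripted form of the manual verification steps above.
# Function name, parameter and output fields are illustrative assumptions.
function Find-Stop50Indicators {
    param([string]$System32 = (Join-Path $env:windir 'system32'))

    # Eight lowercase letters + .sys also matches legitimate drivers such as
    # kbdclass.sys, so a file is kept only if it meets every listed property.
    # -Force makes Get-ChildItem list hidden and system files.
    $drivers = @(
        Get-ChildItem -LiteralPath (Join-Path $System32 'drivers') -Filter '*.sys' -Force |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Name -cmatch '^[a-z]{8}\.sys$' -and
                $_.Length -eq 13824 -and
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                -not ($_.VersionInfo.FileVersion -or
                      $_.VersionInfo.ProductName -or
                      $_.VersionInfo.CompanyName)
            } |
            ForEach-Object { $_.FullName }
    )

    # msupd*.exe (where * is digits) or Reloadmedude.exe, 61,440 bytes each.
    $exes = @(
        Get-ChildItem -LiteralPath $System32 -Filter '*.exe' -Force |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Name -match '^(msupd\d*|Reloadmedude)\.exe$' -and
                $_.Length -eq 61440
            } |
            ForEach-Object { $_.FullName }
    )

    # The article's rule: infected when both the driver and an executable exist.
    New-Object psobject -Property @{
        Drivers     = $drivers
        Executables = $exes
        Infected    = ($drivers.Count -gt 0) -and ($exes.Count -gt 0)
    }
}

Find-Stop50Indicators | Format-List
```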

Solution
To solve this problem, use one of the following methods.

Method 1: Rename a malicious driver by using Internet Explorer
1. In Internet Explorer's address bar, type %windir%\system32\drivers and find the randomly named .sys file.
2. Right-click the file and click "Rename". Rename the file to malware.old and press Enter.
3. In the address bar, type \WINDOWS\system32 and press Enter.
4. Find and rename the following files (if they exist):
   • msupd5.exe (rename to msupd5.old)
   • msupd4.exe (rename to msupd4.old)
   • msupd.exe (rename to msupd.old)
   • Reloadmedude.exe (rename to Reloadmedude.old)
5. Close Internet Explorer.
6. Restart the computer.
7. Make sure that your antivirus/antispyware software is updated with the latest signatures, and then perform a complete system scan.


Method 2: Safe Mode: Rename a malicious driver by using "My Computer"
1. Start the computer in safe mode. To do this, follow these steps:
   a. Restart the computer.
   b. Press F8 repeatedly when the computer is started (once per second). This displays the Microsoft Windows Advanced Startup menu options.
   c. Use the up and down arrow keys to highlight "Safe Mode" and press Enter.
2. Open Internet Explorer and type C:\WINDOWS\system32\drivers in the address bar.
3. Enable viewing hidden files. To do this, follow these steps:
   a. Click Start, click My Computer, click Tools, and then click "Folder Options".
   b. Click "View".
   c. Click to clear the "Hide protected operating system files (recommended)" check box.
   d. Click to select "Show all files and folders", and then click to clear "Hide extensions of known file types".
   e. Click to select "Apply to all folders", and then click "OK".
4. Locate the folder named C:\WINDOWS\system32\drivers.
5. Find any .sys file with the following features:
   a. A randomly generated file name consisting of eight lowercase letters, such as gbqxmhia.sys, upzvlbvv.sys, or jsbmefvk.sys.
   b. The file date is January 11, 2005.
   c. The file size is 14 KB (13,824 bytes).
   d. The Hidden attribute is set.
   e. The file does not contain version, product name, or manufacturer information.
6. Right-click the file and click "Rename". Rename the file to malware.old and press Enter.
7. Locate \WINDOWS\system32.
8. Rename the following files (if they exist):
   • msupd5.exe (rename to msupd5.old)
   • msupd4.exe (rename to msupd4.old)
   • msupd.exe (rename to msupd.old)
   • Reloadmedude.exe (rename to Reloadmedude.old)
9. Restart the computer.
10. Make sure that your antivirus/antispyware software is updated with the latest signatures, and then perform a complete system scan.


Method 3: Safe Mode: Rename a malicious driver by using a command prompt
1. Start the computer in safe mode with a command prompt. To do this, follow these steps:
   a. Restart the computer.
   b. Press F8 repeatedly when the computer is started (once per second). This displays the Microsoft Windows Advanced Startup menu options.
   c. Use the up and down arrow keys to select "Safe Mode with Command Prompt" and press Enter.
2. Click Start, click Run, type cmd, and click "OK".
3. At the command prompt, type cd %windir%\system32\drivers and press Enter.
4. Type dir /ah and press Enter.
5. You will see text similar to the following (the .sys file name will be randomly generated):

   Directory of C:\WINDOWS\system32\drivers

   01/11/2005 AM 13,824 gbqxmhia.sys
   1 File(s) 13,824 bytes
   0 Dir(s) 961,425,408 bytes free

6. Type attrib -s -h <file name>, where <file name> is the name of the .sys file shown above, and press Enter. For example, for the file name shown above the command is: attrib -s -h gbqxmhia.sys. This removes the "system" and "hidden" attributes from the file.
7. Type ren <file name> malware.old, where <file name> is the file name mentioned above, and press Enter. This renames the randomly named file.
8. Type cd .. and press Enter. This changes the current directory to the Windows\System32 directory.
9. Type the following commands one line at a time, and press Enter after each line:
   ren msupd5.exe msupd5.old
   ren msupd4.exe msupd4.old
   ren msupd.exe msupd.old
   ren Reloadmedude.exe Reloadmedude.old
   Note: If you receive the following error message, ignore it because it indicates that the file does not exist:
   The system cannot find the file specified.
10. Type exit, and then press Enter.
