Suggestion 1: Renaming the malicious driver in Safe Mode

STOP: 0x00000050 Error: Rootkit

The 0x00000050 removal methods suggested below are recommended only to experienced users.

Manual Rootkit Removal Instruction (Advanced Users)

1. Start Windows in Safe Mode

  • Restart the computer
  • Press the F8 key repeatedly, one time per second, to bring up the Microsoft Windows Advanced Startup Menu.
  • Choose Safe Mode by using the UP ARROW and DOWN ARROW keys and then press ENTER.

2. Start Internet Explorer

  • Type %windir%\system32\drivers in the Address field and press ENTER.

3. Enable the viewing of hidden files:

  • Click Start Button, and then click My Computer.
  • Choose Folder Options from the Tools menu.
  • On the View tab, uncheck the Hide protected operating system files option. A warning message appears saying that you have chosen to view protected operating system files. Click YES.
  • Under Hidden files and folders, click Show hidden files and folders.
  • Click to clear the Hide extensions for known file types check box.
  • In the Folder views area, click Apply to All Folders, and then click OK.
  • Find the folder %windir%\System32\Drivers.
  • Find any .sys file that has the following characteristics:
  • Date of January 11, 2005
  • A hidden attribute (shows “HA” in the Attributes column in Windows Explorer)
  • No manufacturer, product name or version information in the attributes
  • File size of 14 KB (13,824 bytes)
  • A randomly generated name, like “flerkfvs.sys,” “wrewcmdq.sys,” or “eospwmrs.sys”, that consists of exactly eight lowercase letters

4. Rename each of these files to malware1.old, malware2.old, malware3.old, etc.

  • Find the %windir%\System32 folder.
  • Find and rename the following files:
  • Msupd.exe to Msupd.old.
  • Msupd4.exe to Msupd4.old.
  • Msupd5.exe to msupd5.old.
  • Reloadmedude.exe to Reloadmedude.old.
  • Restart Windows

5. Scan your computer with antivirus software. Make sure the program is updated with the latest virus signatures.

Suggestion 2: Renaming the malicious driver in Safe Mode with the help of the command prompt

  • Restart the computer in Safe Mode. To do this, follow these steps:
  • After restarting, press the F8 key repeatedly, one time per second, to bring up the Microsoft Windows Advanced Startup Menu.
  • Choose Safe Mode by using the UP ARROW and DOWN ARROW keys and then press ENTER.
  • Click Start (left bottom), click Run, type cmd in the opened text field, and then click OK.
  • Type CD %windir%\system32\drivers at the opened command prompt and press ENTER.
  • Type Dir /ah, and then press ENTER.
  • Output similar to the sample below is displayed (the .sys file will have a randomly generated name).

Directory of C:\WINDOWS\system32\drivers

01/11/2005 09:18 AM 13,824 tdpwytvg.sys

           1 File(s)            13,824 bytes
           0 Dir(s)     961,425,408 bytes free

  • Type “Attrib -s -h RandomFilename” (without quotes), and press ENTER. This step removes the hidden and system attributes from the file.

Important: RandomFilename stands for the name of the .sys file that is displayed after step 5.

  • For the sample above, you would type “Attrib -s -h tdpwytvg.sys” (see step 5).
  • To rename the randomly named file, type Ren RandomFilename malware.old, and then press ENTER.
  • Type CD .. and then press ENTER to change the command line to the %windir%\System32 folder.
  • Type the following commands, one by one, pressing ENTER after you type each of them:
  • Ren msupd5.exe msupd5.old
  • Ren msupd4.exe msupd4.old
  • Ren msupd.exe msupd.old
  • Ren reloadmedude.exe reloadmedude.old
  • Important: If the following error message is displayed, don’t panic: you can safely ignore it. The message indicates that the targeted file does not exist:

The system cannot find the file specified.

  • Type Exit and press ENTER.
  • Restart your computer.
  • Scan your computer with antivirus software. Make sure the software has the latest virus signature updates.
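
The Dir /ah check from this procedure can also be run over a saved listing. The sketch below is an added example, not part of the original instructions: it scores each row against the name, size and date characteristics listed under Suggestion 1. It assumes the US-English dir layout shown in the sample; SAMPLE holds the page's sample row plus two constructed rows, and the names score_listing and candidates are hypothetical.

```python
import re

# Indicators the page gives for the rootkit driver. The hidden attribute is
# already implied when the listing comes from `dir /ah`; the missing version
# information cannot be seen in `dir` output and must be checked separately.
EXPECTED_SIZE = 13824                    # 13,824 bytes
EXPECTED_DATE = ("01", "11", "2005")     # January 11, 2005 as mm/dd/yyyy
NAME_RE = re.compile(r"[a-z]{8}\.sys")   # exactly eight lowercase letters

# Assumption: US-English `dir` row layout: date, time, AM/PM, size, name.
ROW_RE = re.compile(
    r"(\d{2})/(\d{2})/(\d{4})\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S.*)")

# The page's sample row plus two constructed rows that match only in part.
SAMPLE = r"""
 Directory of C:\WINDOWS\system32\drivers

01/11/2005  09:18 AM            13,824 tdpwytvg.sys
01/11/2005  09:18 AM            13,824 Example1.sys
08/04/2004  12:00 PM             4,224 abcdefgh.sys
               3 File(s)         31,872 bytes
"""

def score_listing(listing):
    """Return (file name, matched indicators) for every file row."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            continue  # header, summary and <DIR> rows are skipped
        month, day, year, size, name = m.groups()
        hits = []
        if NAME_RE.fullmatch(name):
            hits.append("name")
        if int(size.replace(",", "")) == EXPECTED_SIZE:
            hits.append("size")
        if (month, day, year) == EXPECTED_DATE:
            hits.append("date")
        rows.append((name, hits))
    return rows

def candidates(listing):
    """File names that match all three listing-visible indicators."""
    return [name for name, hits in score_listing(listing) if len(hits) == 3]

if __name__ == "__main__":
    for name, hits in score_listing(SAMPLE):
        print(f"{name:<16} {', '.join(hits) or 'no match'}")
```

Rows that match only some indicators are reported but not returned by candidates, so a partial match is reviewed by hand before any file is renamed.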

Suggestion 3: Renaming the malicious driver with the help of Internet Explorer

  • Launch Internet Explorer.
  • Type %windir%\system32\drivers in the Address field and press ENTER.
  • Find the randomly named .sys file, right-click on it, and then click Rename.
  • Rename the file to malware.old, and then press ENTER to save changes.
  • Type \WINDOWS\system32 in the Address field and then press ENTER.
  • Find the following files and, if they exist, rename them as described above:
     Msupd.exe. Rename this file Msupd.old.
     Msupd4.exe. Rename this file Msupd4.old.
     Msupd5.exe. Rename this file Msupd5.old.
     Reloadmedude.exe. Rename this file Reloadmedude.old.

  • Close Internet Explorer.
  • Restart Windows.
  • Scan your computer with antivirus software. Make sure the software has the latest virus signature updates.

We hope that helped you remove STOP 0x00000050.