March 17th, 2005 01:00
Dr. Watson Postmortem Debugger
My computer keeps locking up and I get the above message. Please help.
Responses(16)
ora1313
27 Posts
0
March 26th, 2005 11:00
It is not hard to fix...Print this out
It is not a virus, nor do you have to download anything to fix it. And for God's sake, do not re-format your PC.......or mess with your registry!
A Tech informed me it is a Microsoft problem, don’t know if it is true, it seems to be. Problems are from an update from Microsoft with the SP2....Tech didn’t know how to fix it, but this worked for me........
When the error box pops up, click on the link in the box see error file........You will see a path or 2 that looks something like this:
c:\docume~1\user\locals~1\Temp\werabbb.dir00\DRWTSN32.exe.mdmp
Write it down
Now, Re-Boot computer in safe-mode.............press F8 as soon as it starts to re-boot: This brings you into safe-mode. Here, you can get into your files.
Go into Windows Explorer, follow the path and delete the file: DRWTSN32.exe.
Now step 2: Go into the control panel, then add/remove programs. Find the program.........SP2 and click uninstall. This is the update from Microsoft. You don’t need it anyway. If you don’t do both steps, it will just re-load.
Then, Re-boot system in normal mode, it should be ok.
Hope this helps, it worked for me....Let me know
Donna
Message Edited by ora1313 on 04-09-2005 07:37 AM
jwatt
4.4K Posts
0
March 26th, 2005 16:00
DRWTSN32.exe is part of Microsoft Windows. I wouldn't be so quick to remove it! There have been several reports of malware causing symptoms like this. I'd suggest following the instructions for malware removal contained in the post entitled "I think my system is infected. What do I do first?". The post is referenced in the pinned post entitled Special Interest-Virus Information and Removal FAQ (Frequently Asked Questions)
Jim
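An added example, not part of the thread or any poster's code: a small Python triage helper for a path copied from the error dialog, separating a Windows Error Reporting crash dump (like the `.mdmp` path quoted earlier) from the Dr. Watson executable itself. The function name `classify_path`, the labels, and the default system root `C:\WINDOWS` are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Error-reporting staging folders look like "werabbb.dir00" (pattern taken
# from the path quoted in the thread).
WER_DIR = re.compile(r"^wer[0-9a-z]+\.dir\d+$", re.IGNORECASE)
DUMP_SUFFIXES = {".mdmp", ".hdmp"}  # minidump / heap dump data files

ADVICE = {
    "crash-dump (WER)": "Crash data, not a program; deleting it does not address the cause.",
    "crash-dump": "Crash data outside a WER folder; keep it for analysis.",
    "system-binary": "Dr. Watson in its normal location; part of Windows.",
    "misplaced-binary": "Dr. Watson name outside System32; scan before trusting it.",
    "other": "Not a Dr. Watson artifact.",
}


def classify_path(raw, system_root=r"C:\WINDOWS"):
    """Return a triage label for a path shown in the error dialog."""
    p = PureWindowsPath(raw.strip().strip('"'))
    in_wer_dir = any(WER_DIR.match(part) for part in p.parts[:-1])

    # "DRWTSN32.exe.mdmp" has the suffix ".mdmp": it is a dump, not an .exe.
    if p.suffix.lower() in DUMP_SUFFIXES:
        return "crash-dump (WER)" if in_wer_dir else "crash-dump"

    if p.name.lower() == "drwtsn32.exe":
        expected = PureWindowsPath(system_root) / "system32" / "drwtsn32.exe"
        # PureWindowsPath comparison ignores case, as Windows does.
        return "system-binary" if p == expected else "misplaced-binary"
    return "other"


if __name__ == "__main__":
    samples = [
        # Path quoted in the thread.
        r"c:\docume~1\user\locals~1\Temp\werabbb.dir00\DRWTSN32.exe.mdmp",
        # Constructed sample paths.
        r"C:\windows\System32\DRWTSN32.EXE",
        r"C:\Documents and Settings\user\Local Settings\Temp\drwtsn32.exe",
    ]
    for s in samples:
        label = classify_path(s)
        print(f"{label:18} {s}\n{'':18} {ADVICE[label]}")
```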
ora1313
27 Posts
0
April 8th, 2005 01:00
Message Edited by ora1313 on 04-11-2005 09:33 AM
ora1313
27 Posts
0
April 9th, 2005 11:00
Message Edited by ora1313 on 04-11-2005 09:34 AM
SpotCheckBilly
932 Posts
0
April 9th, 2005 20:00
The problem that you are describing has been linked to a variant of the CoolWebSearch infection. The problem that Donna (ora1313) is referring to is actually a Trojan horse installed at the described malicious web site.
Cool Web Search infections are often quite difficult to remove - just search this board and you'll see what I mean. You will be posting a HijackThis log at the Dell HijackThis forum.
First, download HijackThis from: Here, then follow these instructions:
Create a folder on the root drive, (Usually C:\), called C:\HJT. HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.
1. Go to "My Computer" (Windows key+e), or by double-clicking on the "My Computer" icon on your desktop.
2. Double click on "C:"
3. Right click and select New ->Folder. Name it HJT.
Unzip HijackThis to its permanent folder. Don't run it yet.
Next, download Ad-Aware and Spybot Search & Destroy. Please install, update and run according to the Ad-Aware Tutorial and Spybot S&D Tutorial.
After you have run Ad-Aware and Spybot S&D, please launch HijackThis by double-clicking on "HijackThis.exe".
Click the "Do a system scan only" button.
When scan is finished, click the "Save log" button and save to a convenient location.
A Notepad window will open with the contents of the scan.
Hit Ctrl+a to select the entire contents.
Hit Ctrl+c to copy it.
Next, go to the Dell HijackThis forum and start a new thread.
Hit Ctrl+v to paste contents of your log into the message body.
Someone will analyze your log and get back to you with the results as soon as possible.
George a.k.a. SpotCheckBilly
ora1313
27 Posts
0
April 10th, 2005 12:00
Message Edited by ora1313 on 04-11-2005 09:35 AM
SpotCheckBilly
932 Posts
0
April 10th, 2005 23:00
"When a user attempts to perform the update, a Trojan horse virus is installed that allows hackers access to the infected computers, the company said."
People are not getting a "bad" sp2 update. They are getting the Trojan horse mentioned above. (Quote taken directly from page at the link that you provided.) Simply removing the executable from the temp folder does not necessarily mean that the action caused by the launch of that executable will be removed as well. At the very least, a HijackThis log analysis should be performed.
Additionally, the removal of the sp2 update and its subsequent patches WILL leave the security of one's computer at a much higher risk. Unless one is running programs that absolutely WILL NOT function with the sp2 update installed, removing (or not installing it at all) should not even be considered.
I believe that you can find workarounds for some of these programs at the Microsoft web site, as well as at the software manufacturer's web site.
If you go to any of the anti-malware sites e.g. SWI, Tom Coyote's, Castle cops, net-integration (home of Spybot S&D), and do a search using "Dr. Watson postmortem debugger", you will see what I mean about it being linked to one of the CWS variants.
By the way, some of the variants of the CWS infection are very resistant to removal and do, in fact, require many steps to get rid of. However, it's very seldom that removal ends up not being successful.
Hope you find this information helpful.
George a.k.a. SpotCheckBilly
msil217
2K Posts
0
April 11th, 2005 09:00
Seriously, I wouldn't blame SP 2. For the most part, it's been trouble free.
ky331
3 Apprentice
15.3K Posts
0
April 12th, 2005 00:00
Ora,
I've been in touch with SpotCheckBilly, and with his permission, I think it's important to bring out what I believe to be some critical points here. The quotes (in blue) are his. Please do not take this as a personal attack... rather, my only intent here is to be helpful to other readers in this forum.
First, as I know you're already aware, there is a Fake Microsoft Security Trojan on the Loose -- a spam e-mail which advocates that one should "Update your windows machine" by downloading an "Urgent Windows Update". Upon clicking on the supplied link, you are transferred to a Web site which fakes the appearance of the Microsoft Windows Update Site, but in reality, is operated by hackers, and installs a Trojan horse program (called DSNX-05) on your system. This alleged "update" is in fact a phony update... it is NOT legitimate. But as a consequence of this bad download, people have indeed been experiencing some very severe problems, and blaming their troubles on downloading/updating XP SP2.
In contrast, the legitimate "sp2 update (from the real Microsoft Windows Update site) and its subsequent patches should ALWAYS be installed, unless there is some very compelling reason not to" do so. By removing SP2, you are in fact compromising your PC's security. In fact, at some future point, in order to get later updates, XP users will have to install SP2 first. For those who've already installed it (from the legitimate sites), it's "ill-advised" to advocate they remove it. In short, SP2 is a highly important/valuable addition to the Windows XP operating system, and should NOT be removed.
As for removing Dr. Watson: "Every case of the 'Dr. Watson postmortem debugger' problem that" Billy has "come across has been a result of one of the CWS (Cool Web Search) variants". It should be kept in mind that "Dr. Watson is a legitimate diagnostic tool for the Windows operating system". As such, it shouldn't be simply discarded.
Now Ora, I understand your desire to step-in and argue (paraphrasing what I believe to be your contention) "But my fix really works... several people have all told me that, by removing Dr. Watson, they no longer experienced this error". And yes, you're correct... as far as the literal meaning here. But here's the analogy to your advice, as crazy as this may seem to you: Suppose a person came to you, in great pain, suffering from a broken arm. You COULD tell that person he/she needs an amputation. That certainly would 'work', in the sense that it would take care of their pain. No more pain.... And no more broken arm. But the problem now is, much more simply, no more ARM! That person can no longer reach for things, or write, or do the usual tasks that had been performed with that arm. And, by analogy, THIS is what you're advocating when you tell people to remove (i.e., cut off) Dr. Watson. They will lose access to a potentially valuable debugging tool. I'm sure we all would agree that instead of amputating one's arm, the far-preferable approach is to set it... likewise, rather than removing Dr. Watson, it would be far-better to repair it.
So, I would suggest that all readers out there take SpotCheckBilly's good advice... find the proper fix for Dr. Watson... don't just settle for its "amputation".
And don't give up on SP2.
msil217
2K Posts
0
April 12th, 2005 21:00
However, I can restore it when I get ready.
ky331
3 Apprentice
15.3K Posts
0
April 13th, 2005 10:00
msil217
2K Posts
0
April 13th, 2005 11:00
I did not remove it, as thought, but it is disabled.
How to disable Dr.Watson
Message Edited by msil217 on 04-13-2005 07:31 AM
SpotCheckBilly
932 Posts
0
April 13th, 2005 22:00
cannot be removed by Spybot S&D, Ad-Aware or any antivirus program.
The CWShredder program also cannot remove it on its own. The CoolWebSearch
people have been making it more and more difficult to remove their "product".
msil217
2K Posts
0
April 13th, 2005 23:00
Then how would one know if they had a CWS infection?? I even checked my HiJack This log, and nothing looked suspicious.
I also use Microsoft Anti-spyware, Spyware Blaster, Avert stinger, etc.
The only time I had trouble with the post mortem debugger is when I-tunes played 2 songs, for which there is no album art, if that makes any difference.
I-tunes would sound like the CD was stuck, at certain times. But usually on only 2 songs.
JRosenfeld
2 Intern
4.4K Posts
0
April 17th, 2005 14:00
Spotcheckbilly,
Are you sure that the latest version of CWshredder (2.14) can't remove this one?
As you will know, Merijn sold it to Intermute and they have continued to update it:
http://www.intermute.com/spysubtract/cwshredder_download.html