Was this intended to be the response to a problem you saw posted elsewhere? If so, you should post it in THAT thread, so the person inquiring will find it easier (and hopefully, be notified by e-mail that you've responded).
I did that so it would stay at the top and be seen. Sooooo many people are having problems with this and I have not seen one certain fix anyplace on the internet. Everyone has suggestions of things you can download and check, do this and do that but it is all trial and error. It was common sense when the problems started, so I just back-tracked and figured it out. Instead of people going thru all kinds of things they don't have to, this is much easier. And yes, I did respond to several threads concerning this. This is an aggravating problem, I'm just trying to help.
This fix worked for me and many others. I will not argue the point anymore, It's not worth all the aggravation trying to help others with this problem......ora
First let me commend you for a well-thought-out reply. You've helped make this a highly interesting, informative, and enlightening thread. I believe many of the people here reading this will benefit from our "give and take".
You've raised some good points, and I don't know that I can adequately reply to them all.
How could a trojan (any trojan, not necessarily this particular one) slip thru your updated Norton program, as well as a subsequent scan? I can only speculate here: Since the trojan and phony Microsoft "update" were only newly announced --- the two articles that I've seen were dated April 8th and 9th --- and moreover, since the Anti-Virus company to discover/report this problem was Sophos (not Norton), it's at least possible that the trojan got into your system before Norton/Symantec added it to their virus signatures. And since you already applied your "fix", when/if Norton eventually did (or will) add this virus-detection to its program, it won't find it on your system anymore. I can't say definitively this is what happened in your case, but it's certainly plausible. Perhaps, one of the other free online scans (Trend-Micro, Computer Associates e-trust, or Panda) would be more successful in locating and removing this problem (if it still exists).
Yes, there have indeed been some incompatibility issues with SP2. (I don't have XP on the machine I'm using at the moment, but) I believe SP2 has a feature which allows the user to run specific programs as if an alternative/simulated version of windows were controlling them. And this feature often solves the compatibility issues.
In my opinion, I find it quite unfortunate that technicians at Dell all-too-readily take an "overkill" approach to solving problems: UNinstall SP2, REinstall Windows, and/or REformat your hard drive. The last two approaches are highly radical, and should be done only as an absolute last resort. Most software problems, no matter how agonizing and "hair-pulling" they may seem at the time, lend themselves to less-radical solutions... albeit with a great deal of patience. I don't know how many times I've told someone who was ready to reformat, NOT TO, and was able to offer them a simple software fix as an alternative. (Unfortunately, no, I do not know of such a simple fix in this case... but that doesn't mean there isn't one we have yet to discover.)
The fact that (the "bad") Dr. Watson continued to come back, even after you deleted its file, is not unusual. There are many 'resilient' viruses/worms/trojans, that strategically place more than one copy of themselves on a system (in several differently named files)... and if any one copy is removed, the others have the capability of restoring it. (I've dealt with this repeatedly, for example, when combating the w32.serflog.a worm, which places itself in (at least) 3 files: msmbw.exe, formatsys.exe, and serbw.exe --- if you delete any one (or two), the others will just replace it.) This being the case, what we should try to do is find out whether there are any other "bad" files, working "in conjunction" with Dr. Watson, that keep on bringing it back. Here's a thought/possibility: it may be something as simple as System Restore that's bringing back Dr. Watson. Again, I can't say this for certain. But if so, by temporarily turning off System Restore, deleting the "bad" Dr. Watson (in the Temp folder) in safe mode, rebooting, and then turning System Restore back on, *MIGHT* just successfully delete (the "bad") Dr. Watson, withOUT having to get rid of SP2. I think this approach is certainly worth a try.
By the way, I really AM glad that you're no longer experiencing any problems with your computer. If you want to hold off on trying SP2 again, that's certainly your prerogative. For people with cable-like lines, yes, it may take only a minute or two to re-download.... but for someone who's still using a dial-up modem, you don't want to have to download SP2 more than once! (Hopefully, they may offer a CD version, by mail, for dial-up users)
Finally, there is one other point where you've made a technical error: when you said the "bad" Dr. Watson file is "in the temp. folder, and the real one is in the registry", the latter statement is not correct. The registry contains "pointers" to files. Many of these "pointers" serve as "wake-up calls", to auto-start files upon boot-up. Some of these pointers serve to "tell" windows what programs you've already installed on your system. But the actual file is located elsewhere... for example, in the \windowsXX or the \windowsXX\systemYY directory (where XX may represent the version of Windows that you're using, and YY may be either omitted or '32').
In any event, it's been fun, and enlightening, debating these points with you. Keep up the interest!
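The point in the post above, that the registry holds only pointers while the files themselves live elsewhere, can be turned into a check: resolve each autostart or debugger entry to the file it names and flag any that run from a temporary folder or imitate a system tool's name. This is an added example, not part of the original thread; the registry entries are constructed sample data, and the `C:\WINDOWS\system32` location, the value names and the helper names are assumptions.

```python
import ntpath
import re

# Assumptions for this sketch: default XP system directory, and drwtsn32.exe
# as the genuine Dr. Watson binary registered under the AeDebug key.
SYSTEM_DIR = r"C:\WINDOWS\system32"
SYSTEM_TOOLS = {"drwtsn32.exe"}
TEMP_PARTS = {"temp", "tmp", "temporary internet files"}

# Constructed sample data: (registry key, value name, value data).
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug",
     "Debugger", "drwtsn32 -p %ld -e %ld -g"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ExampleApp", r"C:\Program Files\ExampleApp\app.exe /start"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "drwtsn", r"C:\DOCUME~1\user\LOCALS~1\Temp\drwtsn.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "updater", r'"C:\WINDOWS\Temp\upd.exe" -silent'),
]


def image_path(command):
    """Return the executable portion of a registry command line."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):                      # quoted path
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted path that may contain spaces: cut at the first extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]   # bare name, e.g. drwtsn32


def stem(name):
    """Lower-case name without extension or trailing digits."""
    return ntpath.splitext(name.lower())[0].rstrip("0123456789")


def findings(command):
    """List the reasons a registry command line looks suspicious."""
    directory, name = ntpath.split(image_path(command))
    name = name.lower()
    if not ntpath.splitext(name)[1]:
        name += ".exe"
    reasons = []
    if {p for p in directory.lower().split("\\") if p} & TEMP_PARTS:
        reasons.append("runs from a temporary folder")
    lookalike = any(stem(name) == stem(tool) for tool in SYSTEM_TOOLS)
    if lookalike and directory and directory.lower() != SYSTEM_DIR.lower():
        reasons.append("system-tool name outside " + SYSTEM_DIR)
    if lookalike and name not in SYSTEM_TOOLS:
        reasons.append("name imitates a system tool")
    return reasons


def audit(entries):
    """Return (key, value name, file path, reasons) for flagged entries."""
    flagged = []
    for key, value_name, data in entries:
        reasons = findings(data)
        if reasons:
            flagged.append((key, value_name, image_path(data), reasons))
    return flagged


if __name__ == "__main__":
    for key, value_name, path, reasons in audit(SAMPLE_ENTRIES):
        print(f"{key}\\{value_name} -> {path}: {'; '.join(reasons)}")
```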
I will say that ora's fix did help me get my PC operational, which in turn let me take the proper steps to get the trojan cornered and removed. Without these tips my PC was as good as garbage.
To crayphish: can you elaborate on the "proper steps" you took "to get the trojan cornered and removed", after you applied Ora's suggestion? Is it something simple/general enough, that can be 'advertised' here?
To Bertha2: does your solution always make essential/inherent use of HJT? (which, if so, is fine....) Or is there any alternative "tool" that can be used instead of HJT?
ky331
3 Apprentice
•
15.6K Posts
0
March 26th, 2005 17:00
DELL-Chris M
Community Manager
•
56.9K Posts
0
March 28th, 2005 11:00
It looks like ora1313 was just posting a general Dr. Watson Fix. I don't think it was in reply to a specific poster.
ora1313
27 Posts
0
April 8th, 2005 02:00
ky331
3 Apprentice
•
15.6K Posts
0
April 8th, 2005 16:00
ora1313
27 Posts
0
April 8th, 2005 21:00
So far, yes...the people that have written me have been soooo happy to have the computers run. The fix I am suggesting is reversible if not successful, but so far, anyone that has tried it has fixed the problem. So far as I can tell, this is the only true fix to this problem.........I am not a computer nerd, I just love computers and it is a challenge to me to fix one--and I fixed it. So, Yes, try it.
Donna
crayphish
19 Posts
0
April 8th, 2005 23:00
ora1313
27 Posts
0
April 9th, 2005 11:00
Message Edited by ora1313 on 04-11-2005 09:40 AM
ky331
3 Apprentice
•
15.6K Posts
0
April 12th, 2005 00:00
Ora,
I've been in touch with SpotCheckBilly, and with his permission, I think it's important to bring out what I believe to be some critical points here. The quotes (in blue) are his. Please do not take this as a personal attack... rather, my only intent here is to be helpful to other readers in this forum.
First, as I know you're already aware, there is a Fake Microsoft Security Trojan on the Loose -- a spam e-mail which advocates that one should "Update your windows machine" by downloading an "Urgent Windows Update". Upon clicking on the supplied link, you are transferred to a Web site which fakes the appearance of the Microsoft Windows Update Site, but in reality, is operated by hackers, and installs a Trojan horse program (called DSNX-05) on your system. This alleged "update" is in fact a phony update... it is NOT legitimate. But as a consequence of this bad download, people have indeed been experiencing some very severe problems, and blaming their troubles on downloading/updating XP SP2.
In contrast, the legitimate "sp2 update (from the real Microsoft Windows Update site) and its subsequent patches should ALWAYS be installed, unless there is some very compelling reason not to" do so. By removing SP2, you are in fact compromising your PC's security. In fact, at some future point, in order to get later updates, XP users will have to install SP2 first. For those who've already installed it (from the legitimate sites), it's "ill-advised" to advocate they remove it. In short, SP2 is a highly important/valuable addition to the Windows XP operating system, and should NOT be removed.
As for removing Dr. Watson: "Every case of the 'Dr. Watson postmortem debugger' problem that" Billy has "come across has been a result of one of the CWS (Cool Web Search) variants". It should be kept in mind that "Dr. Watson is a legitimate diagnostic tool for the Windows operating system". As such, it shouldn't be simply discarded.
Now Ora, I understand your desire to step-in and argue (paraphrasing what I believe to be your contention) "But my fix really works... several people have all told me that, by removing Dr. Watson, they no longer experienced this error". And yes, you're correct... as far as the literal meaning here. But here's the analogy to your advice, as crazy as this may seem to you: Suppose a person came to you, in great pain, suffering from a broken arm. You COULD tell that person he/she needs an amputation. That certainly would 'work', in the sense that it would take care of their pain. No more pain.... And no more broken arm. But the problem now is, much more simply, no more ARM! That person can no longer reach for things, or write, or do the usual tasks that had been performed with that arm. And, by analogy, THIS is what you're advocating when you tell people to remove (i.e., cut off) Dr. Watson. They will lose access to a potentially valuable debugging tool. I'm sure we all would agree that instead of amputating one's arm, the far-preferable approach is to set it... likewise, rather than removing Dr. Watson, it would be far-better to repair it.
So, I would suggest that all readers out there take SpotCheckBilly's good advice... find the proper fix for Dr. Watson... don't just settle for its "amputation".
And don't give up on SP2.
ora1313
27 Posts
0
April 12th, 2005 12:00
I do have a couple of questions for you, and a few comments:
I do run norton and I keep it updated, how did this slip through if it is a Trojan? Also, why didn't it pick it up when I ran a scan after the problem started?
The update I installed was not through e-mail, my computer prompted me to update, and I did. When I couldn't figure out what was wrong, I called dell. That is when a tech told me it was the sp2 update. I asked him what was wrong with it, he told me the update released from Microsoft was not compatible with all systems and it was causing lots of problems. Since my warranty was up with dell, I would be charged a fee so I decided to try to fix it myself. I went all over the web to find a fix. I did try downloading all the things you say to download, but it didn't work. I spent 2 weeks, every day downloading programs, running them and getting aggravated. Tax time was almost here, I needed to fix my computer or borrow one.
When I clicked on the link in the dr. watson error box, it led me to a temp. folder. I went into safe mode and deleted the drwtsn.exe file. This alone didn't work, it just reloaded. So, I went into safe mode again: This time I deleted the drwtsn.exe in the temp. folder and also went into add-remove programs and removed the sp2 update. This time it worked. Since it did work, I figured what the tech told me was true.
If this is a trojan horse, why have I not had anymore problems with my computer?
I have also updated from norton almost everyday since and ran scans but nothing comes up. If you know about the dsnx-05, why is norton not finding it?
I will in the near future visit microsoft and reload the sp2 update, but I was waiting until they figured out what was wrong. As I said in many of my replies, you can go directly to microsoft and re-download the update. I just choose not to at this time.
I know that dr. watson is in the computer, in the registry because I found it. I have seen others disable it from the registry. Why would a drwtsn.exe file be in the internet temp. folder? So, I never suggested to delete the dr. watson program, just the file in the temp. folder. I have also seen someone try to re-format the entire computer-and get what I have seen called: The blue screen of death.
So, if the drwtsn.exe file has no business being in the temp. folder, and the real one is in the registry, what is the harm in deleting it? Also, If you remove the sp2 update, and go directly to microsoft and re-download another update, your computer is safe: (assuming it is not the update that is bad). It only takes a minute or two to download another update.... So what is the harm in doing that? If these 2 simple things work, with no other problems, I don't understand why not do it. I spent 2 weeks with no results, and spent 20 minutes doing what I did and it worked. So, if I have a trojan, how do I find it? But, if I have no further problems, do I keep searching for it? I will however re-download the sp2 update in the next week or two and see if I have the same problem. But like I said, I did not update from an e-mail, and I am the only one that uses this computer, so that remains a mystery.
Donna
ky331
3 Apprentice
•
15.6K Posts
0
April 12th, 2005 14:00
Message Edited by ky331 on 04-12-2005 10:38 AM
Message Edited by ky331 on 04-12-2005 10:41 AM
crayphish
19 Posts
0
April 12th, 2005 16:00
Bertha2
711 Posts
0
April 12th, 2005 16:00
ky331
3 Apprentice
•
15.6K Posts
0
April 12th, 2005 16:00
SpotCheckBilly
932 Posts
0
April 12th, 2005 21:00
Thank you so very much for confirming my original contention, that being: the Dr. Watson problem has nothing to do with sp2, but instead is due to a variant of CWS.
I can only hope that very few people will actually uninstall sp2. It would be interesting to talk to the technician who told Donna (oro), in reference to sp2, "You don't need it anyway", and his/her justifications for doing so.
I hope that others who are following this thread and others like it will realize that very often simply removing one ".exe" file does not necessarily mean that the problem will go away. Additionally, just because that error message stops doesn't mean that the virus/Trojan/whatever is gone as well.
George a.k.a. SpotCheckBilly
crayphish
19 Posts
0
April 12th, 2005 22:00