Dr. Watson Postmortem Debugger


  • My computer keeps locking up and I get the above message.  Please help.
  • It is not hard to fix...Print this out

    It is not a virus, nor do you have to download anything to fix it. And for God's sake, do not re-format your PC... or mess with your registry!

    A tech informed me it is a Microsoft problem, don’t know if it is true, it seems to be. Problems are from an update from Microsoft with the SP2... Tech didn’t know how to fix it, but this worked for me...

    When the error box pops up, click on the link in the box see error file... You will see a path or 2 that looks something like this:

    c:\docume~1\user\locals~1\Temp\werabbb.dir00\DRWTSN32.exe.mdmp

    Write it down

    Now, re-boot the computer in safe mode... press F8 as soon as it starts to re-boot. This brings you into safe mode. Here, you can get into your files.

    Go into Windows Explorer, follow the path and delete the file: DRWTSN32.exe.

    Now step 2: Go into the control panel, then add/remove programs. Find the program... SP2 and click uninstall. This is the update from Microsoft. You don’t need it anyway. If you don’t do both steps, it will just re-load.

    Then, re-boot the system in normal mode, it should be ok.

    Hope this helps, it worked for me....Let me know

    Donna

    Message Edited by ora1313 on 04-09-2005 07:37 AM

  • S McKinley,

    DRWTSN32.exe is part of Microsoft Windows. I wouldn't be so quick to remove it! There have been several reports of malware causing symptoms like this. I'd suggest following the instructions for malware removal contained in the post entitled "I think my system is infected. What do I do first?". The post is referenced in the pinned post entitled Special Interest-Virus Information and Removal FAQ (Frequently Asked Questions)

    Jim
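A triage check for the disagreement above, as an added example that is not part of any post in this thread: the path quoted in the first reply ends in `.mdmp`, so reading the first bytes of the file shows whether it is a crash dump (data) or a program, and the folder shows whether a real `drwtsn32.exe` sits where Windows keeps it. The system directory names and both sample headers are assumptions constructed for the illustration.

```python
import ntpath  # Windows path rules on any OS, so the example runs offline anywhere

# Constructed sample headers (not captured from a real machine).
MINIDUMP_HEADER = b"MDMP\x93\xa7" + b"\x00" * 26  # minidump files start with "MDMP"
PE_HEADER = b"MZ\x90\x00" + b"\x00" * 28          # Windows executables start with "MZ"

# Assumption: default system directories of a Windows XP/2000-era install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def file_kind(head: bytes) -> str:
    """Classify a file by its leading magic bytes, ignoring its name."""
    if head[:4] == b"MDMP":
        return "minidump"
    if head[:2] == b"MZ":
        return "executable"
    return "unknown"


def read_head(path: str, size: int = 32) -> bytes:
    """Read the first bytes of a real file for use with triage()."""
    with open(path, "rb") as fh:
        return fh.read(size)


def triage(path: str, head: bytes) -> str:
    """Verdict for a file whose name mentions drwtsn32.exe."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    kind = file_kind(head)
    if kind == "minidump":
        return "crash-dump"   # data describing a crash, not a program
    if kind == "executable":
        if name == "drwtsn32.exe" and folder in SYSTEM_DIRS:
            return "expected"  # the Windows component in its normal place
        return "suspicious"    # a program in a temp folder or behind a dump name
    return "unknown"


if __name__ == "__main__":
    quoted = r"c:\docume~1\user\locals~1\Temp\werabbb.dir00\DRWTSN32.exe.mdmp"
    print(triage(quoted, MINIDUMP_HEADER))
    print(triage(r"C:\WINDOWS\system32\drwtsn32.exe", PE_HEADER))
    print(triage(r"c:\docume~1\user\locals~1\Temp\drwtsn32.exe", PE_HEADER))
```

On a real machine, pass `read_head(path)` as the second argument instead of the constructed headers.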
  • This fix worked for me and many others. I will not argue the point anymore. It's not worth all the aggravation trying to help others with this problem......ora

    Message Edited by ora1313 on 04-11-2005 09:33 AM


  • Hello S McKinley,

    The problem that you are describing has been linked to a variant of the CoolWebSearch infection. The problem that Donna (ora1313) is referring to is actually a Trojan horse installed at the described malicious web site.

    Cool Web Search infections are often quite difficult to remove; just search this board and you'll see what I mean. You will be posting a HijackThis log at the Dell HijackThis forum.

    First, download HijackThis from here, then follow these instructions:


    Create a folder on the root drive (usually C:\), called C:\HJT. HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.


    1. Go to "My Computer" (Windows key+e), or by double-clicking on the "My Computer" icon on your desktop.
    2. Double click on "C:"
    3. Right click and select New ->Folder. Name it HJT.


    Unzip HijackThis to its permanent folder. Don't run it yet.


    Next, download Ad-Aware and Spybot Search & Destroy. Please install, update and run according to the Ad-Aware Tutorial and Spybot S&D Tutorial.

    After you have run Ad-Aware and Spybot S&D, please launch HijackThis by double-clicking on "HijackThis.exe".

    Click the "Do a system scan only" button.
    When scan is finished, click the "Save log" button and save to a convenient location.


    A Notepad window will open with the contents of the scan.


    Hit Ctrl+a to select the entire contents.
    Hit Ctrl+c to copy it.
     
    Next, go to the Dell HijackThis forum and start a new thread.

    Hit Ctrl+v to paste contents of your log into the message body.


    Someone will analyze your log and get back to you with the results as soon as possible.

    George a.k.a. SpotCheckBilly


    ChrisRLG's Computer Safety Online

    "I was worried 'bout rich and skinny,
    'til I wound up poor and fat"
    - Delbert McClinton

  • This fix worked for me and many others. I will not argue the point anymore. It's not worth all the aggravation trying to help others with this problem......ora

    Message Edited by ora1313 on 04-11-2005 09:35 AM

  • Hello ora

    "When a user attempts to perform the update, a Trojan horse virus is installed that allows hackers access to the infected computers, the company said."


    People are not getting a "bad" sp2 update. They are getting the Trojan horse mentioned above. (Quote taken directly from page at the link that you provided.) Simply removing the executable from the temp folder does not necessarily mean that the action caused by the launch of that executable will be removed as well. At the very least, a HijackThis log analysis should be performed.

    Additionally, the removal of the sp2 update and its subsequent patches WILL leave the security of one's computer at a much higher risk. Unless one is running programs that absolutely WILL NOT function with the sp2 update installed, removing (or not installing it at all) should not even be considered.
    I believe that you can find workarounds for some of these programs at the Microsoft web site, as well as at the software manufacturer's web site.

    If you go to any of the anti-malware sites e.g. SWI, Tom Coyote's, Castle cops, net-integration (home of Spybot S&D), and do a search using "Dr. Watson postmortem debugger", you will see what I mean about it being linked to one of the CWS variants.

    By the way, some of the variants of the CWS infection are very resistant to removal and do, in fact, require many steps to get rid of. However, it's very seldom that removal ends up not being successful.

    Hope you find this information helpful.

    George a.k.a. SpotCheckBilly



  • Gee, I wonder if the SP2 CD Microsoft sent me has a trojan horse?


    Seriously, I wouldn't blame SP 2. For the most part, it's been trouble free.
  • Ora,

    I've been in touch with SpotCheckBilly, and with his permission, I think it's important to bring out what I believe to be some critical points here.  The quotes (in blue) are his.  Please do not take this as a personal attack... rather, my only intent here is to be helpful to other readers in this forum.

    First, as I know you're already aware, there is a Fake Microsoft Security Trojan on the Loose -- a spam e-mail which advocates that one should "Update your windows machine" by downloading an "Urgent Windows Update".  Upon clicking on the supplied link, you are transferred to a Web site which fakes the appearance of the Microsoft Windows Update Site, but in reality, is operated by hackers, and installs a Trojan horse program (called DSNX-05) on your system.  This alleged "update" is in fact a phony update... it is NOT legitimate.  But as a consequence of this bad download, people have indeed been experiencing some very severe problems, and blaming their troubles on downloading/updating XP SP2. 

    In contrast, the legitimate "sp2 update (from the real Microsoft Windows Update site) and its subsequent patches should ALWAYS be installed, unless there is some very compelling reason not to" do so.  By removing SP2, you are in fact compromising your PC's security.  In fact, at some future point, in order to get later updates, XP users will have to install SP2 first.   For those who've already installed it (from the legitimate sites), it's "ill-advised" to advocate they remove it.  In short, SP2 is a highly important/valuable addition to the Windows XP operating system, and should NOT be removed.

    As for removing Dr. Watson:  "Every case of the 'Dr. Watson postmortem debugger' problem that" Billy has "come across has been a result of one of the CWS (Cool Web Search) variants".  It should be kept in mind that  "Dr. Watson is a legitimate diagnostic tool for the Windows operating system".  As such, it shouldn't be simply discarded.  

    Now Ora, I understand your desire to step in and argue (paraphrasing what I believe to be your contention) "But my fix really works... several people have all told me that, by removing Dr. Watson, they no longer experienced this error". And yes, you're correct... as far as the literal meaning here. But here's the analogy to your advice, as crazy as this may seem to you: Suppose a person came to you, in great pain, suffering from a broken arm. You COULD tell that person he/she needs an amputation. That certainly would 'work', in the sense that it would take care of their pain. No more pain.... And no more broken arm. But the problem now is, much more simply, no more ARM! That person can no longer reach for things, or write, or do the usual tasks that had been performed with that arm. And, by analogy, THIS is what you're advocating when you tell people to remove (i.e., cut off) Dr. Watson. They will lose access to a potentially valuable debugging tool. I'm sure we all would agree that instead of amputating one's arm, the far preferable approach is to set it... likewise, rather than removing Dr. Watson, it would be far better to repair it.

    So, I would suggest that all readers out there take SpotCheckBilly's good advice... find the proper fix for Dr. Watson... don't just settle for its "amputation". 

    And don't give up on SP2.

     

    Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware

    Windows 7 Pro SP1 (64-bit), avast! v2014 Free, MBAM Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, EMET+MBAE, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), CryptoPrevent, Secunia PSI.

    [I believe computer-users who sandbox (Sandboxie) are acting prudently.]

  • I got rid of Dr. Watson. After running several different spyware scans and an anti-virus scan (all clean), I found it is just a hassle. I'd be using I-Tunes, and switching to another song, and I-tunes would crash, and post-mortem debugger would cause the PC to freeze.

    However, I can restore it when I get ready.
  • msil,
     
    can you elaborate on the specific steps you took to "get rid" of dr. watson?   the reason why i'm asking is because there is an ongoing debate about the dr. watson problem in another thread, and ora (donna) has maintained that when she tried to delete dr. watson (in safe mode --- the copy of dr watson she found was in a temp folder), it simply came back again.
     
    also, please confirm, you have installed, and kept, sp2 ?
     
    thanks


  • I have had SP2 since 8-31-04, and still have it.

    I did not remove it, as thought, but it is disabled.


    How to disable Dr.Watson

    Message Edited by msil217 on 04-13-2005 07:31 AM

  • Hey msil217,
     
    For future reference, the CWS infection that causes the Doctor Watson problem cannot be removed by Spybot S&D, Ad-Aware or any antivirus program.

    The CWShredder program also cannot remove it on its own. The CoolWebSearch people have been making it more and more difficult to remove their "product".
     
    George a.k.a. SpotCheckBilly





  • SpotCheckBilly wrote:
    Hey msil217,
    For future reference, the CWS infection that causes the Doctor Watson problem cannot be removed by Spybot S&D, Ad-Aware or any antivirus program.

    The CWShredder program also cannot remove it on its own. The CoolWebSearch people have been making it more and more difficult to remove their "product".
    George a.k.a. SpotCheckBilly





    Then how would one know if they had a CWS infection?? I even checked my HiJack This log, and nothing looked suspicious.

    I also use Microsoft Anti-spyware, Spyware Blaster, Avert stinger, etc.

    The only time I had trouble with the post mortem debugger is when I-tunes played 2 songs, for which there is no album art, if that makes any difference.

    I-tunes would sound like the CD was stuck, at certain times. But usually on only 2 songs.