Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Dr Watson Postmortem Debugger [CLOSED]


  • This topic is locked This topic is locked

#1
kalone

kalone

    Member

  • Member
  • PipPip
  • 13 posts
Lately I've been getting this error, it freezes up the computer, but am still able to access web browser and already running applications.

But what I can't access is the windows folders. And what I've realised is that this error pops up when ever I open a folder or my computer or my documents etc.

So here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:52 PM, on 26/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [PlayNC Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kenny\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169879312203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1169879291765
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O21 - SSODL: system32 - {A40D19D5-1113-4ACC-87D1-5B9B6AD536A9} - sysprinters.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9606 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Go to My Computer->Tools->Folder Option->View and check 'Show hidden files and folders' and uncheck 'Hide protected operating system files'. Go to your c: drive. Right click on the boot.ini file and go to Properties. Uncheck the box that says Read-only and click OK. Then double click on the boot.ini file to open it. Change the line that says /NoExecute=OptIn and change it to /NoExecute=AlwaysOff. Now save the file and close it.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O21 - SSODL: system32 - {A40D19D5-1113-4ACC-87D1-5B9B6AD536A9} - sysprinters.dll (file missing)

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
  • 0

#3
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I've done everything. Finished scanning now, but I don't see a "see report" button anywhere.
  • 0

#4
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-07-28 00:02:23
PROTECTIONS: 0
MALWARE: 6
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\lm1yc6aa.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Kenny\Cookies\[email protected][1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\lm1yc6aa.default\cookies.txt[.tribalfusion.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\lm1yc6aa.default\cookies.txt[.statcounter.com/]
01264355 Trj/Banker.SW Virus/Trojan No 0 Yes No C:\Program Files\Cliprex DVD Player Professional\Capthumb.dll
02946065 Rootkit/Agent.ITL HackTools No 0 Yes No C:\System Volume Information\_restore{50B7DFEA-7105-4CBE-B214-70F2CCCF48C6}\RP460\A0072887.sys
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================





Here is the log sorry mate.
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, you should be set to go.
  • 0

#6
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thanks for the help mate, I'll reply again if I have any problems, thanks :)
  • 0

#7
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Nop, its not working, still getting the same error.

The log wasn't that clean... don't I have a trogan there?
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
That Cliprex program seems to contain adware. If you want, you can uninstall it...

What problem do you still have remaining now?
  • 0

#9
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Still getting the same error, my computer is clean from viruses and malware.

Opening files and folders causes my computer to freeze up and not respond in the task manager, get this error message and then makes the desktop and start windows non-accessible, only able to see the programs already running.

Edited by kalone, 31 July 2008 - 01:32 AM.

  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
One of these methods should fix the Dr. Watson problem:

1. Go to My Computer->Tools->Folder Option->View and check 'Show hidden files and folders' and uncheck 'Hide protected operating system files'. Go to your c: drive. Right click on the boot.ini file and go to Properties. Uncheck the box that says Read-only and click OK. Then double click on the boot.ini file to open it. Change the line that says /NoExecute=OptIn and change it to /NoExecute=AlwaysOff. Now save the file and close it.

2. Right click My Computer and select Properties. Go to Advanced tab->Startup and Recovery and click Settings. Click the drop-down box next to 'Write debugging information' and select none.

3. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Go back to the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug. Double click on 'Auto' (in the right pane) and modify the value to 0.
  • 0

Advertisements


#11
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
1. There is no boot.ini file.

2. There is nowhere that it says 'Write debugging information'.

3. I've done it, guess we'll just have to wait.

Thanks for sticking by me :)
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
1. Are you sure you unchecked the option that says Hide protected operating system files? It should have shown you the boot.ini file in your C: drive.

2. Double check that area. Write debugging information is the bottom area where the drop down box is.
  • 0

#13
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Yes I'm 10000000000000000000% positive.
It shows other files that weren't there before, but boot.ini is not there.

But it looks like I haven't had the error since. Wait a week more before you close this just to be sure :)
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Reply back with a progress update within 4-5 days or I will close it and mark it as inactive. I guess two more replies from you should show if it helped out or not.
  • 0

#15
kalone

kalone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Yep, the error is still kicking up, every time I open a folder the error either:

1. Exits the folders.

2. Causes the folders to not respond and I can only close them with task manager.

And every time it causes my desktop to freeze so I can't see my desktop.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP