Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

drWatson postmortem debugger error [RESOLVED]

Started by supernoober , Jun 15 2005 06:12 PM

This topic is locked

#1
supernoober

Posted 15 June 2005 - 06:12 PM

Member

Member
120 posts

Can someone help me with this problem?

My computer freezes when I try to access some files on my computer and I get the drWatson postmortem debugger error that says. I have scanned my computer with ad-aware and spybot and antivirus and got nothing. Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 4:38:03 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Victor C\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117905493881
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0705A66-1E96-4B11-8DD4-93806A1B362A}: NameServer = 206.13.28.12 206.13.29.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#2
greyknight17

Posted 16 June 2005 - 12:22 PM

Malware Expert

Visiting Consultant
16,560 posts

Hi again and welcome to GTG. :tazz:

I don't like this error. Nothing much is showing up in the HijackThis log either.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

No need for a new log. Do this instead:

I want you to go to this folder c:\Windows\system32 and see if you can find any ICO files. Best way to do this is change your view to Detail View and then sort it by file type. Look for ICO files (see when they were created).

Now while still in the system32 folder, double click on drwatson.exe to run it. "In the bottom tray bar on your screen you will see drwatson click on that icon this will give a error message copy the information down and post this back to me."

Now double click on drwtsn32.exe and again copy the information and post this also

#3
supernoober

Posted 16 June 2005 - 04:03 PM

Member

Topic Starter
Member
120 posts

Hi,

I ran a HijackThis scan and fixed the ones you said. I did not find any .ico files. I then clicked on drwatson.exe and got "No faults detected". When I double click drwtsn32.exe, it brings up the settings and I do not know what to post. I then tried to access the folder that brings out the error and the error signature is:

EventType : BEX P1 : drwtsn32.exe P2 : 5.1.2600.0 P3 : 3b7d84a2
P4 : dbghelp.dll P5 : 5.1.2600.2180 P6 : 4110969a P7 : 0001295d
P8 : c0000409 P9 : 00000000

#4
greyknight17

Posted 18 June 2005 - 03:12 PM

Malware Expert

Visiting Consultant
16,560 posts

Hi, do a search for this file -> wininet.dll

Upload that file to this site. Report back what it found.

Run an online virus scan using Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

#5
supernoober

Posted 18 June 2005 - 11:18 PM

Member

Topic Starter
Member
120 posts

Hi,
Hi,
I searched for wininet.dll on my computer and found 9 of them. I tried to upload one to that site but it does not work. It stays at this:

Service load:
0% 100%
File: wininet.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 1a078af3f85d10ba56444c23b3a18e74
Packers detected: -
Scanner results
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...
{SCANNERNAME} Scanning, please wait...

At the bottom of my IE browser, it says "error on page".

As for the Panda ActiveScan, it detected no virusses and did not have a log.

#6
greyknight17

Posted 19 June 2005 - 03:48 PM

Malware Expert

Visiting Consultant
16,560 posts

I am asking another expert/staff here for help on this. As soon as I get a reply back, I will post back here.

#7
greyknight17

Posted 20 June 2005 - 06:26 AM

Malware Expert

Visiting Consultant
16,560 posts

OK, do a search for wininet.dll again. Take note of all 9 locations. Download and install Firefox. Use that as your main browser instead of Internet Explorer. Go to the jotti site and upload all those 9 files (do them one by one :tazz:

). Report back those 9 reports (make sure you use Firefox to do this).

#8
supernoober

Posted 21 June 2005 - 09:59 PM

Member

Topic Starter
Member
120 posts

Hi,
I searched again for wininet.dll and this time I only found 4 of them. I scanned them at the site with firefox. Here are the results.

1. Last file scanned at least one scanner reported something about: Backdoor.Win32.Bifrose.d in trojan.zip, detected by:

Scanner Malware name
AntiVir BDS/Bifrosted.2
ArcaVir Trojan.Bifrose.D
Avast X
AVG Antivirus BackDoor.Small.44.AQ
BitDefender Dropped:Backdoor.Bifrose.D
ClamAV Trojan.Bifro-11.A-srv
Dr.Web Trojan.MulDrop.2268
F-Prot Antivirus X
Fortinet W32/Bifrose.D-bdr
Kaspersky Anti-Virus Backdoor.Win32.Bifrose.d
NOD32 Win32/Bifrose.D
Norman Virus Control X
VBA32 Backdoor.Win32.Bifrose.d

2. Last file scanned at least one scanner reported something about: Exploit.HTML.Mht in 1[1].htm, detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender Exploit.Html.MhtRedir.Gen
ClamAV Exploit.HTML.MHTRedir.5n
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Exploit.HTML.Mht
NOD32 X
Norman Virus Control X
VBA32 X

3. Last file scanned at least one scanner reported something about: XMasTreeWorm in Virus.Script.IBM.XMasTreeWorm, detected by:

Scanner Malware name
AntiVir X
ArcaVir Trojan.Virus.Script.Ibm.Xmastreeworm
Avast X
AVG Antivirus X
BitDefender Worm.Xmastree.A
ClamAV Worm.XMasTree
Dr.Web Script.Xmas.2580
F-Prot Antivirus security risk or a "backdoor" program
Fortinet XMasTree.A
Kaspersky Anti-Virus Virus.Script.IBM.XMasTreeWorm
NOD32 X
Norman Virus Control CMS/Christma-exec
VBA32 XMasTreeWorm

4. Last file scanned at least one scanner reported something about: Backdoor.Win32.NetShadow.a in trojan.zip, detected by:

Scanner Malware name
AntiVir BDS/Netshad.A.1
ArcaVir Trojan.Netshadow.A
Avast Win32:Trojan-gen. {Delphi}
AVG Antivirus BackDoor.Small.43.BG
BitDefender Backdoor.Netshadow.A
ClamAV Trojan.Netshadow-2
Dr.Web BackDoor.Netshadow
F-Prot Antivirus X
Fortinet W32/NShadow.A-tr
Kaspersky Anti-Virus Backdoor.Win32.NetShadow.a
NOD32 Win32/NetShad.1_0
Norman Virus Control W32/Delf.LQ
VBA32 Backdoor.Win32.NetShadow.a

By the way, I have not had the drWatson problem for the past couple days when browsing through the directory induced it.

#9
greyknight17

Posted 21 June 2005 - 10:25 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, delete all 4 instances of that wininet.dll file now.

Go to Start->Run and type in sfc /scannow and hit OK. Let it run. If it doesn't find any missing/corrupted files, it should close by itself. If it does find something, it may ask for your Windows CD.

Restart.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#10
supernoober

Posted 22 June 2005 - 03:08 AM

Member

Topic Starter
Member
120 posts

There is a mistake. When I submitted all four of the wininet.dll files to the site, all of the scanners found nothing. But I thought that the statistics at the bottom of the page were my results. I did not delete any of the wininet.dll and I have not had the drWatson error for days :tazz:

Edited by supernoober, 22 June 2005 - 12:11 PM.

#11
greyknight17

Posted 22 June 2005 - 02:29 PM

Malware Expert

Visiting Consultant
16,560 posts

I think those are the report files. It says what each antivirus program detected it as. It should say Nothing found instead of what you have up there.

Try searching for the wininet.dll files again. See if you still have only 4 files. Upload them and make sure it says nothing found. Otherwise you are still infected but it's just not wreaking havoc yet.

#12
supernoober

Posted 22 June 2005 - 06:20 PM

Member

Topic Starter
Member
120 posts

I searched and found 4 and I uploaded them earlier today and found nothing. The statistics at the bottom are not the results of the scan. They are there whenever I go to the site, even before I upload a file. Noticing this, I uploaded a wininet.dll file and the statistics at the bottom did not refresh.

#13
greyknight17

Posted 22 June 2005 - 06:39 PM

Malware Expert

Visiting Consultant
16,560 posts

supernoober, if you don't mind, could you stay a little longer to help us out here? I have another analyst/staff here who was helping me with this post of your's for a while. This postmortem debugger error is very complicated. From what I was told, you are in the 3rd stage and this is when everything looks like it's working properly.

So if you can stick around longer, that would help us out a lot. Post back if you can stay longer here. We might ask you to run some tests, but I'm not sure. Will await the other analysts reply and yours (if you are interested in helping us).

#14
supernoober

Posted 22 June 2005 - 09:31 PM

Member

Topic Starter
Member
120 posts

Hi,
Yes, I can stay longer and help.

#15
greyknight17

Posted 22 June 2005 - 09:53 PM

Malware Expert

Visiting Consultant
16,560 posts

Thanks, that's great.

OK, we want you to zip all the files in these folders:

c:\windows\
c:\windows\system32\

Give us the two zip files once you are done. Just attach them here.