Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Have Drwatson.32 But Cant Find It

  • Please log in to reply
3 replies to this topic

#1 CrisGer


  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:04:02 AM

Posted 07 September 2008 - 06:32 PM

I am having trouble removing Drwatson.32..it is showing on my programs running program manager window but i cant find it in a search of my computer using the find function. I have run AVG twice, Spybot a number of times, and AntiMalware a bunch of times and none of them find it. I just got a "serious error" pop up about drwatson so that is how i noticed it was in there somehwere.

I run Outpost and AVG 7.5 and use Antimalware regularly.

I post the log from Antimalware here:

Malwarebytes' Anti-Malware 1.26
Database version: 1119
Windows 5.1.2600 Service Pack 2

9/7/2008 5:26:34 PM
mbam-log-2008-09-07 (17-26-34).txt

Scan type: Quick Scan
Objects scanned: 44109
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

my system specs are posted in my profile, as you guys have helped me before with much appreciatoin. I have an AMD 3300 with Windows XP Pro SP2, etc. and am having memory problems and got help on that in the XP section but i am wondering if some of that may be hidden viruses too. So, i want to try to get drwatson out to be sure.

I dl Autorun and scanned but could not find an entry for drwatson....

i am doing a full Malwarebytes anti-malware scan while i am waiting to hear from you all. thanks again.

can you help? thanks

PS I may have jumped the gun on this, there ARE two drwatson exe's in my System32 folder, and they may be official windows after all, one is drwatson.exe and the other is DrWtsn32.exe both dated at my last system install, so perhaps they are valid. I was nervous as i tried to shut it down in the program manager and it would not shut down and i had an error pop up with that name on it and i did not recognize it. I have had a ton of BSOD's over the past week and with the help of your guys in the XP section it appears to be either faulty memory or a dying motherboard. I still wonder tho if it may be some hidden viruses.

the error report and the program running in the program manager was definitely spelled differntly, DrWatson.32.exe and it is listed in the data base here as a virus installed by a maware.

I found this post in my research on this on line...

"From: ilago 11/08/2008 10:56:08 PM

Subject: re: drwatson32.exe post id: 636059

Dr Watson is part of Windows troubleshooting. At a guess it's been enabled due to a problem.

There was a rash of malware a few years ago where the only clue to type was that Dr Watson appeared for no reason. If you think you might have a problem of some kind you can post a log for checking.

Read the notes about what HijackThis does.

from Techtalk

i did some more hunting and found where the REAL dr watson log file is, and indeed there is a error log from today...so maybe i am jumping the gun here:

here is the entry:

Application exception occurred:
App: C:\WINDOWS\Explorer.EXE (pid=264)
When: 9/7/2008 @ 16:35:07.671
Exception number: 80000007

*----> System Information <----*
Computer Name: CHRIS-25CB808AE
User Name: Chris
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 12 Stepping 0
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Uniprocessor Free
Registered Organization:
Registered Owner: Chris Gerlach

*----> Task List <----*
0 System Process
4 System
628 smss.exe
692 csrss.exe
716 winlogon.exe
760 services.exe
780 lsass.exe
936 svchost.exe
1016 svchost.exe
1108 svchost.exe
1152 svchost.exe
1204 svchost.exe
1504 spoolsv.exe
1632 avgamsvr.exe
1648 avgupsvc.exe
1660 avgemc.exe
1772 nvsvc32.exe
1804 outpost.exe
1900 ScsiAccess.exe
1944 svchost.exe
616 alg.exe
264 Explorer.EXE
1404 wscntfy.exe
500 iTunesHelper.exe
516 avgcc.exe
1144 CloneCDTray.exe
1096 Skype.exe
1740 ctfmon.exe
1340 TeaTimer.exe
1236 iPodService.exe
3036 skypePM.exe
1400 fraps.exe
1872 avgwb.dat
2708 drwtsn32.exe

*----> Module List <----*
(0000000000a90000 - 0000000000a96000: C:\WINDOWS\system32\ctagent.dll
(0000000000d30000 - 0000000000d40000: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
(0000000000dc0000 - 0000000000dd2000: C:\WINDOWS\system32\browselc.dll
(0000000001000000 - 00000000010ff000: C:\WINDOWS\Explorer.EXE
(00000000011b0000 - 00000000011c0000: C:\Program Files\MagicISO\misosh.dll
(0000000001800000 - 0000000001812000: C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
(00000000023f0000 - 0000000002407000: C:\WINDOWS\system32\odbcint.dll
(0000000002610000 - 0000000002795000: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
(0000000002f60000 - 0000000002fbb000: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
(0000000003280000 - 0000000003308000: C:\WINDOWS\system32\shdoclc.dll
(00000000036d0000 - 0000000003f15000: C:\WINDOWS\system32\nvcpl.dll
(0000000003f40000 - 0000000003fa0000: C:\WINDOWS\system32\nvapi.dll
(0000000003fb0000 - 0000000004023000: C:\WINDOWS\system32\nvshell.dll
(0000000004050000 - 0000000004074000: C:\Program Files\Common Files\Adobe\Shell\PSICON.DLL
(0000000004090000 - 00000000040c1000: C:\Program Files\WinAce\arcext.dll
(00000000040d0000 - 00000000041ab000: C:\Program Files\WinAce\ace.dll
(0000000004400000 - 000000000442e000: C:\Program Files\WinRAR\rarext.dll
(0000000004830000 - 0000000004843000: C:\Program Files\7-Zip\7-zip.dll
(000000000ffd0000 - 000000000fff8000: C:\WINDOWS\system32\rsaenh.dll
(0000000010000000 - 000000001009b000: C:\Program Files\VDMSound\LaunchPad.dll
(0000000010930000 - 0000000010979000: C:\WINDOWS\system32\PortableDeviceApi.dll
(00000000109c0000 - 00000000109ec000: C:\WINDOWS\system32\PortableDeviceTypes.dll
(0000000013420000 - 000000001343a000: C:\Program Files\Windows Media Player\wmpband.dll
(0000000016200000 - 0000000016206000: C:\Program Files\WinZip\wzshlstb.dll
(00000000164a0000 - 00000000164c3000: C:\WINDOWS\system32\WPDShServiceObj.dll
(0000000020000000 - 00000000202c5000: C:\WINDOWS\system32\xpsp2res.dll
(000000004d4f0000 - 000000004d548000: C:\WINDOWS\system32\WINHTTP.dll
(000000004ec50000 - 000000004edf3000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(000000005ad70000 - 000000005ada8000: C:\WINDOWS\system32\UxTheme.dll
(000000005b0a0000 - 000000005b0a7000: C:\WINDOWS\system32\umdmxfrm.dll
(000000005b860000 - 000000005b8b4000: C:\WINDOWS\system32\NETAPI32.dll
(000000005ba60000 - 000000005bad1000: C:\WINDOWS\system32\themeui.dll
(000000005cb70000 - 000000005cb96000: C:\WINDOWS\system32\ShimEng.dll
(000000005cd70000 - 000000005cd77000: C:\WINDOWS\system32\serwvdrv.dll
(000000005d090000 - 000000005d12a000: C:\WINDOWS\system32\comctl32.dll
(000000005e310000 - 000000005e31c000: C:\WINDOWS\system32\pngfilt.dll
(000000005edd0000 - 000000005ede7000: C:\WINDOWS\system32\olepro32.dll
(00000000621a0000 - 00000000621b0000: C:\Program Files\Grisoft\AVG7\avgse.dll
(0000000063560000 - 0000000063597000: C:\Fraps\FRAPS.DLL
(0000000065af0000 - 0000000065af7000: C:\WINDOWS\system32\jsproxy.dll
(0000000066880000 - 000000006688c000: C:\WINDOWS\system32\ImgUtil.dll
(0000000069450000 - 0000000069466000: C:\WINDOWS\system32\faultrep.dll
(000000006c1b0000 - 000000006c1fd000: C:\WINDOWS\system32\DUSER.dll
(000000006c450000 - 000000006c476000: C:\WINDOWS\system32\dskquoui.dll
(000000006f880000 - 000000006fa4a000: C:\WINDOWS\AppPatch\AcGenral.DLL
(0000000071aa0000 - 0000000071aa8000: C:\WINDOWS\system32\WS2HELP.dll
(0000000071ab0000 - 0000000071ac7000: C:\WINDOWS\system32\WS2_32.dll
(0000000071ad0000 - 0000000071ad9000: C:\WINDOWS\system32\WSOCK32.dll
(0000000071b20000 - 0000000071b32000: C:\WINDOWS\system32\MPR.dll
(0000000071bf0000 - 0000000071c03000: C:\WINDOWS\system32\SAMLIB.dll
(0000000071c10000 - 0000000071c1e000: C:\WINDOWS\System32\ntlanman.dll
(0000000071c80000 - 0000000071c87000: C:\WINDOWS\System32\NETRAP.dll
(0000000071c90000 - 0000000071cd0000: C:\WINDOWS\System32\NETUI1.dll
(0000000071cd0000 - 0000000071ce7000: C:\WINDOWS\System32\NETUI0.dll
(0000000071d40000 - 0000000071d5c000: C:\WINDOWS\system32\actxprxy.dll
(0000000072410000 - 000000007242a000: C:\WINDOWS\system32\mydocs.dll
(0000000072a90000 - 0000000072ad8000: C:\WINDOWS\system32\DEVMGR.DLL
(0000000072d10000 - 0000000072d18000: C:\WINDOWS\system32\msacm32.drv
(0000000072d20000 - 0000000072d29000: C:\WINDOWS\system32\wdmaud.drv
(0000000073000000 - 0000000073026000: C:\WINDOWS\system32\WINSPOOL.DRV
(0000000073b30000 - 0000000073b45000: C:\WINDOWS\system32\mscms.dll
(0000000073ba0000 - 0000000073bb3000: C:\WINDOWS\system32\sti.dll
(0000000073f10000 - 0000000073f6c000: C:\WINDOWS\system32\DSOUND.dll
(0000000074320000 - 000000007435d000: C:\WINDOWS\system32\ODBC32.dll
(00000000746c0000 - 00000000746e7000: C:\WINDOWS\system32\msls31.dll
(0000000074720000 - 000000007476b000: C:\WINDOWS\system32\MSCTF.dll
(0000000074ad0000 - 0000000074ad8000: C:\WINDOWS\system32\POWRPROF.dll
(0000000074ae0000 - 0000000074ae7000: C:\WINDOWS\system32\CFGMGR32.dll
(0000000074af0000 - 0000000074afa000: C:\WINDOWS\system32\BatMeter.dll
(0000000074b30000 - 0000000074b76000: C:\WINDOWS\system32\webcheck.dll
(0000000074c80000 - 0000000074cac000: C:\WINDOWS\system32\OLEACC.dll
(0000000075150000 - 0000000075164000: C:\WINDOWS\system32\Cabinet.dll
(00000000754d0000 - 0000000075550000: C:\WINDOWS\system32\CRYPTUI.dll
(00000000755c0000 - 00000000755ee000: C:\WINDOWS\system32\msctfime.ime
(0000000075970000 - 0000000075a67000: C:\WINDOWS\system32\MSGINA.dll
(0000000075cf0000 - 0000000075d81000: C:\WINDOWS\system32\MLANG.dll
(0000000075e90000 - 0000000075f40000: C:\WINDOWS\system32\SXS.DLL
(0000000075f60000 - 0000000075f67000: C:\WINDOWS\System32\drprov.dll
(0000000075f70000 - 0000000075f79000: C:\WINDOWS\System32\davclnt.dll
(0000000075f80000 - 000000007607d000: C:\WINDOWS\system32\BROWSEUI.dll
(0000000076080000 - 00000000760e5000: C:\WINDOWS\system32\MSVCP60.dll
(0000000076280000 - 00000000762a1000: C:\WINDOWS\system32\stobject.dll
(0000000076360000 - 0000000076370000: C:\WINDOWS\system32\WINSTA.dll
(0000000076380000 - 0000000076385000: C:\WINDOWS\system32\MSIMG32.dll
(0000000076390000 - 00000000763ad000: C:\WINDOWS\system32\IMM32.DLL
(00000000763b0000 - 00000000763f9000: C:\WINDOWS\system32\comdlg32.dll
(0000000076400000 - 00000000765a6000: C:\WINDOWS\system32\NETSHELL.dll
(0000000076600000 - 000000007661d000: C:\WINDOWS\System32\CSCDLL.dll
(0000000076980000 - 0000000076988000: C:\WINDOWS\system32\LINKINFO.dll
(0000000076990000 - 00000000769b5000: C:\WINDOWS\system32\ntshrui.dll
(00000000769c0000 - 0000000076a73000: C:\WINDOWS\system32\USERENV.dll
(0000000076b20000 - 0000000076b31000: C:\WINDOWS\system32\ATL.DLL
(0000000076b40000 - 0000000076b6d000: C:\WINDOWS\system32\WINMM.dll
(0000000076bf0000 - 0000000076bfb000: C:\WINDOWS\system32\PSAPI.DLL
(0000000076c00000 - 0000000076c2e000: C:\WINDOWS\system32\credui.dll
(0000000076c30000 - 0000000076c5e000: C:\WINDOWS\system32\WINTRUST.dll
(0000000076c90000 - 0000000076cb8000: C:\WINDOWS\system32\IMAGEHLP.dll
(0000000076d30000 - 0000000076d34000: C:\WINDOWS\system32\WMI.dll
(0000000076d60000 - 0000000076d79000: C:\WINDOWS\system32\iphlpapi.dll
(0000000076e80000 - 0000000076e8e000: C:\WINDOWS\system32\rtutils.dll
(0000000076f50000 - 0000000076f58000: C:\WINDOWS\system32\WTSAPI32.dll
(0000000076f60000 - 0000000076f8c000: C:\WINDOWS\system32\WLDAP32.dll
(0000000076fd0000 - 000000007704f000: C:\WINDOWS\system32\CLBCATQ.DLL
(0000000077050000 - 0000000077115000: C:\WINDOWS\system32\COMRes.dll
(0000000077120000 - 00000000771ab000: C:\WINDOWS\system32\OLEAUT32.dll
(00000000771b0000 - 0000000077256000: C:\WINDOWS\system32\WININET.dll
(00000000773d0000 - 00000000774d3000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
(00000000774e0000 - 000000007761d000: C:\WINDOWS\system32\ole32.dll
(0000000077690000 - 00000000776b1000: C:\WINDOWS\system32\NTMARTA.DLL
(0000000077920000 - 0000000077a13000: C:\WINDOWS\system32\SETUPAPI.dll
(0000000077a20000 - 0000000077a74000: C:\WINDOWS\System32\cscui.dll
(0000000077a80000 - 0000000077b14000: C:\WINDOWS\system32\CRYPT32.dll
(0000000077b20000 - 0000000077b32000: C:\WINDOWS\system32\MSASN1.dll
(0000000077b40000 - 0000000077b62000: C:\WINDOWS\system32\appHelp.dll
(0000000077bd0000 - 0000000077bd7000: C:\WINDOWS\system32\midimap.dll
(0000000077be0000 - 0000000077bf5000: C:\WINDOWS\system32\MSACM32.dll
(0000000077c00000 - 0000000077c08000: C:\WINDOWS\system32\VERSION.dll
(0000000077c10000 - 0000000077c68000: C:\WINDOWS\system32\msvcrt.dll
(0000000077dd0000 - 0000000077e6b000: C:\WINDOWS\system32\ADVAPI32.dll
(0000000077e70000 - 0000000077f02000: C:\WINDOWS\system32\RPCRT4.dll
(0000000077f10000 - 0000000077f57000: C:\WINDOWS\system32\GDI32.dll
(0000000077f60000 - 0000000077fd6000: C:\WINDOWS\system32\SHLWAPI.dll
(0000000077fe0000 - 0000000077ff1000: C:\WINDOWS\system32\Secur32.dll
(0000000078130000 - 00000000781cb000: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
(000000007c340000 - 000000007c396000: C:\WINDOWS\system32\MSVCR71.dll
(000000007c3a0000 - 000000007c41b000: C:\WINDOWS\system32\MSVCP71.dll
(000000007c800000 - 000000007c8f5000: C:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
(000000007c9c0000 - 000000007d1d6000: C:\WINDOWS\system32\SHELL32.dll
(000000007d1e0000 - 000000007d49e000: C:\WINDOWS\system32\msi.dll
(000000007dc30000 - 000000007df21000: C:\WINDOWS\system32\mshtml.dll
(000000007e1e0000 - 000000007e281000: C:\WINDOWS\system32\urlmon.dll
(000000007e290000 - 000000007e3ff000: C:\WINDOWS\system32\SHDOCVW.dll
(000000007e410000 - 000000007e4a0000: C:\WINDOWS\system32\USER32.dll

*----> State Dump for Thread Id 0x688 <----*

eax=7c90eb94 ebx=00000000 ecx=0007f7a0 edx=00000000 esi=00090608 edi=00000000
eip=7c90eb94 esp=0007f66c ebp=0007f6f4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=02b0 es=0000 fs=003b gs=000f efl=00000246

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
FAULT ->ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*

Edited by CrisGer, 07 September 2008 - 07:07 PM.

Game Researcher and Designer
3D Worlds and Game Developers Group Linkedin

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:02 AM

Posted 08 September 2008 - 09:57 AM

Drwtsn32.exe is related to DrWatson's Postmortem Debugger program.

Dr. Watson for Windows is a program error debugger that gathers information about your computer when an error (or user-mode fault) occurs with a program. Technical support groups can use the information that Dr. Watson obtains and logs to diagnose a program error. When an error is detected, Dr. Watson creates a text file (Drwtsn32.log) that can be delivered to support personnel by the method they prefer. You also have the option of creating a crash dump file, which is a binary file that a programmer can load into a debugger...

Drwatson.exe is an older program error debugger that was included with earlier versions of Windows NT. Microsoft recommends that you use Drwtsn32.exe instead of Drwatson.exe in Windows XP...

Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool
Description of the Dr. Watson (Drwatson.exe) Tool

"Memory Dumps in XP".
"Overview of memory dump file options for Windows 2000/XP/2003".

To disable Dr. Watson via the GUI Interface, go to Start > Run and type: drwtsn32.exe
Press Ok.
Clear all check marks under the Options box.
Click Ok.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CrisGer

  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:04:02 AM

Posted 08 September 2008 - 12:27 PM

Hooray! Thanks, i was being over anxious i think. You guys are awesome, as usual :thumbsup: thanks very much.
Game Researcher and Designer
3D Worlds and Game Developers Group Linkedin

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:02 AM

Posted 08 September 2008 - 12:29 PM

You're welcome.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users