DR. WATSON POST MORTEM ERROR: hijackThis log included.

Posted on 2006-04-05
Last Modified: 2008-01-09
I have lost all my files in "My Documents." I tried System Restore and it didn't restore the files. Then once when I was restarting my PC, an error came up as Dr. Watson Post Mortem. I have never installed this, and when I looked at Google, people said it could be a virus. Can anyone help me? Below I have a HijackThis log file, hope it helps:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:39 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Chinky\LOCALS~1\Temp\Temporary Directory 1 for KillBox.zip\Killbox.exe
C:\Documents and Settings\Chinky\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Firefox is Better than me
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136585911437
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Question by:yknihc
16 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 16386952
Here's an analysis of your log file.
http://www.hijackthis.de/index.php#anl
You can post them at this link in the future for free analysis.
http://www.hijackthis.de/
It doesn't show anything really malicious.
I would suggest running your anti-virus and antimalware utilities in Safe Mode.
Anti-malware: http://www.ewido.net/en/
Anti-Virus: http://usa.kaspersky.com/downloads/trial-versions.php
(Both are free to try)
:-)
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 16386970
Just visited the first link I gave you and the log file was gone.
Locate the first entry in your log file that starts with R1 and copy everything from that point to the last O23 entry. Paste them in this URL. Go to the bottom of that link and select Analyze.
http://www.hijackthis.de/
0
 
LVL 32

Expert Comment

by:r-k
ID: 16387115
Here is a link to the saved analysis:

 http://www.hijackthis.de/logfiles/2de9c7d914502e5b89625ee074912640.html

I can't see anything there that would explain your problem, though the following is a bit odd:

 O20 - Winlogon Notify: WBSrv - C:\WINDOWS\

Can you explain a bit more about how you came to lose files in "My Documents"
FYI: System Restore will not restore user files, only certain system settings and files.

It is possible the files are there in some other folder on your C: drive. I would right-click on the C: drive (in Explorer or My Computer), select "Search" and type in the name of a file that I knew for sure was in "My Documents". Then repeat this for a couple of other files.
0
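A small triage pass over HijackThis entries that surfaces the kind of line r-k singled out above, written as an added example (it is not part of the thread or of HijackThis itself). It flags entries whose target is a bare folder instead of a file and entries HijackThis itself marks "(file missing)"; the function names are made up for this illustration, and the sample lines are copied from the log in the question.

```python
import re

# Entry lines look like "O20 - Winlogon Notify: WBSrv - C:\WINDOWS\".
# Header lines and the "Running processes" list do not match this pattern.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Sample lines copied from the log posted in the question.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_entries(log_text):
    """Return (code, body) for each registry/startup entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text):
    """Return (code, reason, body) for entries that deserve a manual look."""
    findings = []
    for code, body in parse_entries(log_text):
        # The last " - " separated field is the target path when one is present.
        target = body.rsplit(" - ", 1)[-1].strip()
        if body.endswith("(file missing)"):
            findings.append((code, "target file missing", body))
        elif DRIVE_PATH_RE.match(target) and target.endswith("\\"):
            # A loadable entry should name a file; a bare folder means the
            # registry value is truncated or damaged.
            findings.append((code, "target is a folder, not a file", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {body}")
```

A flagged line is a prompt to inspect the registry value and the file on disk, not a verdict that the entry is malicious.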

 

Author Comment

by:yknihc
ID: 16387761
I turned on my PC a few days ago, and up until then, everything was top notch. Then, when I first logged in, I noticed my wallpaper and all desktop icons except My Computer and Recycle Bin were gone. When I tried to refresh my desktop it said that C:\documents and settings\[user name]\desktop was not found. Then I looked in my music folder and all my songs were gone, and also my files in My Documents. When I tried SFC /SCANNOW in safe mode, it gave me one of those Windows error reporting messages.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16388059
If your files are/were important, I would use the system as little as possible until they are recovered.

Did you have any luck with "Search" on the C: drive to look for specific files that seem to be missing?
0
 

Author Comment

by:yknihc
ID: 16391924
No, it didn't find anything, but I am pretty sure that the used disk size is the same as before, which means the files are probably here.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16391998
Here is what I suggest:

Connect your drive as a slave drive to another system, then get and install the demo version of GetDataBack from:

 http://www.runtime.org/gdb.htm

on that other system, and see what files can be recovered with that.

If you install programs on the disk with missing files you'll be putting them at risk.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 16392288
Have you attempted to create a new user account?
If you can do that and the desktop under that account appears normal then you have some of the answers that we need.
0
 

Author Comment

by:yknihc
ID: 16394969
I created a new account and when I first logged in, the desktop had Recycle Bin, Help and Support, and Internet Explorer icons. There was no My Computer. Then as it loaded, an error message came up saying C:\Hp\wallpaper\WBDCC341.DLL was corrupt. That's all it said.
Note: WBDCC341, the 1 might have been a "l" as in lion.
0
 
LVL 32

Accepted Solution

by:
r-k earned 350 total points
ID: 16395108
Depending on how important your lost files were, I would suggest not doing anything on the disk, such as creating new accounts or installing new files/programs. Every new thing you do has the potential to destroy any files that could be recovered.

It is better to boot from another disk and then do troubleshooting or data recovery.

If the files were not important or you have a good backup, then consider reformatting the disk and starting over.
0
 
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 250 total points
ID: 16404697
Yknihc,
At this point (and if this were my system) I would copy desired data (Office files, tax files, IE Favorites, etc.) and either do a repair: http://www.michaelstevenstech.com/XPrepairinstall.htm#warning2
or perform a clean installation. You'll obviously need your XP CD and your CD key for this.
Your problem reminds me of one I've encountered before. IE was corrupted and it affected my desktop icons. I never realized how intertwined IE and the OS were until that issue. A repair of IE solved my problems. If you decide to nuke your hard drive and start completely from scratch you might try a reinstall of IE just for fun.
IE Reinstall:
While you are logged on as an administrator, (Or as a user with Administrative privileges) click Start, and then click Run.
In the Open box, type regedit, and then click OK.
Locate the appropriate registry subkey, right-click the IsInstalled (REG_DWORD) value, and then click Modify.
To reinstall only the Internet Explorer 6 browser component on Windows XP, use the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
To reinstall only Outlook Express 6 on Windows XP, use the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Change the value data from 1 to 0, and then click OK.
Quit Registry Editor, and then install Internet Explorer 6.
To reinstall Windows XP updates, visit the following Microsoft Windows Update Web site:
http://windowsupdate.microsoft.com/
Remember...save desired data first no matter which action you choose. :-)

0
 
LVL 27

Expert Comment

by:David-Howard
ID: 16404716
One more item. If you haven't performed a search for your data/documents you can do that easily enough.
Click Start>Search>Files or Folders. Do a search for *.doc and see what you get. If you have Excel and Access items you can search for *.xls and *.db.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16404737
Look in the folder named "c:\documents and settings" You may see a couple of user names that are similar to yours. Browse there for the missing files.
0
 

Author Comment

by:yknihc
ID: 16408825
AppName: explorer.exe       AppVer: 6.0.2900.2180       ModName: occache.dll
ModVer: 6.0.2900.2180       Offset: 00009449
That's part of the Windows error message when Windows Explorer closes. When I tried to search for my files, it started searching then said Windows Explorer has encountered an error and needs to close. Thanks for all your details about how to fix my computer, but I really need to recover my files first (or figure out where they are).
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 16431640
If you are unable to browse or search for files I recommend reinstalling IE. Reinstalling IE will not delete any data files. This should allow you to perform a normal search. :-)
0
 
LVL 32

Expert Comment

by:r-k
ID: 16431776
If the files are important please refrain from installing anything more on that disk. Instead, either attach that disk to another computer as a slave disk, or boot from a CD that contains data recovery software. If you're not familiar with how to do either of these then try to find a local expert (friend, computer store etc.) who can assist you. It all depends on the importance of the lost files, of course.
0
