Ruh Roh - Notepad added and updated

Vince

I've no idea how I managed this, but somehow between 7/16/06 when I
installed Security Update for Windows 98 (KB917344) and now, I've
updated and added notepad.exe, according to system file checker.

Previous run of sfc -
Microsoft System File Checker
Log file generated on 7/16/06 at 9:19

Started verify scan using verification data file:
"C:\WINDOWS\Default.sfc"

                             Previous    Previous  New         New       CRC
File             Change      Version     Date      Version     Date      Match
---------------- ----------- ----------- --------- ----------- --------- ------
[C:\WINDOWS\SYSTEM]
jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No

151 folders examined.
1680 files examined.
0 files added to verification data file.
0 files removed from verification data file.
1 files updated in verification data file.
0 files restored.
0 file changes ignored.

most recent run of sfc -
Microsoft System File Checker
Log file generated on 8/28/07 at 5:52

Started verify scan using verification data file:
"C:\WINDOWS\Default.sfc"

                             Previous    Previous  New         New       CRC
File             Change      Version     Date      Version     Date      Match
---------------- ----------- ----------- --------- ----------- --------- ------
[C:\WINDOWS]
notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
REGEDIT.COM      Added                             4.10.1998   4/23/99
R.COM            Added                             4.10.1998   4/23/99
[C:\WINDOWS\SYSTEM]
NOTEPAD.EXE      Added                             4.00.950    9/9/06
PSAPI.DLL        Added                             5.00.2134.1 12/7/99
[C:\Program Files\Common Files\Microsoft Shared\VGX]
VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No

151 folders examined.
1684 files examined.
4 files added to verification data file.
0 files removed from verification data file.
2 files updated in verification data file.
0 files restored.
0 file changes ignored.

I find this latest run of sfc disturbing, as I can't remember what I
might've done to cause the addition of
NOTEPAD.EXE
PSAPI.DLL
REGEDIT.COM
R.COM
and the update (appears to be regressive) of
notepad.exe from 4.10.1998 to 4.00.95

There are two copies of notepad that I can find -
C:\windows\system\NOTEPAD.EXE
md5sum = 40ff8ccbb79b0d60cf619885dad6f896
file size = 34304
date = Sep 9 2006
C:\windows\notepad.exe
md5sum = 7654c9f931b39b3e4f52411913f8a0e6
file size = 53248
date = Apr 23 1999

A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files -
Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
Results of virus scanning:
Files: 32188
MBRs: 0
Boot sectors: 0
Objects scanned: 64404
Time: 14:09
No viruses or suspicious files/boot sectors were found.

Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and
R.COM, what should I have for notepad.exe on a fully updated Windows
98SE (updated at end of life, but haven't been to Windows Update since
then)?
What folder(s) should the correct version of notepad be in?
What should the file size be for the correct version of notepad?
Date?
md5sum?

Thanks for any light you can shed on this "problem".
 
Ingeborg

Vince wrote:

> I've no idea how I managed this, but somehow between 7/16/06 when I
> installed Security Update for Windows 98 (KB917344) and now, I've
> updated and added notepad.exe, according to system file checker.
>
> Previous run of sfc -
> Microsoft System File Checker
> Log file generated on 7/16/06 at 9:19
>
> Started verify scan using verification data file:
> "C:\WINDOWS\Default.sfc"
>
>                              Previous    Previous  New         New       CRC
> File             Change      Version     Date      Version     Date      Match
> ---------------- ----------- ----------- --------- ----------- --------- ------
> [C:\WINDOWS\SYSTEM]
> jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No
>
> 151 folders examined.
> 1680 files examined.
> 0 files added to verification data file.
> 0 files removed from verification data file.
> 1 files updated in verification data file.
> 0 files restored.
> 0 file changes ignored.
>
> most recent run of sfc -
> Microsoft System File Checker
> Log file generated on 8/28/07 at 5:52
>
> Started verify scan using verification data file:
> "C:\WINDOWS\Default.sfc"
>
>                              Previous    Previous  New         New       CRC
> File             Change      Version     Date      Version     Date      Match
> ---------------- ----------- ----------- --------- ----------- --------- ------
> [C:\WINDOWS]
> notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
> REGEDIT.COM      Added                             4.10.1998   4/23/99
> R.COM            Added                             4.10.1998   4/23/99
> [C:\WINDOWS\SYSTEM]
> NOTEPAD.EXE      Added                             4.00.950    9/9/06
> PSAPI.DLL        Added                             5.00.2134.1 12/7/99
> [C:\Program Files\Common Files\Microsoft Shared\VGX]
> VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No
>
> 151 folders examined.
> 1684 files examined.
> 4 files added to verification data file.
> 0 files removed from verification data file.
> 2 files updated in verification data file.
> 0 files restored.
> 0 file changes ignored.
>
> I find this latest run of sfc disturbing, as I can't remember what I
> might've done to cause the addition of
> NOTEPAD.EXE
> PSAPI.DLL
> REGEDIT.COM
> R.COM
> and the update (appears to be regressive) of
> notepad.exe from 4.10.1998 to 4.00.95
>
> There are two copies of notepad that I can find -
> C:\windows\system\NOTEPAD.EXE
> md5sum = 40ff8ccbb79b0d60cf619885dad6f896
> file size = 34304
> date = Sep 9 2006
> C:\windows\notepad.exe
> md5sum = 7654c9f931b39b3e4f52411913f8a0e6
> file size = 53248
> date = Apr 23 1999
>
> A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files -
> Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
> Results of virus scanning:
> Files: 32188
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 64404
> Time: 14:09
> No viruses or suspicious files/boot sectors were found.
>
> Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and
> R.COM, what should I have for notepad.exe on a fully updated Windows
> 98SE (updated at end of life, but haven't been to Windows Update since
> then)?
> What folder(s) should the correct version of notepad be in?
> What should the file size be for the correct version of notepad?
> Date?
> md5sum?
>


Your 'new' notepad seems to be the original one from W95A. What did you
do on Sept 9 2006?

Have you ever had a virus? Some viruses hijack the .exe entry in the
registry. Renaming regedit.exe to regedit.com is a way to work around
this.
 
Vince

On 05 Sep 2007 14:59:10 GMT, Ingeborg <a@b.invalid> wrote:

>Your 'new' notepad seems to be the original one from W95A. What did you
>do on Sept 9 2006?


To the best of my recollection -
woke up - had two cups of coffee - went to work -
blah, blah, blah . . .
Have no idea what I did on the computer that day.

>Have you ever had a virus?


Not that I know of. Anti-virus scans have all been clean. Regular
runs of HiJackThis haven't shown anything unexpected/unknown.

>Some viruses hijack the .exe entry in the
>registry. Renaming regedit.exe to regedit.com is a way to work around
>this.


At this point I'm not too concerned about those other three files,
including regedit. I actually use notepad and if/when it's known to
be clean, I'll move on to the others (R.COM is a huge concern, that
I'm trying to ignore for the time being).
 
PCR

"Vince" <nobody@home.invalid> wrote in message
news:oeetd3l7m8mmjvd8rg2dh51je2uvfj49kl@4ax.com
| I've no idea how I managed this, but somehow between 7/16/06 when I
| installed Security Update for Windows 98 (KB917344) and now, I've
| updated and added notepad.exe, according to system file checker.
|
| Previous run of sfc -
| Microsoft System File Checker
| Log file generated on 7/16/06 at 9:19
|
| Started verify scan using verification data file:
| "C:\WINDOWS\Default.sfc"
|
|                              Previous    Previous  New         New       CRC
| File             Change      Version     Date      Version     Date      Match
| ---------------- ----------- ----------- --------- ----------- --------- ------
| [C:\WINDOWS\SYSTEM]
| jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No
|
| 151 folders examined.
| 1680 files examined.
| 0 files added to verification data file.
| 0 files removed from verification data file.
| 1 files updated in verification data file.
| 0 files restored.
| 0 file changes ignored.
|
| most recent run of sfc -
| Microsoft System File Checker
| Log file generated on 8/28/07 at 5:52
|
| Started verify scan using verification data file:
| "C:\WINDOWS\Default.sfc"
|
|                              Previous    Previous  New         New       CRC
| File             Change      Version     Date      Version     Date      Match
| ---------------- ----------- ----------- --------- ----------- --------- ------
| [C:\WINDOWS]
| notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
| REGEDIT.COM      Added                             4.10.1998   4/23/99
| R.COM            Added                             4.10.1998   4/23/99
| [C:\WINDOWS\SYSTEM]
| NOTEPAD.EXE      Added                             4.00.950    9/9/06
| PSAPI.DLL        Added                             5.00.2134.1 12/7/99
| [C:\Program Files\Common Files\Microsoft Shared\VGX]
| VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No
|
| 151 folders examined.
| 1684 files examined.
| 4 files added to verification data file.
| 0 files removed from verification data file.
| 2 files updated in verification data file.
| 0 files restored.
| 0 file changes ignored.
|
| I find this latest run of sfc disturbing, as I can't remember what I
| might've done to cause the addition of
| NOTEPAD.EXE
| PSAPI.DLL
| REGEDIT.COM
| R.COM
| and the update (appears to be regressive) of
| notepad.exe from 4.10.1998 to 4.00.95
|
| There are two copies of notepad that I can find -
| C:\windows\system\NOTEPAD.EXE
| md5sum = 40ff8ccbb79b0d60cf619885dad6f896
| file size = 34304
| date = Sep 9 2006
| C:\windows\notepad.exe
| md5sum = 7654c9f931b39b3e4f52411913f8a0e6
| file size = 53248
| date = Apr 23 1999

Mine matches that second one in all ways & is in the same folder...
NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
....Therefore, it contains no virus.

The other isn't in my machine. Did you upgrade from Win95, as Ingeborg
has said it is a Win95 version (which might explain its existence)?
Still, I don't know why it would suddenly show up. It looks like you
certainly have not just added its folder to SFC's consideration, as it
was mentioned back in the 7/16/06 run.

How do you start Notepad when you run it? Can you tell which one
actually starts? Do you ever notice the others to be running on their
own at...?...

"START button, Run, MSInfo32, Software Environment, Running Tasks"

| A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files -
| Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
| Results of virus scanning:
| Files: 32188
| MBRs: 0
| Boot sectors: 0
| Objects scanned: 64404
| Time: 14:09
| No viruses or suspicious files/boot sectors were found.

That's very encouraging! Nevertheless, perhaps send the files in
question one at a time to...
http://www.virustotal.com/xhtml/index_en.html

Each will be examined by 30 virus scanners! I personally have found
their results to be more clear by attaching the file(s) into an E-Mail
to them. I think you just get a dash (-) when doing it at the site,
where an E-Mail comes back with words, such as "found nothing" for each
virus scanner.

| Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and
| R.COM,

Ingeborg is right that some will rename Regedit.exe to Regedit.com to
undo a virus attack. Others will rename it preemptively. You say you
haven't done it, & I don't see evidence in your SFCLog.txt that some app
newly installed has done that for you. However, if the app was installed
entirely into a folder(s) that is not under SFC's consideration (at
"START, Run, SFC, Settings, Search Criteria tab") it wouldn't show up in
the log.

| what should I have for notepad.exe on a fully updated Windows
| 98SE (updated at end of life, but haven't been to Windows Update since
| then)?

The one in C:\Windows is in the right place & matches mine exactly.

| What folder(s) should the correct version of notepad be in?
| What should the file size be for the correct version of notepad?
| Date?
| md5sum?
|
| Thanks for any light you can shed on this "problem".

You are welcome.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
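
The two checks used in the posts above, reading the SFC log for added or down-versioned files and comparing md5sums against a second machine, as an added example in Python that is not part of any post in the thread. The function names and the one-entry-per-line log layout are assumptions of this example; the log rows and digests are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Rows of the 8/28/07 SFC log quoted in the thread, one entry per line.
# The one-line layout is constructed here; the values are the thread's own.
SAMPLE_LOG = r"""
[C:\WINDOWS]
notepad.exe Updated 4.10.1998 4/23/99 4.00.950 4/23/99 Yes
REGEDIT.COM Added 4.10.1998 4/23/99
R.COM Added 4.10.1998 4/23/99
[C:\WINDOWS\SYSTEM]
NOTEPAD.EXE Added 4.00.950 9/9/06
PSAPI.DLL Added 5.00.2134.1 12/7/99
[C:\Program Files\Common Files\Microsoft Shared\VGX]
VGX.DLL Updated 6.00.2800.1 3/10/04 6.00.2800.1 9/18/06 No
"""

# md5sums reported for the machine under review (from the first post).
OBSERVED_MD5 = {
    r"C:\windows\system\NOTEPAD.EXE": "40ff8ccbb79b0d60cf619885dad6f896",
    r"C:\windows\notepad.exe": "7654c9f931b39b3e4f52411913f8a0e6",
}
# md5sum a second Win98SE machine reported for its own notepad.exe.
REFERENCE_MD5 = {"notepad.exe": "7654c9f931b39b3e4f52411913f8a0e6"}

DATE_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{2,4}")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
CHANGES = {"Added", "Updated"}  # only the change types that appear in the thread


def version_key(version):
    """Turn '4.00.950' into (4, 0, 950) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_sfc_rows(text):
    """Parse '[folder]' headers and 'name change ...' rows into dicts."""
    entries, folder = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            folder = line[1:-1]
            continue
        tokens = line.split()
        if len(tokens) < 2 or tokens[1] not in CHANGES:
            continue  # blank line, header, or summary text
        versions = [t for t in tokens[2:] if VERSION_RE.fullmatch(t)]
        dates = [t for t in tokens[2:] if DATE_RE.fullmatch(t)]
        updated = tokens[1] == "Updated"
        entries.append({
            "folder": folder,
            "name": tokens[0],
            "change": tokens[1],
            # An Updated row carries previous and new values; Added only new.
            "prev_version": versions[0] if updated and len(versions) == 2 else None,
            "new_version": versions[-1] if versions else None,
            "new_date": dates[-1] if dates else None,
        })
    return entries


def triage(entries):
    """Flag new files, version downgrades, and one name in several folders."""
    findings, folders_by_name = [], defaultdict(set)
    for e in entries:
        path = e["folder"] + "\\" + e["name"]
        folders_by_name[e["name"].lower()].add(e["folder"])
        if e["change"] == "Added":
            findings.append(("added", path))
        if e["prev_version"] and (
            version_key(e["new_version"]) < version_key(e["prev_version"])
        ):
            findings.append(("version_regression", path))
    for name, folders in sorted(folders_by_name.items()):
        if len(folders) > 1:
            findings.append(("duplicate_name", name))
    return findings


def compare_to_reference(observed, reference):
    """Compare each observed digest with the reference digest for that file name."""
    result = {}
    for path, digest in observed.items():
        name = path.rsplit("\\", 1)[-1].lower()
        expected = reference.get(name)
        if expected is None:
            result[path] = "no-reference"
        else:
            result[path] = "match" if digest.lower() == expected.lower() else "differs"
    return result


if __name__ == "__main__":
    for kind, item in triage(parse_sfc_rows(SAMPLE_LOG)):
        print(f"{kind:20} {item}")
    for path, verdict in compare_to_reference(OBSERVED_MD5, REFERENCE_MD5).items():
        print(f"{verdict:20} {path}")
```

A "match" means the file is byte-for-byte the copy the reference machine has; "differs" or "no-reference" means the file needs another source of truth, as with the second NOTEPAD.EXE here.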
 
Vince

On Sat, 8 Sep 2007 19:41:59 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>Mine matches that second one in all ways & is in the same folder...
>NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
>...Therefore, it contains no virus.
>
>The other isn't in my machine. Did you upgrade from Win95, as Ingeborg
>has said it is a Win95 version (which might explain its existence)?


No, this was a clean install to a new hard drive using an OEM copy of
Windows 98 SE.

>How do you start Notepad when you run it? Can you tell which one
>actually starts? Do you ever notice the others to be running on their
>own at...?


The shortcut I use starts the C:\windows\notepad.exe (now known to be
a good copy). Have never noticed the C:\windows\system\NOTEPAD.EXE
(the questionable copy) running, either on its own or from me
starting it. Looked back through the HiJackThis logs that have been
saved and there's no instance of C:\windows\system\NOTEPAD.EXE in the
logs.

>Ingeborg is right that some will rename Regedit.exe to Regedit.com to
>undo a virus attack. Others will rename it preemptively. You say you
>haven't done it, & I don't see evidence in your SFCLog.txt that some app
>newly installed has done that for you.


c:\windows\regedit.exe, c:\windows\REGEDIT.COM and c:\windows\R.COM
all have the same md5sum, 8d7116df0a8b034c06b647616bbb6f50 and file
size. Took quick look at the code in those three files and they look
to be identical (didn't look too close since the md5sums matched, just
wanted a warm, fuzzy feeling they were identical).

Guess the question now is are those good, or have they all been
altered in some way.

>That's very encouraging! Nevertheless, perhaps send the files in
>question one at a time to...
>http://www.virustotal.com/xhtml/index_en.html


I'm inclined to just delete the questionable copy of notepad, but
learning to use virustotal sounds like something I should do. If I
can figure out how, will submit notepad and R.COM. Thanks for the
tip.

Now it's time for some Googling to see what I can find out about
PSAPI.DLL. Don't be surprised if I show up with more questions.

And thanks for the help.
 
PCR

"Vince" <nobody@home.invalid> wrote in message
news:cfd8e353gvp21k99do29e717337p9bg2gi@4ax.com
| On Sat, 8 Sep 2007 19:41:59 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
|>Mine matches that second one in all ways & is in the same folder...
|>NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
|>...Therefore, it contains no virus.
|>
|>The other isn't in my machine. Did you upgrade from Win95, as Ingeborg
|>has said it is a Win95 version (which might explain its existence)?
|
| No, this was a clean install to a new hard drive using an OEM copy of
| Windows 98 SE.

Hmm. That's mysterious! It doesn't come naturally with Win98!

|>How do you start Notepad when you run it? Can you tell which one
|>actually starts? Do you ever notice the others to be running on their
|>own at...?
|
| The shortcut I use starts the C:\windows\notepad.exe (now known to be
| a good copy). Have never noticed the C:\windows\system\NOTEPAD.EXE
| (the questionable copy) running, either on its own or from me
| starting it. Looked back through the HiJackThis logs that have been
| saved and there's no instance of C:\windows\system\NOTEPAD.EXE in the
| logs.

That isn't the behavior of a virus. A virus would want to be the one
that runs. Also, your SFC report just doesn't show enough ugliness (such
as the deletion of important files) for me to be overly concerned you
are infected.

|>Ingeborg is right that some will rename Regedit.exe to Regedit.com to
|>undo a virus attack. Others will rename it preemptively. You say you
|>haven't done it, & I don't see evidence in your SFCLog.txt that some
|>app newly installed has done that for you.
|
| c:\windows\regedit.exe, c:\windows\REGEDIT.COM and c:\windows\R.COM
| all have the same md5sum, 8d7116df0a8b034c06b647616bbb6f50 and file
| size. Took quick look at the code in those three files and they look
| to be identical (didn't look too close since the md5sums matched, just
| wanted a warm, fuzzy feeling they were identical).

They are identical, & they all match my own...
REGEDIT.EXE 8d7116df0a8b034c06b647616bbb6f50

| Guess the question now is are those good, or have they all been
| altered in some way.

They all match my own-- but I have only one!

|>That's very encouraging! Nevertheless, perhaps send the files in
|>question one at a time to...
|>http://www.virustotal.com/xhtml/index_en.html
|
| I'm inclined to just delete the questionable copy of notepad, but
| learning to use virustotal sounds like something I should do. If I
| can figure out how, will submit notepad and R.COM. Thanks for the
| tip.

Yea, try it. But I'm certain it is uninfected. It better be! Yea, delete
the extras. I guess... possibly... "START button, Run, RegEdit".... &
search your Registry for mention of R.COM & RegEdit.com too.

| Now it's time for some Googling to see what I can find out about
| PSAPI.DLL. Don't be surprised if I show up with more questions.

I have one of those that came with Compaq's Connection Helper. It is an
MS .dll, but is not in the Win98 .cabs. It only comes with some extra,
added application.

| And thanks for the help.

You are welcome.

(a) Does anyone else have access to your computer?
(b) Have you been to a WEB site & clicked something that
promised to inoculate you?
(c) Did you run an inoculator like maybe SpyBot?
(But I'm not sure renaming RegEdit.exe is one of its doings.)
(d) Did R.COM or RegEdit.com show up in the Registry?
 
Vince

On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:

Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL.
"found nothing" for all scanners on all three files.
I'm still uninfected!!

>(a) Does anyone else have access to your computer?


Not this one, although I suppose anything is possible, no matter how
unlikely.

>(b) Have you been to a WEB site & clicked something that
> promised to inoculate you?


No

>(c) Did you run an inoculator like maybe SpyBot?
> (But I'm not sure renaming RegEdit.exe is one of its doings.)


Inoculator?
I've run SpyBot Search&Destroy on demand, but no part of it is allowed
to start at boot and run in the background all the time (teatimer?).

>(d) Did R.COM or RegEdit.com show up in the Registry?


No.

Checked my file association for .txt files and it opens with
c:\windows\notepad.exe. I'm sure there are some other file types
associated with notepad, but I'm just going to delete the questionable
copy and deal with anything that pops up after it's gone.

Took a look at PSAPI.DLL and according to the properties, it's a
Microsoft file for Windows 2000. Wish I could figure out what I did
to get it installed on my system. May rename it and see what, if
anything, breaks.
 
MEB

"Vince" <nobody@home.invalid> wrote in message
news:al6ae35b9qhjihcp4f5u41u22tl852bq8o@4ax.com...
| On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
| Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL.
| "found nothing" for all scanners on all three files.
| I'm still uninfected!!
|
| >(a) Does anyone else have access to your computer?
|
| Not this one, although I suppose anything is possible, no matter how
| unlikely.
|
| >(b) Have you been to a WEB site & clicked something that
| > promised to inoculate you?
|
| No
|
| >(c) Did you run an inoculator like maybe SpyBot?
| > (But I'm not sure renaming RegEdit.exe is one of its doings.)
|
| Inoculator?
| I've run SpyBot Search&Destroy on demand, but no part of it is allowed
| to start at boot and run in the background all the time (teatimer?).
|
| >(d) Did R.COM or RegEdit.com show up in the Registry?
|
| No.
|
| Checked my file association for .txt files and it opens with
| c:\windows\notepad.exe. I'm sure there are some other file types
| associated with notepad, but I'm just going to delete the questionable
| copy and deal with anything that pops up after it's gone.
|
| Took a look at PSAPI.DLL and according to the properties, it's a
| Microsoft file for Windows 2000. Wish I could figure out what I did
| to get it installed on my system. May rename it and see what, if
| anything, breaks.

Do not mess with psapi.dll, it IS installed on a per application basis, and
should ONLY be in an individual application folder.
IF found in an application's folder, the programmers have used it during
their coding. Without the file the program will error or not run.

OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename
it, temporarily, to test for applications which might use it, then transfer
it to that folder/application directory. There MAY however, have been
modifications made to the file per some application specific use, or
perhaps, a different version used.

The test, however, may not actually work when expected. I have done this
type of activity before, only to find [after deletion] that some program I
forgot to run, needed that now deleted file [of course that was a long time
ago, one does get smarter [hopefully] over time] ....

You could *profile* the applications using Dependency Walker, though that
takes awhile to do [per number of installed programs].

You can also run File monitor or Reg monitor [Sysinternals/Microsoft] while
using your applications to see if it is actually used.

http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm

--
MEB
http://peoplescounsel.orgfree.com
________
 
PCR

"Vince" <nobody@home.invalid> wrote in message
news:al6ae35b9qhjihcp4f5u41u22tl852bq8o@4ax.com
| On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
| Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL.
| "found nothing" for all scanners on all three files.
| I'm still uninfected!!

That is good news!

|>(a) Does anyone else have access to your computer?
|
| Not this one, although I suppose anything is possible, no matter how
| unlikely.

Hmm. OK. Probably not that. No foul deed appears to have been done,
anyhow. If anyone else did it, probably it was a sloppy attempt to make
the computer safer.

Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed
each time you Defrag. Every program that has been run at least twice
will be listed in it. Do you see any of the apps in question listed
there or any strange app?

|>(b) Have you been to a WEB site & clicked something that
|> promised to inoculate you?
|
| No

OK.

|>(c) Did you run an inoculator like maybe SpyBot?
|> (But I'm not sure renaming RegEdit.exe is one of its doings.)
|
| Inoculator?
| I've run SpyBot Search&Destroy on demand, but no part of it is allowed
| to start at boot and run in the background all the time (teatimer?).

SpyBot has an inoculation feature-- to preemptively make the computer
less susceptible to a virus or trojan. Let me Google it...

http://www.google.com/search?hl=en&q=SpyBot+inoculation
It comes up with about 12,800 "SpyBot inoculation", but the first three
don't mention "RegEdit".

|>(d) Did R.COM or RegEdit.com show up in the Registry?
|
| No.

OK. It's generally a good idea to check for that before deleting a
program.

| Checked my file association for .txt files and it opens with
| c:\windows\notepad.exe. I'm sure there are some other file types
| associated with notepad, but I'm just going to delete the questionable
| copy and deal with anything that pops up after it's gone.

The Optlog.txt file includes the path of each program it lists. So, you
could distinguish between the two Notepad's.

| Took a look at PSAPI.DLL and according to the properties, it's a
| Microsoft file for Windows 2000. Wish I could figure out what I did
| to get it installed on my system. May rename it and see what, if
| anything, breaks.

OK. My own Psapi.dll is not mentioned in the Registry & is in the folder
C:\compaq\CPQInet. I see MEB has taken up the baton on that one. Yours
is in C:\WINDOWS\SYSTEM, making it hard to discover what application it
came with.
 
Vince

On Mon, 10 Sep 2007 15:00:24 -0400, "MEB" <meb@not here@hotmail.com>
wrote:

> Do not mess with psapi.dll, it IS installed on a per application basis, and
>should ONLY be in an individual application folder.
> IF found in an application's folder, the programmers have used it during
>their coding. Without the file the program will error or not run.
>
> OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename
>it, temporarily, to test for applications which might use it, then transfer
>it to that folder/application directory. There MAY however, have been
>modifications made to the file per some application specific use, or
>perhaps, a different version used.
>
> You could *profile* the applications using Dependency Walker, though that
>takes awhile to do [per number of installed programs].
>
> You can also run File monitor or Reg monitor [Sysinternals/Microsoft] while
>using your applications to see if it is actually used.
>
>http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
>http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm


Thanks for the advice. Since psapi.dll is installed in
c:\windows/system, I'd like to find out who/what put it there. Then I
can decide if I want to keep that app. It's waay too easy to get into
dll hell with Win98 and apps putting their version of some dll
someplace where it can conflict with other dll's.

Just need to figure out how that "extra" dll got installed on my
system. It's tough having CRS!
 
Vince

On Mon, 10 Sep 2007 21:14:26 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed
>each time you Defrag. Every program that has been run at least twice
>will be listed in it. Do you see any of the apps in question listed
>there or any strange app?


"Program Launch Optimization Log - Created Mon Oct 11 22:42:38 2004"
Looks like I haven't defragged in a while.

Only saw two entries that I didn't recognise
12 runonce 351 2004.10.11 C:\WINDOWS\SYSTEM\RUNONCE.EXE
18 sucatreg 33 2004.08.03 C:\WINDOWS\SYSTEM\SUCATREG.EXE

The only entry for notepad is
6 notepad 985 2004.10.11 C:\WINDOWS\NOTEPAD.EXE
but that's not surprising, given the creation date - much before
Microsoft System File Checker
Log file generated on 8/28/07 at 5:52

Guess I need to map out time for a defrag.

Then I'm going to throw caution to the wind. Boot to dos, rename
psapi.dll and move it to another partition. Something is going to
happen! <Beg>
 
MEB

"Vince" <nobody@home.invalid> wrote in message
news:ag2de3tgami22eats4sievoqc10oi1og4c@4ax.com...
| On Mon, 10 Sep 2007 15:00:24 -0400, "MEB" <meb@not here@hotmail.com>
| wrote:
|
| > Do not mess with psapi.dll, it IS installed on a per application basis, and
| >should ONLY be in an individual application folder.
| > IF found in an application's folder, the programmers have used it during
| >their coding. Without the file the program will error or not run.
| >
| > OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename
| >it, temporarily, to test for applications which might use it, then transfer
| >it to that folder/application directory. There MAY however, have been
| >modifications made to the file per some application specific use, or
| >perhaps, a different version used.
| >
| > You could *profile* the applications using Dependency Walker, though that
| >takes awhile to do [per number of installed programs].
| >
| > You can also run File monitor or Reg monitor [Sysinternals/Microsoft] while
| >using your applications to see if it is actually used.
| >
| >http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
| >http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm
|
| Thanks for the advice. Since psapi.dll is installed in
| c:\windows/system, I'd like to find out who/what put it there. Then I
| can decide if I want to keep that app. It's waay too easy to get into
| dll hell with Win98 and apps putting their version of some dll
| someplace where it can conflict with other dll's.
|
| Just need to figure out how that "extra" dll got installed on my
| system. It's tough having CRS!
|

That's the problem, you hit that nail dead on the head.
Could have been some programmer who failed to understand this file is
apparently NOT one which remains static, or which pulls prior support [full
compatibility] forward. There are several others [including some used for
IE, and crammed into the %windir% and system folder] which carry unsupported
aspects, and do cause system/OS errors.

That is also why a number of older Win9X applications do NOT work in the
9X/IE 6 environment [IE 6 was never properly ported to 9X/ME and would
actually fail pursuant to Microsoft's own certification/WHQL standards for
second/third party programs]. But this has already been discussed in this
group over the last few years.

I suppose I should advise, I presently have three (3) distinct versions in
various application directories on my system.
Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and
Version 5.00.2134.1 at 28.27k.[AVG].
--
MEB
http://peoplescounsel.orgfree.com
________
 
PCR

"Vince" <nobody@home.invalid> wrote in message
news:ae4de3tdc823obsjjffrngkgi6l7h6l2ns@4ax.com
| On Mon, 10 Sep 2007 21:14:26 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
|>Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed
|>each time you Defrag. Every program that has been run at least twice
|>will be listed in it. Do you see any of the apps in question listed
|>there or any strange app?
|
| "Program Launch Optimization Log - Created Mon Oct 11 22:42:38 2004"
| Looks like I haven't defragged in a while.
|
| Only saw two entries that I didn't recognise
| 12 runonce 351 2004.10.11 C:\WINDOWS\SYSTEM\RUNONCE.EXE
| 18 sucatreg 33 2004.08.03 C:\WINDOWS\SYSTEM\SUCATREG.EXE

Wow! Neither of those show up in my Optlog.txt at all-- meaning they
have not run more than once since the creation of my current Optlog.txt.
But, it is possible I did delete a much older Optlog.txt that may have
mentioned them-- still, I can't imagine they ever ran as often as your
incredible 351 & 33! If so, they should have shown up again! Well...
maybe... I guess, they might run a lot during the initial install of
Windows & hardly ever again... but 351? Maybe do a Defrag at intervals &
see whether their run counts increase above what is showing now. And I
guess there could be other legit reasons for you to have so many. Maybe
some inoculator has put something into the Registry to do that
Runonce.exe at each boot. Check the two Runonce keys, maybe...

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

I still do believe you are uninfected with anything.

I DO have both of those files in that folder, which are dated 4/23/99.
Going by that date, they are as old as Win98SE. Odd, only the first is
actually in one of my .cab's, though...

Cabinet WIN98_46.CAB
04-23-1999 10:22:00p A--- 36,864 runonce.exe

But I'm not overly worried SUCATREG.EXE is suspicious, despite the
pornographic overtones in its name. Let me look it up...

http://support.microsoft.com/kb/232893/en-us
PRB: Setup Cannot Find Catalog Files That Are Manually Copied to the
System

The Microsoft Knowledge Base (MSKB) mentions it just once for Win98. It
seems to be legit & has to do with C:\Windows\Inf\Catalog. I have only
one file in that folder-- Q299618.cat. Do you have 33? It is possible
that SUCATREG.EXE actually is inside one of the Win98SE .cab's, but
under a different name. Some files are like that & need to be renamed
after extraction.

| The only entry for notepad is
| 6 notepad 985 2004.10.11 C:\WINDOWS\NOTEPAD.EXE
| but that's not surprising, given the creation date - much before
| Microsoft System File Checker
| Log file generated on 8/28/07 at 5:52
|
| Guess I need to map out time for a defrag.

Yes. If you run it frequently, it will run quicker. It seems to know how
much work to do. JUST... run ScanReg first the first time (at least), &
DON'T let either constantly restart. If they try, stop them & post back
for instructions!

| Then I'm going to throw caution to the wind. Boot to dos, rename
| psapi.dll and move it to another partition. Something is going to
| happen! <Beg>

Well, MEB posted about that & Phillipson often says the same. Ensure
yours like mine is not mentioned in the Registry first. Otherwise,
there's some possibility of trouble during a reboot.
 
V

Vince

On Tue, 11 Sep 2007 15:50:44 -0400, "MEB" <meb@not here@hotmail.com>
wrote:

> I suppose I should advise, I presently have three (3) distinct versions in
>various application directories on my system.
>Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and

**Version 5.00.2134.1 at 28.27k.[AVG].**

Ding - Ding - Ding
There's a clue!

My copy of psapi.dll is that same version, 5.00.2134.1. And I found
the program that added psapi.dll and notepad in c:\windows\system -
MicroWorld AntiVirus & Spyware Toolkit Utility. Only used that a
couple of times and promptly forgot about it. Don't expect to use it
going forward, so I've deleted c:\windows\system\notepad.exe and
c:\windows\system\psapi.dll. Problem explained.

Thanks for the help.
 
V

Vince

On Tue, 11 Sep 2007 15:52:43 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>"Vince" <nobody@home.invalid> wrote in message
>
>| Then I'm going to throw caution to the wind. Boot to dos, rename
>| psapi.dll and move it to another partition. Something is going to
>| happen! <Beg>
>
>Well, MEB posted about that & Phillipson often says the same. Ensure
>yours like mine is not mentioned in the Registry first. Otherwise,
>there's some possibility of trouble during a reboot.


Finally figured out what happened. I used the MicroWorld AntiVirus &
Spyware Toolkit Utility a couple of times and didn't run SFC before or
after. Then when I did finally run SFC, the extra copy of notepad and
psapi.dll were added to the sfclog. Mystery solved!

Thanks for the help.
 
M

MEB

"Vince" <nobody@home.invalid> wrote in message
news:c25ee3t83e5v170vb5nsiubuhm6rm4g4v9@4ax.com...
| On Tue, 11 Sep 2007 15:50:44 -0400, "MEB" <meb@not here@hotmail.com>
| wrote:
|
| > I suppose I should advise, I presently have three (3) distinct versions in
| >various application directories on my system.
| >Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and
| **Version 5.00.2134.1 at 28.27k.[AVG].**
|
| Ding - Ding - Ding
| There's a clue!
|
| My copy of psapi.dll is that same version, 5.00.2134.1. And I found
| the program that added psapi.dll and notepad in c:\windows\system -
| MicroWorld AntiVirus & Spyware Toolkit Utility. Only used that a
| couple of times and promptly forgot about it. Don't expect to use it
| going forward, so I've deleted c:\windows\system\notepad.exe and
| c:\windows\system\psapi.dll. Problem explained.
|
| Thanks for the help.
|

As always, we aim to please <grin> thanks for posting the final answer to
the issue. Perhaps it may help others.

It does leave one to question WHY those programmers thought they could
change things around in YOUR system and put files wherever they wished,
bbbbuuuuuut such happens ...

If you're still playing around installing things [testing stuff for
instance], might want to get an installation monitor like TUN [Total
Uninstall] or In Control.
Doing such always makes me wish the old MicroHelp Uninstaller would still work
in 9X / IE 6....

--
MEB
http://peoplescounsel.orgfree.com
________
 
P

PCR

Vince wrote:
| On Tue, 11 Sep 2007 15:52:43 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
|>"Vince" <nobody@home.invalid> wrote in message
|>
|>| Then I'm going to throw caution to the wind. Boot to dos, rename
|>| psapi.dll and move it to another partition. Something is going to
|>| happen! <Beg>
|>
|>Well, MEB posted about that & Phillipson often says the same. Ensure
|>yours like mine is not mentioned in the Registry first. Otherwise,
|>there's some possibility of trouble during a reboot.
|
| Finally figured out what happened. I used the MicroWorld AntiVirus &
| Spyware Toolkit Utility a couple of times and didn't run SFC before or
| after. Then when I did finally run SFC, the extra copy of notepad and
| psapi.dll were added to the sfclog. Mystery solved!

Very good! It was trying to inoculate you-- but seems to have been very
sloppy about it! I can understand (but haven't myself done) renaming
RegEdit.exe to RegEdit.com. But why did you STILL have a RegEdit.exe?
And why an R.com? Also, why give you a Win95 Notepad.exe (if that's what
it was)? Very sloppy, I think!

MicroWorld must not have put any of itself into a system folder, or SFC
would have spotted it with the other changes done. Long ago, I added
"C:\Program Files" to SFC's search criteria to help with things like
that.

| Thanks for the help.

You are welcome. It was a puzzler!
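
The review that surfaced the problem in this thread, as an added example that is not from any poster: a Python sketch that parses SFC log rows and flags version downgrades and one file name reported in more than one folder. The sample log is constructed from the 8/28/07 entries quoted in the thread, unwrapped to one row per line; that one-row layout and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: rows from the 8/28/07 log in this thread, one per line.
SAMPLE_LOG = r"""
[C:\WINDOWS]
notepad.exe Updated 4.10.1998 4/23/99 4.00.950 4/23/99 Yes
REGEDIT.COM Added 4.10.1998 4/23/99
R.COM Added 4.10.1998 4/23/99
[C:\WINDOWS\SYSTEM]
NOTEPAD.EXE Added 4.00.950 9/9/06
PSAPI.DLL Added 5.00.2134.1 12/7/99
[C:\Program Files\Common Files\Microsoft Shared\VGX]
VGX.DLL Updated 6.00.2800.1 3/10/04 6.00.2800.1 9/18/06 No
"""

# Updated rows: old version, old date, new version, new date. Added rows: version, date.
ROW = re.compile(r"^(\S+)\s+(?:Updated\s+(\S+)\s+\S+\s+(\S+)\s+\S+|Added\s+(\S+)\s+\S+)")

def version_key(v):
    """Turn '4.00.950' into (4, 0, 950) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_sfc_log(text):
    """Return one dict per Added/Updated row: folder, name, old and new version."""
    folder, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            folder = line[1:-1]          # folder header such as [C:\WINDOWS]
            continue
        m = ROW.match(line)
        if m and folder is not None:
            name, old, new_upd, new_add = m.groups()
            rows.append({"folder": folder, "name": name,
                         "old": old, "new": new_upd or new_add})
    return rows

def review(rows):
    """Flag version downgrades and one file name reported in several folders."""
    findings, seen = [], defaultdict(list)
    for r in rows:
        seen[r["name"].lower()].append(r["folder"])   # Win9x names are case-insensitive
        if r["old"] and version_key(r["new"]) < version_key(r["old"]):
            findings.append(("downgrade", r["folder"] + "\\" + r["name"], r["old"], r["new"]))
    for name, folders in seen.items():
        if len(folders) > 1:
            findings.append(("duplicate", name, *folders))
    return findings
```
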
 
