View Full Version : Psapi.dll - FOR GOD'S SAKE, HELP!!!


Pigman
May 18th, 2004, 07:52 PM
I am attempting to use the psapi.dll installer that Pieter Arntz found to install this file onto my computer, as it is necessary for Windows Updates and several other things. However, I am having BIG problems with the installer. I have been told to put psapi.dll into the System folder. The problem is that I cannot do this, for the simple reason that THE INSTALLER IS NOT INSTALLING ANYTHING ANYWHERE!!! I run the installer, click yes, and it takes all of 0.1 seconds (I'm not kidding, I measured it), giving me no chance at all to type in the directory to install it to. According to Spybot 1.3's TeaTimer, the installer does change the registry, deleting a file called "grpconv.exe -o" (no, the "-o" is not a typo), but THE PSAPI.DLL FILE DOES NOT APPEAR ANYWHERE!!! Not in System32 (I do have, and always have had, a c:\Windows\System32 folder), not in System, freakin' NOWHERE! No matter how I try to search for it using Find -> Files or Folders, I CANNOT FIND THE BLOODY THING!!! As far as I can tell, there is NOT ONE THING I CAN DO TO GET THE [expletive deleted] THING TO ACTUALLY [expletive deleted] INSTALL!!!

So, could someone please take a minute to give me some freaking HELP?!! ???

snowbound
May 18th, 2004, 08:10 PM
Googled it, and came up with this,

http://frontier.userland.com/stories/storyReader$1040

Try following the install instructions.

Hope it helps.


snowbound

Pigman
May 18th, 2004, 09:02 PM
It seems you do not understand. I use Win98, which also requires psapi.dll. Because it should go to the System folder in Win98, I was told to install it to the system folder. As I said before: I DO NOT HAVE THE OPTION OF CHANGING THE DIRECTORY; HOWEVER, THAT DOES NOT REALLY MATTER, AS THE PSAPI.DLL FILE DOES NOT APPEAR ANYWHERE WHEN INSTALLATION IS FINISHED. And do not tell me to log on as the administrator: I am not running a network, and my computer does not have the log-on password thing on, because I am the only user.

snowbound
May 18th, 2004, 09:11 PM
-{ Quote: "It seems you do not understand." }-

Oh but i do. ;) Until i saw your other thread here,

http://www.wilderssecurity.com/showthread.php?t=32372

basically asking the same question, i had no idea what O/S u were running. ;)


-{ Quote: "And do not tell me to log on as the administrator:" }-

Ok, i won't. ;)

Just thought it might help. :)


snowbound

LowWaterMark
May 18th, 2004, 09:36 PM
-{ Quote: "As I said before: I DO NOT HAVE THE OPTION OF CHANGING THE DIRECTORY; HOWEVER, THAT DOES NOT REALLY MATTER, AS THE PSAPI.DLL FILE DOES NOT APPEAR ANYWHERE WHEN INSTALLATION IS FINISHED." }-
Okay, here's a direct link to the PSAPI.DLL itself, extracted from the installer you are using...

Right-click on the link below and do a Save As... to your system, and you'll have a copy of the file that you can put wherever you need to. See if this works.

http://www.wilderssecurity.com/supportfiles/PSAPI.DLL

Primrose
May 18th, 2004, 09:58 PM
psapi.dll is not usually found in Win98...it is a WinNT file. Microsoft process status helper (PSAPI.DLL) is a small dynamic
link library that makes it easier to obtain information about
processes and device drivers running under Microsoft® Windows
NT®.

And it is certainly not needed for the OS..

Since you do have win98...Some Win98SE could have two copies installed by 3rd party software.
example:

C:\Util2\PrcView\PSAPI.DLL
C:\Program Files\eTrust EZ Antivirus\PSAPI.DLL

I 'assume' the dll was included to ensure their programs work
properly on NT systems, and they have no real use on Win98.

If you are running Win98 FE/SE then you should not have any
actual written program calling for psapi.dll. I would 'assume'
therefore, that since you have added new software lately,
your error message could be caused by one of them..especially some AV scanners.

But I think your psapi.dll error message might also be a poorly written piece of spyware on your system.

especially if your message was like this one..


When I start my computer I get a message box. It is
an "Error Starting Program" box. It says "A required .DLL
file, PSAPI.DLL, was not found". I click OK and it runs
ok. But I have started getting unwanted entries in my
favorites. What can I do?

I think you are wasting your time trying to find and install that .dll

Primrose
May 18th, 2004, 10:07 PM
You could have also downloaded a program that is really only for Win2000 or XP and you might have thought it would work on 98... a program like that would be Atitool. It requires Psapi.dll, but if one tries to install atitool on win98..you would get an error message also. So after reading many of your posts and problems..I think you are on the wrong track thinking you must find a copy of it and install it on that machine.

Pigman
May 18th, 2004, 11:11 PM
After one of those MS Update errors, programs like Spybot not only tell me that they need psapi.dll, they refuse to run. The computer says, "This program has performed an illegal action and will shut down."

I am really wondering if this is some sort of virus attack or something.

Pigman
May 18th, 2004, 11:25 PM
Well, I tried doing Win Update with psapi.dll, and the same error happened. (And yeah, those programs still asked for psapi.dll.) But this time, with the file in my System folder, Windows Explorer also crashed.

I think this might be a bit more than lack of a file. Aftereffects of infection by a virus, perhaps? Symptoms of an as-yet-undetected trojan?

Primrose
May 18th, 2004, 11:59 PM
I will tell you once again that Psapi.dll is not needed for Win98...trust me.

If you had win2000 or XP you might find that file here..

Dynamic libraries:
for win2000


0x76BB0000 - 0x76BBB000 C:\WINDOWS\System32\PSAPI.DLL

:)

Now start looking for this bad boy on your PC..


Win32.HLLM.Lovgate - 4 more instances are reported In the Wild



[May 13, 2003]
Virus Alert Service of DialogueScience, Inc. informs on appearance in the Internet of 3 new instances of the mass-mailing worm the Win32.HLLM.Lovgate family. At present the worm has been traced disseminating across Japan and South Korea. The Internet segment of Russia has not been hit by the worm yet, still, almost all international anti-virus market players raised an alarm.

We have already reported in our news dated February 25, 2003 the appearance and impetuous proliferation of the ancestor of the present malicious modifications of the Lovgate family worms.

In contrast to its previous variants new Win32.HLLM.Lovgate worms target computers operating under Windows NT/2000/XP only. If the worm is run under Windows 95/98/Me an error message stating the absence PSAPI.DLL file, obligatory for the worm’s launch, will be displayed to the user.

What makes Lovgate worms exceptionally dangerous is their ability to launch Trojan backdoors in the address space of extremely important Windows-subsystem LSASS.EXE. Running "under cover" of a usual windows-process these procedures may trick firewalls thus allowing to remotely access the target computer, which may result in the system compromising and releasing of sensitive for the infected user information.


Having injected its malicious copies into a PC (after a user clicks on a viral attachment) it also drops there several backdoor components (all of them are files with .dll extensions) and secures its automatic execution at every Windows start-up and when any executable or text file is opened in the invaded system. Eventually, to spread across the local shared drives the worm places its numerous malicious copies in the form of .exe and .pif files. One instance of Lovgate worm is especially dangerous as it infects all executable files on hard disks of the victimized computer.

Pigman
May 19th, 2004, 06:03 PM
I think you figured out my problem! Just one question, though: how do I go about looking for this sucker? F-Prot is the only free AV with heuristics that I can run on my comp, and as far as I know, there is no way to make an AV scan for a specified worm/virus. What exactly do I do?

Also, does this thing happen to come with the Enterprise trojan? (You know, the one with the files dl.exe and dlm.exe.) Because I recently got my comp infected with that. (Don't worry, I got rid of it.)

Primrose
May 19th, 2004, 07:28 PM
no..that stuff was spyware from coolshader


O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe



Most likely you have the new lovegate.W there is a tool for it here.

http://www.symantec.com/avcenter/venc/data/w32.lovgate.w@mm.html


I think it will work on ME.


In the other OS's..


When the infected attachment is executed, the worm copies itself to Windows system folder as

WinGate.exe
WinDriver.exe
Winrpc.exe
Winhelp.exe
Iexplore.exe
Kernel66.dll
NetServices.exe
Ravmond.exe

Lovegate worm creates new keys in the registry Run section to load automatically. It also modifies the registry to load whenever a text file is opened.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinHelp = "C:\WINNT\System32\WinHelp.exe"
WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"

HKEY_CURRENT_USER>Software>Microsoft>WindowsNT>
CurentVersion>Windows
run RAVMOND.EXE

HKEY_CLASS_ROOT\txtfile\shell\open\command
winrpc.exe %1
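
The autostart entries listed in the post above can be checked without an AV product by scanning a REGEDIT4 text export of the registry (for example one produced with `regedit /e`). The following is an added example, not part of the original thread and not code from any vendor: the sample export is constructed, the function names are hypothetical, and it assumes the standard key spellings `HKEY_CLASSES_ROOT` and `Windows NT\CurrentVersion` for the locations the post names. A hit is a lead to examine, since `Iexplore.exe` and `Winhelp.exe` are also names of legitimate Windows programs.

```python
import re

# File names the post lists for Lovgate, plus reg678.dll from its Run value.
LOVGATE_NAMES = ("wingate.exe", "windriver.exe", "winrpc.exe", "winhelp.exe",
                 "iexplore.exe", "kernel66.dll", "netservices.exe",
                 "ravmond.exe", "reg678.dll")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
"""

def unescape(s):
    # REGEDIT4 escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def is_autostart(key, name):
    # The three locations the post describes: Run keys, the per-user "run"
    # value, and the handler that opens .txt files.
    k, n = key.lower(), name.lower()
    return (k.endswith(r"\currentversion\run")
            or (k.endswith(r"\currentversion\windows") and n == "run")
            or (k.endswith(r"\txtfile\shell\open\command") and n == "@"))

def scan_reg_export(text):
    """Return (key, value name, data, matched file name) for each hit."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = unescape(m.group(2))
            if is_autostart(key, name):
                hits += [(key, name, data, f) for f in LOVGATE_NAMES
                         if re.search(r"(?<![\w.])" + re.escape(f) + r"(?![\w.])", data.lower())]
    return hits

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_EXPORT):
        print(hit)
```
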

Pigman
May 19th, 2004, 09:06 PM
The Symantec website says they have a removal tool, but they don't have any way to download it.

And again, how do I remove it if the Symantec removal tool works only for Win ME? I downloaded and ran Stinger, but it didn't find the worm, even when set to scan all files.

And also, those files you listed are not in c:\Windows.

Primrose
May 22nd, 2004, 10:28 PM
First of all, nothing you read in my post or at that symantec site stated it was only for WinME...and on that page was a link to the tool and it would bring you to this page..


http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.removal.tool.html


But I think you have solved your problem already ;)

Pigman
May 22nd, 2004, 11:32 PM
Instead of IE, I use Firefox, and I use the download page at microsoft.com instead of Windows Update.

Primrose
May 23rd, 2004, 12:30 AM
Now that sounds like two good ideas