Psapi.dll - FOR GOD'S SAKE, HELP!!!

Discussion in 'other security issues & news' started by Pigman, May 18, 2004.

Thread Status:
Not open for further replies.
  1. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    I am attempting to use the psapi.dll installer that Pieter Arntz found to install this file onto my computer, as it is necessary for Windows Updates and several other things. However, I am having BIG problems with the installer. I have been told to put psapi.dll into the System folder. The problem is that I cannot do this, for the simple reason that THE INSTALLER IS NOT INSTALLING ANYTHING ANYWHERE!!! I run the installer, click yes, and it takes all of 0.1 seconds (I'm not kidding, I measured it), giving me no chance at all to type in the directory to install it to. According to Spybot 1.3's TeaTimer, the installer does change the registry, deleting a file called "grpconv.exe -o" (no, the "-o" is not a typo), but THE PSAPI.DLL FILE DOES NOT APPEAR ANYWHERE!!! Not in System32 (I do have, and always have had, a c:\Windows\System32 folder), not in System, freakin' NOWHERE! No matter how I try to search for it using Find -> Files or Folders, I CANNOT FIND THE BLOODY THING!!! As far as I can tell, there is NOT ONE THING I CAN DO TO GET THE [expletive deleted] THING TO ACTUALLY [expletive deleted] INSTALL!!!

    So, could someone please take a minute to give me some freaking HELP?!! o_O
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    It seems you do not understand. I use Win98, which also requires psapi.dll. Because it should go to the System folder in Win98, I was told to install it to the system folder. As I said before: I DO NOT HAVE THE OPTION OF CHANGING THE DIRECTORY; HOWEVER, THAT DOES NOT REALLY MATTER, AS THE PSAPI.DLL FILE DOES NOT APPEAR ANYWHERE WHEN INSTALLATION IS FINISHED. And do not tell me to log on as the administrator: I am not running a network, and my computer does not have the log-on password thing on, because I am the only user.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Okay, here's a direct link to the PSAPI.DLL itself, extracted from the installer you are using...

    Right-click on the link below and do a Save As... to your system, and you'll have a copy of the file that you can put wherever you need to. See if this works.

    https://www.wilderssecurity.com/supportfiles/PSAPI.DLL
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    psapi.dll is not usually found in Win98...it is a WinNT file. Microsoft process status helper (PSAPI.DLL) is a small dynamic
    link library that makes it easier to obtain information about
    processes and device drivers running under Microsoft® Windows
    NT®.

    And it is certainly not needed for the OS..

    Since you do have win98...Some Win98SE could have two copies installed by 3rd party software.
    example:

    C:\Util2\PrcView\PSAPI.DLL
    C:\Program Files\eTrust EZ Antivirus\PSAPI.DLL

    I 'assume' the dll was included to ensure their programs work
    properly on NT systems, and they have no real use on Win98.

    If you are running Win98 FE/SE then you should not have any
    actual written program calling for psapi.dll. I would 'assume'
    therefore, that since you have added new software lately,
    your error message could be caused by one of them..especially some AV scanners.

    But I think your psapi.dll error message might also be a poorly written piece of spyware on your system.

    especially if your message was like this one..


    When I start my computer I get a message box. It is
    an "Error Starting Program" box. It says "A required .DLL
    file, PSAPI.DLL, was not found". I click OK and it runs
    ok. But I have started getting unwanted entries in my
    favorites. What can I do?


    I think you are wasting your time trying to find and install that .dll
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You could have also downloaded a program that is really only for Win2000 or XP and you might have thought it would work on 98... a program like that would be Atitool. It requires Psapi.dll, but if one tries to install atitool on win98..you would get an error message also. So after reading many of your posts and problems..I think you are on the wrong track thinking you must find a copy of it and install it on that machine.
     
  8. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    After one of those MS Update errors, programs like Spybot not only tell me that they need psapi.dll, they refuse to run. The computer says, "This program has performed an illegal action and will shut down."

    I am really wondering if this is some sort of virus attack or something.
     
  9. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    I am perplexed.

    Well, I tried doing Win Update with psapi.dll, and the same error happened. (And yeah, those programs still asked for psapi.dll.) But this time, with the file in my System folder, Windows Explorer also crashed.

    I think this might be a bit more than lack of a file. Aftereffects of infection by a virus, perhaps? Symptoms of an as-yet-undetected trojan?
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I will tell you once again that Psapi.dll is not needed for Win98...trust me.

    If you had win2000 or XP you might find that file here..

    Dynamic libraries:
    for win2000


    0x76BB0000 - 0x76BBB000 C:\WINDOWS\System32\PSAPI.DLL

    :)

    Now start looking for this bad boy on your PC..


    Win32.HLLM.Lovgate - 4 more instances are reported In the Wild



    [May 13, 2003]
    Virus Alert Service of DialogueScience, Inc. informs on appearance in the Internet of 3 new instances of the mass-mailing worm the Win32.HLLM.Lovgate family. At present the worm has been traced disseminating across Japan and South Korea. The Internet segment of Russia has not been hit by the worm yet, still, almost all international anti-virus market players raised an alarm.

    We have already reported in our news dated February 25, 2003 the appearance and impetuous proliferation of the ancestor of the present malicious modifications of the Lovgate family worms.

    In contrast to its previous variants new Win32.HLLM.Lovgate worms target computers operating under Windows NT/2000/XP only. If the worm is run under Windows 95/98/Me an error message stating the absence of the PSAPI.DLL file, obligatory for the worm’s launch, will be displayed to the user.

    What makes Lovgate worms exceptionally dangerous is their ability to launch Trojan backdoors in the address space of extremely important Windows-subsystem LSASS.EXE. Running "under cover" of a usual windows-process these procedures may trick firewalls thus allowing to remotely access the target computer, which may result in the system compromising and releasing of sensitive for the infected user information.


    Having injected its malicious copies into a PC (after a user clicks on a viral attachment) it also drops there several backdoor components (all of them are files with .dll extensions) and secures its automatic execution at every Windows start-up and when any executable or text file is opened in the invaded system. Eventually, to spread across the local shared drives the worm places its numerous malicious copies in the form of .exe and .pif files. One instance of Lovgate worm is especially dangerous as it infects all executable files on hard disks of the victimized computer.
     
  11. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Thanks!

    I think you figured out my problem! Just one question, though: how do I go about looking for this sucker? F-Prot is the only free AV with heuristics that I can run on my comp, and as far as I know, there is no way to make an AV scan for a specified worm/virus. What exactly do I do?

    Also, does this thing happen to come with the Enterprise trojan? (You know, the one with the files dl.exe and dlm.exe.) Because I recently got my comp infected with that. (Don't worry, I got rid of it.)
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    no..that stuff was spyware from coolshader


    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe



    Most likely you have the new lovegate.W. There is a tool for it here.

    http://www.symantec.com/avcenter/venc/data/w32.lovgate.w@mm.html


    I think it will work on ME.


    In the other OS's..


    When the infected attachment is executed, the worm copies itself to Windows system folder as

    WinGate.exe
    WinDriver.exe
    Winrpc.exe
    Winhelp.exe
    Iexplore.exe
    Kernel66.dll
    NetServices.exe
    Ravmond.exe

    Lovegate worm creates new keys in the registry Run section to load automatically. It also modifies the registry to load whenever a text file is opened.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    WinHelp = "C:\WINNT\System32\WinHelp.exe"
    WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
    Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
    Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"

    HKEY_CURRENT_USER>Software>Microsoft>WindowsNT>
    CurentVersion>Windows
    run RAVMOND.EXE

    HKEY_CLASS_ROOT\txtfile\shell\open\command
    winrpc.exe %1
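
Added example (not part of the original thread or any poster's words): a Python check that reads startup entries in the `O4 - HKLM\..\Run:` line format quoted in the post above and flags the file names and Run value names that post lists. The sample log is constructed, and treating only folders named System or System32 as the system folder is an assumption.

```python
import ntpath
import re

# Indicators copied from the post above, not from a vendor feed.
LOVGATE_FILES = {"wingate.exe", "windriver.exe", "winrpc.exe", "winhelp.exe",
                 "iexplore.exe", "kernel66.dll", "netservices.exe", "ravmond.exe"}
LOVGATE_RUN_NAMES = {"winhelp", "wingate initialize",
                     "remote procedure call locator", "program in windows"}
DIALER_FILES = {"dl.exe", "dlm.exe"}   # the Dial32/Dial33 entries
SYSTEM_DIRS = {"system", "system32"}   # assumption: names of the system folder

O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|pif|scr))(?=\s|$)', re.I)

# Constructed sample log: three entries shaped like the post's, plus benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINNT\System32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKCU\..\Run: [Browser] "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
"""


def classify(line):
    """Return (value_name, reasons) for one O4 line, or None for other lines."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    name, command = m.groups()
    reasons = ["lovgate-run-name"] if name.lower() in LOVGATE_RUN_NAMES else []
    p = EXE_PATH.match(command)
    if p:
        folder, base = ntpath.split(p.group(1) or p.group(2))
        in_system = ntpath.basename(folder).lower() in SYSTEM_DIRS
        # IEXPLORE.EXE and WinHelp.exe are legitimate names elsewhere, so a
        # name match only counts when the file sits in the system folder.
        if base.lower() in LOVGATE_FILES and in_system:
            reasons.append("lovgate-file-in-system-folder")
        if base.lower() in DIALER_FILES:
            reasons.append("dialer-file")
    return name, reasons


def scan(log_text):
    """Map each flagged Run value name to the reasons it was flagged."""
    results = filter(None, map(classify, log_text.splitlines()))
    return {name: reasons for name, reasons in results if reasons}
```

Calling `scan(SAMPLE_LOG)` flags the Dial32, WinGate initialize and Remote Procedure Call Locator entries and leaves the SystemTray and Program Files `iexplore.exe` entries alone.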
     
  13. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    The Symantec website says they have a removal tool, but they don't have any way to download it.

    And again, how do I remove it if the Symantec removal tool works only for Win ME? I downloaded and ran Stinger, but it didn't find the worm, even when set to scan all files.

    And also, those files you listed are not in c:\Windows.
     
  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  15. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Yes, I have!

    Instead of IE, I use Firefox, and I use the download page at microsoft.com instead of Windows Update.
     
  16. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Now that sounds like two good ideas
     