Guest Vince
Posted September 5, 2007

I've no idea how I managed this, but somehow between 7/16/06 when I installed Security Update for Windows 98 (KB917344) and now, I've updated and added notepad.exe, according to system file checker.

Previous run of sfc -

Microsoft System File Checker
Log file generated on 7/16/06 at 9:19

Started verify scan using verification data file:
"C:\WINDOWS\Default.sfc"

                             Previous    Previous  New         New       CRC
File             Change      Version     Date      Version     Date      Match
---------------- ----------- ----------- --------- ----------- --------- ------
[C:\WINDOWS\SYSTEM]
jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No

151 folders examined.
1680 files examined.
0 files added to verification data file.
0 files removed from verification data file.
1 files updated in verification data file.
0 files restored.
0 file changes ignored.

most recent run of sfc -

Microsoft System File Checker
Log file generated on 8/28/07 at 5:52

Started verify scan using verification data file:
"C:\WINDOWS\Default.sfc"

                             Previous    Previous  New         New       CRC
File             Change      Version     Date      Version     Date      Match
---------------- ----------- ----------- --------- ----------- --------- ------
[C:\WINDOWS]
notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
REGEDIT.COM      Added                             4.10.1998   4/23/99
R.COM            Added                             4.10.1998   4/23/99
[C:\WINDOWS\SYSTEM]
NOTEPAD.EXE      Added                             4.00.950    9/9/06
PSAPI.DLL        Added                             5.00.2134.1 12/7/99
[C:\Program Files\Common Files\Microsoft Shared\VGX]
VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No

151 folders examined.
1684 files examined.
4 files added to verification data file.
0 files removed from verification data file.
2 files updated in verification data file.
0 files restored.
0 file changes ignored.

I find this latest run of sfc disturbing, as I can't remember what I might've done to cause the addition of
NOTEPAD.EXE
PSAPI.DLL
REGEDIT.COM
R.COM
and the update (appears to be regressive) of
notepad.exe from 4.10.1998 to 4.00.95

There are two copies of notepad that I can find -
C:\windows\system\NOTEPAD.EXE
md5sum = 40ff8ccbb79b0d60cf619885dad6f896
file size = 34304
date = Sep 9 2006
C:\windows\notepad.exe
md5sum = 7654c9f931b39b3e4f52411913f8a0e6
file size = 53248
date = Apr 23 1999

A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files - Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
Results of virus scanning:
Files: 32188
MBRs: 0
Boot sectors: 0
Objects scanned: 64404
Time: 14:09
No viruses or suspicious files/boot sectors were found.

Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and R.COM, what should I have for notepad.exe on a fully updated Windows 98SE (updated at end of life, but haven't been to Windows Update since then)?
What folder(s) should the correct version of notepad be in?
What should the file size be for the correct version of notepad?
Date?
md5sum?

Thanks for any light you can shed on this "problem".
Guest Ingeborg
Posted September 5, 2007
Re: Ruh Roh - Notepad added and updated

Vince wrote:

> I've no idea how I managed this, but somehow between 7/16/06 when I
> installed Security Update for Windows 98 (KB917344) and now, I've
> updated and added notepad.exe, according to system file checker.
>
> Previous run of sfc -
> Microsoft System File Checker
> Log file generated on 7/16/06 at 9:19
>
> Started verify scan using verification data file:
> "C:\WINDOWS\Default.sfc"
>
>                              Previous    Previous  New         New       CRC
> File             Change      Version     Date      Version     Date      Match
> ---------------- ----------- ----------- --------- ----------- --------- ------
> [C:\WINDOWS\SYSTEM]
> jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No
>
> 151 folders examined.
> 1680 files examined.
> 0 files added to verification data file.
> 0 files removed from verification data file.
> 1 files updated in verification data file.
> 0 files restored.
> 0 file changes ignored.
>
> most recent run of sfc -
> Microsoft System File Checker
> Log file generated on 8/28/07 at 5:52
>
> Started verify scan using verification data file:
> "C:\WINDOWS\Default.sfc"
>
>                              Previous    Previous  New         New       CRC
> File             Change      Version     Date      Version     Date      Match
> ---------------- ----------- ----------- --------- ----------- --------- ------
> [C:\WINDOWS]
> notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
> REGEDIT.COM      Added                             4.10.1998   4/23/99
> R.COM            Added                             4.10.1998   4/23/99
> [C:\WINDOWS\SYSTEM]
> NOTEPAD.EXE      Added                             4.00.950    9/9/06
> PSAPI.DLL        Added                             5.00.2134.1 12/7/99
> [C:\Program Files\Common Files\Microsoft Shared\VGX]
> VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No
>
> 151 folders examined.
> 1684 files examined.
> 4 files added to verification data file.
> 0 files removed from verification data file.
> 2 files updated in verification data file.
> 0 files restored.
> 0 file changes ignored.
>
> I find this latest run of sfc disturbing, as I can't remember what I
> might've done to cause the addition of
> NOTEPAD.EXE
> PSAPI.DLL
> REGEDIT.COM
> R.COM
> and the update (appears to be regressive) of
> notepad.exe from 4.10.1998 to 4.00.95
>
> There are two copies of notepad that I can find -
> C:\windows\system\NOTEPAD.EXE
> md5sum = 40ff8ccbb79b0d60cf619885dad6f896
> file size = 34304
> date = Sep 9 2006
> C:\windows\notepad.exe
> md5sum = 7654c9f931b39b3e4f52411913f8a0e6
> file size = 53248
> date = Apr 23 1999
>
> A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files -
> Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
> Results of virus scanning:
> Files: 32188
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 64404
> Time: 14:09
> No viruses or suspicious files/boot sectors were found.
>
> Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and
> R.COM, what should I have for notepad.exe on a fully updated Windows
> 98SE (updated at end of life, but haven't been to Windows Update since
> then)?
> What folder(s) should the correct version of notepad be in?
> What should the file size be for the correct version of notepad?
> Date?
> md5sum?
>

Your 'new' notepad seems to be the original one from W95A. What did you do on Sept 9 2006?

Have you ever had a virus? Some viruses hijack the .exe entry in the registry. Renaming regedit.exe to regedit.com is a way to work around this.
Guest Vince
Posted September 5, 2007
Re: Ruh Roh - Notepad added and updated

On 05 Sep 2007 14:59:10 GMT, Ingeborg <a@b.invalid> wrote:

>Your 'new' notepad seems to be the original one from W95A. What did you
>do on Sept 9 2006?

To the best of my recollection - woke up - had two cups of coffee - went to work - blah, blah, blah . . .
Have no idea what I did on the computer that day.

>Have you ever had a virus?

Not that I know of. Anti-virus scans have all been clean. Regular runs of HiJackThis haven't shown anything unexpected/unknown.

>Some viruses hijack the .exe entry in the
>registry. Renaming regedit.exe to regedit.com is a way to work around
>this.

At this point I'm not too concerned about those other three files, including regedit. I actually use notepad and if/when it's known to be clean, I'll move on to the others (R.COM is a huge concern, that I'm trying to ignore for the time being).
Guest PCR
Posted September 8, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message
news:oeetd3l7m8mmjvd8rg2dh51je2uvfj49kl@4ax.com
| I've no idea how I managed this, but somehow between 7/16/06 when I
| installed Security Update for Windows 98 (KB917344) and now, I've
| updated and added notepad.exe, according to system file checker.
|
| Previous run of sfc -
| Microsoft System File Checker
| Log file generated on 7/16/06 at 9:19
|
| Started verify scan using verification data file:
| "C:\WINDOWS\Default.sfc"
|
|                              Previous    Previous  New         New       CRC
| File             Change      Version     Date      Version     Date      Match
| ---------------- ----------- ----------- --------- ----------- --------- ------
| [C:\WINDOWS\SYSTEM]
| jscript.dll      Updated     5.6.0.8513  1/13/03   5.6.0.8831  5/17/06   No
|
| 151 folders examined.
| 1680 files examined.
| 0 files added to verification data file.
| 0 files removed from verification data file.
| 1 files updated in verification data file.
| 0 files restored.
| 0 file changes ignored.
|
| most recent run of sfc -
| Microsoft System File Checker
| Log file generated on 8/28/07 at 5:52
|
| Started verify scan using verification data file:
| "C:\WINDOWS\Default.sfc"
|
|                              Previous    Previous  New         New       CRC
| File             Change      Version     Date      Version     Date      Match
| ---------------- ----------- ----------- --------- ----------- --------- ------
| [C:\WINDOWS]
| notepad.exe      Updated     4.10.1998   4/23/99   4.00.950    4/23/99   Yes
| REGEDIT.COM      Added                             4.10.1998   4/23/99
| R.COM            Added                             4.10.1998   4/23/99
| [C:\WINDOWS\SYSTEM]
| NOTEPAD.EXE      Added                             4.00.950    9/9/06
| PSAPI.DLL        Added                             5.00.2134.1 12/7/99
| [C:\Program Files\Common Files\Microsoft Shared\VGX]
| VGX.DLL          Updated     6.00.2800.1 3/10/04   6.00.2800.1 9/18/06   No
|
| 151 folders examined.
| 1684 files examined.
| 4 files added to verification data file.
| 0 files removed from verification data file.
| 2 files updated in verification data file.
| 0 files restored.
| 0 file changes ignored.
|
| I find this latest run of sfc disturbing, as I can't remember what I
| might've done to cause the addition of
| NOTEPAD.EXE
| PSAPI.DLL
| REGEDIT.COM
| R.COM
| and the update (appears to be regressive) of
| notepad.exe from 4.10.1998 to 4.00.95
|
| There are two copies of notepad that I can find -
| C:\windows\system\NOTEPAD.EXE
| md5sum = 40ff8ccbb79b0d60cf619885dad6f896
| file size = 34304
| date = Sep 9 2006
| C:\windows\notepad.exe
| md5sum = 7654c9f931b39b3e4f52411913f8a0e6
| file size = 53248
| date = Apr 23 1999

Mine matches that second one in all ways & is in the same folder...
NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
....Therefore, it contains no virus.

The other isn't in my machine. Did you upgrade from Win95, as Ingeborg has said it is a Win95 version (which might explain its existence)? Still, I don't know why it would suddenly show up. It looks like you certainly have not just added its folder to SFC's consideration, as it was mentioned back in the 7/16/06 run.

How do you start Notepad when you run it? Can you tell which one actually starts? Do you ever notice the others to be running on their own at...?...
"START button, Run, MSInfo32, Software Environment, Running Tasks"

| A full anti-virus scan with F-Prot (Files: "Dumb" scan of all files -
| Switches: -ARCHIVE -PACKED -SERVER -APPEND -AI) reported -
| Results of virus scanning:
| Files: 32188
| MBRs: 0
| Boot sectors: 0
| Objects scanned: 64404
| Time: 14:09
| No viruses or suspicious files/boot sectors were found.

That's very encouraging! Nevertheless, perhaps send the files in question one at a time to...
http://www.virustotal.com/xhtml/index_en.html

Each will be examined by 30 virus scanners! I personally have found their results to be more clear by attaching the file(s) into an E-Mail to them. I think you just get a dash (-) when doing it at the site, where an E-Mail comes back with words, such as "found nothing" for each virus scanner.

| Ignoring, for right now, the issues with PSAPI.DLL, REGEDIT.COM and
| R.COM,

Ingeborg is right that some will rename Regedit.exe to Regedit.com to undo a virus attack. Others will rename it preemptively. You say you haven't done it, & I don't see evidence in your SFCLog.txt that some app newly installed has done that for you. However, if the app was installed entirely into a folder(s) that is not under SFC's consideration (at "START, Run, SFC, Settings, Search Criteria tab") it wouldn't show up in the log.

| what should I have for notepad.exe on a fully updated Windows
| 98SE (updated at end of life, but haven't been to Windows Update since
| then)?

The one in C:\Windows is in the right place & matches mine exactly.

| What folder(s) should the correct version of notepad be in?
| What should the file size be for the correct version of notepad?
| Date?
| md5sum?
|
| Thanks for any light you can shed on this "problem".

You are welcome.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest Vince
Posted September 9, 2007
Re: Ruh Roh - Notepad added and updated

On Sat, 8 Sep 2007 19:41:59 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>Mine matches that second one in all ways & is in the same folder...
>NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
>...Therefore, it contains no virus.
>
>The other isn't in my machine. Did you upgrade from Win95, as Ingeborg
>has said it is a Win95 version (which might explain its existence)?

No, this was a clean install to a new hard drive using an OEM copy of Windows 98 SE.

>How do you start Notepad when you run it? Can you tell which one
>actually starts? Do you ever notice the others to be running on their
>own at...?

The shortcut I use starts the C:\windows\notepad.exe (now known to be a good copy). Have never noticed the C:\windows\system\NOTEPAD.EXE (the questionable copy) running, either on its own or from me starting it. Looked back through the HiJackThis logs that have been saved and there's no instance of C:\windows\system\NOTEPAD.EXE in the logs.

>Ingeborg is right that some will rename Regedit.exe to Regedit.com to
>undo a virus attack. Others will rename it preemptively. You say you
>haven't done it, & I don't see evidence in your SFCLog.txt that some app
>newly installed has done that for you.

c:\windows\regedit.exe, c:\windows\REGEDIT.COM and c:\windows\R.COM all have the same md5sum, 8d7116df0a8b034c06b647616bbb6f50 and file size. Took quick look at the code in those three files and they look to be identical (didn't look too close since the md5sums matched, just wanted a warm, fuzzy feeling they were identical).

Guess the question now is are those good, or have they all been altered in some way.

>That's very encouraging! Nevertheless, perhaps send the files in
>question one at a time to...
>http://www.virustotal.com/xhtml/index_en.html

I'm inclined to just delete the questionable copy of notepad, but learning to use virustotal sounds like something I should do. If I can figure out how, will submit notepad and R.COM. Thanks for the tip.

Now it's time for some Googling to see what I can find out about PSAPI.DLL. Don't be surprised if I show up with more questions.

And thanks for the help.
Guest PCR
Posted September 9, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message
news:cfd8e353gvp21k99do29e717337p9bg2gi@4ax.com
| On Sat, 8 Sep 2007 19:41:59 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
|>Mine matches that second one in all ways & is in the same folder...
|>NOTEPAD.EXE 7654c9f931b39b3e4f52411913f8a0e6
|>...Therefore, it contains no virus.
|>
|>The other isn't in my machine. Did you upgrade from Win95, as Ingeborg
|>has said it is a Win95 version (which might explain its existence)?
|
| No, this was a clean install to a new hard drive using an OEM copy of
| Windows 98 SE.

Hmm. That's mysterious! It doesn't come naturally with Win98!

|>How do you start Notepad when you run it? Can you tell which one
|>actually starts? Do you ever notice the others to be running on their
|>own at...?
|
| The shortcut I use starts the C:\windows\notepad.exe (now known to be
| a good copy). Have never noticed the C:\windows\system\NOTEPAD.EXE
| (the questionable copy) running, either on its own or from me
| starting it. Looked back through the HiJackThis logs that have been
| saved and there's no instance of C:\windows\system\NOTEPAD.EXE in the
| logs.

That isn't the behavior of a virus. A virus would want to be the one that runs. Also, your SFC report just doesn't show enough ugliness (such as the deletion of important files) for me to be overly concerned you are infected.

|>Ingeborg is right that some will rename Regedit.exe to Regedit.com to
|>undo a virus attack. Others will rename it preemptively. You say you
|>haven't done it, & I don't see evidence in your SFCLog.txt that some
|>app newly installed has done that for you.
|
| c:\windows\regedit.exe, c:\windows\REGEDIT.COM and c:\windows\R.COM
| all have the same md5sum, 8d7116df0a8b034c06b647616bbb6f50 and file
| size. Took quick look at the code in those three files and they look
| to be identical (didn't look too close since the md5sums matched, just
| wanted a warm, fuzzy feeling they were identical).

They are identical, & they all match my own...
REGEDIT.EXE 8d7116df0a8b034c06b647616bbb6f50

| Guess the question now is are those good, or have they all been
| altered in some way.

They all match my own-- but I have only one!

|>That's very encouraging! Nevertheless, perhaps send the files in
|>question one at a time to...
|>http://www.virustotal.com/xhtml/index_en.html
|
| I'm inclined to just delete the questionable copy of notepad, but
| learning to use virustotal sounds like something I should do. If I
| can figure out how, will submit notepad and R.COM. Thanks for the
| tip.

Yea, try it. But I'm certain it is uninfected. It better be! Yea, delete the extras. I guess... possibly... "START button, Run, RegEdit".... & search your Registry for mention of R.COM & RegEdit.com too.

| Now it's time for some Googling to see what I can find out about
| PSAPI.DLL. Don't be surprised if I show up with more questions.

I have one of those that came with Compaq's Connection Helper. It is an MS .dll, but is not in the Win98 .cabs. It only comes with some extra, added application.

| And thanks for the help.

You are welcome.

(a) Does anyone else have access to your computer?
(b) Have you been to a WEB site & clicked something that promised to inoculate you?
(c) Did you run an inoculator like maybe SpyBot? (But I'm not sure renaming RegEdit.exe is one of its doings.)
(d) Did R.COM or RegEdit.com show up in the Registry?
Guest Vince
Posted September 10, 2007
Re: Ruh Roh - Notepad added and updated

On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:

Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL. "found nothing" for all scanners on all three files.
I'm still uninfected!!

>(a) Does anyone else have access to your computer?

Not this one, although I suppose anything is possible, no matter how unlikely.

>(b) Have you been to a WEB site & clicked something that
> promised to inoculate you?

No

>(c) Did you run an inoculator like maybe SpyBot?
> (But I'm not sure renaming RegEdit.exe is one of its doings.)

Inoculator?
I've run SpyBot Search&Destroy on demand, but no part of it is allowed to start at boot and run in the background all the time (teatimer?).

>(d) Did R.COM or RegEdit.com show up in the Registry?

No.

Checked my file association for .txt files and it opens with c:\windows\notepad.exe. I'm sure there are some other file types associated with notepad, but I'm just going to delete the questionable copy and deal with anything that pops up after it's gone.

Took a look at PSAPI.DLL and according to the properties, it's a Microsoft file for Windows 2000. Wish I could figure out what I did to get it installed on my system. May rename it and see what, if anything, breaks.
Guest MEB
Posted September 10, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message
news:al6ae35b9qhjihcp4f5u41u22tl852bq8o@4ax.com...
| On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
| Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL.
| "found nothing" for all scanners on all three files.
| I'm still uninfected!!
|
| >(a) Does anyone else have access to your computer?
|
| Not this one, although I suppose anything is possible, no matter how
| unlikely.
|
| >(b) Have you been to a WEB site & clicked something that
| > promised to inoculate you?
|
| No
|
| >(c) Did you run an inoculator like maybe SpyBot?
| > (But I'm not sure renaming RegEdit.exe is one of its doings.)
|
| Inoculator?
| I've run SpyBot Search&Destroy on demand, but no part of it is allowed
| to start at boot and run in the background all the time (teatimer?).
|
| >(d) Did R.COM or RegEdit.com show up in the Registry?
|
| No.
|
| Checked my file association for .txt files and it opens with
| c:\windows\notepad.exe. I'm sure there are some other file types
| associated with notepad, but I'm just going to delete the questionable
| copy and deal with anything that pops up after it's gone.
|
| Took a look at PSAPI.DLL and according to the properties, it's a
| Microsoft file for Windows 2000. Wish I could figure out what I did
| to get it installed on my system. May rename it and see what, if
| anything, breaks.

Do not mess with psapi.dll, it IS installed on a per application basis, and should ONLY be in an individual application folder.
IF found in an application's folder, the programmers have used it during their coding. Without the file the program will error or not run.

OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename it, temporarily, to test for applications which might use it, then transfer it to that folder/application directory. There MAY however, have been modifications made to the file per some application specific use, or perhaps, a different version used.

The test, however, may not actually work when expected. I have done this type of activity before, only to find [after deletion] that some program I forgot to run, needed that now deleted file [of course that was a long time ago, one does get smarter [hopefully] over time] ....

You could *profile* the applications using Dependency Walker, though that takes awhile to do [per number of installed programs].

You can also run File monitor or Reg monitor [sysinternals/Microsoft] while using your applications to see if it is actually used.

http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR
Posted September 11, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message
news:al6ae35b9qhjihcp4f5u41u22tl852bq8o@4ax.com
| On Sun, 9 Sep 2007 15:57:08 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
| Got results back from virustotal for R.COM, NOTEPAD.EXE and PSAPI.DLL.
| "found nothing" for all scanners on all three files.
| I'm still uninfected!!

That is good news!

|>(a) Does anyone else have access to your computer?
|
| Not this one, although I suppose anything is possible, no matter how
| unlikely.

Hmm. OK. Probably not that. No foul deed appears to have been done, anyhow. If anyone else did it, probably it was a sloppy attempt to make the computer safer.

Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed each time you Defrag. Every program that has been run at least twice will be listed in it. Do you see any of the apps in question listed there or any strange app?

|>(b) Have you been to a WEB site & clicked something that
|> promised to inoculate you?
|
| No

OK.

|>(c) Did you run an inoculator like maybe SpyBot?
|> (But I'm not sure renaming RegEdit.exe is one of its doings.)
|
| Inoculator?
| I've run SpyBot Search&Destroy on demand, but no part of it is allowed
| to start at boot and run in the background all the time (teatimer?).

SpyBot has an inoculation feature-- to preemptively make the computer less susceptible to a virus or trojan. Let me Google it...
http://www.google.com/search?hl=en&q=SpyBot+inoculation
It comes up with about 12,800 "SpyBot inoculation", but the first three don't mention "RegEdit".

|>(d) Did R.COM or RegEdit.com show up in the Registry?
|
| No.

OK. It's generally a good idea to check for that before deleting a program.

| Checked my file association for .txt files and it opens with
| c:\windows\notepad.exe. I'm sure there are some other file types
| associated with notepad, but I'm just going to delete the questionable
| copy and deal with anything that pops up after it's gone.

The Optlog.txt file includes the path of each program it lists. So, you could distinguish between the two Notepads.

| Took a look at PSAPI.DLL and according to the properties, it's a
| Microsoft file for Windows 2000. Wish I could figure out what I did
| to get it installed on my system. May rename it and see what, if
| anything, breaks.

OK. My own Psapi.dll is not mentioned in the Registry & is in the folder C:\compaq\CPQInet. I see MEB has taken up the baton on that one. Yours is in C:\WINDOWS\SYSTEM, making it hard to discover what application it came with.
Guest Vince
Posted September 11, 2007
Re: Ruh Roh - Notepad added and updated

On Mon, 10 Sep 2007 15:00:24 -0400, "MEB" <meb@not here@hotmail.com> wrote:

> Do not mess with psapi.dll, it IS installed on a per application basis, and
>should ONLY be in an individual application folder.
> IF found in an application's folder, the programmers have used it during
>their coding. Without the file the program will error or not run.
>
> OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename
>it, temporarily, to test for applications which might use it, then transfer
>it to that folder/application directory. There MAY however, have been
>modifications made to the file per some application specific use, or
>perhaps, a different version used.
>
> You could *profile* the applications using Dependency Walker, though that
>takes awhile to do [per number of installed programs].
>
> You can also run File monitor or Reg monitor [sysinternals/Microsoft] while
>using your applications to see if it is actually used.
>
>http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
>http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm

Thanks for the advice. Since psapi.dll is installed in c:\windows/system, I'd like to find out who/what put it there. Then I can decide if I want to keep that app. It's waay too easy to get into dll hell with Win98 and apps putting their version of some dll someplace where it can conflict with other dll's.

Just need to figure out how that "extra" dll got installed on my system. It's tough having CRS!
Guest Vince
Posted September 11, 2007
Re: Ruh Roh - Notepad added and updated

On Mon, 10 Sep 2007 21:14:26 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed
>each time you Defrag. Every program that has been run at least twice
>will be listed in it. Do you see any of the apps in question listed
>there or any strange app?

"Program Launch Optimization Log - Created Mon Oct 11 22:42:38 2004"
Looks like I haven't defragged in a while.

Only saw two entries that I didn't recognise
12 runonce 351 2004.10.11 C:\WINDOWS\SYSTEM\RUNONCE.EXE
18 sucatreg 33 2004.08.03 C:\WINDOWS\SYSTEM\SUCATREG.EXE

The only entry for notepad is
6 notepad 985 2004.10.11 C:\WINDOWS\NOTEPAD.EXE
but that's not surprising, given the creation date - much before
Microsoft System File Checker
Log file generated on 8/28/07 at 5:52

Guess I need to map out time for a defrag.

Then I'm going to throw caution to the wind. Boot to dos, rename psapi.dll and move it to another partition. Something is going to happen! <Beg>
Guest MEB
Posted September 11, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message
news:ag2de3tgami22eats4sievoqc10oi1og4c@4ax.com...
| On Mon, 10 Sep 2007 15:00:24 -0400, "MEB" <meb@not here@hotmail.com>
| wrote:
|
| > Do not mess with psapi.dll, it IS installed on a per application basis, and
| >should ONLY be in an individual application folder.
| > IF found in an application's folder, the programmers have used it during
| >their coding. Without the file the program will error or not run.
| >
| > OTOH, if it's located in *WINDIR* or SYSTEM then you MIGHT be able to rename
| >it, temporarily, to test for applications which might use it, then transfer
| >it to that folder/application directory. There MAY however, have been
| >modifications made to the file per some application specific use, or
| >perhaps, a different version used.
| >
| > You could *profile* the applications using Dependency Walker, though that
| >takes awhile to do [per number of installed programs].
| >
| > You can also run File monitor or Reg monitor [sysinternals/Microsoft] while
| >using your applications to see if it is actually used.
| >
| >http://peoplescounsel.orgfree.com/ref/gen/sys_diagnos.htm
| >http://peoplescounsel.orgfree.com/ref/gen/sys_diag2.htm
|
| Thanks for the advice. Since psapi.dll is installed in
| c:\windows/system, I'd like to find out who/what put it there. Then I
| can decide if I want to keep that app. It's waay too easy to get into
| dll hell with Win98 and apps putting their version of some dll
| someplace where it can conflict with other dll's.
|
| Just need to figure out how that "extra" dll got installed on my
| system. It's tough having CRS!
|

That's the problem, you hit that nail dead on the head.

Could have been some programmer who failed to understand this file is apparently NOT one which remains static, or which pulls prior support [full compatibility] forward. There are several others [including some used for IE, and crammed into the %windir% and system folder] which carry unsupported aspects, and do cause system/OS errors. That is also why a number of older Win9X applications do NOT work in the 9X/IE 6 environment [IE 6 was never properly ported to 9X/ME and would actually fail pursuant Microsoft's own certification/WHQL standards for second/third party programs].
But this has already been discussed in this group over the last few years.

I suppose I should advise, I presently have three (3) distinct versions in various application directories on my system.
Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and Version 5.00.2134.1 at 28.27k.[AVG].

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted September 11, 2007 Posted September 11, 2007 Re: Ruh Roh - Notepad added and updated "Vince" <nobody@home.invalid> wrote in message news:ae4de3tdc823obsjjffrngkgi6l7h6l2ns@4ax.com | On Mon, 10 Sep 2007 21:14:26 -0400, "PCR" <pcrrcp@netzero.net> wrote: | |>Do you know the file OPTLOG.TXT in C:\WINDOWS\APPLOG? It is refreshed |>each time you Defrag. Every program that has been run at least twice |>will be listed in it. Do you see any of the apps in question listed |>there or any strange app? | | "Program Launch Optimization Log - Created Mon Oct 11 22:42:38 2004" | Looks like I haven't defragged in a while. | | Only saw two entries that I didn't recognise | 12 runonce 351 2004.10.11 C:\WINDOWS\SYSTEM\RUNONCE.EXE | 18 sucatreg 33 2004.08.03 C:\WINDOWS\SYSTEM\SUCATREG.EXE Wow! Neither of those show up in my Optlog.txt at all-- meaning they have not run more than once since the creation of my current Optlog.txt. But, it is possible I did delete a much older Optlog.txt that may have mentioned them-- still, I can't imagine they ever ran as often as your incredible 351 & 33! If so, they should have shown up again! Well... maybe... I guess, they might run a lot during the initial install of Windows & hardly ever again... but 351? Maybe do a Defrag at intervals & see whether their run counts increase above what is showing now. And I guess there could be other legit reasons for you to have so many. Maybe some inoculator has put something into the Registry to do that Runonce.exe at each boot. Check the two Runonce keys, maybe... HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce I still do believe you are uninfected with anything. I DO have both of those files in that folder, which are dated 4/23/99. Going by that date, they are as old as Win98SE. Odd, only the first is actually in one of my .cab's, though... 
Cabinet WIN98_46.CAB
04-23-1999 10:22:00p A--- 36,864 runonce.exe

But I'm not overly worried SUCATREG.EXE is suspicious, despite the pornographic overtones in its name. Let me look it up...

http://support.microsoft.com/kb/232893/en-us
PRB: Setup Cannot Find Catalog Files That Are Manually Copied to the System

The Microsoft Knowledge Base (MSKB) mentions it just once for Win98. It seems to be legit & has to do with C:\Windows\Inf\Catalog. I have only one file in that folder-- Q299618.cat. Do you have 33?

It is possible that SUCATREG.EXE actually is inside one of the Win98SE .cab's, but under a different name. Some files are like that & need to be renamed after extraction.

| The only entry for notepad is
| 6 notepad 985 2004.10.11 C:\WINDOWS\NOTEPAD.EXE
| but that's not surprising, given the creation date - much before
| Microsoft System File Checker
| Log file generated on 8/28/07 at 5:52
|
| Guess I need to map out time for a defrag.

Yes. If you run it frequently, it will run quicker. It seems to know how much work to do. JUST... run ScanReg first the first time (at least), & DON'T let either constantly restart. If they try, stop them & post back for instructions!

| Then I'm going to throw caution to the wind. Boot to dos, rename
| psapi.dll and move it to another partition. Something is going to
| happen! <Beg>

Well, MEB posted about that & Phillipson often says the same. Ensure yours like mine is not mentioned in the Registry first. Otherwise, there's some possibility of trouble during a reboot.
Guest Vince Posted September 12, 2007
Re: Ruh Roh - Notepad added and updated

On Tue, 11 Sep 2007 15:50:44 -0400, "MEB" <meb@not here@hotmail.com> wrote:

> I suppose I should advise, I presently have three (3) distinct versions in
>various application directories on my system.
>Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and
**Version 5.00.2134.1 at 28.27k.[AVG].**

Ding - Ding - Ding
There's a clue!

My copy of psapi.dll is that same version, 5.00.2134.1. And I found the program that added psapi.dll and notepad in c:\windows\system - MicroWorld AntiVirus & Spyware Toolkit Utility. Only used that a couple of times and promptly forgot about it. Don't expect to use it going forward, so I've deleted c:\windows\system\notepad.exe and c:\windows\system\psapi.dll. Problem explained.

Thanks for the help.
Guest Vince Posted September 12, 2007
Re: Ruh Roh - Notepad added and updated

On Tue, 11 Sep 2007 15:52:43 -0400, "PCR" <pcrrcp@netzero.net> wrote:

>"Vince" <nobody@home.invalid> wrote in message
>
>| Then I'm going to throw caution to the wind. Boot to dos, rename
>| psapi.dll and move it to another partition. Something is going to
>| happen! <Beg>
>
>Well, MEB posted about that & Phillipson often says the same. Ensure
>yours like mine is not mentioned in the Registry first. Otherwise,
>there's some possibility of trouble during a reboot.

Finally figured out what happened. I used the MicroWorld AntiVirus & Spyware Toolkit Utility a couple of times and didn't run SFC before or after. Then when I did finally run SFC, the extra copy of notepad and psapi.dll were added to the sfclog. Mystery solved!

Thanks for the help.
Guest MEB Posted September 13, 2007
Re: Ruh Roh - Notepad added and updated

"Vince" <nobody@home.invalid> wrote in message news:c25ee3t83e5v170vb5nsiubuhm6rm4g4v9@4ax.com...
| On Tue, 11 Sep 2007 15:50:44 -0400, "MEB" <meb@not here@hotmail.com>
| wrote:
|
| > I suppose I should advise, I presently have three (3) distinct versions in
| >various application directories on my system.
| >Version 4 at 14.5k [WinHex], Version 4 at 17.77k [Dreamweaver MX], and
| **Version 5.00.2134.1 at 28.27k.[AVG].**
|
| Ding - Ding - Ding
| There's a clue!
|
| My copy of psapi.dll is that same version, 5.00.2134.1. And I found
| the program that added psapi.dll and notepad in c:\windows\system -
| MicroWorld AntiVirus & Spyware Toolkit Utility. Only used that a
| couple of times and promptly forgot about it. Don't expect to use it
| going forward, so I've deleted c:\windows\system\notepad.exe and
| c:\windows\system\psapi.dll. Problem explained.
|
| Thanks for the help.
|

As always, we aim to please <grin> thanks for posting the final answer to the issue. Perhaps it may help others.

It does leave one to question WHY those programmers thought they could change things around in YOUR system and put files wherever they wished, bbbbuuuuuut such happens ...

If you're still playing around installing things [testing stuff for instance], might want to get an installation monitor like TUN [Total Uninstall] or In Control. Doing such always makes me wish the old MicroHelp Uninstaller would still work in 9X / IE 6....

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted September 13, 2007
Re: Ruh Roh - Notepad added and updated

Vince wrote:
| On Tue, 11 Sep 2007 15:52:43 -0400, "PCR" <pcrrcp@netzero.net> wrote:
|
|>"Vince" <nobody@home.invalid> wrote in message
|>
|>| Then I'm going to throw caution to the wind. Boot to dos, rename
|>| psapi.dll and move it to another partition. Something is going to
|>| happen! <Beg>
|>
|>Well, MEB posted about that & Phillipson often says the same. Ensure
|>yours like mine is not mentioned in the Registry first. Otherwise,
|>there's some possibility of trouble during a reboot.
|
| Finally figured out what happened. I used the MicroWorld AntiVirus &
| Spyware Toolkit Utility a couple of times and didn't run SFC before or
| after. Then when I did finally run SFC, the extra copy of notepad and
| psapi.dll were added to the sfclog. Mystery solved!

Very good! It was trying to inoculate you-- but seems to have been very sloppy about it! I can understand (but haven't myself done) renaming RegEdit.exe to RegEdit.com. But why did you STILL have a RegEdit.exe? And why an R.com? Also, why give you a Win95 Notepad.exe (if that's what it was)? Very sloppy, I think!

MicroWorld must not have put any of itself into a system folder, or SFC would have spotted it with the other changes done. Long ago, I added "C:\Program Files" to SFC's search criteria to help with things like that.

| Thanks for the help.

You are welcome. It was a puzzler!
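An added example (not from any poster in this thread): the before-and-after snapshot that ties files such as the extra NOTEPAD.EXE and PSAPI.DLL to the installer that dropped them, labelling changes the way the SFC log does and listing same-named files whose content differs between folders. The folder tree, file contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path) to (size, MD5 hex digest)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # MD5 matches the md5sum values in the thread; prefer SHA-256 against tampering.
            key = os.path.relpath(path, root).replace(os.sep, "/")
            snap[key] = (len(data), hashlib.md5(data).hexdigest())
    return snap

def diff(before, after):
    """Label each changed path Added, Updated or Removed, as the SFC log does."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = "Added"
        elif path not in after:
            changes[path] = "Removed"
        elif before[path] != after[path]:
            changes[path] = "Updated"
    return changes

def differing_copies(snap):
    """File names (case-insensitive) found in several folders with different content."""
    by_name = {}
    for path, sig in snap.items():
        by_name.setdefault(os.path.basename(path).lower(), {})[path] = sig
    return {n: sorted(c) for n, c in by_name.items() if len(set(c.values())) > 1}

def demo():
    """Constructed stand-in for a WINDOWS folder and its SYSTEM subfolder; contents are fake."""
    with tempfile.TemporaryDirectory() as win:
        os.mkdir(os.path.join(win, "SYSTEM"))
        def put(rel_path, data):
            with open(os.path.join(win, rel_path), "wb") as fh:
                fh.write(data)
        put("notepad.exe", b"constructed notepad 4.10.1998")
        before = snapshot(win)    # baseline taken before running the installer
        put("SYSTEM/NOTEPAD.EXE", b"constructed notepad 4.00.950")
        put("SYSTEM/PSAPI.DLL", b"constructed psapi 5.00.2134.1")
        after = snapshot(win)     # second snapshot straight afterwards
    return diff(before, after), differing_copies(after)
```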