michael_aussie Posted May 7, 2009

Hi Everyone,

My computer appeared to have some sort of malware (it was trying to go to a strange Chinese Google web site). I ran SAS. When I restarted the computer I immediately received a warning message:

"winlogon.exe- Unable to Locate Component" - and the same message for heaps of other Windows applications.

"This application has failed to start because msorkf.dll was not found. Re-installing the application may fix the problem."

A search of the hard drive revealed that the dll wasn't there. A search of the internet for msorkf.dll brought up zero results. A search in regedit showed that the dll in question was in SAS??? (DEFAULT/software/SUPERantispyware.com)

I uninstalled and reinstalled SAS. Now I still have the same error message. A new search of regedit comes up with no instances of the dll now (not even in SAS).

Can someone shed some light????

What is msorkf.dll?
Has SAS deleted it and I need it??
Has SAS deleted it and some malware needs it??
Has SAS deleted it and Windows needs it?
Why doesn't msorkf.dll come up in an internet search??
Why did msorkf.dll originally show up in a regedit search under SAS??? (DEFAULT/software/SUPERantispyware.com)

My computer is now unusable as most software doesn't work.

Sad user,
Michael_Aussie.

siliconman01 Posted May 7, 2009

> Can someone shed some light????
> What is msorkf.dll?
> Has SAS deleted it and I need it??
> Has SAS deleted it and some malware needs it??
> Has SAS deleted it and Windows needs it?
> Why doesn't msorkf.dll come up in an internet search??
> Why did msorkf.dll originally show up in a regedit search under SAS??? (DEFAULT/software/SUPERantispyware.com)

The reason it showed up in regedit was because it was in SAS's Quarantine folder and the SAS registry keys were pointing to it in that folder. When you removed SAS, it removed the Quarantine folder as well...thus it's no longer in the registry.

msorkf.dll is an infection and not part of standard issue Windows. The probability is always very high that if you Google a DLL and nothing shows up, the DLL is a new infection.

What appears to have happened is that this infection integrated itself into various areas of your system and SAS did not totally remove/repair the infected areas.

It is recommended that you submit a customer support ticket and let the SAS gurus fix you up. This will fix your system as well as permit SAS to repair their detection/removal rules for this specific infection so that SAS properly removes it the next time around.

https://www.superantispyware.com/precreateticket.html

michael_aussie Posted May 7, 2009

Thank you siliconman,

I'm in a Catch-22 situation. I can't run the diagnostics tool because IE crashes out with the missing dll??

I have run HijackThis. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:03 PM, on 7/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\connectivity.windowsservice.jobdispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\connectivity.edmws.server.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\wlloginproxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Safetech Pty Ltd
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.10:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1fecba15-c205-0a7e-96a4-286652732873} - C:\WINDOWS\ihefapoyo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [sDMSSplash] "C:\Program Files\HP_SDMS\SDMSSplash\launcher.exe" "launchdir=C:\Program Files\HP_SDMS\SDMSSplash"
O4 - HKLM\..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKLM\..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe
O4 - HKLM\..\Run: [Xyoweq] rundll32.exe "C:\WINDOWS\Nveho.dll",e
O4 - HKLM\..\Run: [Hyetudaf] rundll32.exe "C:\WINDOWS\ihefapoyo.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\yahoomessenger.exe" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [RegistryCleanerPro] C:\Program Files\iXi Tools\Registry Cleaner Pro\registrycleanerpro.exe -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://safetech1:4343/officescan/conso ... nNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://safetech1:4343/officescan/conso ... /setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} (XeWare Control) - http://server3/sage1000/Plugin/eWarePluginX.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://safetech1:4343/officescan/conso ... veCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7732722084
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9662912731
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://safetech1:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://safetech1:4343/SMB/console/html ... onsole.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intsafetech.com.au
O17 - HKLM\Software\..\Telephony: DomainName = intsafetech.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intsafetech.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intsafetech.com.au
O20 - AppInit_DLLs: xbxmmb.dll aweqnb.dll btfjge.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

--
End of file - 10771 bytes
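
Added example, not part of the original thread or any poster's code: a small Python triage of a HijackThis log in the format posted above. It lists three kinds of autostart entry for manual review (O20 AppInit_DLLs, O4 Run entries that start a DLL through rundll32, unnamed O2 browser helper objects); the sample log, its file names and CLSIDs are constructed, and the function name `triage` is an assumption of this example.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - HKLM\..\Run: [x] cmd"
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)

def triage(log_text):
    """Return (section, reason) pairs for entries that deserve manual review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines and running-process paths
        sec, body = m.groups()
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # DLLs named here are loaded into every process that loads user32.dll
            value = body.split(":", 1)[1].strip()
            dlls = [d for d in re.split(r"[ ,]+", value) if d]
            if dlls:
                findings.append((sec, "AppInit_DLLs: " + ", ".join(dlls)))
        elif sec == "O4":
            hit = RUNDLL.search(body)
            if hit:
                findings.append((sec, "Run entry starts a DLL via rundll32: " + hit.group(1)))
        elif sec == "O2" and "(no name)" in body:
            target = body.rsplit(" - ", 1)[-1]
            if target == "(no file)":
                findings.append((sec, "unnamed BHO, registered file missing"))
            else:
                findings.append((sec, "unnamed BHO: " + target))
    return findings

# Constructed sample in HijackThis v2.0.2 layout (names and CLSIDs are placeholders)
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example1.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Example] rundll32.exe "C:\WINDOWS\example2.dll",e
O20 - AppInit_DLLs: example3.dll example4.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for section, reason in triage(SAMPLE):
        print(section, "-", reason)
```

Each flagged entry is a prompt to locate the file and check its signature and origin before changing anything.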

michael_aussie Posted May 12, 2009

May 12 2009 (Tue) 2:01:58 AM PDT MICHAEL_AUSSIE Wrote:

I am very grateful for your time, and sorry to mess you around. The system administrator decided the best result would be to reformat the computer. Therefore, the virus or whatever it was is now gone. Thank you for your time. You have a great product.

I SUGGEST THIS THREAD SHOULD BE CLOSED??