msorkf.dll

[michael_aussie]

Hi Everyone,

My computer appeared to have some sort of malware (it was trying to go to a strange Chinese Google web site).

I ran SAS.

When I restarted the computer I immediately received a warning message:

"winlogon.exe- Unable to Locate Component" - and the same message for heaps of other windows applications.

"This application has failed to start because msorkf.dll was not found. Re-installing the application may fix the problem."

A search of the hard drive revealed that the dll wasn't there.

A search of the internet for msorkf.dll brought up zero results.

A search in regedit showed that the dll in question was in SAS??? (DEFAULT/software/SUPERantispyware.com)

I uninstalled and reinstalled SAS.

Now I still have the same error message.

A new search of regedit comes up with no instances of the dll now (not even in SAS).

Can someone shed some light????

What is msorkf.dll?

Has SAS deleted it and I need it??

Has SAS deleted it and some malware needs it??

Has SAS deleted it and Windows needs it?

Why doesn't msorkf.dll come up in an internet search??

Why did msorkf.dll originally show up in a regedit search under SAS??? (DEFAULT/software/SUPERantispyware.com)

My computer is now unuseable as most software doesn't work.

Sad user,

Michael_Aussie.

[siliconman01]

Can someone shed some light????

What is msorkf.dll?

Has SAS deleted it and I need it??

Has SAS deleted it and some malware needs it??

Has SAS deleted it and Windows needs it?

Why doesn't msorkf.dll come up in an internet search??

Why did msorkf.dll originally show up in a regedit search under SAS??? (DEFAULT/software/SUPERantispyware.com)

The reason it showed up in regedit was because it was in SAS's Quarantine folder and the SAS registry keys were pointing to it in that folder. When you removed SAS, it removed the Quarantine folder as well...thus it's no longer in the registry.

msorkf.dll is an infection and not part of standard issue Windows. The probability is always very high that if you Google a DLL and nothing shows up, the DLL is a new infection.

What appears to have happened is that this infection integrated itself into various areas of your system and SAS did not totally remove/repair the infected areas. It is recommended that you submit a customer support ticket and let the SAS gurus fix you up. This will fix your system as well as permit SAS to repair their detection/removal rules for this specific infection so that SAS properly removes it the next time around.

https://www.superantispyware.com/precreateticket.html

[michael_aussie]

Thankyou siliconman,

I'm in a Catch22 situation.

I can't run the diagnostics tool because IE crashes out with the missing dll??

I have run HiJackThis.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:43:03 PM, on 7/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\connectivity.windowsservice.jobdispatch.exe

C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\connectivity.edmws.server.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\wlloginproxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Safetech Pty Ltd

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.10:8080

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {1fecba15-c205-0a7e-96a4-286652732873} - C:\WINDOWS\ihefapoyo.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [sDMSSplash] "C:\Program Files\HP_SDMS\SDMSSplash\launcher.exe" "launchdir=C:\Program Files\HP_SDMS\SDMSSplash"

O4 - HKLM\..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe

O4 - HKLM\..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe

O4 - HKLM\..\Run: [Xyoweq] rundll32.exe "C:\WINDOWS\Nveho.dll",e

O4 - HKLM\..\Run: [Hyetudaf] rundll32.exe "C:\WINDOWS\ihefapoyo.dll",e

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\yahoomessenger.exe" -quiet (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [RegistryCleanerPro] C:\Program Files\iXi Tools\Registry Cleaner Pro\registrycleanerpro.exe -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://safetech1:4343/officescan/conso ... nNTChk.cab

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://safetech1:4343/officescan/conso ... /setup.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} (XeWare Control) - http://server3/sage1000/Plugin/eWarePluginX.cab

O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://safetech1:4343/officescan/conso ... veCtrl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7732722084

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9662912731

O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://safetech1:4343/SMB/console/html/root/AtxEnc.cab

O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://safetech1:4343/SMB/console/html ... onsole.cab

O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intsafetech.com.au

O17 - HKLM\Software\..\Telephony: DomainName = intsafetech.com.au

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intsafetech.com.au

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intsafetech.com.au

O20 - AppInit_DLLs: xbxmmb.dll aweqnb.dll btfjge.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

--

End of file - 10771 bytes

[michael_aussie]

[michael_aussie]

May 12 2009 (Tue)

2:01:58 AM PDT

MICHAEL_AUSSIE Wrote:

I am very grateful for your time, and sorry to mess you around.

The system administrator decided the best result would be reformat the computer.

Therefore, the virus or whatever it was is now gone.

Thankyou for your time.

You have a great product.

I SUGGEST THIS THREAD SHOULD BE CLOSED??