Author Topic: War of the Trojans  (Read 2699 times)

Gaute

  • Guest
War of the Trojans
« on: August 12, 2005, 12:24:41 PM »
Hi there!

War of the Trojans!

Could someone please help me remove a trojan called trojan.mietglieder.bi?

The irony of it all; this summer I was reading up on old Greek mythology, and of course the Trojan horse was a central chapter...

My computer has been working slowly lately, so today I ran an Ad-Aware check and it found that my PC was infected with that trojan.

I've been infected before, and this forum and its members have been very helpful on those occasions.

Regards

Gaute


Here's my HJT-log:

Logfile of HijackThis v1.99.1
Scan saved at 19:13:33, on 12.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
War of the Trojans
« Reply #1 on: August 14, 2005, 10:38:08 PM »
Sorry for the delay. If you still need a hand with your log,
could you please register to the forum and supply a fresh HijackThis log to this thread?
Registering is a simple and free process.
If you are a registered user, could you please sign in and then post a new log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #2 on: August 16, 2005, 04:30:49 PM »
Hi Guestolo! Thanks for helping out!
When I ran an Avast check it found five or six entries of Trojans.

Regards
Gaute

Here is the fresh HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 23:24:14, on 16.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Soulseek\slsk.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
War of the Trojans
« Reply #3 on: August 16, 2005, 11:25:11 PM »
Your log's not that bad, but we should run some scans.
Can you do the following please?

Please ensure you are using the latest version of Ad-Aware
Which is Ad-Aware SE Personal 1.06
If not, download and install the latest version
from this link
Be sure it is updated but don't run a scan yet
Ad-Aware SE Personal 1.06

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/


Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Give it time to load
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode
Run another scan with Hijackthis and post a fresh log
Also include the report from Ewido

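The triage the helper does by eye above (the O15 zone defaults to fix in HijackThis, O23 services whose binary is missing, and the O17 NameServer and R1 proxy entries to confirm) can be scripted; the following is an added Python example, not part of the thread or of HijackThis, and the sample log is constructed in the v1.99.1 format used in the posts above.

```python
"""Triage a HijackThis v1.99 log the way the helper in this thread does by eye.

Added example, not from the thread or from HijackThis itself. The sample log
is constructed in the format of the logs posted above; the flagged entry
classes (O15 zone defaults, O23 services with a missing binary, O17
NameServer, R1 AutoConfigURL) are the ones reviewed in the thread.
"""
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 log format (not a real scan).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19:13:33, on 12.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
""".lstrip("\n")

# Every HJT entry line starts with a section code (R0/R1, F2, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Split a log into (processes, entries).

    processes: list of paths from the "Running processes:" block
    entries:   dict mapping section code -> list of entry bodies, in file order
    """
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                 # a blank line ends the process block
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def triage(text):
    """Return (code, reason, body) for entries a reviewer looks at first.

    Nothing here is a verdict: O17 and R1 hits are legitimate when the address
    belongs to the user's ISP (as in this thread); they are listed for checking.
    """
    _, entries = parse_hjt(text)
    findings = []
    for body in entries.get("O15", []):
        # HJT itself states when a protocol sits in a more trusted zone than default.
        if "should be Internet Zone" in body:
            findings.append(("O15", "protocol mapped into My Computer zone", body))
    for body in entries.get("O23", []):
        # A service whose binary is gone is a leftover registration worth checking;
        # the ashWebSv entry in the thread is one example.
        if body.endswith("(file missing)"):
            findings.append(("O23", "service registered but binary missing", body))
    for body in entries.get("O17", []):
        m = re.search(r"NameServer = (\S+)", body)
        if m:
            findings.append(("O17", f"DNS override to {m.group(1)}: confirm it is your ISP", body))
    for body in entries.get("R1", []):
        if "AutoConfigURL" in body:
            findings.append(("R1", "proxy auto-config URL: confirm it is your provider's", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {body}")
```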


Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #4 on: August 18, 2005, 06:23:42 PM »
Hi Guestolo!
Thanks for taking the time to help out! Much appreciated!

I've done everything on your list; Ewido found 3 infections and
the Ad-Aware scan was clean.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 01:13:38, on 19.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe



And here's the ewido scan report:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         23:15:03, 18.08.2005
 + Report-Checksum:      289B7FA7

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{B825DEE4-D4B5-9286-E839-48249C3E89A6} -> Spyware.CoolWebSearch : Cleaned with backup
   C:\WINDOWS\system32\msbkf32.dat -> TrojanDownloader.Small.acv : Cleaned with backup
   C:\WINDOWS\system32\mswkcdx32.exe -> TrojanDownloader.Small.acv : Cleaned with backup


::Report End



Regards
Gaute

Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #5 on: August 20, 2005, 05:30:51 AM »
Hi Guestsolo!

Just a small question;
I started my pc in safemode by using F8. That was no problem. But
when I restarted my pc again to go back to normal mode, the
"look" of XP had changed, the interface looked more like NT or
an older version of Windows. Hard edges, no shadow etc...

I've attached an image of the Symantec internet site which has the look
my computer had, the "old" look and the new design..

Perhaps it's just something I need to uncheck or..

Thanks for doing a great job on the forum :)

All the best,
Gaute

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
War of the Trojans
« Reply #6 on: August 21, 2005, 11:12:30 AM »
Hi again Gaute, the log looks good, you may have done some cleaning before I got to see your log

From what you said, it seems you probably did do some cleaning
Can you right click your desktop and left click properties

Under the Themes tab
Are you in Windows Classic mode?
Are you able to select any other mode?

Updating to Service Pack 2 should help replace files if this is the case

Just for a double check can you do the following
Download Find.zip
Unzip the contents to desktop
Double click on Find.bat and post back the contents
Also Double click on Find1.bat and post the contents

Also post a fresh hijackthis log
« Last Edit: August 21, 2005, 11:13:05 AM by guestolo »



Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #7 on: August 22, 2005, 12:38:21 PM »
Hey Guestolo!

I'm in My Current Theme (translated from Norwegian...)

Under Themes tab I have these opportunities:
1. My current theme
2. Windows XP
3. Windows Standard
4. More themes on the internet
5. Search

What is Service Pack 2? A Windows update?


Here's the Find.bat:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"


And the Find1.bat:

 Volumet i stasjon C er uten navn.
 Volumserienummeret er 3839-B830

 Innhold i C:\WINDOWS\Resources\Themes

06.08.2003  16:45    <DIR>          .
06.08.2003  16:45    <DIR>          ..
18.08.2005  22:34    <DIR>          Luna
16.09.2002  14:00             1 222 Luna.theme
16.09.2002  14:00             3 025 Windows Classic.theme
               2 fil(er)            4 247 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna

18.08.2005  22:34    <DIR>          .
18.08.2005  22:34    <DIR>          ..
06.08.2003  16:44    <DIR>          Shell
               0 fil(er)                0 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell

06.08.2003  16:44    <DIR>          .
06.08.2003  16:44    <DIR>          ..
06.08.2003  16:45    <DIR>          Homestead
06.08.2003  16:46    <DIR>          Metallic
06.08.2003  16:44    <DIR>          NormalColor
               0 fil(er)                0 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

06.08.2003  16:45    <DIR>          .
06.08.2003  16:45    <DIR>          ..
16.09.2002  14:00           362 496 shellstyle.dll
               1 fil(er)          362 496 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

06.08.2003  16:46    <DIR>          .
06.08.2003  16:46    <DIR>          ..
16.09.2002  14:00           362 496 shellstyle.dll
               1 fil(er)          362 496 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

06.08.2003  16:44    <DIR>          .
06.08.2003  16:44    <DIR>          ..
16.09.2002  14:00           361 472 shellstyle.dll
               1 fil(er)          361 472 byte

     Totalt antall filer:
               5 fil(er)        1 090 711 byte
              17 mappe(r)   1 130 815 488 byte ledig



And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:33:30, on 22.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe


Thanks for all your help! You do a great thing for all us novice users.

Gaute

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
War of the Trojans
« Reply #8 on: August 22, 2005, 09:42:32 PM »
Can you do a search on your computer please for
luna.msstyles
Before searching under the Advanced options ensure the top 3 options are selected

Let me know where you find luna.msstyles if you find it and the size of the file

As mentioned, I believe that updating to SP2 will replace a file you need, from what I remember
You should update anyways

SP2 is the latest service pack for Windows
You should visit Windows updates and install the latest service pack

After installation, restart the computer when prompted
Revisit Windows updates and check for any other High Priority updates (Criticals)

Once that is done come back here and let me know how things are running

More info on SP2
Please see these links
http://www.microsoft.com/windowsxp/sp2/topten.mspx
http://www.microsoft.com/windowsxp/sp2/default.mspx
« Last Edit: August 22, 2005, 09:52:19 PM by guestolo »



Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #9 on: August 23, 2005, 10:25:52 AM »
Hi Guestolo!
Thanks for taking time to help!

My computer didn't find the luna.msstyles, neither before nor after installation
of SP2. Strange.

And my computer actually seems to work slower after the installation.
It feels like it is hanging much more. Strange...

Did my latest HJT log look ok?

Best,
Gaute

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
War of the Trojans
« Reply #10 on: August 23, 2005, 07:48:03 PM »
I can't find any info in English on this trojan
trojan.mietglieder.bi
Can you translate it for me please, if that's possible?

Could I see a fresh hijackthis log

Could you also double click on find1.bat again and let me see the contents of the text file that opens

Additionally, from my signature below can you run an online virus scan at Panda's
Scan your whole computer
Save the report when it's done and post it back here

Can you let me know what this is related to
Video perhaps?
C:\MOONS\MPROTECT\PMMODE.EXE
« Last Edit: August 23, 2005, 07:52:15 PM by guestolo »



Offline askburlefot

  • Newbie
  • Posts: 16
  • Karma: +0/-0
War of the Trojans
« Reply #11 on: August 26, 2005, 10:26:47 AM »
I'm sorry, I spelled it wrong. It's supposed to be trojan.mitglieder.bi

- Can you let me know what this is related to
Video perhaps?
C:\MOONS\MPROTECT\PMMODE.EXE

It's not video. I think it's some kind of network and virus software, it's called Moonscape.

I'll post the Panda report.

Thanks for everything Guestolo!

Here's the find1.bat:

 Volumet i stasjon C er uten navn.
 Volumserienummeret er 3839-B830

 Innhold i C:\WINDOWS\Resources\Themes

06.08.2003  16:45    <DIR>          .
06.08.2003  16:45    <DIR>          ..
18.08.2005  22:34    <DIR>          Luna
16.09.2002  14:00             1 222 Luna.theme
16.09.2002  14:00             3 025 Windows Classic.theme
               2 fil(er)            4 247 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna

18.08.2005  22:34    <DIR>          .
18.08.2005  22:34    <DIR>          ..
06.08.2003  16:44    <DIR>          Shell
               0 fil(er)                0 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell

06.08.2003  16:44    <DIR>          .
06.08.2003  16:44    <DIR>          ..
06.08.2003  16:45    <DIR>          Homestead
06.08.2003  16:46    <DIR>          Metallic
06.08.2003  16:44    <DIR>          NormalColor
               0 fil(er)                0 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

06.08.2003  16:45    <DIR>          .
06.08.2003  16:45    <DIR>          ..
16.09.2002  14:00           362 496 shellstyle.dll
               1 fil(er)          362 496 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

06.08.2003  16:46    <DIR>          .
06.08.2003  16:46    <DIR>          ..
16.09.2002  14:00           362 496 shellstyle.dll
               1 fil(er)          362 496 byte

 Innhold i C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

06.08.2003  16:44    <DIR>          .
06.08.2003  16:44    <DIR>          ..
16.09.2002  14:00           361 472 shellstyle.dll
               1 fil(er)          361 472 byte

     Totalt antall filer:
               5 fil(er)        1 090 711 byte
              17 mappe(r)     669 212 672 byte ledig


Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:18:22, on 26.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124801763317
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124807107984
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
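The HijackThis log above is what a helper reads line by line: which section an entry belongs to (R1, O4, O17, O23, ...), and whether anything in it looks off. As an added example that is not part of this thread and not code from the HijackThis project, the script below parses that log format and runs a few of the checks a helper does by hand: an O17 NameServer that is not on a trusted list, an O23 service whose file is missing, an O4 autostart given as a bare file name (resolved through the search path, so the real location still has to be found), and an R1 proxy auto-config URL. The sample lines are copied from the log posted above; the "trusted DNS" list passed in is a constructed assumption, not something the thread establishes.

```python
import re

# Constructed sample: a few entry lines copied from the HijackThis log posted in this thread,
# plus one non-entry line to show that headers are skipped.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198",
    r'O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)',
    r"O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE",
])

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; process lists and headers are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries, trusted_dns=frozenset()):
    """Apply a handful of manual-review checks and return (section, reason, body) findings.

    trusted_dns: resolver addresses the reviewer has already confirmed (assumed input, see lead-in).
    """
    findings = []
    for section, body in entries:
        if section == "R1" and "AutoConfigURL" in body:
            findings.append((section, "proxy auto-config script is set; confirm the URL belongs to the ISP", body))
        elif section == "O4":
            # The command follows the closing bracket of the value name: "[Name] command args".
            m = re.match(r".*\] (?P<cmd>.*)$", body)
            cmd = m.group("cmd").strip() if m else ""
            if cmd and "\\" not in cmd.split()[0]:
                findings.append((section, "bare file name in autostart; locate the file actually being run", body))
        elif section == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                for server in re.split(r"[ ,]+", m.group(1).strip()):
                    if server and server not in trusted_dns:
                        findings.append((section, f"DNS server {server} is not on the trusted list", body))
        elif section == "O23" and "(file missing)" in body:
            findings.append((section, "service registration points at a missing file; stale or tampered", body))
    return findings


if __name__ == "__main__":
    # Constructed assumption: the reviewer has confirmed 130.67.15.198 as the ISP's resolver.
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG), trusted_dns={"130.67.15.198"}):
        print(f"{section}: {reason}\n    {body}")
```

Run as-is it reports the R1 proxy script, the bare Ati2mdxx.exe autostart and the missing ashWebSv.exe service file; drop the trusted list and the O17 resolver is reported too. The checks are deliberately conservative: they point a reviewer at entries to verify rather than labelling anything malicious.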

askburlefot
War of the Trojans
« Reply #12 on: August 26, 2005, 10:50:47 AM »
Strange....
Just after I finished my latest reply to you I went to Panda's site
to do the online scan. After about 20 seconds the Avast told me that
Panda tried to infect my pc with a worm.

A VIRUS WAS FOUND
http:www.pandasoftware.com/activescan/as5free/motor.cab\...
Malware name: Win32.CTX
Malware type: Virus/ Worm

"Don't worry you haven't been infected yet, just abort your connection
with the site and the malware download will be cancelled."

The same thing happened when I ran AdAware for the first time in a long time, then the Avast told me the pc was infected by the trojan.mitglieder.bi.
Isn't that strange? Doesn't Avast want me to scan with Panda?
It would be strange if Panda tried to infect my pc....
Any thoughts on this subject?
Should I still try to do a Panda scan, and ignore Avast? What do
you think?

Gaute

guestolo
War of the Trojans
« Reply #13 on: August 27, 2005, 06:57:55 PM »
Sorry for the delay Gaute
It's a false positive Avast is giving you
One of the files that Panda installs is legitimate, but a couple of Anti-Virus programs peg it as malicious
Believe me it's ok
Here's the file Panda loads on your computer and a multiple scan of that file
I scanned this from my computer

pskavs.dll
AntiVir                  Found nothing
ArcaVir                  Found nothing
Avast                    Found Win32:CTX
AVG Antivirus            Found nothing
BitDefender              Found nothing
ClamAV                   Found Sirius.Annihilator.272
Dr.Web                   Found nothing
F-Prot Antivirus         Found nothing
Fortinet                 Found nothing
Kaspersky Anti-Virus     Found nothing
NOD32                    Found nothing
Norman Virus Control     Found nothing
UNA                      Found nothing
VBA32                    Found nothing

I suggest that before loading up Panda scan again you temporarily disable Avast until the scan is done
Right click the Avast icon in the system tray beside the clock and then
Stop on access protection

Remember to post the report from Panda's after you have run it



askburlefot
War of the Trojans
« Reply #14 on: September 02, 2005, 02:49:01 PM »
Hi Guestolo!
Sorry for my delay, been away with the school.
I disabled Avast and ran the Panda online scan.
It said my pc had two dialers and one other malware...(?)
Here's the result:


Incident                      Status            Location

Adware:adware/wupd            No disinfected    Windows Registry
Dialer:Dialer.OK              No disinfected    C:\Programfiler\backup-20041015-155745-518.inf
Adware:Adware/WUpd            No disinfected    C:\Programfiler\backup-20041015-155745-670.inf


Are these dialers perhaps some of the reason that the pc is
a little slow?

Regards
Gaute
« Last Edit: September 02, 2005, 02:49:38 PM by Gaute »

guestolo
War of the Trojans
« Reply #15 on: September 02, 2005, 09:16:44 PM »
Can I see a new hijackthis log please
Your last log indicates you didn't install Service Pack 2

Also, you said this
Quote
My computer didn't find the luna.msstyles, before nor after installation
of SP2. Strange.

But you're still running Service Pack 1

Can you make sure you have Windows set to show Hidden files and folders
Double check please

Let me know if you can find
Luna.msstyles

Make sure that before you do a search you also look under the Advanced options and check the top 3 entries which include  "Search within hidden files and folders"
« Last Edit: September 02, 2005, 09:17:36 PM by guestolo »
