"Windows File Protection"

Discussion in 'adware, spyware & hijack cleaning' started by AllstarOSA, Jul 14, 2004.

Thread Status:
Not open for further replies.
  1. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    I have had the following pop-ups show up on my screen, all with the title "WINDOWS FILE PROTECTION", and each time displaying one of 3 messages:

    Windows detects that this computer is infected with a spyware called "SubSearch","MoneyTree","Aornum","Win32/Aspam.Trojan"!

    Windows detects that this computer is infected with a spyware called "AccessPlugin", "IEMonit", Whazit/Rnd", "GoHip"!

    Windows detected that this computer is infected with a spyware called "Wurldmedia", "Gator", "GoHip/Browserenh", "Httper"!

    it gives the option to download software to get rid of the spyware.
    If I hit yes, it takes me to a search page with the inquiry of "spyware" already inputed, so the page is just the results.

    If I hit no, it simply closes. Whatever option I choose, it adds the following "favorites" to IE:

    -Web Hosting
    -VIAGRA
    -Spyware Removal
    -Pop Up Blocker
    -Gift Certificate
    -Easy Search
    -CASINO
    -BEST SEARCH

    Occasionally while online, my page gets redirected to: http://download.spywarespykiller.com/spyware6 rather than to whatever page I was going to.

    I've had this problem for awhile now, ran many spyware/adware programs, including Spybot S&D, Ad-Aware 6.0, and Spy Sweeper and still have it.
    I followed the directions for posting logs, ran Spybot S&D, restarted my computer, and ran "Hijack This". Here's the Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:56:07 PM, on 7/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\System32\WLANSTA.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\EXSHOW95.EXE
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\EXSHOW.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Palm\HOTSYNC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\George Mixco\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Billminder.lnk.disabled
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O4 - Global Startup: Quicken Startup.lnk.disabled
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01e5615875294268c223/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.3490393519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://maxebrdi.fnismls.com/Paragon/Codebase/SystemChecker.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8C51A164-D279-47B2-84DB-7CF9F2924AB8}: Domain = FREMONT.COM
     
  2. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
  3. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
  4. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    an update on this problem,
    Everytime I run Spybot S&D, it finds "DSO EXPLOIT"

    Also, now my page has been directed twice to a site called Casino Palazzo.
    "http://www.casinopalazzo.com/index.php?sourceid=102174" (Dont go there)

    Maybe its all related. I've seen posts regarding Casino Palazzo problems, but when I scan using HijackThis, it doesnt seem to locate anything familiar.
    Maybe some one sees something I dont, or knows something new to try. Please help!
     
  5. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    Restart your computer in safe mode, find and delete this file:

    WINDOWS\System32\winnet.dll<

    Re-run hijackthis and fix checked:

    O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll (it might say 'no file, file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    To quickly check whether you have another problem (although I don't think so..)
    Download and unzip:
    >>AppRead.zip-AppInit_Viewer made by IMM<<
    From here:
    http://freeatlast100.100free.com/
    Double Click on "regread" file, copy and post the
    contents of "regread.log" file created in the folder, along with fresh hijackthis log.

    ***Edit:
    In addition, (Courtesy of My good bud Expert Bulldog)
    Search for this file:
    -taskmgn.exe in \Windows\System32 folder (Don't confuse with
    taskmgr.exe! ) And delete the taskmgn if found, as it was
    confirmed to be the probable cause.
     
    Last edited: Jul 17, 2004
  6. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    Alright, Heres what happened:
    I could not find the winnet.dll file. There was a wininet.dll file, I dont know if its the same or not, but it could not be deleted (in use or something) even in safemode.

    When I ran HijackThis I found the first "o2" file but couldnt find:
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    it didnt show up on the scan.
    Here's the contents of the REGREAD.LOG file:

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : ""
    0000 00 00 | ..

    And here's the HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:51:28 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\System32\WLANSTA.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\EXSHOW95.EXE
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\EXSHOW.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\George Mixco\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Billminder.lnk.disabled
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O4 - Global Startup: Quicken Startup.lnk.disabled
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01e5615875294268c223/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.3490393519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://maxebrdi.fnismls.com/Paragon/Codebase/SystemChecker.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8C51A164-D279-47B2-84DB-7CF9F2924AB8}: Domain = FREMONT.COM
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE3F0DD-BE56-4202-A967-969A5E87D6E0}: NameServer = 205.188.146.146

    Here's another kicker,
    A program "encountered an error" while the computer was booting up.
    The error window described it as avifil32.exe and it had the same icon as the X that was placed on the desktop by Casino Palazzo.
    I did a search on the program, and found other files that seem to be related to it:
    C:\WINDOWS\system32
    avifil32.exe
    avifil32.dll
    avifile.dll
    avicap32.dll
    avicap32.dll

    C:\i386
    AVICAP.DL_
    AVICAP32.DL_
    AVIFIL32.DL_
    AVIFILE.DL_

    C:\WINDOWS\Prefetch
    AVIFIL32.EXE-06DE7B7E

    I deleted them, deleted the X icon on the desktop. On a restart it tried to place the X on the desktop again, but there was no icon for it, so it placed a generic icon instead. I deleted that icon, and it hasnt come back, yet (usually takes awhile for it to come back, we'll see.)
    Anyway, theres the info.
     
  7. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    Sorry, this is the HijackThis Log, the one posted before was before fixing the problem, although, maybe you can see the other item I couldnt find.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:11:12 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\System32\WLANSTA.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\EXSHOW95.EXE
    C:\WINDOWS\System32\ICO.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\EXSHOW.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\Documents and Settings\George Mixco\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Billminder.lnk.disabled
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O4 - Global Startup: Quicken Startup.lnk.disabled
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01e5615875294268c223/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.3490393519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://maxebrdi.fnismls.com/Paragon/Codebase/SystemChecker.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8C51A164-D279-47B2-84DB-7CF9F2924AB8}: Domain = FREMONT.COM
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE3F0DD-BE56-4202-A967-969A5E87D6E0}: NameServer = 205.188.146.146

    Thanks by the way. :D
     
  8. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    Well, that's a bit unfortunate.
    I specified the file(s) to look for and delete.
    Anything else you did on your own is... :doubt:
    http://www.liutilities.com/products/wintaskspro/dlllibrary/avicap32/

    And it's unlikely for pests to reside in the \i386 folder...
    Hopefully you will be able to restore the damage..
    Good luck! :ninja:
     
  9. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    The files were easily restored. I only placed them in the recycle bin.
    So far though, the problem hasnt come up. Thanks again for the help.
     
  10. AllstarOSA

    AllstarOSA Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    Take a look at this though,
    [​IMG]
    the file avifil32.exe has the same icon Casino Palazzo placed on my desktop...
    perhaps keep that file deleted?
     

    Attached Files:

Thread Status:
Not open for further replies.