"Warning! Potential Spyware Operation!..."

[jade14]

A message that says  "Warning!  Potential Spyware Operation!     Your computer is making unauthorized copies of your system and Internet files.  Run full scan now..... etc etc.." pops up about every 5 minutes.  I've done a few virus scans and whatnot but it's still not gone. 

[Broni]

Install HijackThis: http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
and post its log here.

[jade14]

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:26:34 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Computer\My Documents\HiJackThis_v2.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: infos.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: www.youtube.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)

--
End of file - 3078 bytes

[Broni]

I'll take a look...

[Broni]

First of all, I don't see any firewall, nor antivirus listed on your system. This is inexcusable!
If you're running Windows firewall, let me know.
If not...
Please, download, and install immediately, two following items:
- Comodo free firewall: http://www.personalfirewall.comodo.com/
- Avg free antivirus: http://free.grisoft.com/doc/2/
Run full AVG scan, and post new HJT log.

[jade14]

I have Avast Antivirus ?
I downloaded those programs though.

[Broni]

Wait, do nothing!!!

[Broni]

Two important questions, you have to answer BEFORE you do anything.
1. Do you have Windows firewall turned on?
2. Even, if you have Avast!, HJT shows, that it's not turned on.
Please, explain, and do nothing more.

[jade14]

How do I know if it's turned on?  I didn't even know I had Windows Firewall.

[Broni]

To turn your Windows firewall on:
# Click on the Start Menu
# Click on Control Panel
# Click on Security Center
# Click on Windows Firewall toward the bottom the Security Center Window.
# Choosing between the “On” or “Off” will turn enable or disable Windows Firewall.

As for Avast!, you should have it listed under Start>Program Files.
Open Avast!, and see, if it's set to start when Windows start.

[jade14]

Firewall is now on.  For avast it was checked beside "Test memory during application start up".  If that's what you meant?  It's the only thing I could find that had anything to do with it being on when windows start.

[Broni]

Firewall is now on.

Cool, for now...

For avast it was checked beside "Test memory during application start up".  If that's what you meant?

No, that's not enough.
I'm not that familiar with Avast! program, so let's do this.
Hover your mouse over every icon in notification area of your taskbar (next to clock).
If Avast! is not listed there, go Start>Control Panel>Add\Remove. If Avast! is listed there, uninstall it. If not listed, do nothing.
After that, go ahead, and install AVG.
After installing AVG (it may ask you to restart your computer), right click on its icon (4-color square) in your taskbar, click on Check for updates (if it didn't ask you before). Install updates.
Right click on AVG icon, click on Launch AVG Test Center, click on Scan Computer.
Grab a coffee, or watch some TV. It'll take a while.
Report back, when you're done.

[jade14]

K I'm done, and it found a bunch of 'threats'.  I haven't done anything with them yet.  What should I do?  Move to vault? Heal? 

[Broni]

Very good!!!
Try "heal", first. Whatever can't be healed, move to vault.
Meanwhile, I'll be preparing next step for you.
Let me know, when you're done.

[jade14]

All done!
Most of them couldn't be healed so I just moved them to the vault.