Computer Security & Viruses/Peak Protection 2010
Expert: Brian Benosky - 10/7/2010
QUESTION: When I start my PC (Windows XP Pro, version 2002, SP3), a screen with "Peak Protection 2010" appears, wanting me to start it up by selecting the "Safe Startup" button. Instead, I open the Task Manager and End The Process. I don't have an install CD - bought the PC (used) with OS already installed.
It hijacks my Firefox (version 3.6.10) browser (especially when I click on links to whatever URLs) to random sites and also causes lockup upon PC start up (locks on the Welcome screen when starting up the first time). I then have to shut down the PC and start it up again, which is when the Peak Protection 2010 screen appears.
Then Firefox opens ok and instead of clicking links for URLs, I have to enter the URL in the address bar, then it takes me there ok.
I tried the free security scan at symantec.com, but it showed my PC to be "Safe."
Spybot killed some other malware, but didn't find Peak Protection 2010.
Can't run Lavasoft's free Ad-Aware because of Peak Protection, I'm guessing. Locks it up at splash screen.
Tried to run AVG Free Antivirus (didn't have it running when I got this malware), but it pops up a box saying, "The application failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem." I haven't tried reinstalling it yet - guessed it wouldn't work.
I have Google Chrome installed and sitting on my Quick Launch Toolbar. When I attempt to run it, I get a dialogue box (title bar: Google Chrome) with the message "The following pages have become unresponsive. You can wait for the pages to become responsive or kill them" (words very close to that, if not exact). Two buttons at the bottom of the dialogue box are: Kill Pages and Wait.
I also have IE 7.0 installed and when I run it, initially I get "about:blank" in the address bar (remains on that page until I enter a URL into the address bar - takes me there ok, but it's slow loading).
Logfile of HijackThis v1.99.1
Scan saved at 10:45:29 PM, on 10/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MouseAway\MouseAway.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\8200\Desktop\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MouseAway.lnk = C:\Program Files\MouseAway\MouseAway.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
Please recommend programs to avoid malware of all types.
Thx for your help.
ANSWER: Hello
Your copy of HJT is out of date, and you have only included a portion of the log, so I am unable to directly assist you. However, removal instructions for Peak Protection are found here:
http://www.bleepingcomputer.com/virus-removal/remove-peak-protection-2010
In summary, you must first run the rkill.com tool found here:
http://download.bleepingcomputer.com/grinler/rkill.com
Then download and install Malwarebytes Anti-Malware:
http://www.bleepingcomputer.com/download/anti-virus/malwarebytes-anti-malware
Run a full scan, remove the offending files, and Peak Protection should be gone.
Afterwards, if you wish, you can install an updated copy of HijackThis and submit a log for me to review for leftover malware entries. The link is here:
http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi
Good luck!
Brian
---------- FOLLOW-UP ----------
QUESTION: I have already answered this question for you once before.
Your Question was:
Just want to correct a small error. In my question to you, yesterday, I said upon startup, I have to open windows Task Manager (Ctrl+Alt+Delete) and End Process, but that's incorrect. I click on the Applications tab in Task Manager, then choose End Task.
Above, you told me that you had answered this question once before (as if I were asking the same question once again). It wasn't a question, only a comment added to the original question.
ANSWER: I understand it was only an addendum to your original question. I was just trying to keep the question to one thread. AllExperts is not like a forum thread, so keeping to one is a bit more difficult, and the only option I had was to decline your second question as a duplicate. Be assured that I read your comment and took it into consideration when replying to the first thread.
Brian