please help if you can

Discussion in 'Malware Help (A Specialist Will Reply)' started by angela5674, Dec 23, 2006.

  1. angela5674

    angela5674 Private E-2

    I have run all of the tests and scans in your "read first" section, and still seem to be having some problems. I'm attaching all of the logs that you request be attached. Thanks!
     
  2. angela5674

    angela5674 Private E-2

    the rest of the logs....
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run CounterSpy again and this time have it Remove the below. Last time you ignored them:

    NetPumper Adware Bundler more information...
    Details: Bundles with a number of adware components.
    Status: Ignored

    AzeSearch.MWSearch Browser Plug-in more information...
    Details: AzeSearch.MWSearch adds a search toolbar to Internet Explorer and hijacks the default search page.
    Status: Ignored

    Backdoor.Ciadoor Backdoor more information...
    Status: Ignored

    Trojan-Dropper Trojan Downloader more information...
    Status: Ignored

    Attach a new log from CounterSpy after doing this.


    Now Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\System32\svchost.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [Planpeaksoapinter] C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak\Build program.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [itchchic] C:\DOCUME~1\HP_Owner\APPLIC~1\BODYAT~1\soapmp3.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\HP_Owner\Desktop\Bit Torrents Folder\Norton 2007 keygen.exe
    C:\Documents and Settings\HP_Owner\Application Data\BODYAT~1\soapmp3.exe
    C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak\Build program.exe
    C:\WINDOWS\system32\scvhost.exe
    C:\WINDOWS\themeupd.exe
    C:\WINDOWS\themeui.exe
    C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
    c:\windows\system32\azebar.xml
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 24, 2006
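The O4 lines above are the kind of thing a helper reads by eye: a value name that means nothing, a path under Application Data, an 8.3 short name like BODYAT~1 that hides the real folder. As an added example (editor's code, not from the thread and not part of HijackThis), here is a small parser for the O4 format that applies those same heuristics to the lines quoted in message #3. The sample lines are constructed from that message; the heuristics and their wording are my own assumptions. An entry that trips none of them is not thereby clean, since the thread also removes realsched.exe and qttask.exe as unneeded rather than malicious.

```python
import re

# Constructed sample input: the O4 (autostart) lines quoted in message #3 of this
# thread, as HijackThis prints them. Nothing here is read from a live system.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Planpeaksoapinter] C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak\Build program.exe',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [itchchic] C:\DOCUME~1\HP_Owner\APPLIC~1\BODYAT~1\soapmp3.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]

# Shape of an O4 line:  O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def split_command(cmd):
    """Separate the executable path from its arguments.

    A quoted command ends at the closing quote. An unquoted one may still
    contain spaces (the 'Build program.exe' entry does), so it is taken up to
    the first '.exe'. Returns (path, args, was_quoted).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = re.match(r'(?i)(.*?\.exe)', cmd)
    if m:
        return m.group(1), cmd[m.end():].strip(), False
    head, _, tail = cmd.partition(' ')
    return head, tail, False


def parse_o4(line):
    """Return a dict for an O4 Run line, or None for any other HJT line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args, quoted = split_command(m.group('cmd'))
    return {'hive': m.group('hive'), 'name': m.group('name'),
            'path': path, 'args': args, 'quoted': quoted}


def suspicion_reasons(entry):
    """Heuristics (assumptions of this example) for an autostart entry that
    deserves a closer look. Each one matches a pattern seen in this thread;
    none of them is proof of malware on its own."""
    reasons = []
    low = entry['path'].lower()
    if '~' in low:
        reasons.append('8.3 short name (~1) hides the real folder name')
    if 'application data' in low or '\\applic~1\\' in low:
        reasons.append('launched from a profile data folder rather than Program Files or Windows')
    if ' ' in entry['path'] and not entry['quoted']:
        reasons.append('unquoted path containing spaces')
    return reasons


def triage(lines):
    """Parse every O4 line and return only the entries that trip a heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            entry['reasons'] = reasons
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for entry in triage(SAMPLE_O4_LINES):
        print(entry['hive'], entry['name'], entry['path'])
        for reason in entry['reasons']:
            print('   -', reason)
```

Run against the five sample lines it reports only Planpeaksoapinter and itchchic, the two entries the helper later identifies as the LOP infection, and passes the Real, QuickTime and Messenger entries through as ordinary startup clutter.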
  4. angela5674

    angela5674 Private E-2

    CounterSpy would not let me delete those files. It doesn't go to any screen that allows them to be deleted. Also, Hijack this could not kill those processes either. I followed all the other directions. Here are the logs that you requested.
     
  5. angela5674

    angela5674 Private E-2

    Things are still running somewhat slow. Task manager is using full CPU's
    Zlclient.exe 08
    taskmgr.exe 17
    explorer.exe 33
    iexplorer.exe 17
    lsass.exe 08
    csrss.exe 17
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That should not be. See messages # 6 and number 8 on the below thread where I posted some screen shots of what you should be seeing.

    http://forums.majorgeeks.com/showthread.php?t=111581

    That was a typo on my part. It was supposed to say

    C:\WINDOWS\system32\scvhost.exe

    Notice the scv rather than svc!

    Sorry about that. The file was deleted anyway by Killbox as we wanted. Now we need to remove the hidden service that showed up from it.

    But first, let's uninstall CounterSpy since we don't need it anymore and it is only a trial. Uninstall it now before continuing!

    You have been using MSconfig to disable startups and you are blocking us from seeing certain malware and removing it. Run MSconfig and select Normal Startup. Then reboot!


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows Firewall/Internet Connection Sharing (ICS)
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SharedAccess into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab


    After clicking Fix, exit HJT.


    Now reboot in normal mode

    After reboot attach a new HJT log and tell me how things are running now.
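The scv/svc mix-up in the post above is the whole point of that file name: a binary called scvhost.exe in System32 reads as the real svchost.exe to a tired eye scanning a process list, and the same trick works with a genuine system name dropped in the wrong folder (svchost.exe in C:\WINDOWS instead of C:\WINDOWS\system32). As an added example (editor's code, not from the thread or from any tool named in it), here is a checker for both cases. It uses optimal string alignment distance so that a single swap of adjacent letters counts as one edit. The expected-directory table is an assumption for a default Windows XP install with C:\WINDOWS as the system root, as the paths in this thread suggest; the threshold of one edit is deliberately tight, so names like svchost32.exe are reported as unknown rather than as lookalikes.

```python
import ntpath

# Assumption: default Windows XP layout with the system root at C:\WINDOWS.
# Keys are lower-case file names; values are the only folder the real binary
# should be running from.
KNOWN_SYSTEM_BINARIES = {
    'svchost.exe': r'c:\windows\system32',
    'lsass.exe': r'c:\windows\system32',
    'csrss.exe': r'c:\windows\system32',
    'services.exe': r'c:\windows\system32',
    'winlogon.exe': r'c:\windows\system32',
    'explorer.exe': r'c:\windows',
}

# Constructed sample: the scvhost.exe path from this thread plus three
# invented paths for contrast (one correct, one wrong folder, one unrelated).
SAMPLE_PATHS = [
    r'C:\WINDOWS\system32\scvhost.exe',
    r'C:\WINDOWS\system32\svchost.exe',
    r'C:\WINDOWS\svchost.exe',
    r'C:\Program Files\Messenger\msmsgs.exe',
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete and substitute cost 1,
    and swapping two adjacent characters (scv -> svc) also costs 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[la][lb]


def classify(path, known=KNOWN_SYSTEM_BINARIES, max_distance=1):
    """Return (verdict, detail) for a full Windows path.

    verdict is one of 'expected', 'wrong-directory', 'lookalike', 'unknown'.
    ntpath is used so backslash paths parse correctly on any host OS.
    """
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in known:
        if folder == known[name]:
            return 'expected', name
        return 'wrong-directory', f'{name} belongs in {known[name]}, found in {folder}'
    for real in known:
        dist = osa_distance(name, real)
        if dist <= max_distance:
            return 'lookalike', f'{name} is {dist} edit(s) away from {real}'
    return 'unknown', name


def scan(paths):
    """Classify every path; returns {path: (verdict, detail)}."""
    return {p: classify(p) for p in paths}


if __name__ == '__main__':
    for path, (verdict, detail) in scan(SAMPLE_PATHS).items():
        print(f'{verdict:15} {path}  ({detail})')
```

Unknown names are not a verdict of safety; they only mean the name is not close to anything in the table, which is why the earlier O4 heuristics (where the file runs from) still matter for entries like soapmp3.exe.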
     
  7. angela5674

    angela5674 Private E-2

    Here is the latest hijack this file. Task manager still seems to be running high
    explorer.exe 50
    iexplore.exe 07
    taskmgr.exe 47

    Sounds like it's still idling pretty high.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My previous directions said
    You did not follow this direction!!! Please do this now!!!! Then move on to the below steps to remove some services that are running due to previously having Symantec installed. They do a very bad job of uninstalling.

    You also have a lot of other non-malware junk running that is not really needed. I'm going to ignore most of these right now since they are not malware but you should start taking a hard look at things you are loading at startup.

    Also the LOP infection I had you cleanup in message # 3 came back.

    Complete the steps below in the order given.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger.

    • Click on Start, then Run ... type Symantec Core LC into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft ASPI Manager
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Service (if you do not find it or get any errors, just continue):
      • Automatic LiveUpdate Scheduler
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below Service (if you do not find it or get any errors, just continue):
      • Automatic LiveUpdate Scheduler
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [itchchic] C:\DOCUME~1\HP_Owner\APPLIC~1\BODYAT~1\soapmp3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Symantec <--- the whole folder
    C:\WINDOWS\C:\Program Files\Common Files\Symantec Shared <--- the whole folder
    C:\Documents and Settings\HP_Owner\Application Data\BODYAT~1\soapmp3.exe <--- the whole folder. You need to figure out what BODYAT~1 expands into. This is an abbreviated name.
    Now run Ccleaner .

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. Please download the new version (just posted) of ShowNew and get a new log from it.
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 26, 2006
  9. angela5674

    angela5674 Private E-2

    I'm not sure why CounterSpy was still showing. I did uninstall it in the last directions. I did a search and the only thing that was still on there was the setup program and a log previously done, along with something in prefetch. I deleted the setup program and log. The following files were not found when I searched for them:
    C:\Program Files\Symantec
    C:\Documents and Settings\HP_Owner\Application Data\BODYAT~1\soapmp3.exe. (I'm guessing this one deleted when I ran the fix in HJT).
    I did delete the other (C:\Program Files\Common Files\Symantec Shared).

    The computer doesn't seem to be idling as bad, but CPU is still at 100%

    What programs can I take off of the startup load?

    By the way, I really appreciate this help! Happy holidays!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not True! It is still there and it is also in another location. I did tell you that you would have to determine the full name since it is abbreviated. The full name is "Body atom kind".

    I will give you more to fix below and the above will be included.


    What process or processes are using all of your CPU time? Does it do the same thing in safe mode?

    Be careful asking "What programs can I take off of the startup load"! What I need and what you may need are two different things. I would be telling you to remove a whole bunch of things that you may want including PeerGuardian, AIM, Easyshare, and some others. But you may like to load these at startup and always have them running. I am going to include a couple items below to have HJT fix so that they do not run at startup.


    Do you know what the below folder from Dec 15th is? What is in this folder?
    C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\HP_Owner\Application Data\Body atom kind <--- the whole folder
    C:\Documents and Settings\HP_Owner\Application Data\NetPumper <--- the whole folder
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sunbelt Software <--- the whole folder
    C:\Program Files\Body atom kind <--- the whole folder
    C:\Program Files\NetPumper <--- the whole folder
    C:\Program Files\Sunbelt Software <--- the whole folder
    C:\WINDOWS\C:\Program Files\Common Files\Symantec Shared <--- the whole folder
    C:\Program Files\Norton SystemWorks <--- the whole folder
    C:\WINDOWS\system32\ckl009.dat <--- the file

    Now run Ccleaner!

    Now reboot into normal mode!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    How are things running now?

    If you still see high CPU usage, tell me which applications are using larger amounts and also make sure you check what happens in safe boot mode.
     
  11. angela5674

    angela5674 Private E-2

    explorer.exe seems to be eating up the most CPU at 42%. This is the same in safe mode also. Not all the processes boot up in safe mode, so this makes it run a bit better, but explorer.exe seems to be the same either way. the rest of the processes using CPU's are using small amounts each. Attached are the new logs. Also, I have no idea what C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak is. It doesn't look familiar. I googled the file name to see if I could come up w/ something, but had no luck.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any malware in your logs. It could be related to things you are loading, but let's first check for rootkits so we can rule them out.

    Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.


    Delete the whole folder!
     
  13. angela5674

    angela5674 Private E-2

    I deleted that file (C:\Documents and Settings\All Users\Application Data\deleteamokplanpeak). Also, I ran Blacklight Beta and nothing was found. The log is attached
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I expected would be found by Blacklight.

    Try right clicking on your ZoneAlarm icon in the tray and select Shutdown.

    Does shutting it down have any impact on your CPU usage numbers?

    If not, try shutting down TrojanGuard (THGuard.exe) any change?

    If not, try shutting down the below junk:
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

    Any change? If not, I would then suggest you use msconfig for the reason it was designed and that is temporary debugging. Basically you can run MSconfig and on the Startup tab disable all unnecessary processes from loading and if that seems to help, slowly add them back in to see which one may be causing a problem. You can also use MSconfig to do a similar test on the Services tab. (NOTE: while doing these tests, especially the services, you could lose internet access until various items are re-enabled - like the service for your wireless card for one example. This is not a problem since you can easily re-run MSconfig and turn them back on. You are just trying to isolate where the problem could be coming from.)
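The MSConfig procedure in the post above is a search: disable everything, confirm the symptom goes away, then re-enable items until it comes back. Adding them back one at a time costs one reboot per item; halving the enabled set each time costs about log2(n) reboots, and the two sanity checks the helper keeps asking for (does it reproduce with everything on, does it still happen with everything off, i.e. in safe mode) belong at the front. As an added example (editor's code, not from the thread), the function below runs that bisection over a list of startup items, with a caller-supplied "reboot and look at Task Manager" oracle standing in for the manual step. The item names are taken from this thread, but which item, if any, was actually responsible for the high CPU is not known from the page; the oracle in the usage line picks one arbitrarily for the demonstration.

```python
# Constructed list of startup items named in this thread. The ordering is
# arbitrary and nothing here implies that any of them caused the problem.
STARTUP_ITEMS = [
    'zlclient.exe',    # ZoneAlarm
    'THGuard.exe',     # TrojanHunter guard
    'tgcmd.exe',       # Support.com
    'realsched.exe',   # Real update scheduler
    'jusched.exe',     # Java update scheduler
    'qttask.exe',      # QuickTime
    'msmsgs.exe',      # Windows Messenger
    'reader_sl.exe',   # Adobe Reader speed launch
]


def isolate_culprit(items, still_slow):
    """Bisect a list of startup items to find one that makes still_slow() true.

    still_slow(enabled) is the manual step: leave exactly `enabled` ticked in
    MSConfig, reboot, and report whether the symptom is present. It is called
    with a frozenset so the oracle cannot mutate the candidate list.

    Returns (status, culprit, trials) where status is:
      'found'               - culprit is an item whose presence reproduces it
      'not-reproducible'    - everything on and the symptom is absent
      'not-a-startup-item'  - everything off (safe-mode equivalent) and it persists
    """
    trials = 0

    def probe(enabled):
        nonlocal trials
        trials += 1
        return bool(still_slow(frozenset(enabled)))

    if not probe(items):
        return 'not-reproducible', None, trials
    if probe([]):
        return 'not-a-startup-item', None, trials

    candidates = list(items)
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first_half = candidates[:mid]
        # Enable only the first half; if the symptom is back, the culprit is in it.
        if probe(first_half):
            candidates = first_half
        else:
            candidates = candidates[mid:]
    return 'found', candidates[0], trials


if __name__ == '__main__':
    # Stand-in oracle for the demo: pretend tgcmd.exe is the offender.
    status, who, n = isolate_culprit(STARTUP_ITEMS, lambda on: 'tgcmd.exe' in on)
    print(status, who, 'after', n, 'reboots')
```

With eight items the search costs five reboots (two sanity checks plus three halvings) instead of up to nine. If more than one item contributes, the bisection still returns one of them; remove it and run the search again on the rest. If the "everything off" probe still reports the symptom, the problem is not in the startup list, which is the same conclusion the thread draws from explorer.exe staying busy in safe mode.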
     
