msiexec and svchost


  • This topic is locked
20 replies to this topic

#1 lenioffe

lenioffe

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 30 September 2011 - 02:39 PM

My IE and the whole computer are very slow, with msiexec and svchost taking a lot of CPU, although the usage fluctuates every second with the total CPU usage going from 0 to 100. I may have had one of the installs crash a few weeks ago, and msiexec is now activated at every reboot, although I might be totally wrong with this assumption.
How do I fix the problem?

On possibly a related note every time I close a tab on IE all other tabs crash and need to recover which they do.

Thank you in advance!

Edited by Orange Blossom, 01 October 2011 - 01:08 AM.
Moved to AII from log forum. ~ OB




#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:04:12 PM

Posted 01 October 2011 - 08:03 AM

Hi lenioffe,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Step 1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go. Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

Step 2: Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Step 3: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Step 4: Let's try repairing corrupt operating system files.
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html


In your next reply, please include:
MiniToolBox log
Malwarebytes log
GMER log
How's your computer running now?

Edited by jntkwx, 01 October 2011 - 08:04 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 lenioffe

lenioffe

Posted 01 October 2011 - 10:43 AM

Jason,

Thank you very much for getting back to me. I greatly appreciate it. Here's the log from MiniToolBox:


MiniToolBox by Farbar 
Ran by Leon (administrator) on 01-10-2011 at 11:33:03
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
ProxyServer: http=127.0.0.1:23012
========================= Hosts content: =================================


127.0.0.1       localhost

========================= IP Configuration: ================================

# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

 


Windows IP Configuration

 

        Host Name . . . . . . . . . . . . : LEON_MAIN

        Primary Dns Suffix  . . . . . . . : 

        Node Type . . . . . . . . . . . . : Mixed

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

 

Ethernet adapter Local Area Connection:

 

        Connection-specific DNS Suffix  . : 

        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

        Physical Address. . . . . . . . . : 00-11-11-1E-D6-F0

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.1.105

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

        DHCP Server . . . . . . . . . . . : 192.168.1.1

        DNS Servers . . . . . . . . . . . : 167.206.251.129

                                            167.206.251.130

        Lease Obtained. . . . . . . . . . : Saturday, October 01, 2011 11:16:39 AM

        Lease Expires . . . . . . . . . . : Sunday, October 02, 2011 11:16:39 AM

Server:  vdns1.srv.whplny.cv.net
Address:  167.206.251.129

Name:    google.com
Addresses:  74.125.226.115, 74.125.226.114, 74.125.226.113, 74.125.226.112
   74.125.226.116

 

Pinging google.com [74.125.226.115] with 32 bytes of data:

 

Reply from 74.125.226.115: bytes=32 time=19ms TTL=55

Reply from 74.125.226.115: bytes=32 time=11ms TTL=55

 

Ping statistics for 74.125.226.115:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 11ms, Maximum = 19ms, Average = 15ms

Server:  vdns1.srv.whplny.cv.net
Address:  167.206.251.129

Name:    yahoo.com
Addresses:  98.139.180.149, 209.191.122.70, 67.195.160.76, 72.30.2.43
   98.137.149.56

 

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

 

Reply from 67.195.160.76: bytes=32 time=18ms TTL=53

Reply from 67.195.160.76: bytes=32 time=86ms TTL=53

 

Ping statistics for 67.195.160.76:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 18ms, Maximum = 86ms, Average = 52ms

 

Pinging 127.0.0.1 with 32 bytes of data:

 

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 11 1e d6 f0 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.105   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      169.254.0.0      255.255.0.0    192.168.1.105   192.168.1.105   20
      192.168.1.0    255.255.255.0    192.168.1.105   192.168.1.105   20
    192.168.1.105  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.1.255  255.255.255.255    192.168.1.105   192.168.1.105   20
        224.0.0.0        240.0.0.0    192.168.1.105   192.168.1.105   20
  255.255.255.255  255.255.255.255    192.168.1.105   192.168.1.105   1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/01/2011 11:29:35 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x09c939a8.
Processing media-specific event for [iexplore.exe!ws!]

Error: (10/01/2011 11:27:30 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2203. The arguments are: C:\WINDOWS\Installer\382a1.ipi, -2147287035,

Error: (10/01/2011 11:20:07 AM) (Source: Application Error) (User: )
Description: Faulting application devdetect.exe, version 3.1.45.1, faulting module mfc71.dll, version 7.10.3077.0, fault address 0x00010e8d.
Processing media-specific event for [devdetect.exe!ws!]

Error: (10/01/2011 11:14:38 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:36 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:34 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:31 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:29 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:27 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (10/01/2011 11:14:08 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.


System errors:
=============
Error: (10/01/2011 11:18:39 AM) (Source: DCOM) (User: Leon)
Description: DCOM got error "%%1053" attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (10/01/2011 11:18:28 AM) (Source: Service Control Manager) (User: )
Description: The iPod Service service failed to start due to the following error: 
%%1053

Error: (10/01/2011 11:18:28 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the iPod Service service to connect.

Error: (10/01/2011 11:17:55 AM) (Source: Service Control Manager) (User: )
Description: The System Restore Service service terminated with the following error: 
%%2

Error: (10/01/2011 11:16:55 AM) (Source: SRService) (User: )
Description: The System Restore initialization process failed.


Microsoft Office Sessions:
=========================
Error: (10/01/2011 11:29:35 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702unknown0.0.0.009c939a8

Error: (10/01/2011 11:27:30 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2203. The arguments are: C:\WINDOWS\Installer\382a1.ipi, -2147287035, (NULL)(NULL)(NULL)

Error: (10/01/2011 11:20:07 AM) (Source: Application Error)(User: )
Description: devdetect.exe3.1.45.1mfc71.dll7.10.3077.000010e8d

Error: (10/01/2011 11:14:38 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:36 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:34 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:31 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:29 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:27 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)

Error: (10/01/2011 11:14:08 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: ProductContext -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.(NULL)(NULL)(NULL)


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 3.1.1)
8500A909_eDocs (Version: 1.00.0000)
8500A909_Help (Version: 1.00.0000)
8500A909g (Version: 50.0.165.000)
ACDSee for PENTAX 3.0 (Version: 9.0.34)
Adaptec UDF Reader
Adobe Acrobat 4.0 (Version: 4.0)
Adobe Bridge 1.0 (Version: 001.000.004)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.14)
Adobe Help Center 1.0 (Version: 001.000.000)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Reader 8.2.6 (Version: 8.2.6)
AIM Toolbar 5.0 (Version: 5.7.3.2)
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Application Support (Version: 1.5.1)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.1.116)
Avira AntiVir Premium (Version: 10.2.0.731)
Backyard Hockey (Version: 1.00.0000)
Banctec Service Agreement (Version: 1.00.00)
Banctec Service Agreement (Version: 1.00.0005)
Bonjour (Version: 2.0.5.0)
BPD_DSWizards (Version: 1.00.0000)
bpd_scan (Version: 3.00.0000)
BPDSoftware (Version: 50.0.165.000)
BPDSoftware_Ini (Version: 1.00.0000)
BufferChm (Version: 120.0.194.000)
Canon Camera Access Library (Version: 8.4.0.1)
Canon Digital Camera Solution Disk 40-46 Software Starter Guide (Version: 1.1.0.1)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.7.0.4)
Canon Internet Library for ZoomBrowser EX (Version: 1.6.3.9)
Canon MOV Decoder (Version: 1.3.0.14)
Canon MOV Encoder (Version: 1.1.0.18)
Canon MovieEdit Task for ZoomBrowser EX (Version: 3.1.0.27)
Canon Personal Printing Guide (Version: 1.0.0.1)
Canon PhotoRecord (Version: 02.00.00029)
Canon RAW Image Task for ZoomBrowser EX (Version: 0.9.0)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.0.1)
Canon Utilities CameraWindow (Version: 7.2.0.2)
Canon Utilities CameraWindow DC (Version: 7.4.0.9)
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX (Version: 6.5.0.3)
Canon Utilities MyCamera (Version: 7.2.0.4)
Canon Utilities MyCamera DC (Version: 7.2.0.5)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Canon Utilities RemoteCapture Task for ZoomBrowser EX (Version: 1.8.0.1)
Canon Utilities ZoomBrowser EX (Version: 6.3.0.7)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.2.2.11)
Chinese Traditional Fonts Support For Adobe Reader 8 (Version: 8.0.0)
Citrix Presentation Server Client - Web Only (Version: 10.200.1122)
Citrix Web Client
Compact Wireless-G USB Adapter
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Copy (Version: 45.4.157.000)
CP_AtenaShokunin1Config (Version: 45.4.131.000)
cp_dwShrek2Albums1 (Version: 45.4.157.000)
cp_dwShrek2Cards1 (Version: 45.4.157.000)
CreativeProjects (Version: 45.4.157.000)
CreativeProjectsTemplates (Version: 45.4.157.000)
CueTour (Version: 45.4.157.000)
DeductionPro 2007 (Version: 14.19)
DeductionPro 2008 (Version: 16.04)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide (Version: 1.00.0001)
Dell Solution Center (Version: 1.00.0000)
Dell Support Center (Support Software) (Version: 2.2.09085)
DellSupport (Version: 6.0.3062)
Destination Component (Version: 110.0.0.0)
DeviceDiscovery (Version: 120.0.194.000)
DocMgr (Version: 120.0.000.000)
DocProc (Version: 12.0.0.0)
DocumentViewer (Version: 45.4.157.000)
EarthLink Setup Files (Version: 2003.3.84.0)
Easy CD Creator 5 Basic (Version: 5.1.0.98)
Garmin Communicator Plugin (Version: 2.6.4)
Garmin USB Drivers (Version: 1.0.0.0)
Get High Speed Internet! (Version: 1.00.0000)
Google Earth (Version: 6.0.3.2197)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.69)
GPBaseService2 (Version: 130.0.371.000)
H&R Block Colorado 2010 (Version: 1.10.2901)
H&R Block New York 2009 (Version: 1.09.4801)
H&R Block New York 2010 (Version: 1.10.4901)
H&R Block Premium + Efile + State 2009 (Version: 09.06.6901)
H&R Block Premium + Efile + State 2010 (Version: 10.06.6402)
Help and Support Customization (Version: 1.00.0000)
HP Document Manager 2.0 (Version: 2.0)
HP Extended Capabilities 4.7 (Version: 4.7)
HP Image Zone 4.7 (Version: 4.7)
HP Imaging Device Functions 12.0 (Version: 12.0)
HP Photo Printing Software
HP Share-to-Web
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 5.002.006.003)
HPProductAssistant (Version: 130.0.371.000)
HPSSupply (Version: 120.0.194.000)
HPSystemDiagnostics (Version: 1.6.0.0)
InstantShare (Version: 45.4.157.000)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver (Version: 6.14.10.4396)
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet (Version: 6.05.2001)
Internet Explorer Default Page (Version: 1.00.03)
iPhone Configuration Utility (Version: 2.1.0.163)
ItsDeductible7
iTunes (Version: 10.2.2.14)
J2SE Runtime Environment 5.0 Update 10 (Version: 1.5.0.100)
Jasc Paint Shop Photo Album (Version: 4.0.3)
Jasc Paint Shop Pro 8 Dell Edition (Version: 8.10.0000)
Java 2 Runtime Environment, SE v1.4.2_03 (Version: 1.4.2_03)
Java Auto Updater (Version: 2.0.2.4)
Java(TM) 6 Update 23 (Version: 6.0.230)
Java(TM) 6 Update 3 (Version: 1.6.0.30)
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
LEGO Chess
LiveReg (Symantec Corporation) (Version: 2.2.5.1678)
LiveUpdate 2.5 (Symantec Corporation) (Version: 2.5.55.0)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MarketResearch (Version: 45.4.158.000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Encarta Encyclopedia Standard 2004 (Version: 2004)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004 (Version: 12.0.50)
Microsoft Money 2004 System Pack (Version: 12.0.80)
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MobileMe Control Panel (Version: 3.1.6.0)
Modem Event Monitor
Modem Helper (Version: 2.25)
Modem On Hold (Version: 1.12)
MPM (Version: 1.00.0000)
MSVCSetup (Version: 1.00.0000)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Network (Version: 120.0.194.000)
OCR Software by I.R.I.S. 12.0 (Version: 12.0)
Officejet Pro 8500 A909 Series (Version: 12.0)
PanoStandAlone (Version: 45.4.157.000)
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoGallery (Version: 45.4.157.000)
Pop-Up Stopper Free Edition (Version: 3.1)
PowerDVD 5.1
ProductContext (Version: 50.0.165.000)
QFolder (Version: 1.00.0000)
QuickTime (Version: 7.69.80.9)
RAW Image Task (Version: 0.9.0)
RealPlayer Basic
RemoteCapture Task 1.0.1 (Version: 1.0.1)
RescuePRO  (Version: 3.3)
Safari (Version: 5.33.21.1)
Scan (Version: 12.0.0.0)
ScannerCopy (Version: 4.5.0.0)
SetupPPUpdater (Version: 4.3)
Shop for HP Supplies (Version: 12)
SkinsHP1 (Version: 45.4.157.000)
Smart PDF Converter 4.2 (Version: 4.2)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 130.0.373.000)
Sonic DLA (Version: 4.90)
Sonic RecordNow! (Version: 7.10)
Sonic Update Manager (Version: 2.9)
Sound Blaster Live!
Spybot - Search & Destroy 1.3 (Version: 1.3)
Status (Version: 120.0.194.000)
SUPERAntiSpyware Free Edition (Version: 4.24.0.1004)
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut New York 2007 (Version: 1.07.5501)
TaxCut New York 2008 (Version: 1.08.4701)
TaxCut Premium + State + Efile 2008 (Version: 08.07.7101)
TaxCut Premium + State 2007 (Version: 07.04.0000)
TaxCut Premium 2006
Toolbox (Version: 120.0.194.000)
TrayApp (Version: 120.0.194.000)
U3Launcher (Version: 1.0.0)
Uninstall Startup Inspector
Unload (Version: 4.5.0)
UnloadSupport (Version: 11.0.0)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
ViewSonic Monitor Drivers
WebEx
WebFldrs XP (Version: 9.50.6513)
WebReg (Version: 120.0.194.000)
WinBoard
Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0) (Version: 03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage v1.3.0254.0 (Version: 1.3.0254.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows XP Service Pack 3 (Version: 20080414.031525)
WordPerfect Office 12 (Version: 12.0.0.238)
Yahoo! Toolbar

========================= Memory info: ===================================

Percentage of memory in use: 87%
Total physical RAM: 509.98 MB
Available physical RAM: 63.75 MB
Total Pagefile: 1242.39 MB
Available Pagefile: 650.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.99 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:145.51 GB) (Free:43.79 GB) NTFS
5 Drive g: (WD Passport) (Fixed) (Total:111.76 GB) (Free:52.3 GB) FAT32

========================= Users: ========================================

User accounts for \\LEON_MAIN

Administrator            ASPNET                   Guest                    
HelpAssistant            Leon                     SUPPORT_388945a0         
SUPPORT_3f151ab9         


**** End of log ****


Should I wait for you to review it before moving to step 2?
Also, I already have MalwareBytes Anti-Malware, downloaded a few months ago. Should I just run it and update or download a new version?

Thank you again and I'll wait for your reply before taking any other steps.



#4 jntkwx

jntkwx


Posted 01 October 2011 - 03:31 PM

Hi lenioffe,

Go ahead and update Malwarebytes. There will be a program update as well as a definition update. You'll probably be prompted to restart your computer. Please do so. After making sure you have the latest updates, run a Full System Scan. Then post the log file.
Regards,
Jason

 



#5 lenioffe

lenioffe

Posted 01 October 2011 - 09:48 PM

Jason,

thank you very much again.
Sorry for not introducing myself. My name is Len.

Here is the log from MBAM.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7843

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/1/2011 10:28:55 PM
mbam-log-2011-10-01 (22-28-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 385049
Time elapsed: 5 hour(s), 24 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\ere94fe5o32 (Trojan.FakeAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Should I use GMER now or would you take a look at these two logs?
Thank you.



#6 jntkwx

Posted 02 October 2011 - 05:12 PM

Hi lenioffe,

Go ahead and post the GMER log.
Regards,
Jason

 



#7 lenioffe

Posted 02 October 2011 - 05:29 PM

Jason,

I tried to run GMER three times. It froze twice after running for a few hours and then ended on a "delayed write failed". When I tried to save the log after that it froze again and I had to re-boot. Is there anything you can see from MBAM log? If not what would you suggest, trying to rerun GMER again? Is GMER previous run log saved anywhere?

The CPU usage still jumps from 50% to 100% every second on the Task Manager performance screen.

Thanks a lot.

Len.

#8 jntkwx

Posted 02 October 2011 - 05:33 PM

Hi lenioffe,

Step 1: Have you tried running GMER in Safe Mode?

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.
  • Identify infections and the signs showing in the logs
  • Provide links with explanation of the infections (if available)

Step 2: Once in Safe Mode, rerun GMER:
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Regards,
Jason

 



#9 lenioffe

Posted 02 October 2011 - 09:05 PM

Jason,


sorry for asking but I ran into a really strange problem. When I start Windows in a safe mode it starts with a resolution 640 by 480. With that resolution GMER window does not fit on the screen so that SAVE and COPY buttons simply can't be seen. As there is no scroll bar I can't see them. So I can run a scan but won't be able to save and copy the results. Any idea what I should do?

Thanks again,

Len.

#10 jntkwx

Posted 02 October 2011 - 09:08 PM

Hi lenioffe,

Yes, Safe Mode changes the resolution. If you right-click anywhere on the desktop, click on Properties, and click on the Settings tab, can you change the resolution so that the GMER window fits on the screen?

Edited by jntkwx, 02 October 2011 - 09:09 PM.

Regards,
Jason

 



#11 lenioffe

Posted 02 October 2011 - 09:33 PM

I assume that's the same as going to Display on the Control panel and trying to change settings. I can't do that as 640 by 480 is the only option. Is there any other way to save a log after a scan in GMER without using SAVE and COPY?

#12 jntkwx

Posted 02 October 2011 - 09:44 PM

lenioffe,

Yes, that is the same way of changing the display resolution. I don't think there's another way to save a GMER log file. Can you click and drag the top of the GMER window to move the window high enough on the screen to allow you to click on the Save and Copy buttons?
Regards,
Jason

 



#13 lenioffe

Posted 03 October 2011 - 05:15 AM

Jason,

thanks again. I could not run GMER in a safe mode but it finally ran again with a regular start-up. I got an error "The Windows unable to save all data for the file \Device\HardDiskVolume2\Windows\System32\Config\AppEvent.evt The data has been lost. The error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere."
I was able to save GMER.log. I copied it but then the computer crashed with a memory dump. Once I restarted it everything was back to "normal" with the high CPU usage. Here is the text from GMER.log. It looks like the run finished.
Please, let me know if you see anything. Thank you again.
Can it just be that there is not enough space on the hard drive or that it is corrupted?


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-03 05:49:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST3160023AS rev.8.05
Running: gysprvr6.exe; Driver: C:\DOCUME~1\Leon\LOCALS~1\Temp\pgrirpog.sys


---- System - GMER 1.0.15 ----

SSDT            F63E806C                                                                                                               ZwClose
SSDT            F63E8026                                                                                                               ZwCreateKey
SSDT            F63E8076                                                                                                               ZwCreateSection
SSDT            F63E801C                                                                                                               ZwCreateThread
SSDT            F63E802B                                                                                                               ZwDeleteKey
SSDT            F63E8035                                                                                                               ZwDeleteValueKey
SSDT            F63E8067                                                                                                               ZwDuplicateObject
SSDT            F63E8053                                                                                                               ZwLoadDriver
SSDT            F63E803A                                                                                                               ZwLoadKey
SSDT            F63E8008                                                                                                               ZwOpenProcess
SSDT            F63E800D                                                                                                               ZwOpenThread
SSDT            F63E8044                                                                                                               ZwReplaceKey
SSDT            F63E803F                                                                                                               ZwRestoreKey
SSDT            F63E807B                                                                                                               ZwSetContextThread
SSDT            F63E8058                                                                                                               ZwSetSystemInformation
SSDT            F63E8030                                                                                                               ZwSetValueKey
SSDT            F63E8017                                                                                                               ZwTerminateProcess
SSDT            F63E8012                                                                                                               ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!_abnormal_termination + 4A1                                                                               804E2B0D 3 Bytes  [80, 3E, F6] {CMP BYTE [ESI], 0xf6}
init            C:\WINDOWS\System32\DRIVERS\mohfilt.sys                                                                                entry point in "init" section [0xF8C3B760]

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\UdfReadr_xp \Device\UdfReadr_XP                                                                            tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \Driver\prodrv06 \Device\ProDrv06                                                                                      E1AC46B0
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                     prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4                                                                            prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                     prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c                                                                            prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17                                                                           prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\prohlp02 \Device\ProHlp02                                                                                      E100F800
Device                                                                                                                                 mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device          \FileSystem\cdudf_xp \Device\CdUdf_XP                                                                                  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device                                                                                                                                 B8AF0D20
Device                                                                                                                                 B8B00428

AttachedDevice                                                                                                                         fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                                     tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                                      tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                                          tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                                       tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                                      tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Cdfs \Cdfs                                                                                                 tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet Pro 8500 A909g Series (Copy 1)@ChangeID  5243187

---- Files - GMER 1.0.15 ----

File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\IRA_Contributions.htm                             4866 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\Keough_SEP_SIMPLE_Cont.htm                        4965 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\Miscellaneous_Adjustments.htm                     4924 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\Moving_Expenses.htm                               4881 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\MSAs_and_LongTerm_Care.htm                        4907 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\Self_Employed_Health_Ins.htm                      4954 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Adjustments\Student_Loan_Interest.htm                         4926 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits                                                       0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Adoption_Expenses.htm                                 4876 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Child_and_Depend_Care_Expen.htm                       5099 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Child_Tax_Credit.htm                                  4883 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\DC_Home_Buyer_Credit.htm                              4759 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\dir.txt                                               23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Earned_Income_Credit.htm                              4920 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Education_Credit.htm                                  4887 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Elderly_and_Disabled_Credit.htm                       4928 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Excess_Social_Security.htm                            4925 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Foreign_Tax_Credit.htm                                4882 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Fuel_Tax_Credit.htm                                   4866 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Health_Insurance_Credit.htm                           4772 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Hybrid_Car_Altern_Vehicle_Cr.htm                      4870 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Investment_Credit.htm                                 4870 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Low-IncHousingForm8609.htm                            5469 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\LowIncome_Housing_Credit.htm                          6682 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Mortgage_Interest_Credit.htm                          4915 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Other_Business_Credit.htm                             4905 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Prior_Year_Alt_Min_Tax_Cr.htm                         4927 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Residential_Energy_Credit.htm                         4812 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Retirement_Sav_Cont_Credit.htm                        5159 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Credits\Telephone_Tax_Rebate_Credit.htm                       4903 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions                                                    0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Cash_Contributions.htm                             4895 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Casualty_and_Theft_Losses.htm                      4920 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Charitable_Contributions.htm                       5032 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Depreciation_Investment.htm                        4905 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\dir.txt                                            23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Health_Savings_Account.htm                         4917 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Home_Mortgage_Interest.htm                         4911 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Investment_Interest_Expense.htm                    4932 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\JobRelated_Expenses.htm                            5927 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Medical_and_Dental_Expenses.htm                    4927 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Miscellaneous_Deductions.htm                       4932 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Miscellaneous_Ded_2Percent.htm                     4940 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Misellaneous_Contributions.htm                     4928 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\New_Vehicle_Sales_Tax.htm                          5273 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Non-Cash_Contributions.htm                         4910 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Property_Tax.htm                                   4979 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Standard_vs_Itemized.htm                           5267 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\State_and_Local_Taxes.htm                          4915 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Deductions\Vehicle_Used_in_Investment.htm                     4918 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Default_Getting_Ready.htm                                     5620 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Default_Summary.htm                                           5250 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Dependents                                                    0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Dependents\Dependents.htm                                     5831 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Dependents\dir.txt                                            23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\dir.txt                                                       23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Error_Check                                                   0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Error_Check\Checking_For_Errors.htm                           5017 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Error_Check\dir.txt                                           23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File                                                          0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Checking_the_Status.htm                                  5505 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\dir.txt                                                  23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\E-Filing_State_and_Federal.htm                           6309 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\E-Filing_State_Separately.htm                            6718 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Filing_An_Extension.htm                                  5781 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Filing_On_Paper.htm                                      5712 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Filing_Options.htm                                       5496 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Finishing_Up.htm                                         5667 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\File\Submitting_Your_Return.htm                               5608 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Getting_To_Know                                               0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Getting_To_Know\dir.txt                                       23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Getting_To_Know\Getting_to_Know_You.htm                       5896 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\How_do_I.htm                                                  5241 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Import                                                        0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Import\dir.txt                                                23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Import\Importing_1099s.htm                                    4429 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Import\Importing_Financial_Info.htm                           5163 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income                                                        0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Hurricane_Distributions.htm                            4822 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Alimony_Received.htm                                   4902 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\At_Risk_Limitations.htm                                4860 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Cancelation_of_Debt.htm                                4760 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Capital_Gains_and_Losses.htm                           4886 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Childs_Income_Your_Return.htm                          4955 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\dir.txt                                                23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Dividend_Income.htm                                    4882 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Employee_Stock_Options.htm                             4804 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Estates_and_Trusts.htm                                 4892 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Farm_Depreciation.htm                                  4882 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Farm_Income.htm                                        4840 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Farm_Income_Averaging.htm                              4876 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Farm_Rentals.htm                                       4826 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Farm_Vehicle.htm                                       4832 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Foreign_Accounts_and_Trusts.htm                        4930 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Foreign_Earned_Income_Excl.htm                         5295 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Gambling_Income.htm                                    4792 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Government_Payments.htm                                5223 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Income_From_Your_Job.htm                               4899 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Installment_Sales.htm                                  4868 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Interest_Income.htm                                    4897 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\IRA,_Pension_Income.htm                                4909 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\IRA_Distributions.htm                                  4851 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Like_Kind_Exchanges.htm                                4878 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Miscellaneous_Income.htm                               4875 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Other_Income.htm                                       4842 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Partnership_or_SCorps.htm                              5367 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Rents_and_Royalties.htm                                5231 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Sale_of_Business_Property.htm                          4924 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Sale_of_Home.htm                                       4854 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Scholar_and_Fellow_Grants.htm                          5008 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Section_1256_Cont_and_Strad.htm                        4956 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Series_EE_and_I_Sav_Bonds.htm                          4929 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Short_Term_Long_Term_Carry.htm                         4948 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Social_Security_Income.htm                             4900 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Tax_Shelter_Registration.htm                           4908 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Undistributed_Capital_Gain.htm                         5013 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Income\Your_Own_Business.htm                                  4892 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways                                                0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_Bus_Gateway.htm                        5259 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_Income_Gateway.htm                     5376 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_Invest_Gateway.htm                     5602 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_MiscInvest_Gateway.htm                 5136 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_OtherIncome_Gateway.htm                4620 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_Retire_Gateway.htm                     4870 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\Default_SalesTrans_Gateway.htm                 5153 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\IncomeGateways\dir.txt                                        23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous                                                 0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Additional_Extension.htm                        4882 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Amended_Return.htm                              4863 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Apply_Refund_to_NYr.htm                         4928 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Attachments.htm                                 4833 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Choosing_Which_1040.htm                         6090 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Deceased_Taxpayer_Refund.htm                    5025 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\dir.txt                                         23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Filing_Extension.htm                            4869 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Injured_Spouse_Claim.htm                        4760 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Intallment_Payment_Tax.htm                      4913 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\M_Filing_Joint_vs_Separate.htm                  4966 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Payment_Voucher.htm                             4886 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Miscellaneous\Third_Party_Designee.htm                        4936 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan                                                          0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\dir.txt                                                  23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\Education_Planning.htm                                   4941 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\Introduction.htm                                         5048 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\Retirement_Planning.htm                                  5140 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\Tax_Planning.htm                                         5721 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Plan\W4_Certificates.htm                                      5079 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Review                                                        0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Review\dir.txt                                                23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Review\Review_Options.htm                                     5473 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\State                                                         0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\State\dir.txt                                                 23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\State\Get_State_Program.htm                                   5228 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\SuperC                                                        0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\SuperC\BusinessMileageSupC.htm                                4854 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\SuperC\dir.txt                                                23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\SuperC\NextYearFilingStatus.htm                               6104 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\SuperC\Your_Own_Business_SupC.htm                             6728 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties                                                 0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Alternative_Minimum_Tax.htm                     4888 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Child_with_Investments.htm                      4908 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\dir.txt                                         23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Excess_Contributions.htm                        4964 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Household_Help.htm                              4877 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Miscellaneous_Taxes.htm                         4889 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Recapture_of_Invest_Credit.htm                  4932 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Retire_Plan_IRA_Other_Penal.htm                 4984 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Self_Employment_Tax.htm                         4899 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Tax_Payments.htm                                4863 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Underpayment_Penalty.htm                        4880 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Tax_Penalties\Unreported_Tip_Income.htm                       4904 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Welcome                                                       0 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Welcome\dir.txt                                               23 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Welcome\Getting_Started.htm                                   5336 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Welcome\Welcome.htm                                           5254 bytes
File            C:\Program Files\HRBlock2009\Help\MM\Us\hlp\What_Help_cs\Welcome\Which_Return.htm                                      5007 bytes

---- EOF - GMER 1.0.15 ----







#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:04:12 PM

Posted 03 October 2011 - 08:48 AM

lenioffe,

msiexec and svchost are still the two processes that are taking up a high amount of CPU usage, correct?

It's possible the hard drive is corrupted, or that certain critical files are corrupted.

Let's open up a command prompt with elevated rights:

Go to Start > All Programs > Accessories > right-click on Command Prompt and hit Run As Administrator

In the box that comes up perform the following:

chkdsk /r

On the resulting question hit yes.

Reboot the computer.
Regards,
Jason

 



#15 lenioffe

lenioffe
  • Topic Starter

  • Members
  • 131 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 16 October 2011 - 12:51 PM

Jason,

Thank you again. Sorry for not responding sooner. I was away for a few days and now I'm leaving again for a week.
I ran chkdsk /r in safe mode as it did not run after a regular reboot. It ran for several hours and finally completed. Then I restarted Windows normally and for the first time it did not have the CPU hijacked by msiexec. But the next time it was back again. Is there a way to trace what it is and how it starts? Is there a way to stop it after it starts without crashing the system? Is there anything else I can do?
Can it be that some parameters of Windows are not set up optimally (virtual memory, anything else)?

Len.



