Computer shuts off during virus scans
francofiles
December 16th, 2005, 09:39 PM
Hi...This problem started a few weeks ago when I downloaded and installed Norton Internet Security 2006. The program simply would not run a virus scan without crashing the computer. No warning, no alert, just an abrupt hard shutoff of the power. Since then, after lots of back and forth with Norton tech support and following their instructions to uninstall/download and run a special Norton removal program/delete the registry keys/reinstall/etc. etc. without solving the problem, I have deleted NIS 2006 and returned the product for a refund. The problem, however, has since continued with other anti-virus products. I have run virus scans using Trend Micro PC-Cillin Internet Security 2006 AND ZoneAlarm Internet Security 2006, and the only improvement is that the hard shutdowns are now intermittent (unlike with the Norton product, where it happened every single time).
I took the computer in for service earlier this week; the technician ran a virus scan from outside the computer, and he found and removed two viruses. It is since those viruses were removed that I installed and began using ZoneAlarm. I have successfully completed one full virus scan. Two other attempts have ended in hard shutoffs of the system.
I have adjusted my computer's sleep/hibernation settings to make sure that isn't what's causing the problem. The computer doesn't seem to be overly hot -- though I do note the fan cycling up and down during the virus scan (but it has always done that).
Anybody have any ideas about what might be causing these crashes during virus scans?
AnnMarie
December 16th, 2005, 10:03 PM
Welcome to CTH francofiles. It does sound like a heat related issue. What make and model computer do you have?
francofiles
December 16th, 2005, 10:19 PM
Hi, AnnMarie...Sorry, I would have included that information in my post, but I thought somehow you'd be able to read the profile information I entered. I'm brand new to this forum....
I have an IBM Thinkpad T40, 2 years old, running Windows XP Pro with Service Pack 2, 1.5 GHz, 1 gig of RAM. I've never had any power supply or cooling problems, and the technician who looked at the computer this week didn't mention any (though I have my suspicions that he didn't look too hard for any hardware problems, as he seemed way too interested in selling me a new Norton AV disk.)
BTW, I just ran a successful virus scan using ZAIS 2006, so the problem has definitely become an intermittent one (the most maddening kind!)
AnnMarie
December 16th, 2005, 10:29 PM
I was going to ask if you had a laptop. They are notorious for these kinds of issues and they are usually heat related. I have had the same problem on my own laptop (Compaq) and the cause was a failed cooling component.
If I were you, I would take it in to an authorised IBM Service Centre and ask them to look at the issue for you. It might just need a clean.
francofiles
December 17th, 2005, 05:40 PM
Thanks for the advice. I'll follow it and report back to the forum.
AnnMarie
December 17th, 2005, 08:14 PM
You are welcome francofiles and we would appreciate an update. :)
francofiles
December 19th, 2005, 08:09 PM
I took the computer to a service center today. The technician told me the problem I describe is definitely NOT a cooling problem. He said the shutoffs during virus scans are caused by a worm that shuts off the computer as soon as it senses an AV program running, in order to avoid being found. In his opinion, paying a technician to hunt for the worm would probably end up costing me too much money, since these things take forever to find. He advised me to back up my files (files only, not programs), erase the entire hard drive, re-install Windows and *immediately* go to the Microsoft website and install all the updates, then re-install all my other software. Doesn't that sound like fun? Still, what he said makes a lot of sense, because the computer only has the problem when I try to do a virus scan; it runs just fine otherwise.
AnnMarie
December 19th, 2005, 08:14 PM
Hi francofiles. Thanks for the update. Do you have your laptop back now? If so, we could help you find the worm for free.
francofiles
December 19th, 2005, 08:41 PM
Yes, I do have it. And I'm open to all your worm-seeking suggestions. It's definitely worth trying before resorting to more drastic measures.
AnnMarie
December 19th, 2005, 08:57 PM
Ok, let's see what is running on your PC. Go here (http://www.cybertechhelp.com/download/section/adware-spyware-removal) and download the latest version of Hijack This. Unzip it and click on scan. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread.
Also go here (http://www.silentrunners.org/) and download Silent Runners.vbs to your Desktop and run it. It generates a log too. Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious.
francofiles
December 19th, 2005, 09:13 PM
Okay. Here is the log from Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 1:04:53 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Le Petit Robert\prhyper.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.npr.org
O15 - Trusted Zone: http://www.rfi.fr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\ibmegath.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?315
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I have downloaded the Silent Runners script. However, I don't know how to launch it in Windows XP. Could you please explain how to do that? Thanks....
francofiles
December 19th, 2005, 09:25 PM
Actually, ignore that last question. I finally figured it out. Here is the Silent Runners log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Le Petit Robert Hyperappel" = "C:\Program Files\Le Petit Robert\prhyper.exe" [null data]
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"BluetoothAuthenticationAgent" = "rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent" [MS]
"TP4EX" = "tp4ex.exe" ["IBM Corporation"]
"BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS]
"LWBMOUSE" = "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [empty string]
"tgcmd" = (empty string)
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UC_SMB" = (empty string)
"S3TRAY2" = "S3Tray2.exe" ["S3 Graphics, Inc."]
"TPKMAPMN" = "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [null data]
"TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"StorageGuard" = ""c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"QCWLICON" = "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [null data]
"Motive SmartBridge" = "C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"KernelFaultCheck" = "%systemroot%\system32\dumprep 0 -k" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."]
"BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]
Startup items in "Robin" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Billminder" -> shortcut to: "C:\Program Files\QUICKENW\BILLMIND.EXE -startup" ["Intuit"]
"D-Link AirPlus Xtreme G Configuration Utility" -> shortcut to: "C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe" ["D-Link"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Quicken Startup" -> shortcut to: "C:\Program Files\QUICKENW\QWDLLS.EXE" ["Intuit"]
"Verizon Online Support Center" -> shortcut to: "C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imslsp.dll ["Zone Labs, LLC"], 01 - 06, 31
C:\WINDOWS\system32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 07 - 09, 30
%SystemRoot%\system32\mswsock.dll [MS], 10 - 12, 15 - 29
%SystemRoot%\system32\rsvpsp.dll [MS], 13 - 14
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\
"ButtonText" = "Software Installer"
"Exec" = "C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe" ["Lenovo Group Limited"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
CA ISafe, CAISafe, "C:\WINDOWS\system32\ZoneLabs\isafe.exe" ["Computer Associates International, Inc."]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\System32\ibmpmsvc.exe" [null data]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
QCONSVC, QCONSVC, "System32\QCONSVC.EXE" [null data]
RegSrvc, RegSrvc, "C:\WINDOWS\System32\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\System32\S24EvMon.exe" ["Intel Corporation "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 11 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 9 seconds.
---------- (total run time: 54 seconds)
AnnMarie
December 19th, 2005, 09:58 PM
Hi francofiles, there is no evidence of a worm or any other type of infection in either log.
Have a look in Event Viewer and see what Error (not Information or Warnings) was recorded when the shutdowns occurred. Go to Start > Run and type:
eventvwr.msc
and ok. Post back the Event Source, the Event ID and any other relevant information.
francofiles
December 19th, 2005, 10:49 PM
The last time the computer crash occurred was about 25 minutes into a scheduled virus scan that began Friday afternoon (12/16) at 12:30. Strangely, neither the "System" nor the "Application" Event Log shows anything between that morning's boot-up (at 8:43 am) and just after 1:00 pm, at which point it shows a series of "Service Started" information messages that appear to be associated with the computer's having been turned back on at that time. The only item showing in the "Security" event log dates from July 2003.
AnnMarie
December 19th, 2005, 10:56 PM
Ok, disable your antivirus program and go here (http://www.bitdefender.com/scan8/ie.html) and run an online scan with BitDefender. When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. Post back and let us know what it found (post the log).
If nothing is found, we will check for a rootkit infection.
francofiles
December 20th, 2005, 12:35 AM
I started the scan with BitDefender at around 3:35pm. It ran until 4:14 pm, at which point the computer shut off in mid-scan. (I don't know where in the scan it shut off, as I was out of the room. However, based on my experience with this problem to date, the shutoffs occur at differing points during the scan.) After turning the computer back on, I checked the Event Log and found an information message with the Event ID 6009. According to MS Help and Support Center, this means: "The user restarted or shut down the computer by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down." (Which of course, did not happen.) Is that a clue to anything?
AnnMarie
December 20th, 2005, 05:56 AM
Ok, let's try DllCompare and see what it finds. This is not an antivirus program; it searches for files that Windows does not See or cannot Access. We really only need to look in your Windows and System32 directories.
Go here (http://downloads.subratam.org/DllCompare.exe ) and download and run DllCompare. Look in the righthand corner and change *.dll to *.* and click on Run Locate.com. When it has finished, click on Compare and let it scan. Click on Make a Log of What was found when finished, save it and post it here.
Exit and repeat for C:\Windows (just type the changes to the directory)
francofiles
December 20th, 2005, 04:03 PM
Done. First Log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\cdplay~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\logonu~1.man Thu Sep 26 2002 4:15:22p ...HR 488 0.48 K
C:\WINDOWS\SYSTEM32\mfc42.dll Tue Aug 3 2004 11:56:42p A.SH. 1,028,096 1004.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Tue Aug 3 2004 11:56:44p ..SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Tue Aug 3 2004 11:56:44p A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Tue Aug 3 2004 11:56:44p A.SH. 343,040 335.00 K
C:\WINDOWS\SYSTEM32\ncpacp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\nwccpl~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Tue Aug 3 2004 11:56:44p A.SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Tue Aug 3 2004 11:56:44p A.SH. 83,456 81.50 K
C:\WINDOWS\SYSTEM32\regsvr32.exe Tue Aug 3 2004 11:56:56p ..SH. 11,776 11.50 K
C:\WINDOWS\SYSTEM32\rpaui.gid Tue Sep 16 2003 10:33:06p ...H. 17,002 16.60 K
C:\WINDOWS\SYSTEM32\sapicp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\vsconfig.xml Tue Dec 20 2005 7:54:14a A..H. 38,360 37.46 K
C:\WINDOWS\SYSTEM32\window~1.man Thu Sep 26 2002 4:15:22p ...HR 488 0.48 K
C:\WINDOWS\SYSTEM32\wuaucp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\zllictbl.dat Thu Dec 15 2005 5:40:36p ...H. 4,212 4.11 K
________________________________________________
2,410 items found: 2,359 files (17 H/S), 51 directories (3 H/S).
Total of file sizes: 448,364,560 bytes 427.59 M
Administrator Account = True
--------------------End log---------------------
Second log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\cdplay~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\logonu~1.man Thu Sep 26 2002 4:15:22p ...HR 488 0.48 K
C:\WINDOWS\SYSTEM32\mfc42.dll Tue Aug 3 2004 11:56:42p A.SH. 1,028,096 1004.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Tue Aug 3 2004 11:56:44p ..SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Tue Aug 3 2004 11:56:44p A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Tue Aug 3 2004 11:56:44p A.SH. 343,040 335.00 K
C:\WINDOWS\SYSTEM32\ncpacp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\nwccpl~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Tue Aug 3 2004 11:56:44p A.SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Tue Aug 3 2004 11:56:44p A.SH. 83,456 81.50 K
C:\WINDOWS\SYSTEM32\regsvr32.exe Tue Aug 3 2004 11:56:56p ..SH. 11,776 11.50 K
C:\WINDOWS\SYSTEM32\rpaui.gid Tue Sep 16 2003 10:33:06p ...H. 17,002 16.60 K
C:\WINDOWS\SYSTEM32\sapicp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\vsconfig.xml Tue Dec 20 2005 7:54:14a A..H. 38,360 37.46 K
C:\WINDOWS\SYSTEM32\window~1.man Thu Sep 26 2002 4:15:22p ...HR 488 0.48 K
C:\WINDOWS\SYSTEM32\wuaucp~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\SYSTEM32\zllictbl.dat Thu Dec 15 2005 5:40:36p ...H. 4,212 4.11 K
________________________________________________
2,410 items found: 2,359 files (17 H/S), 51 directories (3 H/S).
Total of file sizes: 448,364,560 bytes 427.59 M
Administrator Account = True
--------------------End log---------------------
Thanks. Hope that helps.
francofiles
December 20th, 2005, 07:22 PM
By the way, just for fun, I went to the Microsoft website, and downloaded and ran their Malicious Software Removal utility. The log said no malicious software was found.
AnnMarie
December 20th, 2005, 09:57 PM
The DllCompare log doesn't show any problems either francofiles.
We can try Rootkit Revealer. Go here (http://www.sysinternals.com/Utilities/RootkitRevealer.html) and download RootKit Revealer. Once downloaded, unzip the files to their own folder and rename RootKitRevealer.exe to Find.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.
Close all running programs and when you have done this, click on Options and make sure that "Hide Standard NTFS Metadata Files" and "Scan Registry" are both checked. Click on scan and let it scan your drive (it will take a while so be patient). When it has finished, go to File > Save, save the log and post it in this thread.
francofiles
December 20th, 2005, 10:27 PM
I ran Rootkit Revealer twice. The first time it said "no discrepancies found." After I closed Rootkit Revealer, my computer started acting sluggish, so I decided to restart it, then run RR again. The second time I did the scan, I got the following message:
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 12/20/2005 2:13 PM 64.00 KB Visible in Windows API, MFT, but not in directory index.
Does that shed any light?
While I wait for your reply, I may take another stab at running BitDefender. I'm a little afraid to do so, since it won't run in Mozilla Firefox, and requires me to open Internet Explorer and activate Active X.
AnnMarie
December 20th, 2005, 10:33 PM
That's fine francofiles. It is just a log for a software update (auto update) being written while you were running RR.
I noticed after I posted last time, that you posted the DllCompare log for C:\Windows\System32 folder twice instead of posting the log for C:\Windows. Run DllCompare again using my instructions to change the directory to C:\Windows and post the log.
francofiles
December 20th, 2005, 11:18 PM
Okay, will do.... Meanwhile, I did try running BitDefender again from their site. The computer shut off about 36 minutes into the virus scan. The same information message as before appeared in the Event Viewer. ("The user restarted or shut down the computer by clicking Start or pressing CTRL+ALT+DELETE and then clicking Shut Down.") So SOMETHING appears to be giving Windows the message to shut down, making it look like it has been keyed in by an actual user.
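The question raised in the post above, whether Windows was asked to shut down or simply lost power, is one the System log can answer, because the EventLog and USER32 sources record the two cases differently: 6006 is logged when the event log service stops in an orderly shutdown, 1074 names the process that requested a shutdown, and 6008 is written at the *next* boot when the previous shutdown was not orderly. The script below, an added example that is not from the thread, walks a constructed CSV export of such a log (the times echo the 12/16 timeline, the lines themselves are made up) and labels each boot session with how it ended.

```python
"""Classify how each Windows XP boot session ended from a System-log export."""
import csv
import io
import re

# Constructed export, columns timestamp,source,event_id,message. The dates
# follow the thread's 12/16 account; the events are invented for the example.
SAMPLE_EVENTS = """\
timestamp,source,event_id,message
2005-12-16 08:43:02,EventLog,6005,The Event log service was started.
2005-12-16 08:43:02,EventLog,6009,Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.
2005-12-16 08:43:10,Service Control Manager,7036,The TrueVector Internet Monitor service entered the running state.
2005-12-16 13:02:40,EventLog,6005,The Event log service was started.
2005-12-16 13:02:40,EventLog,6009,Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.
2005-12-16 13:02:45,EventLog,6008,The previous system shutdown at 12:55:13 PM on 12/16/2005 was unexpected.
2005-12-16 18:10:00,USER32,1074,The process explorer.exe has initiated the shutdown of computer LAPTOP on behalf of user LAPTOP\\USER for the following reason: No title for this reason could be found
2005-12-16 18:10:05,EventLog,6006,The Event log service was stopped.
2005-12-17 09:00:00,EventLog,6005,The Event log service was started.
"""

BOOT, CLEAN_STOP, UNEXPECTED, REQUESTED = 6005, 6006, 6008, 1074
INITIATOR_RE = re.compile(r"The process (\S+) has initiated")
UNEXPECTED_RE = re.compile(r"shutdown at (.+?) was unexpected")


def parse_events(text):
    """Read the CSV export into dicts, oldest event first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": row["timestamp"], "source": row["source"],
                     "id": int(row["event_id"]), "msg": row["message"]})
    return sorted(rows, key=lambda r: r["ts"])


def split_into_sessions(events):
    """Group events into boot sessions; each starts at an EventLog 6005."""
    sessions = []
    for ev in events:
        if ev["source"] == "EventLog" and ev["id"] == BOOT:
            sessions.append([ev])
        elif sessions:
            sessions[-1].append(ev)
    return sessions


def classify_boots(events):
    """For each session report how it ended and, where known, who asked."""
    sessions = split_into_sessions(events)
    results = []
    for i, session in enumerate(sessions):
        nxt = sessions[i + 1] if i + 1 < len(sessions) else []
        verdict = {"boot": session[0]["ts"], "last_event": session[-1]["ts"],
                   "shutdown": "still_up", "initiator": None, "reported_time": None}
        requested = [e for e in session if e["source"] == "USER32" and e["id"] == REQUESTED]
        clean = [e for e in session if e["source"] == "EventLog" and e["id"] == CLEAN_STOP]
        # 6008 describes the *previous* shutdown, so look in the following session.
        dirty = [e for e in nxt if e["source"] == "EventLog" and e["id"] == UNEXPECTED]
        if requested:
            verdict["shutdown"] = "requested"
            m = INITIATOR_RE.search(requested[-1]["msg"])
            verdict["initiator"] = m.group(1) if m else "unknown"
        elif clean:
            verdict["shutdown"] = "clean"
        elif dirty:
            verdict["shutdown"] = "unexpected"
            m = UNEXPECTED_RE.search(dirty[0]["msg"])
            verdict["reported_time"] = m.group(1) if m else None
        elif nxt:
            verdict["shutdown"] = "unknown"
        results.append(verdict)
    return results


if __name__ == "__main__":
    for v in classify_boots(parse_events(SAMPLE_EVENTS)):
        print(v)
```

A session that ends with "requested" and a named initiator points at software asking for the shutdown; one that ends with "unexpected" and no 1074 or 6006 before it is what a power cut, thermal trip or hard hang leaves behind.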
francofiles
December 20th, 2005, 11:24 PM
Here's the log from the DllCompare of C:\Windows:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\bootstat.dat Tue Dec 20 2005 3:11:56p A.S.. 2,048 2.00 K
C:\WINDOWS\qtfont.qfn Thu Dec 15 2005 10:14:50p A..H. 54,156 52.89 K
C:\WINDOWS\twain.dll Thu Aug 29 2002 4:00:00a ..SH. 94,784 92.56 K
C:\WINDOWS\twain_32.dll Tue Aug 3 2004 11:56:46p ..SH. 50,688 49.50 K
C:\WINDOWS\window~1.man Thu Sep 26 2002 4:15:14p ...HR 749 0.73 K
C:\WINDOWS\winnt.bmp Thu Aug 29 2002 4:00:00a ..SH. 48,680 47.54 K
C:\WINDOWS\winnt256.bmp Thu Aug 29 2002 4:00:00a ..SH. 48,680 47.54 K
________________________________________________
490 items found: 307 files (7 H/S), 183 directories (137 H/S).
Total of file sizes: 37,596,247 bytes 35.85 M
Administrator Account = True
--------------------End log---------------------
It may be worth noting that both of the times I ran DLL Compare for C:\Windows, the program froze for some time after completing its comparison. It appears that I was only able to view a log of that scan the second time around. The first time, it simply returned me to the log for D:\Windows\System32. I thought they looked the same, but sent it anyway in case you might have been able to detect some subtle difference I couldn't see.
AnnMarie
December 21st, 2005, 05:34 AM
That's fine too. Well, I dunno, we have checked every possible startup for a worm and found nothing. You also don't have a rootkit infection.
As you say, something is shutting your laptop down during times of intensive activity, and an AV scan is probably the most intensive activity that your drive is likely to get.
I can think of a few possible causes but they are not malware related.
1. Your bios is incorrectly calculating the temperature and shutting it down.
2. You have bad sectors on your drive.
3. Maybe your chipset drivers need updating.
I am not an expert in Hardware issues though francofiles. Try posting a new topic in our Hardware forum and see what the gurus think.
francofiles
December 21st, 2005, 09:33 PM
Thank you very much for your help, Ann-Marie. I have copied your three possible causes into a message on the Hardware forum. Let's see what they have to say....
AnnMarie
December 21st, 2005, 09:34 PM
Good luck francofiles. :)
AnnMarie
December 21st, 2005, 09:36 PM
PS, don't forget to tell them the make and model of your laptop. :)