Hi everyone, I hate to post this (as it's a not perfectly on the topic of this forum) here, but I rather wanted to get Gavin's and the rest of the DCS crew's attention on this one. I've just witnessed something a bit disturbing on a Windows ME system I myself set up (security wise) for a (somewhat computer-illiterate) friend to use as her working computer. (And don't ask me why I'm up at 2:30 AM...) Long post ahead, and I apologize in advance. Firstly, she's running ZAF 3.7.159 for the firewall and AVP 220.127.116.11 for the on-access AV backed up by F-Prot for DOS 3.14b. RegProt has also been installed since the beginning and is running at startup. Unfortunately, she uses IE 6 SP 1 (with all the patches, but there are those unpatched vulns out there...) Fortunately, the Internet Zone is highly restricted and she only visit a handful of sites, all of which I would trust. Email is Popcorn, and it doesn't even understand the usual html and attachment stuff. She's computer-illiterate, but she's bright, so she wouldn't be fooled easily by any of the blatantly obvious "click m3 i'm a m$ pacth for U" stuff anyway. That, and she doesn't willy-nilly download random stuff, or actually any stuff. She phoned me complaining that whenever she scans her HD with AVP, the screen goes black after a few minutes of scanning and she has to reboot (which often leads to the system freezing at the desktop again after the reboot). Well, I went ahead and tried to find out what the problem is and started a scan with AVP. Two minutes, and it crashes into a BSOD mentioning VXDs (but no filenames) that I in my foolishness did not memorize. I hit the three-finger salute and boot into safe mode. Scan runs from there without any problems, detecting absolutely jack. Then I run F-Prot. It too detects nothing. Now, I reboot again and into normal mode. I run F-Prot and hit the scan button. After a minute, it crashes the system, which reboots itself. Now I'm getting pretty interested. I download TH and TDS-3 trials, update and run. Can you take two guesses as to what happens? I try TH first. The scan runs and completes, but nothing odd is detected. While TH is scanning, I look throught the autostarts with Startuplist, TH's AutostartExplorer and DCS Asviewer. I find nothing that looks out of place. I even play with TH's WindowList and check out just about every hidden window, but nothing seems odd. Time to load TDS. I run a Process Memory Scan first, and it completes without problems. I scan the dlls of the running processes, still no problems. Then I hit the full scan of the C: drive, and BANG. Two minutes into it, and the system reboots itself. HO-HUM. Again in safe mode, I run TDS. The scan is slower than usual because the disks are handled in DOS mode, but the scan completes and nothing is detected (aside the usual suspicious file extensions in the Windows\Recent folder). Repeat with TH, no problems or detections. I go through the autostarts in safe mode, and find nothing strange. I'm starting to think it's just Windows ME being itself. I mean, a trojan would likely kill AVs and ATs before they start scanning, but I can load AVP, F-Prot, TDS and TH all at once and leave them idling for half an hour with nothing going wrong. The system is otherwise stable, but when you start scanning with anything, it dies. It can't be a resource issue, it's an Athlon XP 2200+... I see no strange open ports either, even when I surf a few sites while keeping the other eye on TDIMon. Then, I decide to run a search for *.vxd. Result as usual, a massive (112) load of files. But but, there are two that are completely alien to me called SecDrv02 and 04.vxd (I don't have a ME box of my own anymore, but I'm rather sure I didn't have these files when I did). No company name, no anything. Curiously, created on the same day she installed CIV 3 (and that was a legit copy, in case you want to know). Sizes are 19 and 13 KB respectively. I manually scan these with everything I've got here. Nada, no detections. I open them in a hex editor, and can't make heads or tails out of them. There's the usual MZ, but the rest is Greek to me. Interestingly, there's no company name data or anything. I just don't get it. Is her system infected with some ridiculously clever rootkit-style thing, am I blind, or is Win ME being a buggy pain in the ass (pardon my French)? I just can't see (Ok, I guess I'm blind then) where she could have gotten a trojan... I'll respect anyone who can solve this mystery (and probably give them a big bearhug, but nobody likes that so I'll just leave it unmentioned).