Vista Blue Screens ("Maybe" a Resolution)

[jholland1964]

Since I had not done this before we ran combofix....

ComboFix 08-03-20.2 - Sharon 2008-03-20 19:16:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.984 [GMT -5:00]
Running from: C:\Users\Sharon\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan



.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-03-20 21:53 2,260 ----a-w C:\Users\Sharon\AppData\Roaming\wklnhst.dat
2008-03-20 13:00 --------- d-----w C:\ProgramData\avg7
2008-03-16 14:28 --------- d---a-w C:\ProgramData\TEMP
2008-03-16 14:28 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-13 13:41 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-12 12:24 --------- d-----w C:\Program Files\Windows Mail
2008-03-06 00:57 --------- d-----w C:\Program Files\Java
2008-03-06 00:03 --------- d-----w C:\Program Files\Common Files\Java
2008-03-03 21:52 --------- d-----w C:\Program Files\CleanUp!
2008-03-01 04:39 --------- d-----w C:\Users\Sharon\AppData\Roaming\WinBatch
2008-02-29 12:46 --------- d-----w C:\Program Files\Trend Micro
2008-02-23 23:03 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-13 16:16 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 16:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 16:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 16:16 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 16:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 16:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 15:51 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 15:49 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 15:49 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 15:49 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 15:49 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 15:47 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 15:47 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 15:47 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 15:47 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 15:47 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 15:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-09 01:46 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-09 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 12:50 --------- d-----w C:\Users\Sharon\AppData\Roaming\Grisoft
2008-02-01 12:48 --------- d-----w C:\ProgramData\Grisoft
2008-01-31 17:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 11:42 --------- d-----w C:\Program Files\Google
2007-08-29 11:31 174 --sha-w C:\Program Files\desktop.ini
2007-04-02 22:25 22 --sha-w C:\Windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe" [2008-01-30 20:34 171448]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2005-02-16 20:15 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-10 18:02 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 08:42 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"ATICCC"="c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 20:12 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 06:52 4702208 C:\Windows\RtHDVCpl.exe]
"DPService"="C:\Program Files\HP\DVDPlay\DPService.exe" [2006-11-08 02:52 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:37 579072]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-05-21 18:29 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1925650744-2817293247-260502016-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{12BF8921-9B8D-466C-B0F1-643B65412963}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{24B9FCBD-B393-4379-B8BE-A58A16430EA2}"= Profile=Private|C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{52E05E6F-F5DE-4E4E-8392-832B1C19FB76}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{1CB6A675-5CBB-4160-944B-30E70D88D9E0}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{9B4C4B1C-3BBE-4F28-9CA5-B464E55596A4}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0D1ED38A-DA50-43E6-84C9-FDC60A2B9DB1}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F34996C1-9727-455D-BEA6-8BA77EE0F3D0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A7228EED-0CCF-4702-B47D-B98B611AC286}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1F6B5D47-348D-455F-AA1B-9AD9DED45919}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F715E5F2-8AFE-49D4-B436-01B9D38330D9}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A65FCD18-131C-4A43-BB86-3BDE718AEB0E}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C9D63C3B-D14B-494C-B8A1-61FDFA4A3227}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7E4B6C7F-850B-4B0B-9AC9-521566071239}"= Disabled:C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{FFCD0C8F-7AD1-40DA-A2FE-290ADF04CFC6}"= Disabled:UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{F68D33E1-C4DF-40C4-B135-B37517A4B8D1}"= Disabled:TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A11176A8-BA04-47E7-8BFB-26C30F27B29F}"= Disabled:UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C738BFDC-A81B-49F6-9519-3E9E1E625198}"= Disabled:TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2B97359F-79AE-40F0-8CCC-710BCA227ADD}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{AD1FBD97-05C0-4788-9858-2FD3C20AFDCD}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{78F86F2C-E662-437C-8C40-01BFE2B7116E}"= UDP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{6EE75342-707C-4038-A91E-77DC82DCFFC8}"= TCP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{B0459409-B99C-40A7-904E-D6A10580EAF9}"= UDP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault
"{2F520A35-D8BC-4C37-9399-2DDD9AECFBD5}"= TCP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\RestrictedServices\Configurable\System]
"Rip-Listener-1"= TCP:520|%SystemRoot%\System32\svchost.exe|Svc=ipri p:@iprip.dll,-200|

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|S vc=DFSR:Allow inbound TCP traffic|
"SNMP-1"= TCP:%SystemRoot%\system32\snmp.exe|Svc=SNMP:@%Syst emRoot%\system32\snmp.exe,-5|

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-11-03 10:29]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.s ys [2007-08-07 06:26]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atik mdag.sys [2007-06-13 20:28]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 08:41]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 20:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc
ipripsvc REG_MULTI_SZ iprip

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{48bf4476-cead-11dc-9f1f-e25ab51505b4}]
\shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 00:10:55 C:\Windows\Tasks\User_Feed_Synchronization-{4A322068-0DD0-40F9-A585-52DB6EEF200B}.job"
- C:\Windows\system32\msfeedssync.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 19:21:23
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\hp\kbd\kbd.exe
.
************************************************** ************************
.
Completion time: 2008-03-20 19:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 00:23:29

The earthlink listings we assume are ones put in place when she had computer in a shop, he used earthlink.

[jholland1964]

HELP!!!!!!!
Blue screens continue. Have pretty much determined these are not however, BSOD's, but REBOOTING of the computer.
No errors showing in event log at time of shutdown. Always about 30 minutes prior to these though are Warnings showing in event viewer which state;

Tcpip 4227
TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.

Then right after this happens these will show in event viewer;

Event processing
Level: Error
Keywords: Audit Success
User: N/A
Computer: Sharons-PC
Description:
Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown.

This only happens online. 99% of the time while trying to view a photo of some kind...google images, photo on websites, etc.
Had her turn off Windows Defender and things worked for awhile. Only because I had problems with Defender seeming to slow things on my computer. Found several threads last night concerning Vista Firewall and dial-up...so today had her temporarily turn off Vista Firewall.
Her dial-up is terrible so think culprit probably lies there but I am at a total loss now. Everything relating to connections other than dial up on the computer are turned off. I am at a total loss. HELP!!!!!

[Gizmokid2005]

Honestly Judy, I"m not sure what else to tell you.

At this point, it's starting to sound like something possibly hardware related. What exactly I can't say. Could be a bad modem, bad integrated graphics, bad chipset/mobo...I don't know. But it looks like you've covered EVERYTHING in regards to software.......wait a second.

Is there ANYWHERE that you can turn of graphics acceleration?

[jholland1964]

Not sure on Vista. Will have her check. Can't find anywhere that this is available with Vista. Most places seem to say this is disabled on Vista...?
Here is info on her ISP Configuration...anything here look out of order? She is NOT networked to any other computer. She is on crappy dial up, phone lines have not even gone to fiber optic yet. It was suggested by somebody she try wireless but I have no or very little knowledge about this except my daughter uses it on her work laptop. Another suggestion was some sort of connection using her cellphone, which is top of the line but don't know if this can be done AND she says she cannot use her cellphone inside her house because connection is so bad.

ISP configurations...
under properties/networking

(checked) IT protocol version 4 TCP/IPV4
(unchecked) It prot. vers. 8 TCP/IPV6
(unchecked) File and Printer Sharing for MS networks
(checked) QoS Packet Scheduler
(checked) Client for MS Networks

Modem PCI Soft Data Fax Modem with Smart CP (COM3)
...................
(unchecked) under settings isp Automatically detect settings.
.....
Misc. (Incoming POP3/Outgoing SMTP servers)
Internet options/connections

ck'd: Always dial my default connection (current dialup isp)
rest unchecked...........
.....
Auto config...No checks at all.......on that page. eg Auto detect /proxy server.... nothing is checked .
.........
Advanced dial up...
Try to connect: 10 times
Redial : 5 sec.

Never disconnect if idle.
................
Under network and sharing:
PPPconnections:
Enable LCP checked
Enable software compression checked
Negotiate multi link for single link connections UNchecked
....
Under security same sector
Typical Recommended settings is checked..

No other checks...no advanced etc...

Interactive logon and scripting...no checks here either.
...............................................
Internet settings.
Internet...Med/High

Intranet Med Low

Feeds: none allowed.

Any ideas anyone?

[jholland1964]

Wanted to bring all up to date on this for one reason anyway...those of us helping her...there are three of us, one with Vista and two of us with XP, two of us on cable hook-ups, me and the Vista guy and the other XP on dial-up...all have come to the conclusion the initial problem really and truly starts with Vista and it's default connection set up which really assumes a high speed connection will be used. It is almost as if dial-up is in there only as an afterthought. The other problem is the Vista Firewall.

She is connected to the internet via dial-up, on an antiquated rural phone system...cables are still the old copper cables, not been updated to fiber optic and from what she has been able to find out, no plans in the near future to do so either. She has ONE telephone line coming into the house so when she connects to the internet she takes the ONE telephone cable from the telephone and plugs it into the computer. When she goes offline then she removes the plug from the computer and plugs the phone back in!
Here are her system specs;
Model # a1510y
HP Pavilion desk top computer, Direct X version 10.0
H/P intel R Pentium R 4
CPU 3.00 GHz 2.99 GHz
vista home basic 32 bit
22"flat screen monitor
2 GB RAM
ATI RADEON XPRESS 1100 series
ATI Technologies Inc. Driver version 8.383.0.0
All drivers and software are totally up to date...we checked them all because most people, here and the rest of us working on this, felt it to be probably a graphics issue of some kind but we have really ruled this out.
Ran Windows Memory diagnostic tool..NO issues found
Ran checkdisk/fix...nothing found or fixed.

At one time she had Norton Anti-virus but when it expired she uninstalled it and installed AVG Anti-virus, Vista Firewall, Windows Defender, Spybot, SpywareBlaster.
She had done all scans possible, online were next to impossible because blue screens would occur. All other scans came up clean. HJT showed some minor fixes needed which were done.
I had her disable all automatic updates with the exception of her AVG Anti-virus.
Blue screens she thought originally were BSOD's but then had her turn off the Automatically Restart option so she could actually see errors on the blue screen...none showed, just stayed blue and they were not the deep royal blue normally seen with these but the blue restart screen. We decided these were NOT BSOD's but shut down/restarts.

Took a look at here event viewer and virtually ALL the errors shown were from these sources, nothing else showed anywhere, maybe a couple noting her Graphics card, but driver update seemed to fix that as it had not shown since in any errors;
Source: IPRIP
Source: TCP/IP .
Source: ISATAP Adapter
Source: 6TO4 Adapter
Source: Realtek RTL8139/810x Family Fast Ethernet NIC
Source: 6TO4 Adapter
Source: Teredo Tunneling Pseudo-Interface

The three of us working on this problem for her searched for days, checked so many sites that I cannot tell you now exactly where we found this info, though it is listed on MANY sites;

The problem she and others have to do with IPv6 and the transition technologies needed for it at this time in order to transition between it and IPv4. IPv6 support is provided for in XP with SP1 and SP2, Windows Vista, Windows Server 2008, Windows Server 2003. The problem comes with the fact that in Windows Vista and Windows Server 2008 support an integrated IPv4 and IPv6 implementation known as the Next Generation TCP/IP stack and the very items which showed errors on her machine...Tunneling, ISATAP, 6to4, Teredo seem to come automatically enabled on Vista (as I said I could be wrong) but they do not allow for the fact that people on dial-up, for NOW, do not need these enabled. Her dial-up uses IPv4, as do most of them still today, and her machine was attempting to use this software that it had no use for at this time and so it would freeze, shut down, disconnect. The solution found in multiple places, finally, was to do exactly as was recommended here...disable all this stuff. We had her disable all of the above ALONG with the LAN connection which was enabled by DEFAULT on Vista Machine, or by the tech she had look at and update the machine the first week of Jan this year and then maybe forgot to disable. At any rate had her disable it also.

She sailed along for several days and then again another shut down/restart. This time was another TCP/IP error, but that was the ONLY one.
Did more searching and found multiple posts...somewhere...concerning this error, Vista Dial up AND the Vista Firewall. Recommendations, turn off the Vista Firewall. Go with no firewall for several days and see the results. The reason we found for this is the following;

Almost the entire Vista system is built on the supposition that all users are going to be using high speed internet...many of these settings come on the OS all ready enabled, we have all ready found that out and disabled those which only apply to high speed.

Vista Firewall applies a different security profile depending on the type of set up you work with. For example, selecting home as your location applies the private profile to your firewall settings. It also comes preset with "umpteen" rules all ready set up. Messing with those can be a pain in the backside UNLESS you know what you are doing, frankly I didin't and she certainly didn't. Changing one of those rules incorrectly can make a mess of things, at least from all I have been able to find. One rule I have found noted on many sites while trying to find correct configurations is the fact that the way this outbound setting is set it CAN cause problems with dial up so recommendation was disable. So in addition to the other items to disable we had her turn this off too. Also had her turn off Windows Defender too as had found several posts noting Vista people with dial up having problems with it running in the back ground.

Then had her run combofix, frankly for the heck of it, didn't think it would show much. Didn't really except for remainders of some Norton stuff and had her run Norton removal tool and all of that is gone now.
Had her do all of this on March 19th. Both firewall and defender are turned off still...will comment on that later.
She sailed along pretty good until March 28 when she had one more shutdown/restart. No info whatsoever in event log other than it happened unexpectedly.

Somebody suggested maybe an auto update from MS could have brought much of this on....so we began to look at those which she got just before these shutdowns...all of those were installed by the tech she had look the machine over since she is on dial up and updates took so long, plus this is when she wanted to go from Norton to AVG and asked him to do that and do any updates since he uses a high speed connection....
Anyway, her first shutdown/restart occurred on January 16, 2008.
The day after she brought the computer home...with all that LAN stuff still enabled by either Vista default or the tech and 3 days after he installed the following updates which myself and the other two guys thoroughly researched and comments added are OURS;

KB942615>>>multiple problems noted with this update...difficulty surfing, IE crashes. Uninstalls corrected problems

KB942624>>>for people that work binary and it is how the trace the message packets they send and receive it has to do with working with Servers You DO NOT do this.

KB935509>>>doesn't apply to her version of Vista

KB941644>>>mainly for those on DSL. If she is lucky enough ever to get DSL then she can easily reinstall it.

KB943411>>>thus far not many problems with it but huge numbers had problems even installing it and decided not to do so and are doing fine without it. So there is some sort of problem with it.

KB943078>>>this has to do with the Vista Sidebar. Supposedly makes it more secure.Not needed and remember, Sidebar can be a resource hog for those on dial-up and should be turned off.

We had her uninstall all of the above. Her Vista firewall and Windows Defender background scanning are also turned off (decided to hold off on having her turn these back on mainly because she IS using only one phone line, either on the computer or on the phone but never left in the computer) and thus far she has not had anymore shutdown/restarts. She is viewing graphics without difficulty and generally surfing around, using multiple tabs in IE 7 and having no problems....fingers crossed here.
All her spybot, defender and AVG scans are clean.
Any suggestions? Especially concerning firewall and Windows Defender?
Judy