Computer keeps restarting!

You have a variant of the W32/SDBot worm, as evidenced by the "lockx.exe" file mentioned in your HJT log. Please do the following:

1. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally

2. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

3. Run HijackThis again and post the new log.

I appreciate the rapid response and time spent answering my question and finding me a solution to this problem.

Preparation:
Downloaded LQfix.zip (while in Safe mode with networking), extracted, shut down, pulled internet cable, turned on and boot into safe mode without networking.

Removal:
Removed all of the entries, boot into safe mode, removed all files found from start menu search, boot into normal mode, and ran Trend Micro Housecall - COmplete Scan using IE.
*****************************************************************
Virus Scan 0 virus cleaned, 3 viruses deleted

Results:
We have detected 3 infected file(s) with 3 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 3 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ID29SNI7\director_install[1].exe TROJ_DLOADER.ZT Deletion successful
C:\Program Files\Common Files\InetGet\mc-62-602-0000156.exe TROJ_DLOADER.ZT Deletion successful
C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe TROJ_DLOADER.ZT Deletion successful
*****************************************************************
Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
*****************************************************************

Spyware Check 2 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 3 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 1 spyware(s) passed, 0 spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
HKTL_ENTRY.27 Hacking Tool Removal successful
COOKIE_3237 Cookie Pass
SPYW_FPTLBAR.100 Spyware Removal successful
****************************************************************
Microsoft Vulnerability Check 6 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 6 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004
Critical This remote code execution vulnerability exists in the processing of PNG image formats. An attacker who successfully exploits this vulnerability could take complete control of an affected system. MS05-009
Important A remote code execution vulnerability exists in Message Queuing that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. MS05-017
Critical This security bulletin resolves the following vulnerabilities affecting Internet Explorer.; The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.; The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content. MS05-025
Important A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news. MS05-030
Critical This security bulletin resolves the following vulnerabilities found in Internet Explorer: (1) JPEG Image Rendering Memory Corruption vulnerability, which allows remote code execution when exploited by a remote malicious user, (2) Web Folder Behaviors Cross-Domain vulnerability, allows information disclosure or remote code execution on an affected system, and (3) COM Object Instantiation Memory Corruption vulnerability, which exists in the way Internet Explorer lists the instances of COM Objects that are not intended to be used in Internet Explorer. MS05-038

***************************************************************
Results (in the following order: Trend Micro House Call, Hijack This log, description)

We have detected 6 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004
Critical This remote code execution vulnerability exists in the processing of PNG image formats. An attacker who successfully exploits this vulnerability could take complete control of an affected system. MS05-009
Important A remote code execution vulnerability exists in Message Queuing that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. MS05-017
Critical This security bulletin resolves the following vulnerabilities affecting Internet Explorer.; The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.; The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content. MS05-025
Important A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news. MS05-030
Critical This security bulletin resolves the following vulnerabilities found in Internet Explorer: (1) JPEG Image Rendering Memory Corruption vulnerability, which allows remote code execution when exploited by a remote malicious user, (2) Web Folder Behaviors Cross-Domain vulnerability, allows information disclosure or remote code execution on an affected system, and (3) COM Object Instantiation Memory Corruption vulnerability, which exists in the way Internet Explorer lists the instances of COM Objects that are not intended to be used in Internet Explorer.
***************************************************************
HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:45:05 AM, on 10/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\GAMESetc\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\GAMESetc\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\GAMESETC\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\GAMESetc\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Computer Maintenance Programs\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPZinw12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\GAMESETC\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\GAMESetc\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Computer Maintenance Programs\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-62-602-0000156.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm957YYUS
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward &Links - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - <a href="res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000" target="_blank">res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000</a>
O8 - Extra context menu item: Si&milar Pages - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - <a href="res://C:\Program" target="_blank">res://C:\Program</a> Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\GAMESetc\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
***************************************************************
DESCRIPTION OF STATUS QUO

My computer has stopped it's annoying habit of displaying the "Windows has had a critical error and must shut down now" window, so I can actually use it in normal mode. There are pop-ups still but otherwise the computer is functional. Thanks a lot for all your help. I tried to format the text so that it would be easier to read.

Please print out these instructions, as you will have to disconnect from the Internet for some of the following cleaning procedure.

1. Run HijackThis again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-62-602-0000156.exe

2. Reboot into Safe mode again.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate the following files and delete them if found :

C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
C:\Program Files\Common Files\mc-62-602-0000156.exe
C:\WINDOWS\System32\lockx.exe
C:\WINDOWS\System32\msdirectx.sys
C:\xz.bat

- Locate and delete the following folder entirely:

C:\Program Files\DNS

- Empty your Recycle Bin and reboot normally.

3. Run HJT again and post the new log.