Currently having a problem with what I assume is some form of timed virus. Windows boots up, and gets to the logon screen. Once I log in, before the login screen goes away, a textless messagebox with a red circle which has an x in the middle pops up. On the bottom there are the options yes and no. Neither of them seem to make a difference. upon clicking either one, the computer proceeds to go to the desktop, but restart before explorer loads (interestingly enough, sometimes it brings you back to the logon screen, where you can repeat the experiance ad infinitum). Loading in safe mode rectifies the problem, but I can't seem to find the startup entries which are causing the problem. I attempted to load up my oldest system restore point (a little over a week ago), and it did not fix the problem. I am currently virus scanning my harddrive but have had no success. my next move will probably be to use msconfig to turn off all of the startup tasks and see whether I can isolate the individual task. any other suggestions/information is welcome.

Virus scan complete. AVG found no viruses, but claimed there were issues with the MBR, as well as a couple files it couldn't read. The message box had been popping up from time to time in the past, but never making the computer restart. I first began noticing it when I downloaded a tool called spider that somone from the forum linked to a while back. Either way it seems to be hidden pretty well. Edit: I attempted to start up in selective startup mode, turning off all the inessentials, but had no luck. Could the issue be that winlogon has been infected?

That sounds familiar, but I can't place it roight now...

Look for C:\WIN.LOG or C:\WIN2.LOG, in safe mode.

I found no such files. I searched all harddrives for win*.log, and all I got were 3 winmgmt.logs and a windowsupdate.log

Win.log is a sign of Sasser...it can do similar things with shutdowns/reboots. I didn't actually think your problem was Sasser, but it was the easiest to eliminate...now I have to think of the other one that I was was trying to remember...

Look for any of the following files...

MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE

closest thing appearing in any of the searches is mspatcha.dll.

That is a legit file...so that now eliminate Blaster.

A Hijack This log may be helpful, but if you can only run in Safe Mode, it may not show anything...

You may just want to go ahead and run Stinger (http://vil.nai.com/vil/stinger/)...a number of the trheats it kills do stuff like your problem. Sasser and Blaster, while both being a couple of years old now are still rather rampant in the wild and can infect an improperly patched/protected system in seconds...

small problem- my computer won't recognise my pendrive in safemode, and my laptop's cd drive has been busted for quite a while. the log isn't very long, and I can easily pick out the stuff that's not a threat. do I need to type it all out, or is there any other way?

Logfile of HijackThis v1.991
Scan Saves at 3:13:59 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running Proscesses:
D:\Windows\System32\smss.exe
D:\Windows\System32\winlogon.exe
D:\Windows\System32\services.exe
D:\Windows\System32\lsass.exe
D:\Windows\Explorer.EXE
D:\Documents and Settings\Stephen\My Documents\Stephen's Diag&Tool disk\Antispyware\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messanger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - D:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: Zboard - D:\WINDOWS\SYSTEM32\Winlognotif.dll

I did my best, forgive me for the typing errors.
Edit: missed the caps on 2 of the letters in the strings of numbers. fixed now.

What do you have disabled by MSConfig?

I started out disabling individual programs, then I decided to do a selective startup and only load the absolute minimum of what I need. It showed no effect, and it did not solve the problem.

ok, linux partition is up, I now have network access and other things available, but for the most part, attempting to diagnose the problem seems to take more time than it would to simply reformat. I'll give it another day, and if the problem isn't solved by then I'm going to reformat again.

At this point, if you have access to the network and have a means of transferring the data that you want to keep...then go ahead and reformat...because I know that you don't have a means of transferring the needed utilities to the Windows install.

ok, I really appreciate the help, even if we didn't get the problem solved.

The problem when windows restarts may be that your PC is set to restart on every system error that happens- now a system error is fairly common and so it is kinda long to have to restart every time this happens. To stop windows from restarting every time there is a system error, right hand click on my computer and bring up the advanced tab. Uncheck where it says restart on system error, and hopefully your PC should stay. This is likely to be the problem as your PC seems to stay on in Safe Mode- hope this helps and that you will read this post (it's kinda old i noticed) lol.

ok, August 7, at approximately 3:00, I restarted my computer and when it loaded up, the same error appeared again. I'm at home now, which means I'm on dialup but I have other computers to operate from. I had just installed that X3D system that makes your computer display 3d images with their glasses. I immediately went back to a system restore point on friday with no success. I then moved back to the earliest restore point my computer still has, on last monday. Over last week I regularly updated and ran my antivirus every day with no errors. what now?

For clarification, the computer is not restarting anymore, it simply attempts to log in, and immediately logs out. Safe mode still works.

ok, more interesting information. I tried loading up in safe mode with networking, and it displayed a similar error message, except this time it was an ok box instead of a yes/no box. Thinking that the issue was in the network drivers, i reinstalled the latest version of my chipset drivers (nforce 4) from my HD successfully. I noticed a strange program being forced to shut down as I was restarting for changes to effect. It was something like "should not see this" that it showed as the task name. Does this bring anything more to light?

No, that does not sound good.

In Safe Mode, can you run Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html)...right click on one of the column headers (the bar with column names) and uncheck everything that can be...that should leave the Process name and PID...then File => Save As...and save it as process.txt. Then copy and paste the text file here...

here it is:

Process PID CPU
System Idle Process 0 100.00
Interrupts n/a
DPCs n/a
System 4
smss.exe 184
csrss.exe 236
winlogon.exe 260
services.exe 308
svchost.exe 472
svchost.exe 516
svchost.exe 560
lsass.exe 320
explorer.exe 792
firefox.exe 1184
procexp.exe 1308

What's procexp.exe?

process explorer, I believe

ok, I reformatted again, used avast instead of AVG, and got some positives. There were prodominantly 3 viruses, some version of trojan-gen, CIH-Monaa, and something like VICE family. Found copies of all of them in each system restore directory, so I think that may have been the problem.

nope, got it functional for a month, now I'm beginning to get the message again, but so far it allows me to log in normally. for all I know the next time I try to restart could be the last time it works, but when it originally showed up, the message appeared every time I logged in for about 2 or 3 weeks before the computer wouldn't log in. I have full access to the internet and everything else for now.