# startup errors



## sewer_breath (Apr 22, 2003)

hello, looked through the search and found similar but mine is a little different. when i start my computer i ALWAYS get the "windows has encountered an error accessing the system registry, windows will restart and repair the registry for you", click yes or no. ok, i click yes and then it restarts and loads until i get a grey and black box error (sorry i forget what it says) and i have to hit "enter" to restart my computer again! i read about the control, alt, delete thing and all that is running is what is supposed to be there (i looked it up) and msconfig is ok except for "HOLDDR.32" LOCATED IN C:/WINDOWS/SYSTEM/HOLDDR.32. THAT IS THERE 3 TIMES. my computer once started runs ok and i think is fast enough, so any ideas? thanks


----------



## Jeerajat (Sep 5, 2002)

ok start up in safe mode and run scandisk fully and let it fix any errors then reboot and it should be ok
http://www.microsoft.com/windows98/usingwindows/maintaining/tips/beginner/scandisk.asp


----------



## sewer_breath (Apr 22, 2003)

tks jeerajat, do that weekly and always the same error at startup! anything else?


----------



## Jeerajat (Sep 5, 2002)

have a look here http://www.windows-help.net/windows98/start-145.shtml


----------



## sewer_breath (Apr 22, 2003)

do you mean to try one of these ?

filename= Scans the registry file specified and displays a message indicating whether or not any errors were found. This switch does not back up the registry 

/fix = Repairs any damaged portions of the registry, and optimizes it by rebuilding it without unused space. 

scanonly = Scans the registry and displays a message if any errors are found. This switch does not back up the registry.


----------



## TonyKlein (Aug 26, 2001)

Would you please do this for us?

Go to http://www.spywareinfo.com/downloads.php#det, and download 'Hijack This!'.

Unzip it, launch Hijack This, then press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

This will generate a text file that will list all running processes, _all_ applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post its contents here.


----------



## sewer_breath (Apr 22, 2003)

and we're off to the races:

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\NEW FOLDER\NORTON CLEANSWEEP\CSINJECT.EXE
D:\NEW FOLDER\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\FREE SURFER\FS20.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
D:\CRAZY BROWSER\CRAZY BROWSER.EXE
D:\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Mirabilis ICQ = C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
freesurfer = D:\FREE SURFER\fs20.exe
Run StartupMonitor = StartupMonitor.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NPROTECT = D:\New Folder\Norton Utilities\NPROTECT.EXE
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
CSINJECT.EXE = D:\New Folder\Norton CleanSweep\CSINJECT.EXE
NPROTECT = D:\New Folder\Norton Utilities\NPROTECT.EXE
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TClockEx = D:\TCLOCKEX\TCLOCKEX.EXE
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[KeyMaestro]
RepeatFlag = 
PowerEnable = 

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 22/4/2003, 15:9:40)

[Rename]
NUL=C:\WINDOWS\WIN386.SWP
C:\PROGRA~1\WINDOW~1\INSTAL~1\MPSETUP.EXE=C:\PROGRA~1\WINDOW~1\INSTAL~1\SETB1.TMP
C:\PROGRA~1\WINDOW~1\INSTAL~1\MPSETUP.EXE=C:\PROGRA~1\WINDOW~1\INSTAL~1\SETB0.TMP
C:\WINDOWS\system.bak=C:\WINDOWS\system.dat
C:\WINDOWS\user.bak=C:\WINDOWS\user.dat
C:\WINDOWS\system.dat=C:\WINDOWS\system.pak
C:\WINDOWS\user.dat=C:\WINDOWS\user.pak

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
SET Path=%Path%;"D:\New Folder\Norton Ghost\"

--------------------------------------------------

Enumerating Browser Helper Objects:

Activater - (no file) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
(no name) - (no file) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F}
(no name) - D:\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - D:\New Folder\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SnoopyCtrl Class]
InProcServer32 = C:\PROGRAM FILES\EACOM\UPDATE\NPSNPY.DLL
CODEBASE = http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/12cf054460d88f2ab123/netzip/RdxIE.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[ForumChat]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://objects.compuserve.com/chat/RTCChat.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.3313425926

[{78960E0E-0B0C-11D4-8997-00104BD12D94}]
CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,480 bytes
Report generated in 0.307 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------






## TonyKlein (Aug 26, 2001)

Well, it's a worm or trojan for sure.

It has placed Startup entries all over your computer.

If you have a look in Msconfig > Startup you should see 4, not 3 instances of it, and they all need to be unchecked.

Next, click OK, close Msconfig, and reboot.

Now find that `C:\WINDOWS\SYSTEM\HOLDDIR32.EXE` file, and temporarily rename it to `HOLDDIR32.BAK`.

I'd very much like to receive a copy of that file, so would you zip it up, and send it to me as an attachment, please?

I'll PM you with my e-mail addie.

After sending me the file, feel free to nuke it off your system.

TIA!


----------



## TonyKlein (Aug 26, 2001)

Woops, I can't send you a Private Message, as you appear to have disabled that option.  

Would you consider enabling it for a moment, so that I can contact you?


----------



## sewer_breath (Apr 22, 2003)

ok, sorry tonyklein, i was called out for the evening and am just getting bach, get it BACH...... now i did the msconfig and found only 3 entries, unchecked and re-booted, and started with no errors for now... i opened the option you mentioned for the message but looked high and low for the HOLDDIR32 and then the "find files and folders" but it is not listed anywhere?

it is now 11:45 pm my time, so i'll look for a reply in the morning........ thanks for all the help...


----------



## TonyKlein (Aug 26, 2001)

I re-checked your log, and the file isn't seen to be running, so you may only have had some orphaned startup entries.

It's entirely possible the file itself was removed previously by an antivirus.
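
The check behind the two observations above (one program registered under several autorun keys, yet missing from the running-process list), as an added example that is not part of the original posts. The function names and the trimmed sample log are constructed for illustration; only the section layout follows the log posted in the thread.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: trimmed excerpt in the StartupList layout posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\NEW FOLDER\NORTON UTILITIES\NPROTECT.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
NPROTECT = D:\New Folder\Norton Utilities\NPROTECT.EXE
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
NPROTECT = D:\New Folder\Norton Utilities\NPROTECT.EXE
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HOLDDIR32 = C:\WINDOWS\SYSTEM\HOLDDIR32.EXE
"""

def image_name(command):
    """Lower-cased executable file name taken from an autorun command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces, so cut after the first ".exe"
        end = cmd.lower().find(".exe")
        path = cmd[:end + 4] if end != -1 else (cmd.split() or [""])[0]
    return ntpath.basename(path).lower()

def triage(log):
    """Map image -> autorun keys and running state, for images in 2+ keys."""
    running, keys_by_image = set(), defaultdict(list)
    for section in re.split(r"(?m)^-{10,}[ \t]*$", log):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if not lines:
            continue
        if lines[0].startswith("Running processes"):
            running = {ntpath.basename(p).lower() for p in lines[1:]}
        elif lines[0].startswith("Autorun entries from Registry") and len(lines) > 1:
            for entry in lines[2:]:  # lines[1] is the registry key path
                _, sep, command = entry.partition(" = ")
                if sep:
                    keys_by_image[image_name(command)].append(lines[1])
    return {image: {"keys": keys, "running": image in running}
            for image, keys in keys_by_image.items() if len(keys) >= 2}

if __name__ == "__main__":
    for image, info in triage(SAMPLE_LOG).items():
        print(image, len(info["keys"]), "keys, running:", info["running"])
```

An image listed under several keys but not running matches the orphaned-entry case; whether the file still exists on disk has to be checked separately.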


----------



## sewer_breath (Apr 22, 2003)

ok ,now what do you think ?


----------



## Jeerajat (Sep 5, 2002)

ok when did u install norton utilities etc...?


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by sewer_breath:_
> *ok ,now what do you think ? *


I think your problem doesn't have anything to do with that virus.

Go to Start > Shutdown, and choose 'Restart the computer in MS-DOS'

At the blinking cursor, type the following commands successively, hitting 'enter' after EACH line:

```
cd\
cd windows\command
scanreg /fix
```

The Scanreg tool will now proceed to rebuild your registry, which can take some time.

When it has finished, type *exit* or *win*, followed by hitting 'enter' to return to Windows.
Ctrl-alt-delete will work as well.

You will have refreshed, compacted and repaired your Registry, and this sometimes fixes this type of error.

Occasionally, this behavior also occurs if the disk that contains the Windows swap file does not have sufficient free disk space.

If it _keeps on_ happening, it may be defective RAM modules that are causing this.
In that case, try checking them with DocMemory or a similar app.

And take a look at these articles:

Err Msg: Windows Encountered an Error Accessing the System Registry

Registry Checker Continues to Detect Registry Damage

You have restored a good registry. Windows found an error in your system files and restored a recent backup of the files to fix the problem

Good luck,


----------



## sewer_breath (Apr 22, 2003)

jeerajat, i installed it about 2 months ago as part of norton anti-virus 2003, and this was the first time i ran the utilities part of the program......... the registry rebuild, will it matter on a partitioned drive (c, d, e) or alter anything on my system? thank you both


----------



## Jeerajat (Sep 5, 2002)

Ok, well do what tony has said and see what happens. well, i thought it was summat to do with norton utilities tho


----------



## sewer_breath (Apr 22, 2003)

jeerajat and tonyklein, everything seems to be working ok. i didn't do the registry thing yet as it's ok for now with no startup errors. maybe if it works don't fix it. i copied the registry fix instructions for later if needed.

thank you both for your help


----------



## TonyKlein (Aug 26, 2001)

Glad to hear you're up and running again.

However, it's quite OK and even beneficial to do a Scanreg /fix every now and then.

I do it about once a month, as part of regular maintenance.


----------

