config.ini

I just recently downloaded & installed "Spyware Guard v. 2.2.0" (already
installed "Spyware Blaster v.2.6.1"), & am satisfied w/ performance of both
products, however I am having a nuisance problem connected with Spyware
Guard on reboot...
My OS is WinME & I have 3 profiles set up...
I installed both above programs on my "main identity", then provided
shortcuts on the other profiles.
The programs work on all profiles, however, when I log off or reboot to
profile #2 (only) I get a notepad display of config.ini
when it comes up.
I have repeatedly used "msconfig" to take it out of startup, & windows
explorer to delete it from the startup folder on all
profiles with no success.
I did a "search for" & found it is a file in "Spyware Guard"...
Soooo.... is this a file I can safely delete from the "Spyware Guard"
folder, or is this something that is necessary to run for the program, & if
so, is there a way to disable the display on reboot or logon in WinMe?

 

Config.ini shouldn't be deleted - it stores various SpywareGuard settings. (Plus it will be recreated if it is deleted.)

I'm not sure why it seems to be opening on startup. Is your path to Notepad.exe normal? I'll look into this further.

Best regards,

-Javacool

 

javacool,
Thanks for your help,
I understand about not being deleted...
I expected that.
The path displayed on my identity profile is:

C:\WINDOWS\NOTEPAD.EXE

Looks ok to me.

Waiting for any info. you can throw my way,
Ranbro

 

Hi ranbro,

I would like to see how that startup entry looks.
Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Pieter,
Many thanks for taking the time to get involved in my problem.
However, I have just had something come up in my personal life that demands my attention right now that I need to attend to.
I'm replying to let you know I read your reply & will follow through on your suggestion, but it may take me a few days to devote the time to do it.
As soon as I can complete your instructions I will post the results.
Thanks again,
ranbro

 

Hi, to Pieter
Did what you said, but felt uncomfortable with taking up a lot of posting space with a long log file, so rather than copy & paste, I included the file as an attachment.
I looked it over & saw 2 entries for "config.ini" connected w/startup. If you look at my original post, you'll see I attempted to remove it from startup by using msconfig & selective startup, & also removing it from my startup folder in my start menu. However, it keeps reinstalling itself. And, only does this on MY profile side, not the other two. Help me get out of the Twilight Zone!
PS. Have not taken any action yet, am waiting for your reply. BTW, I like the Hijack app., looks like a good tool.

 

Latest one, comin' to ya.

Logfile of HijackThis v1.97.6
Scan saved at 11:44:00 PM, on 11/12/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET V SERIES\BIN\HPOANT07.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\WINDOWS\PROFILES\RANDY\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\PROFILES\RANDY\START MENU\PROGRAMS\STARTUP\POW.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~2\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: sgbhp.exe
O4 - Startup: config.ini
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: pow.exe
O4 - User Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - User Startup: sgbhp.exe
O4 - User Startup: config.ini
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: pow.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security1.norton.com/ssc/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

 

Hi ranbro,

Have HijackThis Fix these entries:
O4 - Startup: config.ini
O4 - User Startup: sgbhp.exe <= Note: only the User Startup
O4 - User Startup: config.ini

Then reboot. Does that solve it?

Regards,

Pieter

 

Success!!!
Pieter, You da Man!!!
I got it fixed, but not without difficulty...
1. Used the "Hijack This" to "fix" the entries you specified
2. Got an error message in re. to "User Startup: sgbhp.exe" -- "unable to delete file may be in use"
3. Rebooted to my profile & the entries for "config.ini" were deleted, but not sgbhp.exe...
4. When I logged off & logged back on, the "config.ini"
display repeated.
5. Attempted to use msconfig & windows explorer to delete the identified problem file, "sgbhp.exe", on my profile side w/no success.
6. Then followed the suggestion of "Hijack This" to use a process killer like "ProcView", used "Google" to find the right download...
7. Used it to "kill" the specified file, THEN ran "Hijack This" to delete, & Bingo, Bongo, it worked!!!!
8. I repeatedly logged off/logged on & rebooted after this to confirm, & at this point in time, it still works.
9. Many thanks for pointing me in the right direction.
Ranbro

 

Hi ranbro,

Glad I could help.

One thing I am not sure about after reading your solution: is SpywareGuard still starting up properly?

Regards,

Pieter

 

Hi, Pieter,
Answer is yes, it is still loading in my system tray, & APPEARS to be functioning normally.
Is there something I should be looking for (behind the scenes [so to speak]) to confirm that everything is as it should be?
Randy
PS. By now I hope you realize I'm a tweaker & twiddler & I'll let you know I cut my computer teeth on DOS & Win 3.11 (self-taught) & if I have the correct command, I can fix anything.
The challenge is in finding the correct command. Sooo,
if there is something I need to look for under the carpet, don't hesitate to tell me, I'm used to the grunge, & I know how to protect myself.
PPS. I also respect those who have gone before me, & take their advice.

 

Hi ranbro,

Testing if SpywareGuard is working properly is easy.
Rightclick the icon in the systray and see if the three components are checkmarked in green.

Then in IE > Tools > Internet Options > General tab
change your homepage. As soon as you click OK after that SpywareGuard should jump up and ask if you want to keep the new value or restore the old one.

Regards,

Pieter

 

Hi, Pieter,
Been there, done that...
My home page is set to MSN, used Google to change, & got the alert.
I'm feeling lucky!!
No worries, mate.
Just used "Hijack This" to kill another nuisance display --
POW.dat
I think I may insert a line at the bottom of any further posts by me...
Control is everything
Back when I had Win3.11, I changed my "C>" to read:
"Yes, Master, what is thy command?"
My daughter, whom is an NT qualified technician, says I am her worst nightmare, because when I screw it up, I
REALLY screw it up. Then I call her for help. She doesn't answer my calls anymore.
However, I have managed to pull my system out of the fire when everyone has told me to just dump it & start over. It's all in knowing which commands to execute.
Many thanks once again,
ranbro