config.ini

Discussion in 'SpywareBlaster & Other Forum' started by ranbro, Nov 6, 2003.

Thread Status:
Not open for further replies.
  1. ranbro

    ranbro Registered Member

    Joined:
    Nov 4, 2003
    Posts:
    8
    Location:
    Baltimore, Maryland
    I just recently downloaded & installed "Spyware Guard v. 2.2.0" (already
    installed "Spyware Blaster v.2.6.1"), & am satisfied w/ performance of both
    products, however I am having a nuisance problem connected with Spyware
    Guard on reboot...
    My OS is WinME & I have 3 profiles set up...
    I installed both above programs on my "main identity", then provided
    shortcuts on the other profiles.
    The programs work on all profiles, however, when I log off or reboot to
    profile #2 (only) I get a notepad display of config.ini
    when it comes up.
    I have repeatedly used "msconfig" to take it out of startup, & windows
    explorer to delete it from the startup folder on all
    profiles with no success.
    I did a "search for" & found it is a file in "Spyware Guard"...
    Soooo.... is this a file I can safely delete from the "Spyware Guard"
    folder, or is this something that is necessary to run for the program, & if
    so, is there a way to disable the display on reboot or logon in WinMe?
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Config.ini shouldn't be deleted - it stores various SpywareGuard settings. (Plus it will be recreated if it is deleted.)

    I'm not sure why it seems to be opening on startup. Is your path to Notepad.exe normal? I'll look into this further.

    Best regards,

    -Javacool
     
  3. ranbro

    javacool,
    Thanks for your help,
    I understand about not being deleted...
    I expected that.
    The path displayed on my identity profile is:

    C:\WINDOWS\NOTEPAD.EXE

    Looks ok to me.

    Waiting for any info. you can throw my way,
    Ranbro
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi ranbro,

    I would like to see how that startup entry looks.
    Could you post your HijackThis log?
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  5. ranbro

    Pieter,
    Many thanks for taking the time to get involved in my problem.
    However, I have just had something come up in my personal life that demands my attention right now that I need to attend to.
    I'm replying to let you know I read your reply & will follow through on your suggestion, but it may take me a few days to devote the time to do it.
    As soon as I can complete your instructions I will post the results.
    Thanks again,
    ranbro
     
  6. ranbro

    Hi, to Pieter
    Did what you said, but felt uncomfortable with taking up a lot of posting space with a long log file, so rather than copy & paste, I included the file as an attachment.
    I looked it over & saw 2 entries for "config.ini" connected w/startup. If you look at my original post, you'll see I attempted to remove it from startup by using msconfig & selective startup, & also removing it from my startup folder in my start menu. However, it keeps reinstalling itself. And, only does this on MY profile side, not the other two. Help me get out of the Twilight Zone!
    PS. Have not taken any action yet, am waiting for your reply. BTW, I like the Hijack app., looks like a good tool.
     

  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    ranbro,

    Are you sure that's your latest HijackThis log? This is the header from the attachment:

    That doesn't look right. Can you just paste the text in a post here. That's what almost everyone does (and we've had hundreds of these logs posted here, so don't worry about the size).
     
  8. ranbro

    Latest one, comin' to ya.

    Logfile of HijackThis v1.97.6
    Scan saved at 11:44:00 PM, on 11/12/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET V SERIES\BIN\HPOANT07.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\PROFILES\RANDY\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\PROFILES\RANDY\START MENU\PROGRAMS\STARTUP\POW.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~2\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [CookieWall] C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: sgbhp.exe
    O4 - Startup: config.ini
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: pow.exe
    O4 - User Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - User Startup: sgbhp.exe
    O4 - User Startup: config.ini
    O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - User Startup: pow.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security1.norton.com/ssc/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
     
  9. Pieter_Arntz

    Hi ranbro,

    Have HijackThis Fix these entries:
    O4 - Startup: config.ini
    O4 - User Startup: sgbhp.exe <= Note: only the User Startup
    O4 - User Startup: config.ini

    Then reboot. Does that solve it?

    Regards,

    Pieter
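
An added example, not part of the original thread and not HijackThis code: a small Python parser for the O4 startup-folder lines of a log like the one in post 8. It lists items that sit directly in a Startup folder instead of being shortcuts, which is how config.ini (a data file the shell opens with its associated program, Notepad) and the stray sgbhp.exe copy stand out. The sample lines are copied from that log; the function name and the review rule are assumptions of this example.

```python
import os
import re

# O4 lines copied from the HijackThis log in post 8 (subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: sgbhp.exe
O4 - Startup: config.ini
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: sgbhp.exe
O4 - User Startup: config.ini
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
"""

# Only the startup-folder flavours of O4; registry Run keys are out of scope.
FOLDER_RE = re.compile(r"^O4 - (Startup|User Startup|Global Startup): (.+)$")
# Assumed list of extensions treated as programs for this example.
PROGRAM_EXTS = {".exe", ".com", ".bat", ".pif", ".scr"}


def review_startup_folders(log_text):
    """Return (folder, name, kind) for startup-folder items that are not shortcuts."""
    findings = []
    for line in log_text.splitlines():
        match = FOLDER_RE.match(line.strip())
        if not match:
            continue
        folder, item = match.groups()
        # Shortcuts are logged as "name.lnk = target"; plain files have no target.
        name, _, _target = item.partition(" = ")
        ext = os.path.splitext(name)[1].lower()
        if ext == ".lnk":
            continue  # normal case: a shortcut pointing at the installed program
        kind = "program file" if ext in PROGRAM_EXTS else "data file"
        findings.append((folder, name, kind))
    return findings


if __name__ == "__main__":
    for folder, name, kind in review_startup_folders(SAMPLE_LOG):
        print(f"{folder}: {name} ({kind}) sits in the folder itself, review it")
```

The output is a list of candidates to review, not a list of things to delete: in the thread only the User Startup copy of sgbhp.exe was removed along with both config.ini entries.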
     
  10. ranbro

    :D
    Success!!!
    Pieter, You da Man!!!
    I got it fixed, but not without difficulty...
    1. Used the "Hijack This" to "fix" the entries you specified
    2. Got an error message in re. to "User Startup: sgbhp.exe" -- "unable to delete file may be in use"
    3. Rebooted to my profile & the entries for "config.ini" were deleted, but not sgbhp.exe...
    4. When I logged off & logged back on, the "config.ini" display repeated.
    5. Attempted to use msconfig & windows explorer to delete the identified problem file, "sgbhp.exe", on my profile side w/no success.
    6. Then followed the suggestion of "Hijack This" to use a process killer like "ProcView", used "Google" to find the right download...
    7. Used it to "kill" the specified file, THEN ran "Hijack This" to delete, & Bingo, Bongo, it worked!!!!
    8. I repeatedly logged off/logged on & rebooted after this to confirm, & at this point in time, it still works.
    9. Many thanks for pointing me in the right direction.
    Ranbro
     
  11. Pieter_Arntz

    Hi ranbro,

    Glad I could help. :)

    One thing I am not sure about after reading your solution: is SpywareGuard still starting up properly?

    Regards,

    Pieter
     
  12. ranbro

    Hi, Pieter,
    Answer is yes, it is still loading in my system tray, & APPEARS to be functioning normally.
    Is there something I should be looking for (behind the scenes [so to speak]) to confirm that everything is as it should be?
    Randy
    PS. By now I hope you realize I'm a tweaker & twiddler & I'll let you know I cut my computer teeth on DOS & Win 3.11 (self-taught) & if I have the correct command, I can fix anything.
    The challenge is in finding the correct command. Sooo,
    if there is something I need to look for under the carpet, don't hesitate to tell me, I'm used to the grunge, & I know how to protect myself.
    PPS. I also respect those who have gone before me, & take their advice.
     
  13. Pieter_Arntz

    Hi ranbro,

    Testing if SpywareGuard is working properly is easy.
    Right-click the icon in the systray and see if the three components are checkmarked in green.

    Then in IE > Tools > Internet Options > General tab
    change your homepage. As soon as you click OK after that SpywareGuard should jump up and ask if you want to keep the new value or restore the old one.

    Regards,

    Pieter
     
  14. ranbro

    Hi, Pieter,
    Been there, done that...
    My home page is set to MSN, used Google to change, & got the alert.
    I'm feeling lucky!! :D
    No worries, mate.
    Just used "Hijack This" to kill another nuisance display --
    POW.dat
    I think I may insert a line at the bottom of any further posts by me...
    Control is everything
    Back when I had Win3.11, I changed my "C>" to read:
    "Yes, Master, what is thy command?"
    My daughter, who is an NT qualified technician, says I am her worst nightmare, because when I screw it up, I REALLY screw it up. Then I call her for help. She doesn't answer my calls anymore.
    However, I have managed to pull my system out of the fire when everyone has told me to just dump it & start over. It's all in knowing which commands to execute.
    Many thanks once again,
    ranbro
     