itsdanky
Cadet
Joined: May 05, 2004 Posts: 4 Location: USA
Posted: Sat May 08, 2004 6:35 pm Post subject: Undocumented Entry in HijackThis
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
Anyone have an idea what this is? Not so much the program but the "F2" category.
Thanks.

helpless
Colonel
Joined: Jan 29, 2004 Posts: 1854
Posted: Sat May 08, 2004 7:16 pm Post subject:
This is what I could find on it at bleepingcomp:
F2 (and F3) entries correspond to the equivalent locations as F0 and F1, but they are instead stored in the registry for Windows versions XP, 2000, and NT. These versions of Windows do not generally use the system.ini and win.ini files. Instead of backwards compatibility they use a function called IniFileMapping. IniFileMapping puts all the contents of an .ini file in the registry, with keys for each line found in the .ini key stored there. Then when you run a program that normally reads its settings from an .ini file, it will first check the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping, for an .ini mapping, and if found will read the settings from there instead. You can see that this key is referring to the registry as it will contain REG and then the .ini file which IniFileMapping is referring to.
Also notice that when it contains a " , " (comma) then it can be a bad thing, and it is for sure when another file is linked to it.
Another entry commonly found in F2 is the UserInit entry, which corresponds to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit which is found in Windows 95 and above. This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your uname. It is possible to add further programs that will launch from this key by separating the programs with a comma. For example: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.
Hope it helps.
 |
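Added example (not part of the thread and not HijackThis code): a Python check that reads F2 UserInit lines from a HijackThis log and lists any program chained after userinit.exe with a comma, as described in the reply above. The expected path, the function names and the sample log are assumptions made for the illustration; a trailing comma with nothing after it, as in the original poster's line, yields no extra entry.

```python
import ntpath

# Assumption: where userinit.exe is expected on the machine the log came from.
EXPECTED = r"c:\windows\system32\userinit.exe"
PREFIX = "F2 - REG:system.ini: UserInit="


def userinit_entries(value):
    """Split a Userinit value on commas, dropping empty items.

    An empty item after a trailing comma is not a program, so it is skipped.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def normalise(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return ntpath.normpath(path).lower()


def check_log(log_text, expected=EXPECTED):
    """Return (line, extra_entries) for every F2 UserInit line that would
    launch anything other than the expected userinit.exe."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.lower().startswith(PREFIX.lower()):
            continue
        value = line[len(PREFIX):]
        extras = [e for e in userinit_entries(value)
                  if normalise(e) != normalise(expected)]
        if extras:
            findings.append((line, extras))
    return findings


# Constructed sample log: the first two lines come from the thread's examples,
# the O4 line is made up to show that other sections are ignored.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for line, extras in check_log(SAMPLE_LOG):
        print("review:", line)
        for extra in extras:
            print("  extra program:", extra)
```

A userinit.exe found at any path other than the expected one is also reported, since it is compared by full path rather than by file name.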

itsdanky
Cadet
Joined: May 05, 2004 Posts: 4 Location: USA
Posted: Sun May 09, 2004 6:46 pm Post subject:
Great information. Thanks a lot! 

lilliebet
General
Premium Member
Joined: Dec 03, 2003 Posts: 7014
Posted: Wed Jun 02, 2004 6:09 pm Post subject:
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
_________________
Lilliebet...another point of view