itsdanky
Cadet
Joined: May 05, 2004
Posts: 4
Location: USA
Posted: Sat May 08, 2004 2:35 pm Post subject: Undocumented Entry in HijackThis
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
Anyone have an idea what this is? Not so much the program but the "F2" category.
Thanks.
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
Posted: Sat May 08, 2004 3:16 pm Post subject:
This is what I could find on it at BleepingComputer:
F2 (and F3) entries correspond to the equivalent locations as F0 and F1, but they are instead stored in the registry for Windows versions XP, 2000, and NT. These versions of Windows do not generally use the system.ini and win.ini files. For backwards compatibility they use a function called IniFileMapping. IniFileMapping puts all the contents of an .ini file in the registry, with keys for each line found in the .ini file stored there. Then when you run a program that normally reads its settings from an .ini file, it will first check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping for an .ini mapping, and if found will read the settings from there instead. You can see that this key is referring to the registry as it will contain REG: and then the .ini file which IniFileMapping is referring to.
Also notice that when it contains a "," (comma) it can be a bad thing, and it is for sure when another file is linked to it.
Another entry commonly found in F2 is the UserInit entry, which corresponds to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which is found in Windows 95 and above. This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. For example: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you log in, and it is a common place for trojans, hijackers, and spyware to launch from.
Hope it helps.
_________________
Learning everyday something new.
-----------------------------------------
There are always 2 correct answers, the "Microsoft correct answer" and "answers that work"
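As an added example (not part of this thread, and not code from HijackThis), here is a small Python parser that takes an F2 UserInit line in the form posted above, splits the value on commas as the reply describes, and reports anything other than the stock userinit.exe under the system32 directory. The sample log lines are constructed; the second one reuses the hypothetical c:\windows\badprogram.exe from the reply. It works on log text only and does not read the live registry.

```python
"""Parse HijackThis F2 UserInit entries and flag non-stock programs.

Added example, not from the thread or from HijackThis. It works on log text
only; it does not read the live registry.
"""
import re

# One F2 line of the form shown in the thread:
#   F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2_USERINIT_RE = re.compile(
    r"^F2\s*-\s*REG:system\.ini:\s*UserInit=(?P<value>.*)$", re.IGNORECASE
)

# The stock Userinit program lives in <drive>:\WINDOWS\system32 (XP) or
# <drive>:\WINNT\system32 (NT 4 / 2000). Anything else is reported.
STOCK_USERINIT_RE = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\userinit\.exe$"
)


def split_userinit(value):
    """Split a Userinit value into its comma-separated program entries.

    Empty entries are dropped, so the trailing comma of the stock value
    ("...\\userinit.exe,") does not by itself produce a finding.
    """
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries


def is_stock_userinit(entry):
    """True only for a full path to userinit.exe under the system32 directory.

    A bare "userinit.exe" with no directory is deliberately NOT accepted:
    it would be resolved through the search path, which is worth a look.
    """
    normalised = entry.strip().lower().replace("/", "\\")
    return STOCK_USERINIT_RE.match(normalised) is not None


def extra_userinit_programs(value):
    """Return every entry in the Userinit value other than the stock one."""
    return [e for e in split_userinit(value) if not is_stock_userinit(e)]


def check_f2_line(line):
    """Classify one HijackThis log line.

    Returns (is_userinit_entry, extras): extras is the list of additional
    programs that would be launched at logon, empty when the value is clean.
    Lines that are not an F2 UserInit entry return (False, []).
    """
    match = F2_USERINIT_RE.match(line.strip())
    if not match:
        return (False, [])
    return (True, extra_userinit_programs(match.group("value")))


# Constructed sample log lines (not from a real machine). The second reuses
# the hypothetical c:\windows\badprogram.exe from the reply above.
SAMPLE_F2_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\badprogram.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,",
    r"F2 - REG:system.ini: UserInit=userinit.exe,",
]

if __name__ == "__main__":
    for line in SAMPLE_F2_LINES:
        is_userinit, extras = check_f2_line(line)
        verdict = "CLEAN" if not extras else "CHECK " + ", ".join(extras)
        print(f"{verdict:50} {line}")
```

Note that the stock value in the log line at the top of this thread already ends with a comma; the parser discards the empty entry that comma produces, so only an actual second program (or a userinit.exe that is not a full system32 path) is reported.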
itsdanky
Cadet
Joined: May 05, 2004
Posts: 4
Location: USA
Posted: Sun May 09, 2004 2:46 pm Post subject:
Great information. Thanks a lot!
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2218
Location: UK
Posted: Wed Jun 02, 2004 2:09 pm Post subject:
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
_________________
I'm Spartacus!
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops