Hi malware fighters,
I spotted this recently in my HJT logfile:
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
I read from the manual that:
F2 and F3 entries correspond to the equivalent locations as F0 and F1,
but they are instead stored in the registry for Windows versions XP, 2000, and NT.
These versions of Windows do not generally use the system.ini and win.ini files.
Instead, for backwards compatibility they use a function called IniFileMapping.
IniFileMapping puts all the contents of an .ini file in the registry,
with keys for each line found in the .ini key stored there.
Then when you run a program that normally reads its settings from an .ini file,
it will first check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping for an .ini mapping,
and if found will read the settings from there instead. You can see that this key is referring to the registry as it will contain REG and then the .ini file which IniFileMapping is referring to.
Oh, and now I assume they can be ‘fixed’ with HJT as the ones I am pointing to do not designate a file.
Am I right on this assumption? Anyone?
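A way to check these entries yourself, as an added example that is not code from the post or from HijackThis: this Python script parses IniFileMapping value strings (the USR:/SYS: hive prefixes and the !, #, @ flags) and reports which win.ini load= and run= values are actually populated in the mapped registry key. The mapping strings and registry contents below are constructed sample data; on a live Windows machine you would read the real keys with winreg instead.

```python
"""Resolve where Windows NT actually stores a win.ini setting via IniFileMapping."""
from dataclasses import dataclass

# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
# (ini file -> section -> entry -> mapping string). Real machines may differ.
SAMPLE_MAPPING = {
    "win.ini": {
        "windows": {
            "load": "USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
            "run": "USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
        },
    },
}

# Constructed snapshot of the mapped registry location ((hive, key) -> {value name: data}).
SAMPLE_REGISTRY = {
    ("HKEY_CURRENT_USER", "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"): {
        "load": "",                                                 # empty, nothing auto-started
        "run": "C:\\Users\\victim\\AppData\\Roaming\\updater.exe",  # constructed suspicious entry
    },
}

@dataclass
class MappingTarget:
    hive: str
    key: str
    write_through: bool   # '!' : writes also go to the .ini file on disk
    set_on_logon: bool    # '#' : registry value is seeded at first logon
    registry_only: bool   # '@' : never fall back to the .ini file if the value is missing

def parse_mapping(value: str) -> MappingTarget:
    flags = {"!": False, "#": False, "@": False}
    while value and value[0] in flags:       # leading flag characters, any order
        flags[value[0]] = True
        value = value[1:]
    if value.startswith("USR:"):             # USR: is relative to HKEY_CURRENT_USER
        hive, key = "HKEY_CURRENT_USER", value[4:]
    elif value.startswith("SYS:"):           # SYS: is relative to HKLM\SOFTWARE
        hive, key = "HKEY_LOCAL_MACHINE", "SOFTWARE\\" + value[4:]
    else:
        raise ValueError(f"unrecognised mapping prefix: {value!r}")
    return MappingTarget(hive, key, flags["!"], flags["#"], flags["@"])

def audit_win_ini(mapping=SAMPLE_MAPPING, registry=SAMPLE_REGISTRY):
    """Return (entry, resolved registry key, data) for every non-empty load=/run= value."""
    findings = []
    for name in ("load", "run"):
        target = parse_mapping(mapping["win.ini"]["windows"][name])
        data = registry.get((target.hive, target.key), {}).get(name)
        if data:                             # an empty string is the benign default
            findings.append((name, f"{target.hive}\\{target.key}", data))
    return findings
```

An empty load= or run= (the case in the HJT log above) resolves to no finding, whereas a populated run= shows up with the exact registry path to inspect.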