
F0, F1, F2, F3 Sections

These sections cover programs that are loaded from your .ini files, system.ini and win.ini, on Windows ME and below, or from their equivalent places in the registry on Windows NT based versions (2000, XP, 2003 and Vista). An F0 entry corresponds to the Shell= statement under the [Boot] section of the system.ini file. The Shell= statement designates which program acts as the shell for the operating system.
Example Listing:

F0 - system.ini: Shell=Explorer.exe badprogram.exe

Files Used:

c:\windows\system.ini

The shell is the program that loads your desktop, handles window management and lets the user interact with the system. The first program named on the Shell= line is loaded when Windows starts and acts as the default shell. Some programs were valid shell replacements, but they are generally no longer used. Windows 95, 98 and ME all used Explorer.exe as their shell by default; Windows 3.x used Progman.exe. It is also possible to list additional programs on the same Shell= line, such as Shell=explorer.exe badprogram.exe. Every program on that line starts when Windows loads, which is what makes the line attractive to malware. An F1 entry corresponds to the Run= or Load= entry in the win.ini file. Like system.ini, win.ini is typically only used on Windows ME and below.
Example Listing:

F1 - win.ini: load=bad.pif
F1 - win.ini: run=evil.pif

Files Used:

c:\windows\win.ini

Any programs listed after run= or load= are loaded when Windows starts. The run= statement dates from the Windows 3.1, 95 and 98 years and is kept for backwards compatibility with older programs. Most modern programs do not use this .ini setting, so if you do not run older programs you can rightfully be suspicious of anything found here. The load= statement was used to load drivers for your hardware. On Windows NT based systems (Windows 2000, XP, etc.) HijackThis will show entries found in win.ini and system.ini, but those systems will not execute the files listed there.

F2 and F3 entries correspond to the same locations as F0 and F1, but stored in the registry on Windows NT, 2000 and XP. These versions of Windows do not use the system.ini and win.ini files themselves. Instead, for backwards compatibility, they use a mechanism called IniFileMapping. The key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping maps .ini files and their sections to locations in the registry. When a program reads its settings through the .ini file functions, Windows first checks this key for a mapping and, if one is found, reads the settings from the mapped registry location instead of from a file. You can see in the examples below that these entries refer to the registry: they contain REG followed by the name of the .ini file that IniFileMapping is standing in for.

F2 entries are displayed when there is a value that is not whitelisted, or considered safe, in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon under the values Shell and Userinit.

Example Listings:

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
F2 - REG:system.ini: Shell=explorer.exe beta.exe

Registry Keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The Shell registry value performs the same function as Shell= in system.ini, as described above. The Userinit value specifies which program is launched right after a user logs into Windows. The default for this value is C:\windows\system32\userinit.exe. Userinit.exe restores your profile, fonts, colors and so on for your username. Further programs can be launched from this value by separating them with commas, for example:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe,c:\windows\badprogram.exe

This makes both programs launch when you log in, which is why it is a common place for trojans, hijackers and spyware to launch from. Note that HijackThis only shows the Userinit and Shell F2 entries when a non-whitelisted value is present.

F3 entries are displayed when there is a value that is not whitelisted in the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows under the values load and run. These entries are the Windows NT equivalent of the F1 entries described above.
Example Listings:

F3 - REG:win.ini: load=chocolate.exe
F3 - REG:win.ini: run=beer.exe

Registry Keys:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

For F0, if you see a statement like Shell=Explorer.exe something.exe, you can generally delete it, but first look up something.exe on Google and the sites listed below. For F1 entries, Google the programs found here to determine whether they are legitimate; you can also search the sites below to see what each one does.

For F2, if you see UserInit=userinit.exe, with or without nddeagnt.exe as in the example above, leave that entry alone. UserInit=userinit.exe with no comma after it is also fine. If any other program appears alongside userinit.exe, it could be a trojan or other malware. The same goes for F2 Shell=: explorer.exe by itself is fine; if anything else is listed, as in the example above, it could be a trojan or other malware. You can generally delete these entries, but consult Google and the sites listed below first.

Be aware that when HijackThis fixes these entries it does not delete the file associated with them. You must delete those files manually.

Sites to use for research on these entries:
Bleeping Computer Startup Database
Answers that work
Greatis Startup Application Database
Pacman's Startup Programs List
Pacman's Startup Lists for Offline Reading
Kephyr File Database
Wintasks Process Library
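The F2 and F3 checks above can be run against the live registry without HijackThis. The following PowerShell script is an added example, not part of the HijackThis tutorial or of the tool: it reads the Winlogon Shell and Userinit values and the HKCU load and run values, splits them the way Windows does (spaces for Shell, commas for Userinit), flags every entry that is not one of the stock defaults the tutorial describes, and prints each result as a HijackThis-style REG: line. It goes one step beyond the text by also checking the per-user Shell override under HKCU\...\Winlogon, which Winlogon honours and which is a common persistence spot. It assumes a Windows NT based system (2000 or later), an elevated prompt for the HKLM reads, and that the IniFileMapping entries it displays at the end are the stock ones; the Expected lists are the defaults from this page, not a complete whitelist.

```powershell
# Added example (not from the HijackThis tutorial): audit F2/F3 autostart values in the registry.
# Assumptions: Windows NT based system, elevated prompt for HKLM; Expected lists are the stock
# defaults described in the tutorial, so anything flagged still needs to be researched first.

$checks = @(
    @{ Tag='F2'; Ini='system.ini'; Hive='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';    Expected=@('explorer.exe') }
    @{ Tag='F2'; Ini='system.ini'; Hive='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Userinit'; Expected=@('userinit.exe','nddeagnt.exe') }
    @{ Tag='F3'; Ini='win.ini';    Hive='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name='load';     Expected=@() }
    @{ Tag='F3'; Ini='win.ini';    Hive='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name='run';      Expected=@() }
    # Beyond the tutorial: Winlogon also honours a per-user Shell override; it is normally absent.
    @{ Tag='F2'; Ini='system.ini'; Hive='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';    Expected=@() }
)

function Split-AutostartValue {
    # Shell= separates programs with spaces, Userinit= with commas (a trailing comma is the
    # stock default), so split on both, drop empty pieces and reduce each entry to its
    # lower-case file name so C:\Windows\system32\userinit.exe matches userinit.exe.
    # Caveat: a quoted path containing spaces is split into fragments and will be flagged.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    @($Value -split '[,\s]+' | Where-Object { $_ } | ForEach-Object {
        [System.IO.Path]::GetFileName($_.Trim('"')).ToLowerInvariant()
    })
}

function Get-AutostartFindings {
    foreach ($c in $checks) {
        # A missing value is not an error here: load, run and the HKCU Shell are absent by default.
        $prop = Get-ItemProperty -Path $c.Hive -Name $c.Name -ErrorAction SilentlyContinue
        $raw  = if ($prop) { [string]$prop.($c.Name) } else { '' }
        $unexpected = @(Split-AutostartValue $raw | Where-Object { $c.Expected -notcontains $_ })
        $status = if ($unexpected.Count -eq 0) { 'default' } else { 'REVIEW' }
        [pscustomobject]@{
            Entry      = '{0} - REG:{1}: {2}={3}' -f $c.Tag, $c.Ini, $c.Name, $raw   # HijackThis-style line
            Location   = '{0}\{1}' -f $c.Hive, $c.Name
            Status     = $status
            Unexpected = ($unexpected -join ', ')
        }
    }
}

Get-AutostartFindings | Format-List

# Why the lines say REG:system.ini / REG:win.ini at all: IniFileMapping redirects .ini reads
# into the registry. In the mapped values, SYS: stands for HKLM\Software and USR: for
# HKCU\Software. The stock mappings below are assumed to be present.
$map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping'
Get-ItemProperty "$map\system.ini\boot" -Name Shell    -ErrorAction SilentlyContinue | Select-Object Shell
Get-ItemProperty "$map\win.ini\windows" -Name load,run -ErrorAction SilentlyContinue | Select-Object load, run
```

Anything reported as REVIEW should be looked up in the startup databases listed above before it is removed, and, as the tutorial notes, removing the registry entry does not remove the file it points to. The Unexpected column gives you the bare file name to search for.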
