

Unknown Entry in HiJackThis log

Posted on 2011-03-16
Medium Priority
Last Modified: 2013-12-06
Attached is a HijackThis log from a client. I do not understand what this entry is.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/

The client is having IE issues where he opens IE and IE freezes. He then uses Task Manager to kill the process. He clicks IE to open it again and everything runs fine. This happens with any process that tries to run IE, for example an icon on his desktop that is a link to a web page. Other than this the PC runs fine and I can't figure out the problem. I did submit the log to VirusTotal and it came up with nothing. Active antivirus is on the machine and it doesn't seem that there is a virus.


Win XP
IE 8

If someone could review the log and give me a second opinion that would be much appreciated.

Question by:new435

Expert Comment

ID: 35150400
...Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/ is odd but is accessed when IE fumbles for a network connection, or if you click Setup in Internet Options. If you are on a LAN it should not make any difference.
bomgar-scc.exe can take high CPU resources and could freeze your system; it's being run from appdata, which is unusual. It appears to be remote config software for net admins?
The "O17" section with zai.local seems odd.
The BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll seems to indicate an online disk storage; possibly it would interact with the antivirus.
Antivirus won't always take out spyware. I've had Browser Helper Object (BHO) problems and 900-number autodialers (in Internet Connection Wizard) that were found and removed by anti-spyware utils like AdAware and Spybot S&D.

I've never found HijackThis very useful. Task Manager: look for stuff running out of strange directories. Administrative Tools/Services. Try "Safe Mode with Networking" and see if the browser hiccup occurs. Selective Startup using msconfig at the Run line (you have a lot of "help" software running). Try Manage Add-ons in the Internet Explorer options.
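Added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses the entry types quoted above (R1, O2 BHO, O4 startup, O17 domain) and applies the two checks the comment suggests, flagging code launched from user-writable directories such as Application Data, and flagging R1/O17 entries that point at hosts outside the client's own domain so they can be confirmed with the user. The sample log is constructed from the entries quoted in this thread; the Run-key path for bomgar-scc.exe and the O17 GUID in it are assumptions, as is the list of "unusual" directories.

```python
"""Offline triage of HijackThis log entries (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed sample log. Lines 1-3 reproduce entries quoted in this thread;
# the Run-key path for bomgar-scc.exe and the O17 GUID are assumptions.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - Startup: PowerReg Scheduler V3.exe
O4 - HKCU\..\Run: [bomgar] C:\Documents and Settings\user\Application Data\bomgar-scc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: Domain = zai.local
"""

# "<code> - <body>" is the shape of every HijackThis line (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
R_RE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<value>\S+) = (?P<data>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<loc>Startup|HK[A-Z]+\\\.\.\\Run\w*): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+)$")
O17_RE = re.compile(r"^(?P<key>.+?): (?P<value>\w+) = (?P<data>.+)$")

# Assumed list of places a logon-time program normally should not live on XP.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\my documents\\")


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "O4"
    severity: str   # "suspicious" (act) or "review" (confirm with the user)
    reason: str
    line: str


def parse_entry(line: str) -> Optional[dict]:
    """Split one log line into its section code and the fields for that section."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "line": line.strip()}
    sub = None
    if code.startswith("R"):
        sub = R_RE.match(body)
    elif code == "O2":
        sub = O2_RE.match(body)
    elif code == "O4":
        sub = O4_RE.match(body)
    elif code == "O17":
        sub = O17_RE.match(body)
    if sub:
        entry.update(sub.groupdict())
    return entry


def _host_of(data: str) -> Optional[str]:
    """Hostname of a URL or bare host; None for about:/res:/file: style values."""
    data = data.strip()
    if data.lower().startswith(("about:", "res:", "file:")):
        return None
    if "://" not in data:
        data = "http://" + data
    host = (urlparse(data).hostname or "").lower()
    return host if "." in host else None


def _is_trusted(host: str, trusted: Iterable[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in (t.lower() for t in trusted))


def _from_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage(log_text: str, trusted_domains: Iterable[str] = ()) -> List[Finding]:
    """Return findings for the entries worth a second look, in log order."""
    trusted = tuple(trusted_domains)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if not e:
            continue
        code, line = e["code"], e["line"]
        if code.startswith("R") and "data" in e:
            host = _host_of(e["data"])
            if host and not _is_trusted(host, trusted):
                findings.append(Finding(code, "review", f"{e['value']} points at {host}; confirm the user recognises it", line))
        elif code == "O17" and e.get("value", "").lower() == "domain":
            if not _is_trusted(e["data"], trusted):
                findings.append(Finding(code, "suspicious", f"Domain set to {e['data']}, not a known domain", line))
        elif code in ("O2", "O4") and "path" in e:
            if _from_user_writable_dir(e["path"]):
                findings.append(Finding(code, "suspicious", f"{e['path']} runs from a user-writable directory", line))
            elif code == "O4":
                findings.append(Finding(code, "review", f"startup item {e['path']}; remove only if unrecognised", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_domains=("zai.local",)):
        print(f"[{f.severity:10}] {f.code}: {f.reason}")
```

With zai.local passed as the client's own domain, the script leaves the O17 entry and the system32 BHO alone, lists the R1 webmail URL and the PowerReg startup item as things to confirm with the user, and flags only bomgar-scc.exe under Application Data as suspicious, which matches what the thread later establishes (the R1 is the user's webmail, Bomgar is the company's remote-access tool).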


Author Comment

ID: 35150590
This machine has several issues, one being safe mode won't boot. The zai is the domain and preconditioned in the system.

Bomgar is the remote access program my company uses and was only running because I was connected at the time.

Thanks for the response, I'll take another look at msconfig when I get the chance, but I don't recall it having any weird entries.

Accepted Solution

younghv earned 668 total points
ID: 35150951
This entry indicates a minor kind of spyware application that gets installed with some downloads from the Internet. I've seen it on several computers and removed it without any adverse effects.

O4 - Startup: PowerReg Scheduler V3.exe

If this is actually something you know (and use), don't remove it - but tell if it is.

As always, try to remove it from Control Panel/Add-Remove programs first.

I have seen several Experts here recommend "Revo Uninstaller", although I have personally never had to use it.


When I have a particularly tough program, I will delete all of the related files/folders I can find, then use the "Registry" function from www.ccleaner.com

Give either/both a try.

Assisted Solution

rpggamergirl earned 668 total points
ID: 35156377
Nothing out of the ordinary is showing in the log, but then many nasties can now hide from its scan, so a clean HijackThis log doesn't mean a clean system.
What other scanners have you tried?

>> "R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/" <<

The above entry is not malicious, that's his webmail login page at Advanced Networks where he is a member or client.
They are supposedly an authorized Novell, SCO UNIX and Microsoft Solution Providers. I don't know much about them.

For safe mode not working, it could be due to nasties present before (or maybe still there). Some nasties, like Sality, delete SafeBoot keys, causing safe mode not to work.

Try this one and see if it fixes his safe mode problem.
Download and run avz4en.zip
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System restore"
Put a checkmark next to number 10 "Restore SafeBoot registry keys"
Click on "Execute selected operations"

Hi younghv, :)

Expert Comment

ID: 35157707
Howdy young lady.

It's a great day on EE!

Assisted Solution

shjacks55 earned 664 total points
ID: 35165164
Very bad if safe mode doesn't work.
Try Microsoft Malicious Software Removal Tool; it will run before Win32.
If the virus is in the Master Boot Record (or EFI) or native mode then it will protect itself in any boot mode.
Avast, F-Secure, AVG, et al. let you download an .iso that contains an antivirus that runs from the Knoppix Linux CD. There are other rescue disks that run on WinPE (or BartPE). You may need to run scandisk after the Linux CD (NTFS keeps a record/journal and will know something got changed without Windows knowing about it), but Linux won't run Windows malware. The CD boots and is pretty automatic, so you don't need to know Linux.

Expert Comment

ID: 35165492

Note that the recommendation here (http:#a35156377) is specifically targeted at those malware variants that attack the "Safe Mode" configuration.

To my knowledge, "MSRT" is not the weapon of choice in this situation.

Author Closing Comment

ID: 35172345
His machine had a slew of problems, beginning with viruses. His hard disk is also failing; the event log says there are bad sectors. A chkdsk was run but I do not know the results yet. The drive may need to be replaced, and that could have been causing the issue the entire time.
Thanks for the help.
