Solved

Unknown Entry in HiJackThis log

Posted on 2011-03-16
8
563 Views
Last Modified: 2013-12-06
Attached is a hijackthis log from a client. I do not understand what this entry is.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/


The client is having IE issues where he opens IE and IE freezes. He then uses task manager to kill the process. He clicks IE to open it again and everything runs fine. This happens with any process that tries to run IE, for example an icon on his desktop that is a link to a web page. Other then this the pc runs fine and i can't figure out the problem. I did submit the log to virus total and it came up with nothing. Active antivirus is on the machine and it doesn't seem that there is a virus.

Running:

Win XP
IE 8

If someone could review the log and give me a second opinion that would be much appreciated.

Thanks.
hijackthis-JOEL-Zimmel.log
0
Comment
Question by:new435
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:shjacks55
ID: 35150400
...Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/ is odd but is accessed when IE fumbles for a network connection, or if you click setup in internet options. If you are on a LAN it should not make any difference.
bomgar-scc.exe can take high cpu resources and could freeze your system, its being run from appdata which is unusual, it appears to be remote config software for net admin?
   The "O17" section with zai.local seems odd.
   The BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll seems to indicate an online disk storage possibly it would interact with the antivirus.
    Antivirus won't always takeout Spyware, I've had Browser Helper Object (BHO) problems and 900 number autodialers (in Internet Connection Wizard) that were found and removed by Anti-Spyware utils like AdAware and Spybot S&D.

   I've never found hijack this very useful. Task manager, look for stuff running out of strange directories. Administrative Tools/Services. Try "Safe Mode with Networking" and see if browser hickup occurs. Selective Startup using Msconfig at the run line (you have a lot of "help" software running). Try manage browser add-ons in the internet explorer options.

.
0
 

Author Comment

by:new435
ID: 35150590
This machine has several issues, one being safe mode won't boot. The zai is the domain and preconditioned in the system.

The bomgr is the remote access program my company uses and was only running because I was connected at the time.

Thanks for the response, I'll take another look at msconfig when I get the chance, but I don't recall it having any weird entries.
0
 
LVL 38

Accepted Solution

by:
younghv earned 167 total points
ID: 35150951
This entry indicates a minor kind of spyware application that gets installed with some downloads from the Internet. I've seen it on several computers and removed it without any adverse affects.

O4 - Startup: PowerReg Scheduler V3.exe

If this is actually something you know (and use), don't remove it - but tell if it is.

As always, try to remove it from Control Panel/Add-Remove programs first.

I have seen several Expert here recommend "Revo Uninstaller" - although I have personally never had to use it.

http://www.revouninstaller.com/

When I have a particularly tough program, I will delete all of the related files/folders I can find, then use the "Reqistry" function from www.ccleaner.com

Give either/both a try.
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
ID: 35156377
Nothing out of ordinary is showing in the log, but then many nasties can now hide from its scan, so a clean Hijackthis log doesn't mean a clean system.
What other scanners have you tried?


>>"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/<<<"

The above entry is not malicious, that's his webmail login page at Advanced Networks where he is a member or client.
They are supposedly an authorized Novell, SCO UNIX and Microsoft Solution Providers. I don't know much about them.
http://www.aemx.net/flash/intro.swf

For the safe mode not working, it could be due to nasties present before(or maybe still there). Some nasties like sality deletes safeboot keys causing safe mode not to work.

Try this one and see if it fixes his safe mode problem.
Download and run avz4en.zip
http://z-oleg.com/avz4en.zip
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System restore"
Put a checkmark next to number 10 "Restore SafeBoot registry keys"
Click on "Execute selected operations"


Hi younghv, :)
0
 
LVL 38

Expert Comment

by:younghv
ID: 35157707
Howdy young lady.
:)

It's a great day on EE!
0
 
LVL 3

Assisted Solution

by:shjacks55
shjacks55 earned 166 total points
ID: 35165164
Very bad if safe mode doesn't work.
Try Microsoft Malicious Software Removal Tool, it will run before win32.
If the Virus is in the Master Boot Record (or EFI) or Native Mode then it will protect itself in any boot mode.
Avast, F-secure, AVG, et al let you download an .iso  that contains an antivirus that runs from the Knoppix Linux CD. There are other rescue disks that run on WinPE (or BartPE). May need to run scandisk (NTFS keeps a record/journal and will know something got changed without windows knowing about it) after the Linux CD, but Linux won't run Windows Malware. The CD boots and is pretty automatic so don't need to know Linux.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35165492
shjacks55,

Note that the recommendation here (http:#a35156377) is specifically targeted at those malware variants that attack the "Safe Mode" configuration.

To my knowledge, "MSRT" is not the weapon of choice in this situation.
0
 

Author Closing Comment

by:new435
ID: 35172345
His machine had a slew of problems, beginning with virus's. His hard disk is also failing, The event log says there are bad sectors. a chkdsk was run but i do not know the results yet. The drive may need to be replaced and that could have been causing the issue the entire time.
Thanks for the help.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It started not too long ago. It was at first annoying. My keystrokes seemed to be randomly generated, not the ones I typed on the keyboard. For some reason this only happened in certain applications (especially browsers such as IE11, Firefox and Chr…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question