Unknown Entry in HiJackThis log

Posted on 2011-03-16
Last Modified: 2013-12-06
Attached is a hijackthis log from a client. I do not understand what this entry is.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

The client is having IE issues where he opens IE and IE freezes. He then uses task manager to kill the process. He clicks IE to open it again and everything runs fine. This happens with any process that tries to run IE, for example an icon on his desktop that is a link to a web page. Other then this the pc runs fine and i can't figure out the problem. I did submit the log to virus total and it came up with nothing. Active antivirus is on the machine and it doesn't seem that there is a virus.


Win XP
IE 8

If someone could review the log and give me a second opinion that would be much appreciated.

Question by:new435
  • 3
  • 2
  • 2
  • +1

Expert Comment

Comment Utility
...Internet Connection Wizard,ShellNext = is odd but is accessed when IE fumbles for a network connection, or if you click setup in internet options. If you are on a LAN it should not make any difference.
bomgar-scc.exe can take high cpu resources and could freeze your system, its being run from appdata which is unusual, it appears to be remote config software for net admin?
   The "O17" section with zai.local seems odd.
   The BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll seems to indicate an online disk storage possibly it would interact with the antivirus.
    Antivirus won't always takeout Spyware, I've had Browser Helper Object (BHO) problems and 900 number autodialers (in Internet Connection Wizard) that were found and removed by Anti-Spyware utils like AdAware and Spybot S&D.

   I've never found hijack this very useful. Task manager, look for stuff running out of strange directories. Administrative Tools/Services. Try "Safe Mode with Networking" and see if browser hickup occurs. Selective Startup using Msconfig at the run line (you have a lot of "help" software running). Try manage browser add-ons in the internet explorer options.


Author Comment

Comment Utility
This machine has several issues, one being safe mode won't boot. The zai is the domain and preconditioned in the system.

The bomgr is the remote access program my company uses and was only running because I was connected at the time.

Thanks for the response, I'll take another look at msconfig when I get the chance, but I don't recall it having any weird entries.
LVL 38

Accepted Solution

younghv earned 167 total points
Comment Utility
This entry indicates a minor kind of spyware application that gets installed with some downloads from the Internet. I've seen it on several computers and removed it without any adverse affects.

O4 - Startup: PowerReg Scheduler V3.exe

If this is actually something you know (and use), don't remove it - but tell if it is.

As always, try to remove it from Control Panel/Add-Remove programs first.

I have seen several Expert here recommend "Revo Uninstaller" - although I have personally never had to use it.

When I have a particularly tough program, I will delete all of the related files/folders I can find, then use the "Reqistry" function from

Give either/both a try.
LVL 47

Assisted Solution

rpggamergirl earned 167 total points
Comment Utility
Nothing out of ordinary is showing in the log, but then many nasties can now hide from its scan, so a clean Hijackthis log doesn't mean a clean system.
What other scanners have you tried?

>>"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =<<<"

The above entry is not malicious, that's his webmail login page at Advanced Networks where he is a member or client.
They are supposedly an authorized Novell, SCO UNIX and Microsoft Solution Providers. I don't know much about them.

For the safe mode not working, it could be due to nasties present before(or maybe still there). Some nasties like sality deletes safeboot keys causing safe mode not to work.

Try this one and see if it fixes his safe mode problem.
Download and run
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System restore"
Put a checkmark next to number 10 "Restore SafeBoot registry keys"
Click on "Execute selected operations"

Hi younghv, :)
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

LVL 38

Expert Comment

Comment Utility
Howdy young lady.

It's a great day on EE!

Assisted Solution

shjacks55 earned 166 total points
Comment Utility
Very bad if safe mode doesn't work.
Try Microsoft Malicious Software Removal Tool, it will run before win32.
If the Virus is in the Master Boot Record (or EFI) or Native Mode then it will protect itself in any boot mode.
Avast, F-secure, AVG, et al let you download an .iso  that contains an antivirus that runs from the Knoppix Linux CD. There are other rescue disks that run on WinPE (or BartPE). May need to run scandisk (NTFS keeps a record/journal and will know something got changed without windows knowing about it) after the Linux CD, but Linux won't run Windows Malware. The CD boots and is pretty automatic so don't need to know Linux.
LVL 38

Expert Comment

Comment Utility

Note that the recommendation here (http:#a35156377) is specifically targeted at those malware variants that attack the "Safe Mode" configuration.

To my knowledge, "MSRT" is not the weapon of choice in this situation.

Author Closing Comment

Comment Utility
His machine had a slew of problems, beginning with virus's. His hard disk is also failing, The event log says there are bad sectors. a chkdsk was run but i do not know the results yet. The drive may need to be replaced and that could have been causing the issue the entire time.
Thanks for the help.

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

To Remove Security Suite for Windows Malware from a Windows XP Machine:  Restart computer in Safe Mode (to do this see Login as Administrator Go to My Computer /Tools/ Folder Options/ View/  check mark the selectio…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
This video discusses moving either the default database or any database to a new volume.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now