Unknown Entry in HiJackThis log

Posted on 2011-03-16
Last Modified: 2013-12-06
Attached is a hijackthis log from a client. I do not understand what this entry is.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

The client is having IE issues where he opens IE and IE freezes. He then uses task manager to kill the process. He clicks IE to open it again and everything runs fine. This happens with any process that tries to run IE, for example an icon on his desktop that is a link to a web page. Other than this the PC runs fine and I can't figure out the problem. I did submit the log to VirusTotal and it came up with nothing. Active antivirus is on the machine and it doesn't seem that there is a virus.


Win XP
IE 8

If someone could review the log and give me a second opinion that would be much appreciated.

Question by: new435

Expert Comment

ID: 35150400
...Internet Connection Wizard,ShellNext = is odd but is accessed when IE fumbles for a network connection, or if you click setup in internet options. If you are on a LAN it should not make any difference.
bomgar-scc.exe can take high CPU resources and could freeze your system; it's being run from appdata which is unusual. It appears to be remote config software for net admin?
The "O17" section with zai.local seems odd.
The BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll seems to indicate an online disk storage; possibly it would interact with the antivirus.
Antivirus won't always take out spyware. I've had Browser Helper Object (BHO) problems and 900 number autodialers (in Internet Connection Wizard) that were found and removed by anti-spyware utils like AdAware and Spybot S&D.

I've never found HijackThis very useful. Task manager, look for stuff running out of strange directories. Administrative Tools/Services. Try "Safe Mode with Networking" and see if the browser hiccup occurs. Selective Startup using Msconfig at the run line (you have a lot of "help" software running). Try manage browser add-ons in the Internet Explorer options.
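A small triage script, added here as an example and not code from anyone in this thread, that parses HijackThis lines like the ones quoted above and applies the "running from a strange directory" check the reply describes. The sample log is constructed: the bomgar-scc.exe user path, the ctfmon line and the O17 GUID are illustrative; the R1, O2 and O4 Startup values are the ones quoted in the thread.

```python
import re
from typing import List, NamedTuple, Optional

class Entry(NamedTuple):
    section: str          # HijackThis section code, e.g. R1, O2, O4, O17
    detail: str           # text after the "Oxx - " prefix
    path: Optional[str]   # first Windows .exe/.dll path found in the line, if any

# Directories a normal user can write to: the usual shortlist for "strange directories".
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\", "\\temp\\")
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)

def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis scan lines into Entry tuples; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m.group(2))
            entries.append(Entry(m.group(1), m.group(2), p.group(0) if p else None))
    return entries

def review(entries: List[Entry], expected_domain: str = "") -> List[str]:
    """Apply simple triage rules and return one finding string per suspicious entry."""
    findings = []
    for e in entries:
        low = (e.path or "").lower()
        if e.section == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append(f"O4 autostart from a user-writable directory: {e.path}")
        elif e.section == "O4" and e.detail.startswith("Startup:") and not e.path:
            findings.append(f"O4 startup-folder item with no resolved path: {e.detail}")
        elif e.section == "O2" and e.path and "\\windows\\system32\\" not in low:
            findings.append(f"O2 BHO loaded from outside system32: {e.path}")
        elif e.section == "O17" and expected_domain and expected_domain not in e.detail.lower():
            findings.append(f"O17 domain/DNS entry does not match {expected_domain}: {e.detail}")
        elif e.section == "R1" and e.detail.rstrip().endswith("="):
            findings.append(f"R1 empty value (informational, not by itself malicious): {e.detail}")
    return findings

# Constructed sample log, modelled on the entries quoted in this thread; the
# bomgar-scc.exe path, the ctfmon line and the O17 GUID are illustrative.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [scc] C:\Documents and Settings\user\Application Data\bomgar-scc.exe
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE-GUID}: Domain = zai.local
"""
```

Calling `review(parse_log(SAMPLE_LOG), expected_domain="zai.local")` flags the AppData autostart, the pathless startup-folder item and the empty R1 value, and leaves the system32 BHO, ctfmon and the expected domain alone; known software such as a remote-support agent still needs a human to confirm it, as the author does below.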


Author Comment

ID: 35150590
This machine has several issues, one being safe mode won't boot. The zai is the domain and preconditioned in the system.

The bomgr is the remote access program my company uses and was only running because I was connected at the time.

Thanks for the response, I'll take another look at msconfig when I get the chance, but I don't recall it having any weird entries.

Accepted Solution

younghv earned 167 total points
ID: 35150951
This entry indicates a minor kind of spyware application that gets installed with some downloads from the Internet. I've seen it on several computers and removed it without any adverse effects.

O4 - Startup: PowerReg Scheduler V3.exe

If this is actually something you know (and use), don't remove it - but tell if it is.

As always, try to remove it from Control Panel/Add-Remove programs first.

I have seen several Experts here recommend "Revo Uninstaller" - although I have personally never had to use it.

When I have a particularly tough program, I will delete all of the related files/folders I can find, then use the "Registry" function from

Give either/both a try.


Assisted Solution

rpggamergirl earned 167 total points
ID: 35156377
Nothing out of the ordinary is showing in the log, but then many nasties can now hide from its scan, so a clean HijackThis log doesn't mean a clean system.
What other scanners have you tried?

>>"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext ="<<

The above entry is not malicious, that's his webmail login page at Advanced Networks where he is a member or client.
They are supposedly authorized Novell, SCO UNIX and Microsoft Solution Providers. I don't know much about them.

For the safe mode not working, it could be due to nasties present before (or maybe still there). Some nasties like Sality delete SafeBoot keys, causing safe mode not to work.

Try this one and see if it fixes his safe mode problem.
Download and run
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System restore"
Put a checkmark next to number 10 "Restore SafeBoot registry keys"
Click on "Execute selected operations"

Hi younghv, :)

Expert Comment

ID: 35157707
Howdy young lady.

It's a great day on EE!

Assisted Solution

shjacks55 earned 166 total points
ID: 35165164
Very bad if safe mode doesn't work.
Try Microsoft Malicious Software Removal Tool, it will run before win32.
If the Virus is in the Master Boot Record (or EFI) or Native Mode then it will protect itself in any boot mode.
Avast, F-Secure, AVG, et al let you download an .iso that contains an antivirus that runs from the Knoppix Linux CD. There are other rescue disks that run on WinPE (or BartPE). You may need to run scandisk (NTFS keeps a record/journal and will know something got changed without Windows knowing about it) after the Linux CD, but Linux won't run Windows malware. The CD boots and is pretty automatic, so you don't need to know Linux.

Expert Comment

ID: 35165492

Note that the recommendation here (http:#a35156377) is specifically targeted at those malware variants that attack the "Safe Mode" configuration.

To my knowledge, "MSRT" is not the weapon of choice in this situation.

Author Closing Comment

ID: 35172345
His machine had a slew of problems, beginning with viruses. His hard disk is also failing; the event log says there are bad sectors. A chkdsk was run but I do not know the results yet. The drive may need to be replaced and that could have been causing the issue the entire time.
Thanks for the help.
