• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 582

Unknown Entry in HiJackThis log

Attached is a HijackThis log from a client. I do not understand what this entry is.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/

The client is having IE issues where he opens IE and IE freezes. He then uses Task Manager to kill the process. He clicks IE to open it again and everything runs fine. This happens with any process that tries to run IE, for example an icon on his desktop that is a link to a web page. Other than this the PC runs fine and I can't figure out the problem. I did submit the log to VirusTotal and it came up with nothing. Active antivirus is on the machine and it doesn't seem that there is a virus.


Win XP
IE 8

If someone could review the log and give me a second opinion that would be much appreciated.

3 Solutions
...Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/ is odd but is accessed when IE fumbles for a network connection, or if you click Setup in Internet Options. If you are on a LAN it should not make any difference.
bomgar-scc.exe can take high CPU resources and could freeze your system; it's being run from AppData, which is unusual. It appears to be remote config software for a net admin?
The "O17" section with zai.local seems odd.
The BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll seems to indicate an online disk storage; possibly it would interact with the antivirus.
Antivirus won't always take out spyware. I've had Browser Helper Object (BHO) problems and 900-number autodialers (in Internet Connection Wizard) that were found and removed by anti-spyware utils like Ad-Aware and Spybot S&D.

I've never found HijackThis very useful. Task Manager: look for stuff running out of strange directories. Administrative Tools/Services. Try "Safe Mode with Networking" and see if the browser hiccup occurs. Selective Startup using msconfig at the Run line (you have a lot of "help" software running). Try Manage Add-ons in the Internet Explorer options.
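The "look for stuff running out of strange directories" advice above can be applied to the log itself rather than by eye. The script below is an added example and is not part of the thread or of HijackThis: it parses HijackThis entry lines and flags the patterns the answers in this thread talk about, namely executables living under user-writable profile directories, system-binary names outside the Windows directory, Startup-folder items, O17 network settings that are not on a trusted list, and the R1 ShellNext URL as informational. The sample lines are constructed from the entries quoted in the thread; the O4 Run entry pointing at an svchost.exe under Application Data is invented to show what a flagged line looks like and is not from the poster's log.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The R1, O2 (BHO), O4 Startup and O17 entries are the
# ones quoted in this thread; the O4 Run entry pointing at an svchost.exe under
# Application Data is invented to show what a flagged line looks like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - Startup: PowerReg Scheduler V3.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: Domain = zai.local
"""

# HijackThis lines are "<section code> - <body>"; codes are R0-R3, F0-F3, N1-N4, O1-O24.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Drive-letter path ending in an executable-type extension. Non-greedy so it
# stops at the first such extension even though XP profile paths contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd)\b", re.IGNORECASE)
# Directories a non-admin user can write to on XP. Startup items or BHOs here
# are not automatically bad (the Bomgar client in this thread lives there)
# but deserve a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Names that belong in %SystemRoot% or %SystemRoot%\system32; the same name
# anywhere else is a classic masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows(?:\\system32)?\\[^\\]+$")


@dataclass
class Finding:
    code: str
    severity: str  # "info" or "review"
    reason: str
    line: str


def parse_line(line):
    """Return (code, body) for a HijackThis entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def masquerades_as_system_binary(path):
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(low)


def triage(log_text, trusted_domains=()):
    """Apply the thread's rules of thumb to every entry and return the hits."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        line = raw.strip()
        for path in PATH_RE.findall(body):
            if in_user_writable_dir(path):
                findings.append(Finding(code, "review", f"runs from a user-writable directory: {path}", line))
            if masquerades_as_system_binary(path):
                findings.append(Finding(code, "review", f"system binary name outside the Windows directory: {path}", line))
        if code == "O4" and body.startswith("Startup:"):
            findings.append(Finding(code, "review", "Startup-folder item; confirm it is software the user knows", line))
        elif code == "O17":
            m = re.search(r"(?:Domain|SearchList|NameServer)\s*=\s*(\S+)", body)
            if m and m.group(1).lower() not in trusted:
                findings.append(Finding(code, "review", f"network setting not on the trusted list: {m.group(1)}", line))
        elif code == "R1" and "ShellNext" in body:
            m = re.search(r"https?://\S+", body)
            if m:
                findings.append(Finding(code, "info", f"ShellNext target {m.group(0)}; only a concern if the host is unexpected", line))
    return findings


if __name__ == "__main__":
    # Passing the client's own domain keeps the legitimate O17 line out of the report.
    for f in triage(SAMPLE_LOG, trusted_domains=("zai.local",)):
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read(), trusted_domains=("zai.local",))`. The rules are deliberately loose: the goal is to shorten the list a human reviews, not to declare a line malicious, which is why the ShellNext entry only comes out as informational and the DriveLetterAccess BHO under system32 is not reported at all.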

new435Author Commented:
This machine has several issues, one being safe mode won't boot. The zai is the domain and preconditioned in the system.

The Bomgar is the remote access program my company uses and was only running because I was connected at the time.

Thanks for the response, I'll take another look at msconfig when I get the chance, but I don't recall it having any weird entries.
This entry indicates a minor kind of spyware application that gets installed with some downloads from the Internet. I've seen it on several computers and removed it without any adverse effects.

O4 - Startup: PowerReg Scheduler V3.exe

If this is actually something you know (and use), don't remove it - but tell if it is.

As always, try to remove it from Control Panel/Add-Remove programs first.

I have seen several Experts here recommend "Revo Uninstaller" - although I have personally never had to use it.


When I have a particularly tough program, I will delete all of the related files/folders I can find, then use the "Registry" function from www.ccleaner.com

Give either/both a try.

Nothing out of ordinary is showing in the log, but then many nasties can now hide from its scan, so a clean Hijackthis log doesn't mean a clean system.
What other scanners have you tried?

>>"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.aemx.net:3000/<<<"

The above entry is not malicious, that's his webmail login page at Advanced Networks where he is a member or client.
They are supposedly an authorized Novell, SCO UNIX and Microsoft Solution Providers. I don't know much about them.

For the safe mode not working, it could be due to nasties present before (or maybe still there). Some nasties like Sality delete the SafeBoot keys, causing safe mode not to work.

Try this one and see if it fixes his safe mode problem.
Download and run avz4en.zip
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System restore"
Put a checkmark next to number 10 "Restore SafeBoot registry keys"
Click on "Execute selected operations"
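The AVZ steps above restore the keys. The check below is an added example, not part of the thread and not AVZ's code, that shows how to confirm whether the SafeBoot tree is actually damaged before or after that restore, by parsing an export made with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`. The sample export is constructed and trimmed to a few entries, and the expectation that both the Minimal and Network branches contain a Base driver-group subkey is an assumption of the example.

```python
import re

# Constructed .reg text in the form produced by
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg
# trimmed to a few entries. The Network branch has been left without subkeys
# on purpose, to show what a damaged tree looks like in the output.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

# Matches the bracketed key header lines; "rest" is the path below SafeBoot.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
    r"(?:\\(?P<rest>[^\]]+))?\]$",
    re.IGNORECASE,
)


def safeboot_subkeys(reg_text):
    """Map each SafeBoot branch (Minimal, Network, ...) to the set of its direct subkeys."""
    branches = {}
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m or m.group("rest") is None:
            continue
        parts = m.group("rest").split("\\")
        entries = branches.setdefault(parts[0], set())
        if len(parts) > 1:
            entries.add(parts[1])
    return branches


def check_safeboot(reg_text):
    """Return a list of problems; an empty list means both boot profiles look intact."""
    problems = []
    branches = safeboot_subkeys(reg_text)
    for branch in ("Minimal", "Network"):
        entries = branches.get(branch)
        if entries is None:
            problems.append(f"SafeBoot\\{branch} key is missing")
        elif not entries:
            problems.append(f"SafeBoot\\{branch} has no subkeys")
        elif "Base" not in entries:
            # Assumption of this example: the Base driver group is expected in both branches.
            problems.append(f"SafeBoot\\{branch} lacks the Base driver group")
    return problems


if __name__ == "__main__":
    # For a real export use open("safeboot.reg", encoding="utf-16").read();
    # Version 5.00 .reg files are written as UTF-16 with a byte-order mark.
    for p in check_safeboot(SAMPLE_REG) or ["SafeBoot keys look intact"]:
        print(p)
```

A missing or empty Minimal branch is what produces the "safe mode won't boot" symptom described in the question; running the check again after the AVZ restore (or after importing the SafeBoot tree from a known-good XP machine of the same service pack) confirms the repair took.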

Hi younghv, :)
Howdy young lady.

It's a great day on EE!
Very bad if safe mode doesn't work.
Try Microsoft Malicious Software Removal Tool, it will run before win32.
If the Virus is in the Master Boot Record (or EFI) or Native Mode then it will protect itself in any boot mode.
Avast, F-Secure, AVG, et al. let you download an .iso that contains an antivirus that runs from a Knoppix Linux CD. There are other rescue disks that run on WinPE (or BartPE). You may need to run scandisk after the Linux CD (NTFS keeps a record/journal and will know something got changed without Windows knowing about it), but Linux won't run Windows malware. The CD boots and is pretty automatic, so you don't need to know Linux.

Note that the recommendation here (http:#a35156377) is specifically targeted at those malware variants that attack the "Safe Mode" configuration.

To my knowledge, "MSRT" is not the weapon of choice in this situation.
new435Author Commented:
His machine had a slew of problems, beginning with viruses. His hard disk is also failing; the event log says there are bad sectors. A chkdsk was run but I do not know the results yet. The drive may need to be replaced, and that could have been causing the issue the entire time.
Thanks for the help.
Question has a verified solution.
