Solved 2 Registry keys + 1 File Infected - how to remove infections?

Status
Not open for further replies.

lise428

Posts: 21   +0
Lately, my computer's speed got significantly reduced during start up and on my dad's account he wasn't able to get far using IE because an error kept showing up, then he was redirected to OneCare on the internet instead to do a scan. The scan took too long and it wasn't making much progress. I remember it indicating there were 7 items infected and 1 issue found.

The full system scans that I kept conducting using Norton Internet Security couldn't find any threats on my computer when I was logged in my dad's account but normally on my personal account it shows some tracking cookies and other things. & that's what was revealed in the full sys. scan on my account. Strange, why couldn't the other scan on my dad's account reveal that?

I then used Malwarebytes' Antivirus Program to discover that actually 2 registry keys and 1 file are infected. I have a Trojan.Agent and 2 Security.Hijacks:

- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\msl.dll (Trojan.Agent)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe (Security.Hijack)

Even when I delete these on reboot, they won't disappear after the next scan.

I'm not sure how I should approach this clean up. I was talking to a Norton representative and they recommended me to use their paid service by having an expert remove the viruses but my dad won't allow it.

My friend recommended me to use ESET NOD32 Antivirus = useless. couldn't detect any threats.

I don't know how to remove these threats, pinpoint the infected registry keys and file without doing corrupt damage to my computer. Can someone please assist through the process?
 
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

It works much better when we have the logs from the programs.
 
I followed most of the instructions: here are the attached files.

I however could not complete the scan with GMER. Every time in the middle of the scan, my computer would suddenly automatically restart; therefore, I couldn't save the log. I tried unchecking Devices but I still encountered the same problem. I'm also not sure of how to run GMER in Safe Mode. I tried looking at the FAQs but I don't think it tells me how.

Also, after one of the restarts that my computer did all by itself, I was prompted to run Chkdsk because now the application Google Chrome cannot be accessed. o.o? I did run the Chkdsk and after when I tried running Chrome, a message popped up saying, "C:\Documents and Settings\DOMINA CHI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe is not a valid Win32 application." Should I reinstall Chrome? I normally use it. I'm not sure if the problem with Chrome was caused by the scan, malware/virus or something else.
 

Attachments

  • mbam-log-2010-06-29 (12-00-25).txt
    1.1 KB · Views: 3
  • Attach.txt
    11 KB · Views: 2
  • DDS.txt
    17.7 KB · Views: 4
I may not be able to access Internet within 2 weeks since I am going abroad. Hence, I won't be able to follow further given instructions during the next 2 weeks. Please keep this thread open. I am still awaiting for a response from the assistants.
 
Sorry- we get backed up at times.

You are running two antivirus programs: AV: Norton Internet Security and AV: ESET NOD32 Antivirus 4.2. Please decide which you want to keep and remove the other. Multiple AV programs make the system more vulnerable as well as slow it down. Here are tools to help with the uninstall of either:
Norton Removal Tool
Eset Nod32 Uninstall
(NOTE- you do need the password to uninstall Eset- just to reinstall it)

FYI: Re:
My friend recommended me to use ESET NOD32 Antivirus = useless. couldn't detect any threats.
You may be interested to know that the processes egui.exe and ekrn.exe in the Registry key are for ESET_Smart_Security. Note: Located in \%Program Files%\ESET\ESET Smart Security\
===================================
The problem is that neither AV program knows how to handle it because the other AV program is trying to do the same thing!
========================================
After you have handled the AV problem and rebooted the computer:
Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==========================================
Then run this online scan: NOTE: The Eset programs should have been removed already. this is an online scan only:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please disable or uninstall BitTorrent. Do not use it while I am helping you. File sharing adds adware and spyware to systems.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Edit: Uninstall Java versions v6u2, v6u3, v6u5, v6u7. They present vulnerabilities to the system.
Did you turn off the Restore Points?
==== System Restore Points ===================
No restore point in system.
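
The two Security.Hijack detections discussed in this thread are subkeys of Image File Execution Options (IFEO). As an added example (not part of the thread and not from any of the tools named in it), this read-only PowerShell listing shows which such subkeys carry a Debugger value and where it points; the function names are hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): read-only listing of Image File Execution
# Options (IFEO) subkeys that carry a "Debugger" value. When that value exists,
# Windows launches the debugger command in place of the named executable.
# Assumes PowerShell 3.0 or later. Nothing is modified or deleted.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows; absent on 32-bit systems
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical helper: return the full path of the program a Debugger command
# line starts, or $null when it cannot be found. An unquoted path containing
# spaces is split at the first space and will come back as $null; read the raw
# Debugger string in that case.
function Resolve-DebuggerTarget {
    param([string]$CommandLine)

    if ($CommandLine -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } else {
        $exe = ($CommandLine.Trim() -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    try {
        if ([IO.Path]::IsPathRooted($exe)) {
            if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
            return $null
        }
    } catch {
        return $null   # path contained characters .NET rejects
    }

    # Bare file name: look it up on PATH
    $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { return $cmd.Path }
    return $null
}

# Hypothetical helper: list IFEO subkeys. Without -ImageName only subkeys that
# have a Debugger value are returned; with -ImageName every matching subkey is
# returned, so "the key exists but redirects nothing" is visible too.
function Get-IfeoDebuggerEntry {
    param(
        [string[]]$ImageName,
        [string[]]$Root = $IfeoRoots
    )

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            $image = $key.PSChildName
            if ($ImageName -and ($ImageName -notcontains $image)) { continue }

            $debugger = [string]$key.GetValue('Debugger')   # '' when the value is absent
            if (-not $ImageName -and -not $debugger) { continue }

            $target = $null
            if ($debugger) { $target = Resolve-DebuggerTarget $debugger }

            [pscustomobject]@{
                Image          = $image
                HasDebugger    = [bool]$debugger
                Debugger       = $debugger
                ResolvedTarget = $target
                Key            = $key.Name
            }
        }
    }
}

# Every IFEO subkey on this machine that redirects an executable
Get-IfeoDebuggerEntry | Format-List

# The two image names Malwarebytes reported in this thread
Get-IfeoDebuggerEntry -ImageName 'egui.exe', 'ekrn.exe' | Format-List
```

An entry with HasDebugger set to True and an empty ResolvedTarget means the named program is redirected to a command that could not be located, which is worth reading by hand before anything is removed.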
 
I haven't used BitTorrent in a long time but I keep it there for just in case if I need to download files. I'm also going to redownload Chrome after this.
 

Attachments

  • log.txt
    900 bytes · Views: 4
  • ComboFix.txt
    152.8 KB · Views: 3
Custom CFScript


[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
C:\FOUND.041
C:\FOUND.040

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Wedding Dash*]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Trusted Zone: aol.com\free: this is a security vulnerability for your system. The security level in the Trusted Zone is lower than the other zones. [Nothing needs to be in the Trusted Zone]
========================
Choose v2.0.4:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Unfortunately I was unable to complete the HiJack This scan because during 04 - Registry & Start Menu autoruns, the program began to unrespond. I tried running it a few more times but it was still unresponsive.
 

Attachments

  • log1.txt
    13.4 KB · Views: 3
My router went out Thursday night and I just got it replaced. Sorry for the delay.
during 04 - Registry & Start Menu autoruns, the program began to unrespond.

Can you clarify this for me please? You could try taking the following off of Startup:
StartupFolder: c:\docume~1\domina~1\startm~1\programs\startup\citynews.lnk - c:\program files\citynews\liveonline_3136925.exe
StartupFolder: c:\docume~1\domina~1\startm~1\programs\startup\VIIKII~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE


Can you translate this for me please:
*ª`·N* ªÅ¥Õ»P¦Xªk¯Ê¬Ùµn¿ý±N¤£·|³QÅã¥Ü

I would like you to consider this: You want to keep Bit Torrent "in case if I need to download files." The 2 Registry entries you're concerned about are both entries from the Eset program. I don't know why you think you need Bit Torrent for downloads, but IF you download a legitimate program from a file sharing site, or if you get a torrent download for a keygen or crack for a license, you most likely will infect the system.

lise
The instructions for running Combofix are:
Please disable all security programs, such as antiviruses, antispywares, and firewalls.

You aren't doing this: The AV and the FW show running:
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
====================================
Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
c:\program files\ESET
c:\documents and settings\LocalService\Local Settings\Application Data\ESET
c:\documents and settings\DOMINA CHI\Local Settings\Application Data\ESET
DDS::
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Trusted Zone: aol.com\free

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
 
Can you clarify this for me please? You could try taking the following off of Startup:
StartupFolder: c:\docume~1\domina~1\startm~1\programs\startup\citynews.lnk - c:\program files\citynews\liveonline_3136925.exe
StartupFolder: c:\docume~1\domina~1\startm~1\programs\startup\VIIKII~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

I'm not sure how to remove those off of Start up but the names of those files seem to be useless to me. However, I'm not sure if it means I should uninstall those programs. microsoft word, city news weather forecast and viikii plugin (for a website)

I have uninstalled BitTorrent.

----
I have an irrelevant question. My new pre-owned laptop's sound card is broken so it can't produce sound, If I decide to connect the laptop to a TV, will I be able to hear sound through the TV's speakers?
 

Attachments

  • log.txt
    16.5 KB · Views: 2
Are you still having any of the original malware symptoms?

You made a good decision in removing Bit Torrent. Here is why:
  • Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

The following will remove the left over Bit Torrent entries.
Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=-

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave this log.
====================
To take the files I suggested off of Startup, use the msconfig utility. Uncheck the processes you don't want to start. Look for the files shown at the end of the string I left.

Sorry- I can't help with the sound card. I don't have any experience in that area.

Please try to run the HijackThis scan again so I can make sure there are no bad entries.
 
I think I'm still having the same malware symptoms because my computer's speed is still very slow. Now when I access IE, it's very unresponsive. I go on it for less than 1 minute and already an error states that it's unresponsive. Then after I permit to end the program the tab I was last on recovers itself but the same problem persists. I think I should uninstall and reinstall IE again.

Usually how long does it take to run a HijackThis scan? I've unchecked processes that I don't want to start but the problem with completing the scan still persists; it's unresponsive. Also, after my computer restarts from making changes using System Configuration Utility, a window states that I am currently in Diagnostic or Selective Startup Mode and that I should choose Normal Startup Mode and to undo the unchecking of the processes. Since HijackThis isn't working out for me, should I choose Normal Startup Mode?
 

Attachments

  • log.txt
    14 KB · Views: 3
Lise, I don't want you to make any changes in HijackThis. Please run the scan and paste the log in your next reply. It's my job to tell you what needs to be removed.

To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

Let me know if you need more help.
 
Lise, I don't want you to make any changes in HijackThis. Please run the scan and paste the log in your next reply. It's my job to tell you what needs to be removed.

I don't think I was clear when I mentioned HiJackThis. I didn't make any changes to that program. I only made changes using the msconfig utility according to your instructions but even so, I'm still unable to run a complete scan using HiJackThis because the program always becomes nonresponsive. I'm sorry, but I don't know what I should do to have HiJackThis running properly so I could successfully scan.
 
You're going to have to explain to me what "unresponsive" means. Does the scan stop? Does the computer freeze? Do you get an error message? HJT is one of the least problem programs we have users run.
 
The program freezes, sorry for the confusion. I'm not sure if it means the scan stops but I also don't get an error message unless if I manually end it and an "unresponsive program" message appears. When it freezes for a bit, I conclude that it won't respond anymore so I decide to end the program so the computer won't continue to freeze.
 
This scan because during 04 - Registry & Start Menu autoruns, the program began to unrespond.

Okay, I think you may have damaged a file when you followed whatever Norton was telling you to do. The only 'speed' problem we handle in this forum is if it's malware related. HijackThis is not a program that causes problems and I'm not remembering anything that included the word 'unresponsive' in the message.

We'll go the following round and I'll check the logs. I will have you remove anything that needs removing. When that is done, I will have you remove the cleaning tools we used. If problems persist after that has been done, I will refer you to the Windows OS forum to troubleshoot system problems;

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
============================
Then download ComboFix again from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
=====================
And lastly, run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste the Combofix report in the reply. Even if it takes 2 posts, I need it pasted. You can attach the Eset log.

We've been at this for 3 weeks and to get stuck on the HJT program doesn't make sense.
If you still have the file sharing programs, take them off of startup and do not use them while we finish this up.

It also appears that there is a discrepancy in system problems on your dad's account vs your account so it's difficult to know where to look.
 
The speed of the computer is still very slow.
 

Attachments

  • combofix.txt
    13.5 KB · Views: 1
  • log.txt
    908 bytes · Views: 1
These logs are clean. I will have you remove the tools we used. Any remaining slowness is not due to malware. You can control this to some extent by taking any programs off of startup that you do not need to start on boot and run in the background. You would use the msconfig utility to do this:

To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
=======================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you need more help.
 
Can you suggest any very useful tips and advice that will help significantly reduce the speed of my computer? I don't know if there are still risky hidden malware, spyware and virus threats on my computer but after I completed all your instructions, the PC still runs slowly at Startup and when I open new programs even though I've disabled a few programs using the msconfig utility and use Malwarebytes, plus run scans using Norton.

My laptop that is about 3 weeks old is starting to act slow too. Its antivirus protection software is COMODO Internet Security Premium [free version].
 
If the computer is slow to load at startup, then it is due to how many processes you have set to start on boot. Keep in mind that this will include how many and what type of addons you have for the browser.

The only processes that are required to always be on startup are:
Antivirus program
Firewall if you have a 3rd party firewall installed.
Touchpad process if using a laptop
Network processes if using something like Network Magic.

You do not need cameras, scanners, printers, media players, messengers and so on to start on boot. If you search this board for 'Slow Startup' you will find many threads discussing this and suggestions for what to remove.

As far as hidden malware being left on the system, the last logs were clean and there is no reason to suspect that malware is slowing you down. I found some irregularities between your account and your dad's account.

If you would like to run HijackThis, I'll take a look and recommend some stops for what I see running.
Please understand that you will have to wait a bit for this extra.
 
Please check this log that was created based on my laptop.

I'm still unable to successfully complete a HiJackThis logfile. Is there anything I can do to get past 04 - Registry and Start Menu Autorun scan?

My desktop computer's speed has been significantly reduced since I manually deleted some files and folders that were identified as infected by SmartShopper using Malwarebytes. I followed the instructions from http://www.fasterpccleanclean.com/remove-smartshopper#deletefiles and installed AVG to check for further assistance. However it was useless and did not track down any useful information so I uninstalled after I also realized it slowed down my computer even more. Still even now, the PC lags at startup and whenever I start a new program. It feels even more impossible to use my desktop computer now and so I rely on my laptop although its speed is starting to get slower.
 

Attachments

  • hijackthis.log
    5.7 KB · Views: 1
We started this 2 months ago. I cleaned the system and had you remove the cleaning tools. You have gone back and forth about things happening on your account and on your dad's account. You have gone back and forth between a laptop and a desktop.

I explained to you that 'slow' didn't mean malware- there are many reasons for 'slow' including how much RAM is installed on a system.

If you still think there are other malware related problems: Please begin a new thread, only working on one computer.
Run the preliminary cleaning programs again and leave the logs.
Using another cleaning program to remove entries has invalidated previous logs and it was clearly requested that you not use other cleaning programs or scans while being helped.

I see the following in this HijackThis log:
O20 - Winlogon Notify: RailNotification - Invalid registry found

I don't know what this is. I could not identify it, but the entry shouldn't be there and HJT doesn't remove O20 entries. It would require running a program like Combofix, possibly others, to get more information.

You have been in the Registry and the program you use for SmartShopper sent you into the Registry. You are supposed to always back up the Registry before doing a Regedit. If you did that, you can try using the backup but my recommendation is to start over.

But I suggest you start over, make a new thread with a reference to this URL. Stay out of the Registry, let someone assist you properly.
 