Win7: Browser launching at startup, virus with a sense of humor?

The111 (n00b, joined May 4, 2009, 49 messages)
I am at my wit's end here. Earlier today I was unable to accomplish something which has never been a problem for me in the past. Simple file transfers over a local network between two Windows 7 PCs. I still haven't got to the bottom of it, but a newer problem has sprung up which would be pretty damn funny if it wasn't so frustrating.

So, in the middle of all my earlier networking problems, several people mentioned I should be using homegroups (which I still disagree with), and at some point after that, I rebooted my computer, and upon Windows startup, a browser launched on its own and connected to homegroup.com (a bogus site). Hilarious... after an hour discussing homegroups, I get a strange never before seen bug (virus???) where my PC connects to homegroup.com on startup. Truly hilarious.

I've run full system scans with:
MBAM
MSE
Ad-Aware

The browser is Firefox (my default) if it matters. I've checked my startup folder, and msconfig. Also, note that homegroup.com is NOT my browser's homepage (it is still google.com as it's always been). I've checked running services... they are all accounted for.

This is hardly a catastrophic problem, the easy solution is to just close the browser. However it bothers me in general to have any unexpected behavior on my PC, and this one is extra special because of the whole homegroup ordeal. I am not sure how I could have a virus already... I just formatted this PC yesterday and have only installed trusted software (and MSE was one of my first installs as always).

Truly going crazy here. Is it possible while mucking around in all the advanced networking settings, I somehow typed the word homegroup in somewhere and caused this to happen? I doubt it... but I really have no other ideas. Help! :confused:

Thanks! :)
 
I'd say get Hitman Pro and run a pass of that, it seems to be useful to some folks. The "installer" will get to the point where you check a box to continue, and if you're paying attention you'll see the option to just run a one-time system scan - that way you don't have to actually install it and it simply runs from RAM.

Also, check the following Registry keys if you haven't done so already:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

and delete anything that really shouldn't be there (typically those 4 keys should be empty unless you have a lot of stuff that normally does run at start up - on my machine, there's only one single entry in the HKLM Run key and that's MSC.exe for Microsoft Security Essentials. Nothing else runs at boot time on my hardware).

If there's an infection it could be something chained to trigger the loading of the browser by firing off a URL someplace, but Hitman Pro should pick up on it if it's in there.

Another suggestion would be to try TrendMicro HouseCall, an online scan that runs in the browser (use IE since it has an ActiveX component, or use Firefox if you have Java installed; it requires the actual Java runtime installed, not JavaScript which the browser handles natively).

And then finally there's Eset's own online scanner that might find something, you never know.

Can't hurt to try 'em all till something works I suppose.

Worst comes to worst: if you just did the install a day ago, do it again. :D
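To check the four Run/RunOnce keys listed above without clicking through regedit by hand, here is an added PowerShell audit script (my own example, not anything from this thread). It assumes the stock Windows 7 PowerShell (2.0) and lists every autostart value, resolves the program it launches, and flags entries that embed a URL, point at a missing file, or live outside Program Files / Windows; the location and URL heuristics are my own assumptions about what normally belongs there.

```powershell
# Added example: audit the Run / RunOnce keys for the current user and the machine.
# Run from an elevated PowerShell prompt so the HKLM keys are readable in full.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # The program is either a "quoted path" or everything up to the first space.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # A bare name such as rundll32.exe is resolved through PATH; a full path is tested as-is.
        if ($exe -and $exe -notmatch '\\') {
            $found = Get-Command $exe -ErrorAction SilentlyContinue
            if ($found) { $exe = $found.Definition }
        }
        $flags = @()
        if ($cmd -match 'https?://|www\.') { $flags += 'URL in command line' }
        if (-not $exe) { $flags += 'empty command' }
        elseif (-not (Test-Path -LiteralPath $exe)) { $flags += 'target file missing' }
        # Heuristic (assumption): legitimate autostarts normally sit under Program Files or Windows.
        elseif ($exe -notmatch '^[A-Za-z]:\\(Program Files|Windows)\\') { $flags += 'outside Program Files / Windows' }
        New-Object PSObject -Property @{
            Key     = $key
            Name    = $name
            Command = $cmd
            Flags   = ($flags -join '; ')
        }
    }
}
```

Pipe the script's output to `Format-Table -AutoSize` to read it; an empty Flags column on every row means nothing in these keys looks out of place, which was the case in this thread, since the culprit turned out to be elsewhere.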
 
Try your last system restore as a first step.
Try a different profile to see if it happens.
Is that the only bad thing happening?
 
Tried every suggestion here, minus the system restore and reinstall. ;-) If I have to I will do a reinstall in a few weeks when I have time. What a stumper. :-(
 
Well... here is something interesting! I removed FF for grins.

With FF gone, IE was my default again. Sure enough, it did launch... but it only tried to connect to http://homegroup/

Which means FF was adding in the www and com... which makes me even more suspicious this is not a virus but something I did in my network mucking. But I am pretty damn sure I never typed the word homegroup in anywhere... the only thing I did regarding homegroups was disable them everywhere I saw them!
 

Check to make sure you have homegroup disabled in network sharing center?
 
You've gone and gotten yourself one of the new "FUN" proxy malwares. Basically the malware operates like this:

A downloader file exists on your computer; this file's purpose is to make sure you cannot use any browser without being redirected. This file also installed the proxy links.

The proxy is located in one of two "pain in the arse" locations. Both are in the registry and typically NOT in the Run or RunOnce locations listed above. They instead are written to the links that fire off Explorer, Firefox, Chrome, Opera, etc. The malware actually makes it so ANY link to the executable will proxy directly to a website that opens up and auto downloads the downloader file listed above.

To remove this bugger you have to:

Step ONE: place your computer offline (completely off and disconnected from the internet)

Step TWO: Remove the proxy extensions from the registry keys

Step THREE: Remove the downloader file

The downloader file can be anything. I've seen it as an executable, a VBS script, a Java file sitting in the Java cache, a rootkit. Almost anything that can run code is a suspect.

There is a pile of relevant information as to how to look for and remove this type of malware. Some of the info posted is from me, in the comments of this article http://www.howtogeek.com/57837/how-to-remove-win-7-anti-spyware-2011-fake-anti-malware-infections/

Good Luck
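The post above describes the browser "links" being rewritten so that any shortcut to the browser opens a site instead. As an added example (mine, not from the poster or the linked article), this PowerShell script walks the places a user normally launches a browser from and reports shortcuts whose target is a browser but whose arguments carry something that looks like a URL, or whose target is not under Program Files; the folder list, browser names and the URL pattern are my own assumptions, and it uses the WScript.Shell COM object to read the .lnk files.

```powershell
# Added example: find browser shortcuts that have been given a URL argument.
$shell = New-Object -ComObject WScript.Shell
$browsers = @('iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe')   # browsers named above

# Places a user normally launches a browser from (current-user and all-users copies).
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # also holds the taskbar pins
) | Where-Object { Test-Path $_ }

Get-ChildItem -Path $roots -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $sc  = $shell.CreateShortcut($_.FullName)
    $exe = [IO.Path]::GetFileName([string]$sc.TargetPath).ToLower()
    if ($browsers -notcontains $exe) { return }     # not a browser shortcut: skip to the next one
    $reasons = @()
    # Browser shortcuts normally carry no arguments; a site name in there is the pattern described above.
    if ($sc.Arguments -match 'https?://|www\.|\.(com|net|org)\b') { $reasons += 'URL in arguments' }
    # Assumption: the real browser binary lives under Program Files (or Program Files (x86)).
    if ($sc.TargetPath -notmatch '^[A-Za-z]:\\Program Files') { $reasons += 'browser not under Program Files' }
    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            Shortcut  = $_.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            Reason    = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize
```

A clean machine prints nothing; a hit shows the exact shortcut and the argument string so you can compare it with a fresh shortcut created from the browser's own executable.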
 
Check the task scheduler as well, I've seen a bunch of malware lately that create a task to run at startup to download and reinstall itself if it's not running.
 
I just created a new user to see if it happened with him, and sure enough it doesn't happen with the new user. So, I got out Wingrep and searched the old user folder (which was small enough that it didn't crash Wingrep like an entire C: search did), and I found one entry that made me suspicious:

Code:
C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms
00007: fldr.dll,-11411SPSâXFL8Cü&mÎÀFLÀFç U^GÊU^GÊÐSj Ê(üÿÿKPàOÐ ê:iØ+00/C:\R1þ>ÔEWindows<ïî:þ>ÔE*WindowsV1ÿ>8System32>ïî:ÿ>8*System32t2(î:Ë GettingStarted.exeRïí:í:*EEGettingStarted.exe"U-TJC:\Windows\System32\GettingStarted.exe)@%systemroot%\system32\oobefldr.dll,-1162b{D36AFB67-9043-4714-B4A3-E9E9481750A1} %systemroot%\system32\control.exe /name Microsoft.HomeGroup"%systemroot%\system32\imageres.dll%SystemRoot%\system32\GettingStarted.exe

I deleted that file, and it solved the problem! No more http://homegroup/ browser launches!

Now, anybody have a good explanation for what that file is and how it got there?

Furthermore... I still am not able to get network shares working properly with my main account, and as an insult I noticed that my new dummy account I made for testing does network shares perfect right out of the box, with what appear to be the same exact settings I have on my main account. Grr. I guess if it bothers me enough I'll migrate the account somehow.
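The poster found the culprit by grepping the profile folder and hitting a jump list file under Recent\CustomDestinations. Here is an added PowerShell version of that search (my own example, not the poster's procedure or tool) that reads every jump list file under the current user's Recent folder and reports which ones contain a given string, in either narrow or UTF-16 form, so the file can be inspected or moved aside before anything is deleted. The folder names come from the path in the post; the default search string 'homegroup' is the one from this thread.

```powershell
# Added example: search the current user's jump list files for an embedded string.
function Find-ByteSequence([byte[]]$Hay, [byte[]]$Pat) {
    # A naive scan is fine: jump list files are a few kilobytes at most.
    for ($i = 0; $i -le $Hay.Length - $Pat.Length; $i++) {
        $j = 0
        while ($j -lt $Pat.Length -and $Hay[$i + $j] -eq $Pat[$j]) { $j++ }
        if ($j -eq $Pat.Length) { return $i }
    }
    return -1
}

function Find-JumpListString {
    param(
        [string]$Needle = 'homegroup',                                    # string from this thread
        [string]$Recent = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent')
    )
    $folders = 'CustomDestinations', 'AutomaticDestinations' | ForEach-Object { Join-Path $Recent $_ }
    # Jump lists hold both narrow and UTF-16 strings, so prepare both encodings of the lower-cased needle.
    $patterns = @{
        'ASCII'  = [Text.Encoding]::ASCII.GetBytes($Needle.ToLower())
        'UTF-16' = [Text.Encoding]::Unicode.GetBytes($Needle.ToLower())
    }
    $files = Get-ChildItem -Path $folders -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $bytes = [IO.File]::ReadAllBytes($file.FullName)
        # Lower-case A-Z in place so the match is case-insensitive without altering other bytes.
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            if ($bytes[$i] -ge 65 -and $bytes[$i] -le 90) { $bytes[$i] = $bytes[$i] + 32 }
        }
        foreach ($enc in $patterns.Keys) {
            $offset = Find-ByteSequence $bytes $patterns[$enc]
            if ($offset -ge 0) {
                New-Object PSObject -Property @{
                    File     = $file.FullName
                    Encoding = $enc
                    Offset   = $offset
                    Modified = $file.LastWriteTime
                    Size     = $file.Length
                }
            }
        }
    }
}

Find-JumpListString -Needle 'homegroup' | Format-Table -AutoSize
```

The Modified column is worth checking against the time the problem started; moving a matching file to a backup folder instead of deleting it keeps it available for a closer look, and the jump list is simply rebuilt as the application is used.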
 
My screen shot failed. Sounds to me like you've enabled some sort of built-in Win7 crap.

My System32 directory contains gettingstarted.exe

07/13/2009 08:39 PM 11,776 GettingStarted.exe
1 File(s) 11,776 bytes
 
It looks like you added "homegroup" to a browser jumplist and had a persistent browser setting in your registry.
 