Win7: Browser launching at startup, virus with a sense of humor?

The111

Member
I am at my wit's end here. Earlier today I was unable to accomplish something which has never been a problem for me in the past: simple file transfers over a local network between two Windows 7 PCs. I still haven't got to the bottom of it, but a newer problem has sprung up which would be pretty damn funny if it wasn't so frustrating.

So, in the middle of all my earlier networking problems, several people mentioned I should be using homegroups (which I still disagree with), and at some point after that, I rebooted my computer, and upon Windows startup, a browser launched on its own and connected to homegroup.com (a bogus site). Hilarious... after an hour discussing homegroups, I get a strange, never-before-seen bug (virus???) where my PC connects to homegroup.com on startup. Truly hilarious.

I've run full system scans with:
MBAM
MSE
Ad-Aware

The browser is Firefox (my default) if it matters. I've checked my startup folder, and msconfig. Also, note that homegroup.com is NOT my browser's homepage (it is still google.com as it's always been). I've checked running services... they are all accounted for.

This is hardly a catastrophic problem; the easy solution is to just close the browser. However, it bothers me in general to have any unexpected behavior on my PC, and this one is extra special because of the whole homegroup ordeal. I am not sure how I could have a virus already... I just formatted this PC yesterday and have only installed trusted software (and MSE was one of my first installs, as always).

Truly going crazy here. Is it possible while mucking around in all the advanced networking settings, I somehow typed the word homegroup in somewhere and caused this to happen? I doubt it... but I really have no other ideas. Help! 😕

Thanks! 🙂
 
Truly going crazy here. Is it possible while mucking around in all the advanced networking settings, I somehow typed the word homegroup in somewhere and caused this to happen? I doubt it... but I really have no other ideas. Help!

That's my guess too, but don't have any data to back it up since I haven't actually used Homegroups since my only Win7 VM is domain joined for work. Did you do a search in the registry for homegroup.com to see if anything odd jumps out?
 
That's my guess too, but don't have any data to back it up since I haven't actually used Homegroups since my only Win7 VM is domain joined for work. Did you do a search in the registry for homegroup.com to see if anything odd jumps out?

Yeah, I also tried to wingrep my entire HDD for homegroup.com, but it just kept crashing wingrep; I guess it can't deal with such a large search set. :-/
 
Just as a point of curiosity, I would remove Firefox (keep your config though) and see whether the system does the same thing with IE.

Something I would check even though I can't back it up with logic is your hosts file:
C:\windows\system32\drivers\etc\hosts

I've seen a bit of malware in my line of work a few times before which is just a Firefox add-on, but of course that would still need an entry in the registry to start Firefox.

The sysinternals tool 'autoruns' can be quite helpful in picking out things that ought not to be there.
 
Just as a point of curiosity, I would remove Firefox (keep your config though) and see whether the system does the same thing with IE.

Haha, I literally am in the process of doing that right now... great minds think alike, hopefully! Will report back.
 
Haha, I literally am in the process of doing that right now... great minds think alike, hopefully! Will report back.

Well... here is something interesting!

With FF gone, IE was my default again. Sure enough, it did launch... but it only tried to connect to http://homegroup/

Which means FF was adding in the www and com... which makes me even more suspicious this is not a virus but something I did in my network mucking. But I am pretty damn sure I never typed the word homegroup in anywhere... the only thing I did regarding homegroups was disable them everywhere I saw them!
 
It seems like you have homegroup.com in your startup sequence, and it gets parsed as a web address and gets invoked with the default browser. Check the usual startup suspects in the registry.
 
It seems like you have homegroup.com in your startup sequence, and it gets parsed as a web address and gets invoked with the default browser. Check the usual startup suspects in the registry.

Agreed... but it's not IN any of those startup places. :-/
 
One other thing, try creating another Windows user and see whether the homegroup bit appears for that user too. Then you'll know if it's a per-user setting or a global one.
 
One other thing, try creating another Windows user and see whether the homegroup bit appears for that user too. Then you'll know if it's a per-user setting or a global one.

You know, I considered doing this myself but never did, for whatever reason. So I just did it, and sure enough it doesn't happen with the new user. So, I got out Wingrep and searched the old user folder (which was small enough that it didn't crash Wingrep like an entire C: search did), and I found one entry that made me suspicious:

Code:
C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms
00007: fldr.dll,-11411SPSâXFL8Cü&mÎÀFLÀFç U^GÊU^GÊÐSj Ê(üÿÿKPàOÐ ê:iØ+00/C:\R1þ>ÔEWindows<ïî:þ>ÔE*WindowsV1ÿ>8System32>ïî:ÿ>8*System32t2(î:Ë GettingStarted.exeRïí:í:*EEGettingStarted.exe"U-TJC:\Windows\System32\GettingStarted.exe)@%systemroot%\system32\oobefldr.dll,-1162b{D36AFB67-9043-4714-B4A3-E9E9481750A1} %systemroot%\system32\control.exe /name Microsoft.HomeGroup"%systemroot%\system32\imageres.dll%SystemRoot%\system32\GettingStarted.exe

I deleted that file, and it solved the problem! No more http://homegroup/ browser launches!

Now, anybody have a good explanation for what that file is and how it got there?

Furthermore... I still am not able to get network shares working properly with my main account, and as an insult I noticed that my new dummy account I made for testing does network shares perfect right out of the box, with what appear to be the same exact settings I have on my main account. Grr. I guess if it bothers me enough I'll migrate the account somehow.
 
That file is in a location that controls Win7's jump lists and recent items.

Re: network shares from main account
Have you tried accessing the share from the Run prompt (keyboard shortcut: Windows key + R):

\\computername\sharename

Or just \\computername

or \\IPaddressofcomputer

?
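An added example, not from anyone in this thread: a small Python scanner that does what the full-disk wingrep search could not finish, pulling both ASCII and UTF-16LE strings out of the per-user jump list files (the CustomDestinations folder the file above lived in, plus its AutomaticDestinations sibling, which the thread does not mention and is an assumption here) and reporting which file references a given word such as "homegroup". The SAMPLE blob is constructed for the demonstration, not a real jump list.

```python
import os
import re
from pathlib import Path

# Per-user jump list stores: the thread's file lived in CustomDestinations;
# the sibling AutomaticDestinations folder is added here as an assumption.
RECENT = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Recent"
JUMPLIST_DIRS = [RECENT / "CustomDestinations", RECENT / "AutomaticDestinations"]

def extract_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable runs in a binary blob.
    Jump lists hold serialized shell links, which store paths as both
    single-byte and UTF-16LE strings, so an ASCII-only grep can miss them."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_references(blob: bytes, needle: str):
    """Return the hits whose text contains needle (case-insensitive)."""
    needle = needle.lower()
    return [hit for hit in extract_strings(blob) if needle in hit[2].lower()]

def scan_jumplists(dirs, needle: str):
    """Map each jump list file under dirs to the hits found in it."""
    hits = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if f.is_file():
                refs = find_references(f.read_bytes(), needle)
                if refs:
                    hits[str(f)] = refs
    return hits

# Constructed stand-in for a jump list fragment: junk bytes around an ASCII
# executable name and a UTF-16LE task command like the one in the thread.
SAMPLE = (
    b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\xff" * 5
    + b"GettingStarted.exe\x00" + b"\x00\x7f\x00"
    + "%systemroot%\\system32\\control.exe /name Microsoft.HomeGroup".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, text in find_references(SAMPLE, "homegroup"):
        print(f"sample @{off:#06x} [{enc}] {text}")
    for path, refs in scan_jumplists(JUMPLIST_DIRS, "homegroup").items():
        print(path, refs)
```

Run it on the affected account to list every jump list file that references the word, then compare against a fresh account, which is the per-user versus global test suggested earlier in the thread.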
 