Thread: Win7: Browser launching at startup, virus with a sense of humor?

I am at my wit's end here. Earlier today I was unable to accomplish something which has never been a problem for me in the past. Simple file transfers over a local network between two Windows 7 PC's (thread posted to this same forum). I still haven't got to the bottom of it, but a newer problem has sprung up which would be pretty damn funny if it wasn't so frustrating.

So, in the middle of all my earlier networking problems, it was mentioned I should be using homegroups (which I still disagree with), and at some point after that, I rebooted my computer, and upon windows startup, a browser launched on its own and connected to homegroup.com (a bogus site). Hilarious... after an hour discussing homegroups, I get a strange never before seen bug (virus??) where my PC connects to homegroup.com on startup. Truly hilarious.

I've run full system scans with:
MBAM
MSE
Ad-Aware

The browser is Firefox (my default) if it matters. I've checked my startup folder, and msconfig. Also, note that homegroup.com is NOT my browser's homepage (it is still google.com as it's always been). I've checked running services... they are all accounted for.

This is hardly a catastrophic problem, the easy solution is to just close the browser. However it bothers me in general to have any unexpected behavior on my PC, and this one is extra special because of the whole homegroup ordeal. I am not sure how I could have a virus already... I just formatted this PC yesterday and have only installed trusted software (and MSE was one of my first installs as always).

Truly going crazy here. Is it possible while mucking around in all the advanced networking settings, I somehow typed the word homegroup in somewhere and caused this to happen? I doubt it... but I really have no other ideas. Help!

Thanks!

Spybot S&D: The home of Spybot-S&D!
Malwarebytes: Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at CNET Download.com

Process Explorer: Process Explorer

Hijack this (run and post up): HijackThis - Trend Micro USA

Originally Posted by Phyrelight

I thought he said he did that already but reading it again I don't see it. Good call.

type in msconfig.exe in the start menu of windows 7 and go to the start up tab.

Yeah, I mentioned both those things in my OP. :-/

I've tried a bunch of other things suggested here and on other forums... no luck. So weird. :-(

Well... here is something interesting! I removed FF for grins.

With FF gone, IE was my default again. Sure enough, it did launch... but it only tried to connect to http://homegroup/

Which means FF was adding in the www and com... which makes me even more suspicious this is not a virus but something I did in my network mucking. But I am pretty damn sure I never typed the word homegroup in anywhere... the only thing I did regarding homegroups was disable them everywhere I saw them!

Originally Posted by Veovis

Well... here is something interesting! I removed FF for grins.

With FF gone, IE was my default again. Sure enough, it did launch... but it only tried to connect to http://homegroup/

Which means FF was adding in the www and com... which makes me even more suspicious this is not a virus but something I did in my network mucking. But I am pretty damn sure I never typed the word homegroup in anywhere... the only thing I did regarding homegroups was disable them everywhere I saw them!

That's it...u disabled it, now it wats to come back...sounds to me like a poltergeist....call steven king....

Sent from my phone, because obviously I am not at home...using TapaTalk

I just created a new user to see if it happened with him, and sure enough it doesn't happen with the new user. So, I got out Wingrep and searched the old user folder (which was small enough that it didn't crash Wingrep like an entire C: search did), and I found one entry that made me suspicious:

Code:

C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms
00007: fldr.dll,-11411SPSâXFL8Cü&mÎÀFLÀFç U^GÊU^GÊÐSj Ê(üÿÿKPàOÐ ê:iØ+00/C:\R1þ>ÔEWindows<ïî:þ>ÔE*WindowsV1ÿ>8System32>ïî:ÿ>8*System32t2(î:Ë GettingStarted.exeRïí:í:*EEGettingStarted.exe"U-TJC:\Windows\System32\GettingStarted.exe)@%systemroot%\system32\oobefldr.dll,-1162b{D36AFB67-9043-4714-B4A3-E9E9481750A1} %systemroot%\system32\control.exe /name Microsoft.HomeGroup"%systemroot%\system32\imageres.dll%SystemRoot%\system32\GettingStarted.exe

I deleted that file, and it solved the problem! No more http://homegroup/ browser launches!

Now, anybody have a good explanation for what that file is and how it got there?

Furthermore... I still am not able to get network shares working properly with my main account, and as an insult I noticed that my new dummy account I made for testing does network shares perfect right out of the box, with what appear to be the same exact settings I have on my main account. Grr. I guess if it bothers me enough I'll migrate the account somehow.