Browser opens by itself on system startup.

I'm not sure if it's malware, or remains of a malware, or some PUP that got through, but every time my system starts, Firefox (or other default browser) loads up and tries to load this address hxxp://83.102.180.167/?url=hxxp://go.microsoft.com/fwlink/?LinkID=219472&clcid=0x409 (replace x with t). And I can't find from where it's loading; there is nothing suspicious in Autoruns, and Malwarebytes, AdwCleaner and Hitman Pro find nothing. I did boot event logging with Process Monitor, and I see that firefox starts with command line "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "hxxp://go.microsoft.com/fwlink/?LinkID=219472&clcid=0x409", parent process is listed as explorer.exe and current directory is C:\Windows\system32. But I don't know Procmon well enough to figure out from where exactly it starts.

So, help please.
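The command line in the Procmon capture is the clue: `-osint -url "<url>"` is what Firefox's own URL-handler registration appends when the shell is asked to open an http URL, so something handed a URL to the shell rather than starting firefox.exe directly, and explorer.exe as the parent points at the auto-start locations that Explorer itself processes (Run keys and the Startup folder) rather than at a scheduled task, which would normally show taskeng.exe or svchost.exe as parent. The script below is an added example, not part of the original thread or any of the tools named in it: it enumerates the common Windows auto-start locations and reports every entry whose command, shortcut target or .url file contains a search string (default: the fwlink URL from the post) or is a bare URL. The `-Needle` and `-ShowAll` parameters and the `Add-Entry` helper are this example's own names; run it in an elevated PowerShell on Windows 8.1 or later.

```powershell
# Added example (not from the original thread): hunt the auto-start locations
# for the entry that opens a URL at logon. Default needle is the fwlink URL
# from the post; -ShowAll lists every entry instead of only matches.
param(
    [string]$Needle = 'go.microsoft.com/fwlink',   # assumption: string to look for
    [switch]$ShowAll
)

$hits = New-Object System.Collections.Generic.List[object]

# Record an entry if it contains the needle or is a bare URL (a URL handed to
# the shell lands in the default browser, which is the -osint -url launch seen).
function Add-Entry([string]$Source, [string]$Name, [string]$Value) {
    if (-not $Value) { return }
    if ($ShowAll -or $Value -match [regex]::Escape($Needle) -or $Value -match '^\s*https?://') {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Run / RunOnce keys (64-bit, 32-bit view, per-user, and policy-driven).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        Add-Entry $key $p.Name ([string]$p.Value)
    }
}

# 2. Winlogon Shell / Userinit (machine and per-user).
foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    if (-not (Test-Path $wl)) { continue }
    $props = Get-ItemProperty -Path $wl
    foreach ($n in 'Shell', 'Userinit') { Add-Entry $wl $n ([string]$props.$n) }
}

# 3. Active Setup stubs, which run once per user at logon.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components') {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        Add-Entry $root $_.PSChildName ([string](Get-ItemProperty -Path $_.PSPath).StubPath)
    }
}

# 4. Startup folders: items here are opened through the shell, so a .url file
#    or a shortcut whose target is a URL goes straight to the default browser.
$wsh = New-Object -ComObject WScript.Shell
foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        switch ($_.Extension.ToLower()) {
            '.lnk'  { $sc = $wsh.CreateShortcut($_.FullName)
                      Add-Entry $folder $_.Name "$($sc.TargetPath) $($sc.Arguments)" }
            '.url'  { $u = (Get-Content -Path $_.FullName | Where-Object { $_ -like 'URL=*' }) -join ' '
                      Add-Entry $folder $_.Name $u }
            default { Add-Entry $folder $_.Name $_.FullName }
        }
    }
}

# 5. Scheduled tasks, for completeness (logon-triggered tasks also open URLs).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        Add-Entry "Task $($task.TaskPath)$($task.TaskName)" ([string]$task.State) "$($a.Execute) $($a.Arguments)"
    }
}

$hits | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Anything reported with a bare URL as its value, or with a target that is itself a URL opener, is the entry to remove or disable; re-run with `-ShowAll` if nothing matches, and compare the list against the Autoruns output, since Autoruns hides Microsoft-signed entries by default.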

Hi Maniak2000,
Sounds like something is trying to open a site during boot, which in turn is calling your default browser to open.

Does Autoruns or Autoruns analyser under login or boot show any suspicious entries?
Depending on your OS, does MSConfig or Windows Task Manager show anything suspicious under startup?
Are there any suspicious additions to your ‘Programs and Features’?

Thanks.

I don't see anything suspicious in autorun sections; in Autoruns Analyzer every entry is marked as trusted. I removed 2 programs I installed recently, but that did not fix the problem. OS is Win8.1 x64.

Hello,

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;

Paste the results here

Hi Maniak2000,
Please see the 2 external links below, as they sound related to your issue.
Use Caution with the following suggestions and any action taken to be done at your own risk.
Preventing Bing Page Popping on Windows 8-computerworldblog4u
Clean Install - browser windows keep opening to MSN (answers.microsoft.com): https://answers.microsoft.com/en-us/windows/forum/windows_8-networking/clean-install-browser-windows-keep-opening-to/99c3f698-e996-4fa2-a6cf-c3d90aa5c8e9

Hope the links help.

That took a while.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Alexey on 23.05.2015 at 15:25:55,46.
Microsoft Windows 8.1 Professional 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: D:\1\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

23.05.2015 15:27:40 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\AVS4YOU deleted successfully
C:\PROGRA~2\Razer deleted successfully
C:\PROGRA~2\VideoLAN deleted successfully
C:\PROGRA~2\COMMON~1\Wise Installation Wizard deleted successfully
C:\Program Files\HitmanPro deleted successfully
C:\PROGRA~3\HTC deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\Shared Space deleted successfully
C:\Users\Alexey\AppData\Roaming\HTC deleted successfully
C:\Users\Alexey\AppData\Roaming\Opera Software deleted successfully
C:\Users\Alexey\AppData\Local\Opera Software deleted successfully
C:\Users\Alexey\AppData\Local\pangu deleted successfully
C:\Users\Alexey\AppData\Local\Pirates deleted successfully
C:\Users\Alexey\AppData\Local\Secunia PSI deleted successfully
C:\Users\Alexey\AppData\Local\Unity deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\CrashDumps deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-4040991952-1135544902-487757382-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BFF1FF83-D72B-46DC-AC26-DEE8D1BD8B3F} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178

user.js not found
---- Lines search.com removed from prefs.js ----
user_pref("noscript.untrusted", "acint.net adfox.ru facebook.net jquery.com newgrounds.com ngfiles.com nocookie.net quantserve.com rackcdn.com scoreca
---- FireFox user.js and prefs.js backups ----

prefs__1600_.backup

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\AVS4YOU not found
C:\PROGRA~2\Razer not found
C:\PROGRA~2\VideoLAN not found
C:\Users\Alexey\AppData\Roaming\Aegisub deleted
C:\windows\SysNative\Tasks\KMSAutoNet deleted
C:\Users\Alexey\.android deleted
C:\PROGRA~2\Paradox Interactive deleted
C:\Users\Alexey\AppData\Roaming\AlawarEntertainment deleted
C:\Users\Alexey\AppData\Roaming\ProductData deleted
C:\PROGRA~3\AlawarWrapper deleted
C:\PROGRA~3\fontcacheev1.dat deleted
C:\PROGRA~3\ProductData deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\d3dx9_11.dll.tmp deleted
C:\Windows\Syswow64\lMMLDeleteUserData42107612FX.tmp deleted
C:\Users\Public\Documents\AlawarWrapper deleted
C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178\jetpack deleted
"C:\Users\Alexey\AppData\Local\{4A9B24D2-460E-4540-9937-2C91F02063C9}" deleted
"C:\Users\Alexey\AppData\Local\{51A629A9-A034-4EDD-9C7F-553EFE8AAD7F}" deleted
"C:\Users\Alexey\AppData\Local\{A604A938-E460-4CFC-9BFE-2C351CDBA06B}" deleted
"C:\Users\Alexey\AppData\Local\{D7521666-6F29-485E-BF2E-D263FE91A1E1}" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178
user_pref("browser.startup.homepage", "https://www.yandex.ru/");
user_pref("browser.search.defaultenginename", "Google");

==== Firefox Proxy Settings ======================

ProfilePath: C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178
user_pref("extensions.charles.settings.disabled.network.proxy.http", "127.0.0.1");
user_pref("extensions.charles.settings.disabled.network.proxy.http_port", 8888);
user_pref("extensions.charles.settings.disabled.network.proxy.no_proxies_on", "");
user_pref("extensions.charles.settings.disabled.network.proxy.share_proxy_settings", false);
user_pref("extensions.charles.settings.disabled.network.proxy.socks", "");
user_pref("extensions.charles.settings.disabled.network.proxy.socks_port", 0);
user_pref("extensions.charles.settings.disabled.network.proxy.ssl", "127.0.0.1");
user_pref("extensions.charles.settings.disabled.network.proxy.ssl_port", 8888);
user_pref("extensions.charles.settings.disabled.network.proxy.type", 0);
user_pref("extensions.charles.settings.enabled.network.proxy.http", "127.0.0.1");
user_pref("extensions.charles.settings.enabled.network.proxy.http_port", 8888);
user_pref("extensions.charles.settings.enabled.network.proxy.no_proxies_on", "");
user_pref("extensions.charles.settings.enabled.network.proxy.share_proxy_settings", false);
user_pref("extensions.charles.settings.enabled.network.proxy.socks", "");
user_pref("extensions.charles.settings.enabled.network.proxy.socks_port", 0);
user_pref("extensions.charles.settings.enabled.network.proxy.ssl", "127.0.0.1");
user_pref("extensions.charles.settings.enabled.network.proxy.ssl_port", 8888);
user_pref("extensions.charles.settings.enabled.network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8888);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8888);
user_pref("network.proxy.type", 0);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"fiddlerhook@fiddler2.com"="C:\Program Files (x86)\Fiddler4\FiddlerHook" [02.05.2015 20:27]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178

  • FiddlerHook - C:\Program Files (x86)\Fiddler4\FiddlerHook
  • United States English Spellchecker - %ProfilePath%\extensions\en-US@dictionaries.addons.mozilla.org
  • HTTPS-Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org
  • LastPass - %ProfilePath%\extensions\support@lastpass.com
  • ZenMate Security & Privacy VPN - %ProfilePath%\extensions\firefox@zenmate.com.xpi
  • VKontakte.ru Downloader - %ProfilePath%\extensions\vk@sergeykolosov.mp.xpi
  • Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Alexey\AppData\Roaming\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178
9AE02005247DA91AB1743F5208DBEF76 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
2E661988463BCFA1B95D4DAAB9B0B6FA - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll - Shockwave Flash
725C6AB29E52A2724042D43BFB42D638 - C:\Users\Alexey\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
0B42C250F2884CE5AC8FBE26B81D02A5 - C:\Users\Alexey\AppData\Local\Radvision\Installer\1.5.0.5\npClientInstMgr.dll - Conference Client Dispatcher

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
hdokiejnpimakedhajhdlcegeplioahd - No path found[]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="{searchTerms} - Google Search
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="{searchTerms} - Search

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Policies\Chromium deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BreakawayPersonalForWindows deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\BQN22Y34 will be deleted at reboot
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\DMI00LRW will be deleted at reboot
C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\ZAEN08AP will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Alexey\AppData\Local\Mozilla\Firefox\Profiles\9zrn5jjf.default-1410387137178\cache2 emptied successfully
C:\Users\Alexey\AppData\Local\Mozilla\Firefox\Profiles\xqwx2o33.default\Cache emptied successfully
C:\Users\Alexey\AppData\Local\Mozilla\Firefox\Profiles\xqwx2o33.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=921 folders=178 53499301 bytes)

==== Empty Temp Folders ======================

C:\Users\Alexey\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Alexey\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

“C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\BQN22Y34” not found
“C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\DMI00LRW” not found
“C:\Users\Alexey\AppData\Local\Microsoft\Windows\INetCache\IE\ZAEN08AP” not found

==== EOF on 23.05.2015 at 16:15:23,32 ======================

Captainsticks, thank you, that registry trick seems to work. No more Firefox opening on its own. I thought I caught something, but it seems just Microsoft meddling.

You are welcome, let us hope it continues behaving. :)

Kind regards.