Random Pop-Ups

Since earlier this year, I have observed periodic but quite regular pop-ups. I can’t work out whether they’re from specific web sites or whether they’re placed on web sites without their knowledge, but most recently, I got this on the bottom right of my screen:

“Further Readings & Images”

Below the above title are displayed varying photos with text below them.

Are these pop-ups viruses or malware?

I’ve ticked to block pop-ups, yet these and some identical style ones still come through.

If they’re viruses or malware, what do I need to block them?

There’s little to work out here. Check first if it is from the website. Open up a browser and visit the suspect site. If it pops up then that’s one. Close it then open it again. Pops up? Note that. Browse anywhere else. None? It’s from the website. You can block them via extensions/add-ons. Check Adblock Plus.

If it is adware, then check the list of installations (particularly the ones that run at startup) that you have and research each suspect installation. See if they came with a bundle or if they had a reputation of pushing ads to the user. Antiviruses can usually detect them if they had a Possible Unwanted Program (PUP) option in their scans. A regular uninstallation of the suspect program should suffice though. If there are still pop-ups even without a browser open, no adware, and the installations are clean, then it’s possibly malware. Post a log generated by HiJackThis here, and we’ll help you work out this problem when there’s time (this is a forum; nearly everyone here is also an end-user rather than an employee, though there are some here with technical expertise, so the degree of help each can offer greatly varies and the time we spend solving people’s dilemmas is based only on discretion).

There can be no definite answer to the question since insufficient details were given.

PCmag.com is one of the web sites that adds the unwanted pop-up “Recommended for you”, which sprang up vertically on the bottom right hand side of the screen as you scroll down the web page, only while browsing, so it could very well be malware. If I hovered over it, it displayed the web site it would redirect me to. Upon closing PCmag.com, the pop-up would go, but the moment I returned to PCmag, it would reappear.

Since then, I installed the add-on NoScript, which is very useful but very aggressive, so on many occasions, I have to click on a button to give permission to load a page or YouTube which previously loaded automatically. To my surprise, in the program “Forbid Microsoft Silverlight” is ticked. Not sure why, as I thought it was a genuine enriching web site features software service, and I’m also unsure why ymtig.com and About:Blank were in NoScript’s Whitelist, given that they are also intrusions, which I’ve since removed. As NoScript was blocking the purpose of Web Inspector, I had to disable it to do a WI scan. This must be why some sites claim that I need to have JavaScript activated, even though it already is.

Upon revisiting pcmag.com, I now get a prompt “IceDragon prevented this page from automatically reloading”, as if NoScript is still running, while disabled.

While using NoScript, I found that “Recommended for you” stopped, so it must be a Script malware of some kind. Not only this, I reset the Hosts file to block malware that’s affected it. Now, when I disable NoScript (unlike yesterday), the Recommendations no longer appear on PCmag, so this and other undetected malware, if any of the latter, may now all be gone, but certainly the reset has reduced problems.

Also in NoScript, I encountered this earlier while visiting a web site: “A user name and password are being requested by https://gj37765.googlecode.com. The site says: “Google Code Subversion Repository””.

As spywareblockers411.com is listed as safe by Website Malware Scanner | Online Website Virus and Malware Scanner, AVG must have given a false positive, as it detected it as malware. It can get very confusing when scans differ on if a site is safe or dangerous to visit, so on that basis, for the time being, I’ll avoid the two Webuda pages (others safe) that Web Inspector regards safe to visit and AVG doesn’t.

What I have noticed is that, when I visit some web pages, About:Blank appears in the address bar prior to loading the web site links, while on most occasions, Comodo Ice Dragon or nothing at all appears prior to loading the links.

For some reason, this site is completely blank when I try to visit this page: http://blog.anvisoft.com/tag/recommended-for-you-popup-block/

I’ve tried Adblock Plus, but even they haven’t blocked out the Recommendations intrusion.

I don’t know how to find the list of installations that run at Startup to research them, but the only program I can think of, recollecting what I’ve installed to date, that had a bundle, including a Security Search toolbar was AVG. Some sites say this toolbar increases security while others say it can easily be removed without reducing protection alongside the remaining Linkscanner. I don’t think any of these installed programs push ads to the user.

I’ve tried a few anti-viruses and “all clear”, so this intrusion is not being detected by anti-virus or anti-malware software. Malwarebytes Anti-Malware and Spyware Blaster are the only programs I’ve had to date which have never detected any unwanted programs and the success of the other programs has been very variable.

I will be very happy to post a log generated by HijackThis here (thanks for the link), but as I’ve never done this before and am a novice user, can you and/or others please give me a link or step-by-step instructions on how I go about this and which section of Comodo’s forum I should list the contents of HijackThis’s scan? If, as I believe, I would need to manually remove some malware from my computer, I want to be extra careful, as I prefer to avoid the registry as a general rule, but on rare occasions, with careful and successfully safe operations, I’ve had to manually delete some stubborn malware that was detected but wasn’t removed, due to lingering around in the memory.

Hopefully, with the aid of Comodo Internet Suite, further malware can be blocked out before it arrives, which I believe CIS can do, which has a quirky Sandbox facility, which I like the sound of for automatically quarantining potential malware. As I’m in the UK, I can’t make use of GeekBuddy, but as I’ve never needed technical assistance from AVG since subscribing to their fee based version of anti-virus, I should be fine with Comodo’s equivalent, but with the addition of the anti-malware incorporated in it. Anything to guarantee or at least considerably increase the chances of detecting and blocking out malware and viruses, etc., so my computer is clean to the optimum.

At present, I have a few different programs to block adware, spyware, malware and viruses, but am reviewing this so I can cut down over the next month to save having too many programs and to free up resources. Among them, SuperAntiSpyware is quite good, but it tends to hog up resources while in real time (I have a Free Trial) and on one occasion, it said it had found and quarantined automatically two pieces of malware. When I checked Quarantine, no sign of the malware and no removal of it, upon checking where it was located. Later that day, one of the two pieces of malware was found again, but this time it did go to Quarantine and I successfully removed it.

I don’t know if Blitzableiter or the add-on FlashGot would help, but for the time being, I’ll hold back on these.

Let’s try this one by one…

It’s an ad. Not malware. The word malware literally means malicious software, an umbrella term that encompasses all software that has an explicit intention of infiltrating and causing damage/exploitation of vulnerabilities for the purpose of non-legal harvesting of data. Ads in websites are what they are: advertisements. Though there are cases where ads are loaded with malicious code, the ads at this point are merely vectors rather than malware. Malicious ads come with malware but are not malware themselves. If it executes no malicious code, it’s really just an annoying ad.

Both Silverlight and Javascript are known vulnerabilities that may be used to infiltrate systems. About:Blank makes use of scripts to display data.

The fact that you could still visit PCMag meant that resetting the host did nothing as I’ve discovered, they share the same IP.

I don’t know why you need to visit this, but this site is dedicated to a specific server and cannot be browsed in any other.

That’s normal. About:Blank is the default page prior to loading. If it turned up blank, it’s because it wasn’t rendered fast enough before the redirect.

I did a search on the blog. No page exists. Perhaps this is what you were looking for:

The ad complies with standards and therefore, allowed. You may manually add the suspect page to their list found in its options.

The tool I gave also lists startup entries. At this point, I recommend you do not touch anything.

With your response, the probability of this being an infection is significantly diminished.

The one in majorgeeks should be noted in particular.

I strongly suggest you do not touch anything without establishing cause, Mr. Montana.

In all honesty, no… As I recall, Blitzableiter (what a mouthful) only focuses on Flash. The ad is not entirely Flash. You do realize FlashGot is a download manager?

Some sites have said “Recommended for you” and similar intrusions are malware, and being the Internet, not all information is accurate, as in their cases, I can’t always tell.

Although adware, those pop-ups are a nuisance. Yep, I’m familiar with what ads and malware are. I have the main bulk of ads blocked out, for security, privacy and to increase browsing, although the “Recommended for you” type was excluded from Adblock Plus. However, I now have two lists within it, so as resetting the Hosts file wasn’t the cause of the ad being blocked after all, the extra ad blocker list must have been what’s since blocked it out, as I’ve had the all clear on each of my anti-viruses scans, both before and after adding the extra ad blocker list.

While NoScript is very useful, I’ve left it disabled, as it was like the equivalent of the original version of ZoneAlarm, constantly requiring me to click on a function to allow access to any web site, instead of instant access, which I prefer, whilst wanting to keep my computer protected to the optimum.

I’ve since uninstalled Silverlight, but it’s very difficult to totally avoid Javascript, while understanding your point, as it’s used in so many programs, and if I deactivated it, I’d have to keep reactivating it, as IceDragon (like Firefox) doesn’t have a Whitelist option to allow Javascript to run on web sites that require it.

As About:Blank turns out to not be a security or privacy issue, as several sites claim, I’ll go by what you’ve said.

I didn’t visit the web site https://gj37765.googlecode.com. A link on another site was trying to redirect me to it. Out of caution, I pulled out of the original site.

While I like AVG, and have a 2 year subscription for their paid version of anti-virus which expires later this year, it seems to me that they keep coming up with false positives, as their observations are the opposite of those of Web Inspector. Having said that, I’ve occasionally found some web sites to be unsafe under AVG and other sites on the URL Void link. Here’s one example which is given the all clear by Web Inspector:

These show up as Clean by all web sites except AVG. When I tried to access them, AVG came up with a warning to avoid them and blanked out the pages:



In contrast, while I won’t be using this add-on, while browsing through potential add-ons earlier, I found complete opposite findings of results for Trueblockplus:

Report Not Found | URLVoid - All the web sites within this link list it as “Clean”

Website Malware Scanner | Online Website Virus and Malware Scanner – This lists the link as “Suspicious”

While both URL Void and Web Inspector are invaluable, if I had a choice of sites to go on, I’d opt for Web Inspector every time, also as while clicking on Trend Micro, listed as “Clean” in URL Void, when I typed in the same site in Trend Micro, it said “Untested”. When I tried to click on Trueblockplus’s web site earlier, IceDragon instantly blocked it, offering to “Get me out of here” to the default Comodo browser (as I chose to do) or “I understand the risks” and visit the site.

The Anvisoft link I tried must be out of date. It was a sub-link from another site that came up blank. The one you’ve given me works fine.

It does surprise me that the “Recommendations for you” ad complies with standards, as in most cases, ads are intrusive trackers and often with malware, but in any case, at least so far since, there has been no further sign of it. If it does resurface, I’ll manually add the suspect page to their list. Thanks for this. IceDragon is now requiring me to manually allow PCmag to reload. When I click on “Allow”, it reloads their homepage, and the Recommendations pop-up has resurfaced which then disappeared after about 5 seconds. Despite scans, this adware clearly isn’t being removed after all.

As you think it would be best not to proceed with HijackThis after all, I’ll postpone this for now. I just want my computer to be free of any malicious programs, if any are on it, as the problem with malware is that it’s not always detectable.

With your response, the probability of this being an infection is significantly diminished.

This sounds very promising indeed and is very reassuring.

Thanks for the links for organizing HijackThis. I’ll keep a note of these.

As malware is constantly on the prey, I don’t know if any of us here or outside of Comodo forums can be sure if our computers are 100% clean, but I’ve not noticed any suspicious activity during browsing or outside of browsing, other than what we’ve already covered.

Yes, I am aware that FlashGot is a download manager. I already have a download manager so FlashGot isn’t essential for me, but a useful concept.

Further to my previous message, upon opting for the “Block All Ads” feature of Adblock Plus, I was most surprised to find that all adverts have now resumed.

This is either a fault or a ploy to encourage users of the software to allow some ads. Some web sites’ customers have said that those ads allow Google and Amazon to spy on people. I don’t know if there’s any truth in that, but Google is well known for wanting to monitor users’ web site movements.