I believe I may have 2 possibly related issues.
1. a redirect virus
2. a "recommended for you" popup that shows up in the lower right hand corner of my screen. Appears as a smartphone with various advertisements. I'm guessing I got this as a result of my redirect virus.
I have AVG 2011 Free Edition installed and I'm working in Firefox 11.0. My OS is x86 (if that matters).
I noticed the redirect virus about 3 weeks ago but the recommended for you popup just started 2 days ago. I came across a discussion around this very issue that appears to have been solved on Norton's forum. (I can post a link if that is allowed...) That thread was started 5 days ago so it looks like several of us have been hit with the same thing recently.
Can you help? If so, let me know what additional information you need from me.
Please try to reset your browser settings to default and then run it in safe mode (without any add-ons).
Also try to search using a different browser.
Do the redirects persist in safe mode and in a different browser?
2. DNS settings:
Check your DNS settings, make sure automatic DNS server is used as described in this MS article.
3. Hosts file:
Make sure that hidden files are displayed and then navigate to this location:
Open "hosts" file in any text editor (e.g. notepad) and check its contents.
It should only contain lines similar to these:
#This is an example of the hosts file
127.0.0.1 localhost loopback
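The hosts file check described in the reply above can be automated. This is an added example, not part of the original thread: it parses hosts-file text and lists every entry beyond the default loopback mapping. The function name `audit_hosts`, the `EXPECTED_NAMES` set and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Names a clean hosts file normally maps to a loopback address (assumed set).
EXPECTED_NAMES = {"localhost", "loopback", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each entry that goes
    beyond the loopback-only layout the reply describes."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, "", "malformed address"))
            continue
        if not names:
            findings.append((line_no, address, "", "address with no hostname"))
            continue
        for name in names:
            lowered = name.lower()
            if ip.is_loopback and lowered in EXPECTED_NAMES:
                continue  # the default mapping
            if ip.is_loopback or ip.is_unspecified:
                reason = "name sinkholed to the local machine"
            else:
                reason = "name pinned to a fixed address, bypassing DNS"
            findings.append((line_no, address, lowered, reason))
    return findings


# Constructed sample: the two lines from the reply plus made-up extra entries.
SAMPLE = """\
#This is an example of the hosts file
127.0.0.1 localhost loopback
203.0.113.10 search.example.com   # constructed redirect entry
127.0.0.1 update.example.net
::1 localhost
"""

if __name__ == "__main__":
    for line_no, address, name, reason in audit_hosts(SAMPLE):
        print(f"line {line_no}: {address} {name} -> {reason}")
```

Loopback entries are often added by ad blockers or security tools, so a finding is a prompt to review the line, not proof of tampering.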
I have tried running my current browser (Mozilla) in safe mode and also worked in Internet Explorer and did not have any redirect or popup issues. That said, the issues happen randomly and somewhat infrequently so I wouldn't say with 100% certainty that it doesn't affect them in safe mode or other browsers. I did spend considerable time trying to get it to happen (a couple hours each) and did not experience any issues. Just after first discovering the redirect virus I uninstalled Mozilla and deleted all associated files, then redownloaded and installed. The problem came back and a month later the popups started.
Attached is the result of the full anti-rootkit scan but I was unable to get the autoscan to work. I followed the directions given but nothing happened when I clicked on the scan button and nothing displayed when I selected "show all". I also tried changing the gmer filename and running it but it still did not work.
My AVG scan results are attached.
To address your list of items to check:
1. I have reset the proxy settings
2. My DNS settings appear to be fine
3. There are a few additional lines in my host file. It is attached.
Although I am not the original poster, I am having the exact same problem (even the time frames are about the same, as far as I can remember).
Originally the popup always used an iPhone template, but lately the popup has looked more professional. Here are some screenshots.
As the original poster said, the popup seems random, but lately it's been more frequent. I find that it occurs on some sites 100% of the time, and others 0%.
Here is a cropped screenshot of it
first one is on reddit.com
second one is on stackoverflow.com
both safe sites
the 3rd one is what it shows when you hit the close button.
Also note if you ever click the link in the popup, it either just "refreshes" (probably does more, but that's all it appears to do) the page you are on or goes to google.com.
EDIT 1: Safe mode. I ran Firefox in safe mode, and went to some of the sites where I notice it almost all the time and haven't seen it yet. So whatever it is doesn't run in safe mode as far as I can tell. I will keep doing it for a bit and post an update.
EDIT 2: Actually, ignore this. Another thing I noticed is that when you restart Firefox it always goes away for a bit. I generally keep Firefox open all the time, so that's probably why I noticed it being more frequent, because the "delay" start it has never has to kick in for me since I don't restart Firefox.
My popups look exactly like the screenshots provided by cb1234. Thanks for posting those! I've attached a screenshot of my Resident Shield Detection summary. Cb1234- would you, by any chance, have anything similar to mine showing up in yours? On 2-25-12 my AVG found a virus that was not moved to the vault. When I navigate to the location given the .exe file is not there so it must have moved somehow.