AVG Forums » Other topics » Virus Removal, Tools for Removing » Recommended For You Popup
April 21, 2012 01:10 Recommended For You Popup #198537
msully86
Novice
Join Date: 21.4.2012
Posts: 5
I believe I may have 2 possibly related issues.
1. a redirect virus
2. a "recommended for you" popup that shows up in the lower right hand corner of my screen. Appears as a smartphone with various advertisements. I'm guessing I got this as a result of my redirect virus.

I have AVG 2011 Free Edition installed and I'm working in Firefox 11.0. My OS is x86 (if that matters).

I noticed the redirect virus about 3 weeks ago but the recommended for you popup just started 2 days ago. I came across a discussion around this very issue that appears to have been solved on Norton's forum. (I can post a link if that is allowed...) That thread was started 5 days ago so it looks like several of us have been hit with the same thing recently.

Can you help? If so, let me know what additional information you need from me.
April 23, 2012 08:40 Re: Recommended For You Popup #198705
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello msully86,

Please try to reset your browser settings to default and then run it in safe mode (without any add-ons).
Also try to search using a different browser.
Do the redirects persist in safe mode and in a different browser?

Please provide us with a scan results export and both GMER outputs.

Also check the following:
1. Proxy settings:
How To Reset Internet Browser Proxy Configuration

2. DNS settings:
Check your DNS settings, make sure automatic DNS server is used as described in this MS article.

3. Hosts file:
Make sure that hidden files are displayed and then navigate to this location:
C:\Windows\System32\drivers\etc
Open "hosts" file in any text editor (e.g. notepad) and check its contents.
It should only contain lines similar to these:
#This is an example of the hosts file
127.0.0.1 localhost loopback
::1 localhost

Thank you.



AVG Team
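
The hosts-file check from the post above, as an added example that is not part of the original thread and is not AVG's own tooling: a Python script that parses a hosts file and reports every entry other than loopback addresses mapped to localhost or loopback. The sample content and the example.test hostnames are constructed, and the baseline set is an assumption taken from the three reference lines in the post.

```python
import ipaddress
import sys

# Assumption: the only names allowed are the ones in the post's reference file.
BASELINE_NAMES = {"localhost", "loopback"}

# Constructed sample: the post's three reference lines plus two made-up entries.
SAMPLE_HOSTS = """\
#This is an example of the hosts file
127.0.0.1 localhost loopback
::1 localhost
203.0.113.10 search.example.test   # constructed entry
127.0.0.1 updates.example.test
"""

def audit_hosts(text):
    """Return (line_no, raw_line, reason) for every entry outside the baseline."""
    findings = []
    # A leading byte-order mark (left by some editors) would break the first line.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, raw, "first field is not an IP address"))
            continue
        names = {name.lower() for name in fields[1:]}
        if not names:
            findings.append((line_no, raw, "address with no hostname"))
        elif not addr.is_loopback:
            findings.append((line_no, raw, "hostname pinned to a non-loopback address"))
        elif names - BASELINE_NAMES:
            # Loopback entries for other names make those sites unreachable.
            findings.append((line_no, raw, "extra hostname pointed at loopback"))
    return findings

if __name__ == "__main__":
    # Pass the path from the post (C:\Windows\System32\drivers\etc\hosts) as the
    # first argument; with no argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, raw, reason in audit_hosts(content):
        print(f"line {line_no}: {reason}: {raw.strip()}")
```

An empty result means the file holds nothing beyond comments and the loopback baseline; any reported line should be reviewed by hand before it is removed.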
April 28, 2012 19:24 Re: Recommended For You Popup #199557
msully86
Novice
Join Date: 21.4.2012
Posts: 5
Requested information..

I have tried running my current browser (Mozilla) in safe mode and also worked in Internet Explorer and did not have any redirect or popup issues. That said, the issues happen randomly and somewhat infrequently so I wouldn't say with 100% certainty that it doesn't affect them in safe mode or other browsers. I did spend considerable time trying to get it to happen (a couple hours each) and did not experience any issues. Just after first discovering the redirect virus I uninstalled Mozilla and deleted all associated files, then redownloaded and installed. The problem came back and a month later the popups started.

Attached is the result of the full anti-rootkit scan but I was unable to get the autoscan to work. I followed the directions given but nothing happened when I clicked on the scan button and nothing displayed when I selected "show all". I also tried changing the gmer filename and running it but it still did not work.

My AVG scan results are attached.

To address your list of items to check:
1. I have reset the proxy settings
2. My DNS settings appear to be fine
3. There are a few additional lines in my hosts file. It is attached.

Thank you for your help!!
April 30, 2012 06:59 Re: Recommended For You Popup #199773
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello msully86,

Your hosts file looks OK. The GMER scan unfortunately will not be very helpful to us, because it doesn't indicate anything.

Please try to disable all browser extensions one by one, because they may also be a source of redirection.

Should the issue persist, please also provide us with the Msinfo output.

Thank you.



AVG Team
May 1, 2012 23:41 Re: Recommended For You Popup #200041
msully86
Novice
Join Date: 21.4.2012
Posts: 5
Redirect Virus..

I don't have any browser extensions installed (should I have some for security?). Attached is my Msinfo file.

Thanks!
May 4, 2012 10:48 Re: Recommended For You Popup #200425
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello msully86,

Please provide us with a screenshot of the mentioned popup; the Msinfo analysis does not indicate anything suspicious.

Thank you.



AVG Team
May 5, 2012 15:28 Re: Recommended For You Popup #200627
cb1234
Novice
Join Date: 5.5.2012
Posts: 1
Same problem..

Although I am not the original poster, I am having the exact same problem (even the time frames are about the same, as far as I can remember).

Originally the popup always used an iPhone template, but lately the popup has looked more professional. Here are some screenshots.

As the original poster said, the popup seems random.. but lately it's been more frequent. I find that it occurs on some sites 100% of the time, and others 0%.

Here is a cropped screenshot of it

The first one is on reddit.com
The second one is on stackoverflow.com
Both are safe sites.

The 3rd one is what it shows when you hit the close button.

Also note if you ever click the link in the popup.. it either just "refreshes" (probably does more, but that's all it appears to do) the page you are on or goes to google.com

EDIT 1: Safe mode.. I ran Firefox in safe mode, and went to some of the sites where I notice it almost all the time and haven't seen it yet. So whatever it is doesn't run in safe mode as far as I can tell. I will keep doing it for a bit and post an update.

EDIT 2: actually ignore this. Another thing I noticed is that when you restart Firefox it always goes away for a bit. I generally keep Firefox open all the time, so that's probably why I noticed it being more frequent, because the "delay" start it has never has to kick in for me since I don't restart Firefox.
popups.JPG
May 7, 2012 00:57 Re: Recommended For You Popup #200881
msully86
Novice
Join Date: 21.4.2012
Posts: 5
Hi,..

I think there are several of us with this problem. Here is the biggest discussion I can find:

Norton: http://community.norton.com/t5/Norton-Internet-Security-Norton/quot-Recommended-for-you-quot-popup-in-IE-9/td-p/698885

My popups look exactly like the screenshots provided by cb1234. Thanks for posting those! I've attached a screenshot of my Resident Shield Detection summary. cb1234, would you, by any chance, have anything similar to mine showing up in yours? On 2-25-12 my AVG found a virus that was not moved to the vault. When I navigate to the location given, the .exe file is not there so it must have moved somehow.

AVG Resident Shield Detection.png
May 7, 2012 08:13 Re: Recommended For You Popup #200911
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello msully86,

As the Norton specialists suggested, and as the non-removable infection also indicates, your computer may also be infected with a rootkit.

You may follow the removal procedure suggested in the thread you have linked, or create an updated AVG Rescue CD, restore the MBR from here, scan for viruses and clean up your computer.

Thank you.



AVG Team
May 7, 2012 16:20 Re: Recommended For You Popup #201031
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
Hi MSully86,

If you, like many others on the Forum, have difficulty in obtaining or using ("Do you know your Administrator Password?") the Windows Recovery CDs, this post discusses the alternatives in detail.

Nemethste, what is that other referred forum, and the next one that it referenced indicated a MBR Rootkit? I could find only a slight indication in one of the 3 aswMBR logs.