Ad Pop-Up - No Virus Found

Discussion in 'malware problems & news' started by baumgrenze, Aug 31, 2015.

  1. baumgrenze

    baumgrenze Registered Member

    Feb 24, 2005
    While searching yesterday I had a screen pop-up. It was headed "August Opinion Survey>>>AT&T U-verse California." The associated URL was:

    http://2015survey 'dot' com-visitor3t3o 'dot' link/

    (I hope the 'dot' edits in the URL will prevent it from opening.)

    AT&T had installed a U-verse gateway recently to establish FTTN service for me with Sonic, so I cautiously poked my way down through it. Here is the list of service premiums they offered.

    Anti-Aging System
    Keranique Hair Regrowth for Women
    Permium #-Cig Vape Kit
    Pure Garcinia Cambogia Weight Loss Kit
    Neuro Elite - Brain Supplement
    Getting Sleepy - All Natural Sleep Aid
    Pearl-e-Whites - Teeth Whitening System
    High Potency Wrinkle Reduction Cream

    I left no personal information other than the numeric URL of my router which they harvested. I don't doubt that they wanted me to "claim my prize."

    I was so offended by the list of premiums that I sent a note to Sonic support and was told that I was infected with "Data Room 2015 Survey " virus or browser add-on. I ran Malwarebytes and found nothing. I checked all my browser add-ons and found nothing. I searched and tried to connect "Data Room 2015 Survey " and the URL above and found nothing.

    I thought I'd document my experience here and ask if I should continue to search for a virus or take any other steps.


    Last edited by a moderator: Sep 1, 2015
  2. ronjor

    ronjor Global Moderator

    Jul 21, 2003
  3. Daveski17

    Daveski17 Registered Member

    Nov 11, 2008
    It's a bit worrying that MBAM couldn't find this PUP.
  4. baumgrenze

    baumgrenze Registered Member

    Feb 24, 2005
    I was brought back to this post while doing maintenance today.

    I've not experienced a second instance of the unwanted survey. Could there be a version that runs once as one is web-surfing?

    Here is what I found in my browser search history

    (User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35
    Build identifier: 20150827182544)

    FWIW I learned that I could copy a line from the history file, paste it into Word where it appeared as the 'text description' of a hypertext link. That let me select the link and 'edit' the hypertext which let me copy the entire URL in the edit box, cancel the edit, and paste it.

    I found this url just before the 'survey' popped up:


    just before that was:

    " 6 THHN Building Wire The Home Depot Blog&ai=IBMq6lU2f2ecgtGWdaKx8LwYy1y78Rqwu2xnOzPWnFCC4s7ihFjHs3Sa8xZfh-vkI7JzGFzuKsSSUMM"

    It all traces back to this Google search:""+"copper"+"19+strand"&oq=+thhn+6/1+stranded+""+"copper"+"19+strand"&gs_l=serp.3...51089.51089.0.51348.

    Google search for [thhn 6/1 stranded "" "copper" "19 strand"]

    7 results (0.25 seconds)

    ~ Removed Posted Search Results. Already Included in Above Google link ~

    Does this mean anything to malware experts?

    I did scroll down through 'add/remove programs' carefully and also searched the terms in the blog link. The list is mercifully short. I found nothing I thought was 'odd.' There was " Everything " and "7-Zip 9.22beta" which have no publisher but make sense to me.

    I concluded that it might be a "useful utility" if MS allowed on to select all the information in the 'add/remove programs' display and paste it into a document/spreadsheet for searching, etc. Copy and paste would allow quick searches.

    Is there a way to do this?

    Thanks again,

    Last edited by a moderator: Sep 25, 2015
  5. J_L

    J_L Registered Member

    Nov 6, 2009
    By blog link, do you mean MalwareTips? Well, they did state this at the end of that section: