Need help with Comcast scamware browser popup

A couple days ago, I started getting this annoying "popup" in my IE browser.  It looks more like an image than a popup and there is no way to close it.  It will go away on its own sometimes, but will return.  It shows up in Firefox and Chrome too.  Firefox would block it like it was a popup at first, but doesn't anymore.  I have a good knowledge of computers, but this one is putting me to the test.  I have Norton Internet Security and MalwareBytes Anti-Malware.  I talked to Comcast and it's not from them.  The number goes to "MarketLink" and I got a recording to call back M-F from 8-5.  I've tried Norton, Malwarebytes, MS Security Essentials, HiJackThis, SpyBot Search & Destroy, Kaspersky, and SuperAntiSpyware in regular & safe modes.  Nothing catches it.  One interesting detail is that if I switch to a proxy server in my browser, the "popup" goes away immediately and doesn't return.  Obviously, I can't run through a proxy all the time, so I need my normal IP to work normally again.  I'll try to post a screenshot of the "popup".  Really trying to avoid a windows reinstall, so hopefully someone can help!  I'm running XP, service pack 3. 

comcast.jpg

Hi timberwolf,

 

There is a thread on the Comcast forum that you may want to follow to see if this gets resolved.  It does appear to be a phishing attempt.  One poster reported that Kaspersky found a trojan in the Java cache (although it is not clear that it was directly related to the popup).  You may want to try clearing your Java cache to see if that eliminates the popups.

 

http://forums.comcast.com/t5/Connectivity-and-Modem-Help/Help-with-Message-concerning-Subscription-to-Internet-Service/td-p/1313797

Thanks for the replies!  I already checked out the link you mentioned on the Comcast forum.  I read another post someone had about it and they said theirs just went away, which is odd.  There isn't much info about this one online.  I tried the Norton Power Eraser as well and it didn't pick up anything.  I also dumped the Java cache, and even uninstalled Java, then reinstalled it.  I did the same thing with Internet Explorer as well.  Cleared all history, tracking cookies, and ran CCleaner, but it still persists.  I would like to think it has to be something simple, since changing to a proxy immediately gets rid of it.  I'll try calling Comcast and see if they can reset my modem.  I'll post again if I make any progress.

I called Comcast and got them to assign me a new IP address, which solved the "popup" issue.  I know this thing is still on my PC, but unable to work properly.  I would like to get rid of it, but I guess I'll just have to wait for Norton to get it one day.  Hopefully it's not doing any other damage.


timberwolf wrote:

I called Comcast and got them to assign me a new IP address, which solved the "popup" issue.  I know this thing is still on my PC, but unable to work properly.  I would like to get rid of it, but I guess I'll just have to wait for Norton to get it one day.  Hopefully it's not doing any other damage.


Hi,

Have you tried a scan with Malwarebytes free scanner?

http://www.malwarebytes.org/products/malwarebytes_free

It's Norton compatible so you can keep it on your desktop and run it from time to time.

Hope this helps



Yes, I have MBytes' full version.  I run it along with Norton Internet Security.  I've also tried MS Security Essentials, HiJackThis, SpyBot Search & Destroy, Kaspersky, BitDefender, and SuperAntiSpyware in regular & safe modes.  Nothing catches it.

Do you only see the popup when you are on the Comcast home page?

Did you try SendOfJive's suggestion about clearing your Java cache?

 

Clear the cache, then open IE go to tools > manage addons

temporarily disable java plugins

close and reopen IE and see if they stop

 

Dave

IF you have Java installed, I would suggest removing it completely and deleting all folders for it.

 

Then go here http://www.eset.com/us/download/utilities/ and run the online scanner.

 

 

From reading the posts on the Comcast forum about this, I am wondering if the Comcast home page may have been compromised.  The popup is only affecting Comcast subscribers as far as I can tell, and no one on that thread has yet been able to find any malware on their machines with any AV program.  I wouldn't bother doing anything other than maybe disabling active scripting (JavaScript) in the browser and visiting the site to see if that eliminates the popups - in which case, it is a hacked website.


SendOfJive wrote:

Do you only see the popup when you are on the Comcast home page?


No, it was just where I took the screenshot.  It would come up as soon as I opened my browser, didn't matter what page I went to, it was always there.


DaveH wrote:

Did you try SendOfJive's suggestion about clearing your Java cache?

 

Clear the cache, then open IE go to tools > manage addons

temporarily disable java plugins

close and reopen IE and see if they stop

 

Dave


Yes, I tried that.  I even uninstalled Java, then reinstalled it.  I tried Eset and it didn't find anything either.  Any AV I try just seems to pick up tracking cookies... Which is good & bad at the same time I guess.  One person on the Comcast forum said they had Kaspersky pick it up, but I didn't have any luck with it.  I know my way around a computer and I've manually removed viruses before, far worse than this thing.  Since I had the Comcast tech assign me a new IP#, the popup (which looks like an image, rather than a popup) hasn't returned.  I'm still going to try and get to the bottom of it.

When I first saw the screenshot and saw how it stopped when you changed your IP or used a proxy, I thought it was the old messenger spam.  Not the messenger chat program but "net send" because you're running XP and the messenger spam had a real "flat and basic" look to it.

 

But now I recall that you would get the spam at any time, using a browser was not required.

 

I would be real interested to know what's causing it, especially if it's only happening to Comcast customers.

I remember seeing some posts about a popup box coming from them warning customers that they may be a spam bot or something.  I have no idea if they were doing that through the "constant guard" program or how it was being sent.

 

Best of luck, I hope someone can figure out where it is coming from.

Dave

 


Hi Dave,

 

You are aware the Comcast Forum is open to everyone for read only, so everyone can follow the thread SOJ cited:

 

http://forums.comcast.com/t5/Connectivity-and-Modem-Help/Help-with-Message-concerning-Subscription-to-Internet-Service/td-p/1313797

 

It appears the latest post has been by a Comcast Employee (red user name) referring it to the Security Team @ Comcast.

 

 

Hi all,

 

There is another thread on the Comcast Forum in regards to this situation. It is located here:

 

http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-Ad-Alert-on-All-WebPages-PCs-amp-Phones-Help-needed/m-p/1316485/message-uid/1316485#U1316485

 

There appears to be some useful info in the last couple of responses:

 

"Thanks to another message board we called Comcast Security (CS) today and they resolved the problem (three prior calls to Customer Service were a waste of time).  CS confirmed that Comcast sent and caused the popup to appear on all of our PC and phones. They send the popup notice to accounts they believe are past due or are illegally receiving Comcast internet service.  We fit neither category so CS contacted "the department" responsible for sending the popup notice and had it stopped/turned off (although they said it could return - great!).  

We are now popup free!"

 

"After over an hour on the phone, I had two people help me, Eric from the help desk, and Vanessa, a specialist from internet services.

The actual cause of this popup, for me, was that I had old rate codes in my account from way back when I had Adelphia. They no longer showed internet service explicitly, so my rate codes needed to be adjusted.

Bizarre? Certainly"



There is also a post in the thread that was cited earlier that contains the following information:

 

"I also just got off with Comcast Security (888-565-4329 for those wondering). I moved last year to a new house, they had my modem's MAC tied to both locations. Deleted the old and now I'm box free.

So it appears the bottom line is that this is in fact Comcast generated and the occurrences are being used by Comcast having some incorrect information, old address, old codes etc.  It seems like it is all on Comcast - but you need to call Comcast Security to get it sorted out."

 

FYI: Please give them a call in order to straighten this out.

 

Comcast Customer Security Team

 

Normal business hours (6:00 am to 2:00 am EST, 7 days a week)

 

1 - 888-565-4329

 

Please let us know how you get on.

OK, I guess it's a legit alert from MarketLink, who is in fact a vendor of Comcast.  I called their security department after reading the last post and got a similar story.  Turns out they are doing account audits and mine had the wrong modem MAC number listed.  He said this is a new program they are using and not all techs are familiar with it yet, which is why I was originally told by 2 different techs that it wasn't from them.  I asked how it got past my AV programs/Firewall and he said it's something that's pushed through from Comcast and sent directly to the modem.  So, thankfully, this issue is solved. 

I appreciate all of the replies & information!  Thank you!
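
Added example, not part of the thread: the first post's observation that the overlay vanished behind a proxy can be turned into a check by saving the same plain-HTTP page once directly and once through the proxy, then listing the active elements that appear only on the direct path. The two page captures and the host `notice.isp.example` are constructed, and the thread does not confirm that the notice arrives as markup added in transit, so that part is an assumption.

```python
import hashlib
from html.parser import HTMLParser
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # can load or run content

class ActiveContent(HTMLParser):
    """Collect a fingerprint for every active element in one page capture."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = set()
        self._inline = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")  # <object> uses data=
        if src:
            self.found.add((tag, src.strip()))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:  # inline code has no URL, so identify it by hash
                digest = hashlib.sha256(body.encode()).hexdigest()[:16]
                self.found.add(("inline-script", digest))
            self._inline = None

def fingerprint(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.found

def added_in_direct(direct_html, proxied_html):
    """Active elements seen on the direct path but not through the proxy."""
    return sorted(fingerprint(direct_html) - fingerprint(proxied_html))

# Constructed captures of one static page; notice.isp.example is a placeholder
# and "markup added in transit" is an assumption the thread does not confirm.
VIA_PROXY = ('<html><head><script src="/static/site.js"></script></head>'
             '<body><p>News</p><script>var a = 1;</script></body></html>')
DIRECT = VIA_PROXY.replace(
    "</body>", '<script src="http://notice.isp.example/overlay.js"></script></body>')
```

Use a page whose content does not change between requests, since rotating ads or per-visit tokens would also show up as differences. An empty result on such a page points back at the local machine rather than the network path.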