Viewing 24 posts - 1 through 24 (of 24 total)
  • Avast Antivirus pop-up, can’t remove. Malware?
  • kayak23
    Full Member

    Yo.

    I’m getting this crazy annoying pop-up now on my laptop whenever I’m on’t web. It pops up more than ‘We value your privacy’ on here!

    I have Windows 10 and Avast free antivirus running.

    It looks like the below screenshot, and if I dismiss it, it pops back up within 10 seconds.

    Capture by blackteaonesugar, on Flickr

    I’ve tried uninstalling Avast, but have hit problems there too as when my machine goes to reboot in ‘safe mode’, it asks for my password, which I enter (having just reset it via a texted code to my mobile to verify me) and all it says is password incorrect… Very annoying.

    I’ve no idea what ‘comtakelink.xyz’ is, but assume it’s some sort of nasty redirect type thing.

    Anyone got any ideas to help? I came in early this morning to get some computery work done, and have spent two hours doing bugger all because of this.

    I’m connected via a wifi hotspot on my android, but I think it does it on the home wifi too.

    Obviously, you can’t just go and contact Avast about it…oh no… :-/

    plyphon
    Free Member

    This is probably quite a deep rabbit hole that you’ll have to Google around to find out what’s going on.

    From my PoV you have a couple of tasks:

    1: Understand ‘comtakelink.xyz’ to know if it’s malware, and remove if so.
    2: Remove Avast (unless you’ve paid for it or something)
    3: Install a less intrusive AV.

    First step is to download the free version of this:
    https://www.malwarebytes.com/

    Install and run that. It’ll be interesting to see what comes up.

    If all clear I’d have a high confidence that the report is a false-positive. You might want to look into other malware scanners but MalwareBytes has always been on top of the game.

    I’d then look around how to remove Avast – this might be an incredibly difficult task. These AV companies are basically scum.

    And then finally, I’d install Microsoft Security Essentials:
    https://support.microsoft.com/en-gb/help/14210/security-essentials-download

    If you’re on Windows 8 or above it’s called Windows Defender and is included with Windows, just switch it on. MSE/Defender is really all you need to keep you safe as long as you keep it updated.

    kayak23
    Full Member

    Cheers both.

    Plyphon I had already installed and run Malwarebytes actually, and it showed as all clear.

    I do believe I have Windows Defender as it’s quite a new laptop and is running Windows 10

    I’ll do some more digging when I’ve got a mo. Thanks!

    torsoinalake
    Free Member

    So when you are getting a pop-up saying that your Anti-Virus is blocking a connection attempt to a blacklisted URL, uninstalling said AV program probably isn’t the correct approach.

    The reason it keeps popping up every 10 seconds is because something on your machine is trying to connect to that website every 10 seconds. So if you uninstall AV, and all of a sudden whatever it is can connect to comtakelink.xyz, who knows? Worst case it could be the trigger for a ransomware attack and the next thing you are looking at a machine full of encrypted files.

    I don’t know Avast, but if it has a full scan option, do that. Check the options and make sure that you have everything being scanned. Also look for ropey extensions and toolbars in your browsers – get rid of those. Might be worth clearing out your browsing caches too.

    If you really want to get rid of Avast before you find out what is causing the issue open C:\Windows\System32\Drivers\etc\hosts (as an administrator) and add a line: 127.0.0.1 comtakelink.xyz

    This will resolve that URL back to your local machine, killing the connection to that website. Actually, to be on the safe side, disconnect your machine from the internet while you are doing the uninstall and install of a new product.

    chrisdw
    Free Member

    Just to double check. I’ve had a similar issue before. The ‘enter password’ screen that keeps saying wrong password. Are you on the Pin number enter page instead?

    kayak23
    Full Member

    Cheers torsoinalake and chrisdw.

    I’ve done multiple scans with Avast. I also did scans with Malwarebytes and CCleaner, and got rid of anything it suggested although neither really suggested anything sinister.

    I also scanned with Windows Defender.

    I kept trying to uninstall Avast, but again, when it rebooted in safe mode and asked me for my password, it kept saying it was wrong, despite the fact I’d recently changed it. It wasn’t on the PIN screen. I think that only comes up after Sleep mode. I tried an old password that I’m sure I’ve changed a couple of times since, and it worked. I then uninstalled Avast. I then ran another scan with Windows Defender, Malwarebytes and CCleaner, both showing as fine.

    I’d already done that before I saw your post about the line as an administrator.

    Weirdly though today a forum member contacted me and said that when they clicked on my post and on my user id, they got the same pop-up message, only with AVG (antivirus) which they say is apparently a sister-company of Avast.

    It’s all a bit strange…

    olly2097
    Free Member

    Remember when avast was the best and least intrusive?….

    These days I just let Windows Defender do its thing and most of my browsing is via Android.

    kayak23
    Full Member

    Remember when avast was the best and least intrusive?….

    Yeah, the level they go to trying to sell you the premium versions drives you nuts 😡

    Matt24k
    Free Member

    Interesting. I am getting the exact same comtakelink.xyz URL Blacklist message via AVG paid for but only on STW.

    kayak23
    Full Member

    Hmmm. Anyone else?

    plyphon
    Free Member

    A quick google doesn’t bring up anything that points it to malware – in fact this thread is one of the top results.

    fruitbat
    Full Member

    Me too. Only on STW and using AVG Free (and Windows 7)

    First occurred when I open ‘Nettle Socks’ thread and still does!

    torsoinalake
    Free Member

    First occurred when I open ‘Nettle Socks’ thread and still does!

    It is Kayak’s fault.

    In his post in that thread with the picture of the bike with a windshield, you will notice there is some whitespace underneath, in there are some URLs:

    View post on imgur.com

    How those got there is another question, but kayak is looking like patient zero at the moment

    An experiment follows below:

    Cougar
    Full Member

    Oh, very well spotted. I’ll go purge them. They look like tracking images or something.

    Cougar
    Full Member

    Now deleted from those two posts.

    How those got there is another question

    This is really curious. Purely speculating, I’d guess it’s a rogue browser plugin. But Avast, Defender and MBAM all failed to detect anything…?

    Is there anything untoward in chrome://extensions/ perhaps?

    kayak23
    Full Member

    Blimey. I’m some kind of genius computer hacker it seems without knowing 😳

    deadkenny
    Free Member

    My vote would be a dodgy browser extension.

    What browser are you using? There’s usually a menu for extension and you can uninstall or disable them.

    Is it on all web sites or a particular one, or after having visited a particular one? Or does it occur even when not browsing anything? If the latter then it’s some other malware.

    kayak23
    Full Member

    It’s on Chrome. I’ve not noticed if it’s after visiting or during visiting certain websites but, I often have a Singletrack tab open, and a couple for Google Drive open all the time. Otherwise it varies.

    The only thing I can think of extension-wise is I tried to add on the Chrome adblock extension the other day (not for here, I’m a P) to see how it affected other sites.

    As far as I could see, nothing happened, well except this pop up, but timings could be coincidental of course.

    I’ve since uninstalled Avast and made sure Windows Defender is operating, plus installed Malwarebytes and CCleaner.

    Not happened since.

    This was all on my Windows laptop. I also run Chrome and Avast on my mobile and have had no such pop ups.

    sands
    Free Member

    Torsoinalake
    Applause

    Kayak23
    Glad it got sorted – all appears to be back to normal

    Greybeard
    Free Member

    I have Avast Pro installed, and had the warning while reading the Nettle Socks thread in Firefox/Windows 10. Viewed the page source and searched for the domain but couldn’t find it. I reported it as possible malware to tech@singletrackworld.com. Later I saw this thread but got the same pop-up and closed it down. No problem on any other threads.

    Cougar
    Full Member

    Avast is reporting it because it has that domain blacklisted (as does one other vendor that I could find, ESET if memory serves correctly). It’s not exactly clear, but it looks to me like the site is blacklisted because it’s not serving web pages correctly – attempting to browse the site returns a 403 (forbidden) message. I.e., it’s not necessarily a hostile site but rather Avast can’t check to be sure and is erring on the side of caution.

    The bigger question as I said earlier is, why are those links being appended to posts? They look to be a form of tracking, far as I can tell it’s phoning home and passing unique identifiers back to that domain.

    The add-on mentioned would be the prime candidate for me, this is an inherent risk with any third party extensions, you’re giving up a lot of security based simply on trust. I expect this problem to get a lot worse before it gets better, it’s a huge security hole.

    Cougar
    Full Member

    Ah, Googling the script parameters bore fruit.

    https://stackoverflow.com/questions/35022828/how-to-remove-js-scripts-from-the-new-empty-mvc-project

    https://gist.github.com/neo22s/394a0cfcafb1abb7b328f73ab8448ad2

    https://gist.github.com/shivanshu3/45817d2354e41ca858c915b556a7174a

    Tampermonkey, Videostream, Page Ruler all listed as potential culprits. It looks like this is generic code which has been reused by different extensions, either maliciously or because their codebase has been compromised. All different domains, though [something].xyz seems to be a common theme.

    TL;DR – it’s almost definitely an infected Chrome extension, it could be any of them and uninstalling and testing till the problem goes away is as good a method as any.

    I’d be interested to know specifically which extension you removed, you said “the” Chrome ad blocker but there are several.
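
The clean-up described in this thread (finding and purging off-site URLs that had been appended to stored posts) can be automated on the forum side. The following is an added example, not code from the thread or from any of its participants: it audits a post's HTML for embedded resources whose host is outside an allowlist. The allowlist, the sample post, and the URL path and parameter names are constructed assumptions; only the domain comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist: hosts the forum expects members to embed.
ALLOWED_HOSTS = {"singletrackworld.com", "flickr.com", "imgur.com"}
URL_ATTRS = {"src", "href", "data-src"}
# Tags that make every reader's browser fetch the URL without a click.
AUTOLOAD_TAGS = {"img", "script", "iframe", "link"}

# Constructed sample post: the final <img> mimics an appended 1x1 tracker.
SAMPLE_POST = (
    '<p>Bike with a windshield:</p>'
    '<img src="https://i.imgur.com/constructed.jpg">'
    '<a href="https://example.org/article">article</a>'
    '<img src="//comtakelink.xyz/p.gif?uid=CONSTRUCTED-ID&amp;page=nettle"'
    ' width="1" height="1">'
)


def host_allowed(host):
    """True if host equals, or is a subdomain of, an allowlisted host."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


class ResourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value)  # also handles //host/path URLs
            if not parts.hostname or host_allowed(parts.hostname):
                continue  # relative or allowlisted: nothing to report
            self.findings.append({
                "tag": tag, "host": parts.hostname,
                "autoload": tag in AUTOLOAD_TAGS,
                "params": [k for k, _ in parse_qsl(parts.query)],
            })


def audit_post(html):
    """Return one finding per off-allowlist URL in the post body."""
    parser = ResourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def autoloaded_hosts(html):
    """Hosts contacted by anyone who merely views the post."""
    return sorted({f["host"] for f in audit_post(html) if f["autoload"]})
```

Findings with `autoload` set are the ones that trigger an AV block for readers of the thread; an ordinary outbound link is reported but is only fetched if someone clicks it.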

    urbanist
    Free Member

    Weirdly though today a forum member contacted me and said that when they clicked on my post and on my user id, they got the same pop-up message, only with AVG (antivirus)…

    Same here: clicking this thread a few days ago, the page was blocked by AVG. No such problems today.

    kayak23
    Full Member

    I’d be interested to know specifically which extension you removed, you said “the” Chrome ad blocker but there are several.

    Not removed, added.

    This one.

    https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom
