pop-under Virus

Nasty, nasty, nasty! This one’s bad not because it does a lot of damage but because it’s hard to find and extract. And I’m not even sure if “virus” is the right word, maybe malware, or malicious code is more accurate. It doesn’t attack your computer, but it does change the code on your website or blog.

(Hi, let me just interrupt the blog-today is MARCH 27 2008 and this piece has gotten about 100 hits in the last 24 hours from the Philippines, Germany, etc., write a comment or email me. I wrote this WAY back in October 2007, is this code spreading?)

Pop-under attacks are strange. See, a long time ago I stopped using Internet Explorer and miraculously almost all the trouble I had with my computers stopped. See when something strange happens I’m really surprised, meaning most of the problems I have now are because I was experimenting with something. And I’ve NEVER had a problem with Firefox, but recently the browser was “sticking” and felt funny. plus whenever I visited my OWN blog right here I was getting a pop-under window to open up.

Now I have Google Adsense running on my blog and I know where the ads are supposed to show up, but I DID have a little problem with setup. But I also know I didn’t install anything that should have pop-ups of ANY kind, so this was definitely a problem (meaning something unintentional and beyond my control) was going on. The first thing I did was I took a look at the source code of the pop-under window and found this;


This is what made me thing it was related to Google. And the source code said it was related to something called CPX interneractive. But then I went and did a search and found a few links at the WordPress site. The WordPress help file said that there was something called that was causing the problem, and that it would hide inside javascript code. So now I could see this was going to take some work to resolve, but let me tell I was committed to solving it because take a look at this.


After only a couple of days my blog was showing up as BEING A DANGEROUS SITE TO GO TO. That code had gotten ME listed as a potential internet threat! So I have a Firefox plugin called Firebug that allows you to examine code very closely. And it allows me to find the code.


Can you see that line with all the u’s and 0’s? Well I did a search and confirmed that THAT was the code I needed to remove. Because here’s the weird thing. If you just pull up the source code of your page you wont see anything out of the ordinary EXCEPT all those u’s and 0’s. And it just looks like a bunch of WordPress code-but it’s not. By the way right now you can get 10% OFF – NEW Norton Internet Security 2009 (code: 10offnis09, ends 6/30/09)


So the good news is that you can get that code out of your site with a little effort but the BAD news is that it seems to be a virus that attacks your web hosting company. In other words your actual server has the bug and then spreads it to all the sites being hosted.


My hosting service, called 3ix, has a problem every week so I’m not even going bother trying to tell them, because they tend to deny they even have problems. But if YOU have this problem I advise getting in touch with your hosting service-after you fix your own site first.

7 thoughts on “ pop-under Virus

  1. Thanks for that article. I have experienced the same problem as you “courtesy” of 3iX, and their solution is always to remove the malicious code on the index pages (which I could very easily do myself) but not address the issues I raise about security.

    Of course, the script seems to return every couple of days, so I will also be moving elsewhere.

  2. Thanks for the visit and comments Tim. I’m glad this info was able to help you out. When I first had the problem I couldn’t find anything so I wrote this one up.

    And yeah, I had a horrific problem with 3ix about 2 weeks ago because I had the audacity to have a large number of visits one day (1000 people). They just shut down my site. No warning, no notice. Nothing. AND they put up an embarrassing page that made it look like I hadn’t paid my bills! So I had been planning to leave in April when my year was up, but I left early. I’m gonna write a detailed piece soon. I don’t think they’re evil people per se, just prone to incompetence and/or not really too concerned about quality service. Like “Hey, wadda they expect for a dollar a month!”

  3. I agree with all of that. I swear, these people must have stock in paracetemol and hair-renewal products and be doing their bit to up sales worldwide.

    Just of interest Dave; where is it you rehosted? I have two seperate sites on the 3iX server and I’d rather not have to pay to host them both seperately, especially as I rarely ever touch one of them. I’ve seen some places that look good but don’t offer the “housing sub-domains” thing that 3iX do.

    Cheers 🙂

  4. Haha ha! Thanks for the visit Tim.
    Yeah it’s funny because next month I’m supposed to renew with those guys but it’s just sitting dormant since I quietly packed up and “moved,” and I’ll just let that 3ix account close.

    And I’m at geekstorage now. After looking at prices, responsiveness of the company and services I chose those guys and the first DAY I was with them they crashed for like 5 days. So I was all set to take advantage of their money back guarantee and find somebody else. But it seemed to have been a fluke and things have been been smooth. Plus I think they gave us a gift as compensation.

  5. 3ix – has got to be the very worst hosting company I’ve come across in using many different hosts (for different projects) over the last 11 years!

    They (and are completely useless.

    1. Their service is unreliable

    2. They have a lot of security holes

    3. They will only communicate with you if and when it suits them

    The final straw came, when after breakfast I went online to find an email from them saying – ‘Account terminated due to a report from spamcop’!

    They hadn’t emailed me to ask or debate – just chopped me and all of the sites (+ valuable data) off!

    And could I contact them – by any means? – Not a chance!

    They had sent me the email header – I processed it through spamcop – and it actually showed that the offending source was from elsewhere!

    I am currently trying to relocate around 8 websites and domains – but as yet, have not heard from them – and have lost all of my clients data.


  6. Hi Mike,
    I’m very sorry to hear about how their bad service affected YOUR ability to be on the web. I’ve been waiting until April (now) to do my piece on them, but I think if enough of us do pieces associating the words “3ix” and “bad” then at least when people do a search at least they’ll have some stories to read and make a judgment. That dollar a month is attractive though, so it’s an uphill battle!

  7. Thanks for the reply Dave.

    Unfortunately I have/had (not too sure yet) 2 x $55 accounts + some extra’s (with costs).

    I’ve been phoning, emailing, and using their ‘live chat’ all day – to try and get some response – even just to let me access mySql data – but to no avail.

    One of the sites I had hosted there was one of the bigger top sites list, and another, a busy forum – so all day I’ve been bombarded with messages from disgruntled members.

    I wouldn’t wish this on anyone.

    Anyway – that’s it! I’m off to the pub to drown my sorrows!

Comments are closed.