During this week starting from monday, I’ve ran into quite weird issue with Noscript…

When casually browsing websites and trying to open new pages, Noscript suddenly gives a notification of blocked redirect request to the webpage. The weird thing I’ve noticed is that Noscript only seemingly blocks webpages that use HTTP connection instead of HTTPS, hence sites like Gmail and Youtube work while sites like tvtropes.org or finnish websites like iltasanomat.fi don’t. This has happened once a day so far, and every time there has been different solution: first I succesfully tried to enter one of the websites Noscript blocked via Google Chrome, Firefox suddenly started to let me enter the webpages again without restarting the browser. Next time problem was fixed with simple restart of Firefox. When it happened yet again today just about two hours ago, it only lasted a short time and FF let me to browse normally without me doing anything.

I recorded one screenshot of an instance of the notification from Noscript ABE tool gave when trying to enter into finnish non-HTTPS newspaper website rom new browser tab. (translation: “Pyyntö” = “Request”, “Suodattanut” = “Filtered”).

Note: the area covered with Paint brush is and IP adress that has been identical in every notification. Since I saved it into public image hosting site (imgur), I desided to brush the Ip adress over for possible safety reasons, but with help from finnish IT forum I managed to get that it seemingly belongs to my local hosting provider.

I did a quick post about the issue on reddit, and one user replied this:

I'm no expert with NoScript, but I strongly believe that " Deny" means that a script hosted on your own computer, or a redirect to a website hosted on your own computer was blocked.

This could potentially be caused by malware/adware on your computer trying to inject javascript or redirects into the website.
That could be used for example for a cross-site scripting attack, trying to steal your login session or login data, or for browser hijacking.
In this case I’d recommend cleaning up your system.

This could also be caused by other things like unusual programming practices, like a browser addon + local server program hybrid, or an edited host file.

The fact that only HTTP connections and no HTTPS connections are affected makes this seem like a someone is manipulating your internet traffic on the fly (likely your internet service provider), because that would be very hard/impossible for encrypted (HTTPS) traffic.
But doing that to inject scripts/redirects to your local computer would be weird.

Given the point of possible mal/adware, I desiced to run trough logs cans to reveal/hopefully exclude possible infection(s). I’ve ran trough Avast and MBAM scans already whenever Noscript ABE notifications have appeared, and all scans have showed clean by far.

Also, couple of notes: my internet provider is finnish company DNA, and our household has used never router with (seemingly) better connection for some weeks now, but the connection has suffered from occasional shortouts and overall slow connection. The other thing is that nature of this issue seems to be that it only appears twice a day, and almost within same time of the day, between 1 pm and 2 pm (finnish time of course). As mentioned, I’ve already posted about this subject to finnish IT forum for help, but I figured it would probably be for the best to come here to request help finding if the issue would be somehow be about my computer, browser, internet connection, or possibly a hickup of Noscript addon.

Is it still restricted to just Chrome ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: 2016-06-06 04:12 - 2016-06-06 04:13 - 00000000 ____D C:\Users\Juha\AppData\Local\{39563481-3640-41A5-9A2D-2DEC8A747A90} Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Hi exxexboy!

The problem is not with Chrome, its Firefox, since to my understanding Noscript is for Firefox only. Sorry if my exposition was bit unclear. I dont know however why ABE notification mentions Chrome. Firefox is the browser I use casually and on which the problem occurs. It’s quite hard for me to test this problem out given the nature of it…

EDIT: I figured out that “chrome” seems to sign to Firefox’s “new tab” page, given how “chrome” seems to be one element Noscript views there.

Log attached.

EDIT2: I managed to confirm (via Avast home network scan) that Ip adress I mentioned seems to indeed be IP of my household’s internet router.

Try using opendns and see if that stops the script problem

https://www.opendns.com/setupguide/

Thanks for the tip, I’ll try to look up into it soon. It seems there were no visible hints to infections within logs?

No that was just a basic tidy up

I think I found the cause of the problem!

When Noscript blocked my accesses to http websites again, I opened Chrome to take a quick visit to http website since it has seemed to be one way to tempolarly fix the issue. When I tried to access a http website, Chrome suddenly redirected me into a website of our internet service provider, and the domain in address bar seemed to be the exact same as one in Noscript ABE notification messages, Ip adress, stuff about html and redirects, and lastly the webpage I tried to access. The service provider website had little window that informed me about some sort of upgrade being available. When I clicked “Upgrade”, it gave me another window asking for username and password for router user interface. But since I didn’t have the passowrd, I had to close it up for now. So in the end, it seems that all this time our new router has tried to insert an upgrade request into my PC all this time, out of all computers in our household, and Noscript seems to have always blocked it.