ADVERTISEMENT - SCROLL TO CONTINUE

First-tl Pop-up Ads – Fake Virus Alerts

Pop-up ads from First-tl keep appearing on your screen? Here's how you stop that.

By Andy Mulholland - Malware Researcher 3 Min Read

ⓘ This article addresses potential risks such as phishing and malware. If you come across any undisclosed threats, please let us know.

First-tl is a common pattern of website domains used by cybercriminals to trick users into giving them notification permission.

They do this in order to display unwanted advertisements on the device’s screen, which benefits them from forced ad revenue.

Some domains include:

  • First-tl-119-d.buzz
  • First-tl-100-d.buzz
  • First-tl-100-e.buzz
  • First-tl-163-c.buzz

These pop-up ads can display push notifications even when the browser is not being used. Excessive advertising on computer screens can be annoying to many people.

On PC screens, First-tl pop-ups are frequently displayed in the notification panel, which is located in the bottom-right corner.

First-tl alerts, such as fake antivirus alerts, can be mistaken for legitimate security software. Fake virus alerts are intended to instill fear and elicit an immediate response from users.

They hope you will engage and interact with the pop-ups, believing that this will eliminate the alleged “threat”. However, interacting with these pop-ups may result in a redirection to unsafe websites.

More about pop-up ads

Most pop-ups from First-tl websites attempt to deceive users by claiming that their device is infected with malware.

They also urge users to install an antivirus program that claims to be effective against malware.

To be clear, the notifications are fake, and there is no real malware on the computer.

This strategy aims to persuade users to buy a security software license, allowing cybercriminals to profit from the subsequent affiliate sale.

Pop-ups not only display fake virus alerts, but also advertisements for gambling and dating websites. They make money by forcing advertisements onto the screen.

A pop-up can redirect the web browser to a malicious drive-by download. This could lead to the system becoming infected with malware.

While browsing the internet, you may encounter First-tl pop-up ads that direct you to misleading websites. These are frequently caused by accessing illegal streaming platforms and torrenting websites.

We previously encountered a similar threat with fake push notifications from the website Flowprotocol.co.in.


The instructions below will walk you through the process of removing First-tl-caused fake virus alerts from your device’s screen.

First-tl removal guide

If you are in dire need of help removing First-tl from your browser, then you have come to the right place.

The step-by-step instructions below will show you how to remove the unwanted pop-ups and redirections.

We considered the technical skills of the people who use the internet, so we made sure the steps are simple enough that even those who aren’t tech-savvy could follow them.

For the Overviews
To remove First-tl from your browser, you only need to follow a simple three-step procedure:

Step 1: Remove browser permission

Step 2: Delete unwanted extensions
Step 3: Scan for malware with AdwCleaner

Step 1: Remove browser permission

First-tl is only able to show ads to the computer screen because it has permission from the browser to do so. In order to remove the unwanted alerts and notifications, you can revoke the said permission.

Here’s how to do so:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge

How to remove First-tl from Google Chrome:

1. Launch the Google Chrome application, then click the three-dot menu button in the top-right corner of the browser window. Choose Settings when the drop-down menu appears.

Chrome Permission Step1

2. Once the browser has opened the Settings page, select Privacy and Security from the list of available options on the left-side panel.

Chrome Permission Step2

3. After opening the privacy page, navigate to the Privacy and Security section and select Site Settings.

Chrome Permission Step3

4. Locate the Permissions section of the page by scrolling down. To view all websites with notification access in the browser, click Notifications.

Chrome Permission Step4

5. Next, under Allowed to send notifications, it will display a list of websites that are allowed to display notifications. Click the three dots next to the link and choose Remove to revoke the website’s permission.

Chrome Permission Step5

How to remove First-tl from Mozilla Firefox:

1. Open Mozilla Firefox and click the three horizontal lines in the upper-right corner to bring up the menu. Choose Settings from the drop-down menu that displays.

Firefox Permission Step 1

2. Select Privacy and Security from the left-side panel after the Settings page has opened in a new tab.

Firefox Permission Step 2

3. Scroll down until you find the Permission section and click the Settings icon beside Notifications.

Firefox Permission Step 3

4. Websites that are allowed to display notifications will open in a separate window. You can revoke the permission by clicking on First-tl and selecting the Remove Website button,

Firefox Permission Step 4

How to remove First-tl from Microsoft Edge:

1. Start by clicking the three-dot icon in the upper-right corner of Microsoft Edge once it has launched on the computer. Click Settings once the drop-down menu has appeared.

Edge Permission Step 1

2. After opening in a new tab, choose Cookies and Site permissions from the left sidebar of the Microsoft Edge settings page.

Edge Permission Step 2

3. Scroll down on the Cookies and Data Settings page and select Notifications below the site permission section.

Edge Permission Step 3

4. In the Notifications page’s Allow section, find First-tl. Next, click the three horizontal dots and select Remove.

Edge Permission Step 4

Once the notification permission has been adjusted as needed, pop-ups from First-tl should no longer show up in the browser.

Step 2: Delete unwanted extensions

Extensions can be the leading cause of First-tl showing pop-ups. However, it may be difficult to remove them if certain browser policies are set to make it persist. It might disable the delete button which makes it hard to do so.

For this reason, we will first need to delete the policies it has set on the browser before attempting to remove unwanted extensions.

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge

How to remove Google Chrome browser policies:

1. To do this, we will use Chrome Policy Remover. Download the Windows version by clicking here.

ChromePolicy Step1

2. Proceed to download delete_chrome_policies.bat by clicking Download anyway.

ChromePolicy Step2

3. Once the bat file has finished downloading, run it as administrator to begin removing unwanted policies set by the malware.

ChromePolicy Step3

4. If the Microsoft Defender SmartScreen prevented it from running, click Run anyway. This tool has been recommended enough times in the Google Chrome community therefore we can vouch that it is safe to run. (VirusTotal results of the Policy Remover.)

ChromePolicy Step4

5. The command prompt will open up, it will close Chrome and delete certain malicious policies. Once the policies are removed, you can now close the command prompt and begin removing the extension.

ChromePolicy Step5

How to delete unwanted extensions from Chrome:

1. Open Google Chrome and click the three horizontal dots on the upper-right corner of the screen.

ChromeExtension Step1

2. From the dropdown menu, select Extensions and click Manage Extensions.

ChromeExtension Step2

3. You should now be able to click the Remove button. Continue to do so in order to remove the unwanted extension from the browser. (For this example, we will be using Google Docs Offline.)

ChromeExtension Step3

How to remove Mozilla Firefox browser policies:

1. Open the browser and type about:policies in the address bar.

FirefoxPolicy Step1

2. Take note of the active policy names as shown on the screen.

FirefoxPolicy Step2

3. Press Windows Key + R to open the Run command.

FirefoxPolicy Step3

4. Type regedit and hit enter to open the Registry Editor.

FirefoxPolicy Step4

5. Go to the following directory: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox

FirefoxPolicy Step5

6. Delete the policies that matched the ones shown on the browser policy page earlier. With this, we can proceed with deleting the unwanted extension.

FirefoxPolicy Step6

How to remove unwanted extensions from Firefox:

1. Open the Firefox browser and click the extension icon on the upper-right corner of the screen.

FirefoxExtension Step1

2. Click on the cog icon near the unwanted extension you want to install. From the dropdown menu, select Remove Extension. (We will be using a sample extension to demonstrate.)

FirefoxExtension Step2

How to delete browser policies set in Microsoft Edge:

1. Open Command Prompt as administrator.

EdgePolicy Step1

2. Type in the following code and enter each line separately.

taskkill /im msedge.exe /f
reg delete "HKCU\Software\Policies\Microsoft\Edge" /f
reg delete "HKLM\Software\Policies\Microsoft\Edge" /f

3. Once finished, close Command Prompt and we can begin removing the unwanted extension/s from the browser.

EdgePolicy Step3

How to remove unwanted extensions from Microsoft Edge:

1. Open Microsoft Edge and click the Extensions icon on the top bar of the browser.

EdgeExtension Step1

2. Click on Manage Extensions.

EdgeExtension Step2

3. Find the unwanted extension and click Remove.

EdgeExtension Step3

Step 3: Scan for malware with AdwCleaner

AdwCleaner is a utility tool that is primarily used for cleaning adware and potentially unwanted applications (PUP) from the computer. This program is also primarily used to find and remove malware that is targeted at the web browser.

Here’s how to install and use AdwCleaner:

1. To start, download the latest version of AdwCleaner.

AdwCleaner Step1

2. Once AdwCleaner has finished downloading (adwcleaner.exe), run the executable file.

AdwCleaner Step2

3. If the User Account Control window pops up, click Yes to proceed with running the program.

AdwCleaner Step3

4. Once the program has launched, agree to the End User License Agreement by clicking the I Agree button.

AdwCleaner Step4

5. Click on the Scan Now button to begin scanning your computer for browser threats such as adware, PUPs, and more.

AdwCleaner Step5

6. Wait for AdwCleaner to finish scanning the files on the system. This may take a while depending on how large the files on your device are, as well as your system’s hardware capabilities.

AdwCleaner Step6

7. Once the scan is complete, proceed to take action by following the on-screen instructions. Otherwise, if the scan shows a clean result, click Run Basic Repair to reset Winsock and other settings before finishing the process.

AdwCleaner Step7

Tips to keep your computer safe

As the saying goes:The biggest vulnerability is the person behind the screen

So, here are some tips and what you need to know in order to keep your device safe and malware-free in the long run.

Keep every software installed up to date

Make sure that all of the programs in your computer is up-to-date with the latest version released by the developer. The reason behind this is that these updates frequently tackle bugs and issues that malware actors often exploit.

The same goes for your computer’s operating system, make sure Windows is up-to-date with the latest software update to prevent malware from exploiting a hidden vulnerability.

Avoid downloading files from unknown sources

One of the biggest sources of malware infection in a computer system is third-party installations. This happens when a user downloads a certain program from sources that are not the official download links. Some of the common types of sources where malware is present are torrent files, cracked software, and games.

Be careful with opening email attachments

Malware often disguises itself as resumes and quotations and threat actors often send thousands of these infected emails to company employees around the world in order to infiltrate their network.

Always check where your emails are coming from as there may be a chance that the project attachment you received via email did not actually come from a co-worker.

Do not visit unreputable websites

Avoid visiting websites that contain unfiltered advertisements such as illegal streaming websites, cracked software platforms, and links sent out to you by somebody you do not trust.

These sites are often linked to redirect chains that load once you click on an ad element on the page. Following this chain often leads to drive-by malware and phishing pages that an average user may eventually fail to notice.

Leave a comment