if pop-broker.com opens by itself, do not treat it as a normal browser tab or a Windows feature. It is usually a browser-redirect/adware symptom, and in several public cases the visible clue was a short C:\Windows\System32\cmd.exe flash that launched the browser through a scheduled task. Block the site, remove unwanted browser permissions, then inspect Task Scheduler and startup entries before resetting the browser.
Gridinsoft’s URL scanner currently classifies pop-broker.com as phishing, so do not enter passwords, card details, one-time codes, or account recovery information on pages opened through this redirect. The cleanup goal is to remove the trigger that keeps opening the site, not just close the tab.
If the recurring site is ultahost.gl instead of pop-broker.com, use the focused Ultahost.gl pop-ups removal and safety check because that case starts with browser notification permissions and only escalates when a download, scheduled task, or loader alert is present.
If the suspicious page is a one-time redirect doorway rather than a recurring local trigger, compare it with our Ixtok.com redirect and phishing safety check before entering any data.
| What you see | Likely source | First check |
|---|---|---|
| A browser tab opens to pop-broker.com every few hours | Scheduled task or startup item | Task Scheduler Library and Startup apps |
| Fake virus, VPN, prize, or robot-check notifications | Allowed site notifications | Chrome/Edge notification permissions |
| Searches or new tabs redirect through pop-broker.com | Extension or browser policy | Extensions, search engine, homepage, policies |
| The issue returns after browser reset | System-level persistence | Scheduled tasks, recent apps, full malware scan |
Why Pop-broker.com Keeps Opening
Pop-broker.com is a web domain, not a Windows process. When it appears without a click, something else is launching it: an allowed browser notification, a hijacked extension, a startup entry, or a scheduled task that runs cmd.exe /c start with a URL. Microsoft Q&A users have reported a task named GoogleUpdateDaily that opened www.pop-broker.com every six hours, which matches the “CMD opens and a tab appears” symptom.
That task name is especially misleading because real Google update tasks can exist on Windows. The suspicious part is the action. A legitimate updater should point to a Google updater executable, not to cmd.exe launching a pop-broker.com URL.
Step 1: Remove Pop-broker.com From Browser Notifications
If the browser is already open and you mostly see fake alerts in the corner of the screen, start with notification permissions. In Chrome, open chrome://settings/content/notifications and remove unfamiliar sites from the allowed list. In Edge, open edge://settings/content/notifications and remove unknown senders. Also block pop-ups and redirects for sites you do not recognize.
This step is useful when the symptom is a notification-style scam. If a command prompt flashes and then opens a new tab, continue with Task Scheduler because notification cleanup alone will not remove a system-level launcher.
Step 2: Check Extensions, Search, and Startup Pages
- Open your browser extensions page and remove extensions you did not install intentionally.
- Check the default search engine and homepage. Restore them to your chosen provider if they were changed.
- Close all browser windows, reopen the browser, and make sure the old pop-broker.com tab is not restored from the previous session.
- In Windows Settings, open Apps and uninstall recently added freeware, cracked-app helpers, download managers, or unknown browser tools.
For a similar browser redirect cleanup flow, see Gridinsoft’s guide to Markedoneofthe.com redirects. If your alerts imitate a known security brand, also compare the behavior with fake McAfee pop-up cleanup.
Step 3: Inspect Task Scheduler for a Fake GoogleUpdate Task
Open Task Scheduler from the Start menu and select Task Scheduler Library. Review tasks with names such as GoogleUpdateDaily, GoogleUpdateWeekly, or vague updater names. For each suspicious task, open Properties and check the Actions tab.
Disable or delete the task if the action launches cmd.exe, powershell.exe, wscript.exe, a browser executable, or a command like:
cmd.exe /c start https://www.pop-broker.com/...Do not delete every Google-named task blindly. Confirm the action first. Legitimate updater tasks normally point to an updater executable under a vendor folder, while the pop-broker.com pattern points to a browser URL. Microsoft documents schtasks as the Windows command-line interface for scheduled tasks, and MITRE ATT&CK tracks scheduled-task abuse as a common persistence technique.
Step 4: Scan for the PUA or Loader That Created the Task
Removing the task stops the visible redirect, but it does not prove the original installer is gone. Run a full scan with Gridinsoft Anti-Malware and pay attention to PUA/adware, browser hijacker, script, and startup detections. If the redirect started after installing a game mod, cracked app, browser extension, or downloader, remove that program before restoring browser settings.
After uninstalling the suspicious app or deleting the visible threat, use Gridinsoft Anti-Malware to check hidden files, startup entries, scheduled tasks, bundled apps, browser changes, and other persistence points that can restore malware.
Download Anti-MalwareAfter the scan and cleanup, restart Windows. Then wait through the interval when the tab usually appeared. If the browser stays closed and no new Task Scheduler entry appears, the persistent trigger is likely removed.
Step 5: If It Still Returns
- Check Startup apps in Windows Settings and Task Manager for unknown entries.
- Review browser policies at
chrome://policyoredge://policy. Unknown forced extensions or search policies can restore redirects. - Check every installed browser, not only the one that opened first.
- Create a restore point before making deeper system changes.
- If you use browser sync, reset the browser after cleanup and avoid syncing extensions until the account is clean.
How to Tell It Is Fixed
The fix is successful when no scheduled task points to pop-broker.com, no browser has the site in notification permissions, no unknown extension returns, and Gridinsoft no longer detects adware or startup persistence. A single closed tab is not enough; the important test is whether Windows stops launching the browser by itself.
FAQ
Is pop-broker.com a virus?
The domain itself is a website. The repeated opening behavior usually points to adware, a browser hijacker, an unwanted notification permission, or a scheduled task that launches the URL.
Why does cmd.exe flash before pop-broker.com opens?
A scheduled task or startup entry can run cmd.exe /c start with a URL. The command prompt appears briefly, then Windows opens the default browser.
Should I delete GoogleUpdateDaily?
Only delete or disable it if the task action points to cmd.exe, a browser, or pop-broker.com. Do not remove legitimate update tasks solely because their names contain Google.
Will resetting Chrome or Edge fix it?
Browser reset can help when the source is an extension or notification permission. It will not fix a scheduled task or startup item that launches the browser from Windows.
References
- Gridinsoft. “Pop-broker.com Phishing Report: Is It Safe?” Gridinsoft URL Scanner, accessed May 27, 2026. https://gridinsoft.com/online-virus-scanner/url/pop_broker-com
- Microsoft Q&A. “C:\Windows\System32\cmd.exe pop up randomly.” Microsoft Learn Answers, June 2024, accessed May 27, 2026. https://learn.microsoft.com/en-us/answers/questions/4009621/c-windowssystem32cmd-exe-pop-up-randomly
- Microsoft Learn. “schtasks commands.” Microsoft, accessed May 27, 2026. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
- MITRE ATT&CK. “Scheduled Task/Job: Scheduled Task (T1053.005).” MITRE, accessed May 27, 2026. https://attack.mitre.org/techniques/T1053/005/
- Google Chrome Help. “Remove unwanted ads, pop-ups and malware.” Google, accessed May 27, 2026. https://support.google.com/chrome/answer/2765944?co=GENIE.Platform%3DDesktop&hl=en
