I've installed Sucuri Security which found modified core files (five total: two jquery libraries, two svg media elements, and a license.txt at /wpincludes/images/crystal). It appears to have reversed the damage on those files, however the pop-ups still continue.
I ran Sucuri's malware scanner, but it found no infections.