Dan,
If I remember, the location of host file changed a few times with the version of Windows. So you will have to figure it out.
Normally HOST file should be empty of entries. When you type “Google.com” your DNS server should tell your computer what is the numerical address of “Google.com”. But some nefarious site might enter that Google goes somewhere else.
Oh, another way they use host file is to enter 127.0.0.1 (your own computer) for popular sites like Google.com and have fake web servers that send your browser those pop-ups. Here’s a brief write-up about host file hijacking.
= = = = = =
While I was typing this, there’s also the possibility of DNS hijacking. Your DNS entry is normally your own ISP (or one of the famous DNS). But sometimes an attacker might enter their own DNS server address so it will tell your browser to go to their own websites (to make pop up happen).
= = = = = =
DNS hijacking and host file hijacking would probably have the symptoms you’ve described (multiple browsers all showing pop-ups, without any virus being installed or detected).
I hope it works out and I didn’t send you down a bad rabbit hole.
Jong
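An added example, not part of the original message: a small Python check for the hosts-file hijack described above. It parses hosts-format text and reports entries that override popular sites; the watchlist, the function names and the sample content are constructed for illustration, and on current Windows versions the file to read is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Assumption: a short watchlist of popular sites; extend it for your environment.
WATCHLIST = {"google.com", "yahoo.com", "cnn.com"}
# Names a stock hosts file may legitimately map to loopback.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping in hosts-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line: not a mapping
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return findings as (line_no, hostname, ip, reason) tuples."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN and ip.is_loopback:
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHLIST)
        if watched and ip.is_loopback:
            reason = "popular site pointed at this computer"
        elif watched:
            reason = "popular site overridden with a fixed address"
        else:
            reason = "extra entry, confirm someone added it on purpose"
        findings.append((line_no, name, str(ip), reason))
    return findings

# Constructed sample content; on a real PC, read the hosts file from disk instead.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       google.com www.google.com
203.0.113.7     cnn.com        # constructed address (TEST-NET-3)
#198.51.100.9   yahoo.com
10.0.0.5        printer.lan
"""

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE), sep="\n")
```

Any finding for a watched site means the name is being resolved from the file rather than by DNS, which matches the symptom of every browser being affected at once.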
On Apr 15, 2025, at 3:55 AM, Dan Kahn via groups.io <dankahn88@...> wrote:
Jong,
Thanks, I think I have an idea what you are saying but can I just do a search for the HOST file. Where is it located, under Program Files?
wings515
On Tuesday, April 15, 2025 at 09:51:06 AM EDT, jong kung via groups.io <jongkung01@...> wrote:
Dan,
Look in your HOST file and see if there’s a redirect of famous sites like Google to a pop up server somewhere. I had this happen to me once. This trick (of entering redirect of famous websites) makes any browser wanting to go to Google, yahoo, cnn, etc., instead go to the pop-up sites (or any sites).
This happened to me very long ago, and I suspect modern virus scanners know this trick. But check anyway, just in case.
Jong
On Apr 15, 2025, at 3:25 AM, Dan Kahn via groups.io <dankahn88@...> wrote:
Update!
I downloaded Malwarebytes and after a 55-minute scan it found 5 PUPs. I figured the problem was solved. Much to my dismay, the user opened his email account and up popped the same warning. So it was not removed. I am going to try downloading PrivaZer and see if that does the trick.
These "pop-ups" must be embedded in some registry location since it is not application related. It is on Chrome, Edge and Outlook.
As an aside, the pc does not meet the requirements for an upgrade to WIN11 so this user has requested that I do the transfer to a new PC he is buying. My concern is this Norton/McAfee popup will also be transferred to the new pc and I will have that to deal with during the install.
Is a puzzlement!
wings515
On Sunday, April 13, 2025 at 11:07:45 AM EDT, Donald H Locker via groups.io <dhlocker@...> wrote:
Are they actually popups from the browser or do they just look like browser popups?
Donald.
On 4/13/25 10:35, Dan Kahn via groups.io wrote:
Donald,
I agree, these pop-ups are not from both McAfee and Norton but some other insidious hacker. Since they are on both Chrome and Edge, I would think they are imbedded in the registry some place.
I am wondering if Malwarebytes and PrivaZer might be able to find and eliminate them. I have both of these and am not plagued by these popups.
wings515
On Saturday, April 12, 2025 at 02:59:42 PM EDT, Donald H Locker via groups.io <dhlocker@...> wrote:
I'd be strongly suspecting that these popups are not, in fact, from McAfee or Norton. McAfee has a fairly good page on spotting and eliminating fake popups:
In particular, note that if setting the browser to block popups from the claimed site is not working, that is another indication that the popup did not originate with that site. (I can't tell you, off the top of my head, how to identify the actual source site for popups; sorry.)
Disclaimer - I haven't used Windoze for at least five years, so my experience is quite dated.
Donald.
On 4/12/25 11:56, Dan Kahn via groups.io wrote:
I just linked in to the user PC with TeamViewer. There are no URLs listed under the Allowed links to remove as per the YouTube video.
I also did a search to see if either Norton or McAfee was downloaded and they were not.

I had the user download Gaurdio or something like that and even though it stated "Free" it was only free after entering the credit card info. I was not going to have the user do this without knowing if this app really worked.

Additionally the user mentioned he has other friends with this same problem.

Ongoing investigation.

Thanks,
wings515