I had the same problem. Have McAfee Total Protection 2009, well maintained. Something called fizeyapug snuck in under McAfee's nose and I had to remove it with various other products (Webroot, MS OneCare, AdAware). Now, when I open Google, it gets hijacked to lightseek.biz or I get warnings from Webroot that the site is blocked. I ran your "Stinger v10.0.1.624" and it came up clean. Help! -Craig
O.K. I thought they were related because first I got the infection described in http://community.mcafee.com/message/98680#98680, despite having a well-maintained McAfee security center version 9.15. After cleaning that with non-McAfee products, now when I go to Google, my home page, I get a fake Google, which looks like Google, but it's not really Google:
Notice that it's missing the "Make Google my homepage" link that should appear above "©2009 - Privacy."
If I type something into the search bar, I don't get any drop-down options from Google.
If I click on anything -- the search button, Gmail, and so on -- it tries to take me to a malware site, which I don't want to repeat to show you, but I'll do it if you need me to.
Trying to go to other common sites, like ATT WebMail, brings up additional pop-up windows trying to link to lightseek.biz.
Help! Thanks, -Craig
A lot of the rogue/fake security products have been modifying the hosts file lately and it's possible that yours may still be out of whack a bit.
If you go to C:\Windows\system32\drivers\etc you will find a file called "hosts". A clean hosts file should look something like:
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 126.96.36.199 rhino.acme.com # source server
# 188.8.131.52 x.acme.com # x client host
127.0.0.1 localhost
If there are any entries below the 127.0.0.1 line, delete them and save the hosts file. You can open and edit the hosts file using notepad.
Let us know if there were any additional entries and if this helped at all.
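The manual check described in the reply above can also be scripted. The following is an added example, not part of the original thread: it parses a hosts file and reports every active entry other than the stock `127.0.0.1 localhost` mapping. The function name, the sample data and the 192.0.2.10 address (a documentation-only range) are constructed for illustration.

```python
import ipaddress
import sys

# The only active mapping expected in the clean file shown in the thread.
EXPECTED_LOOPBACK_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for each unexpected active entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # comments start at '#'
        if not entry:
            continue                              # blank or comment-only line
        ip, *names = entry.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "unparseable address"))
            continue
        if not names:
            findings.append((line_no, ip, "", "address with no hostname"))
            continue
        for name in (n.lower() for n in names):   # one line may carry several names
            if addr.is_loopback and name in EXPECTED_LOOPBACK_NAMES:
                continue
            reason = ("extra name pinned to loopback" if addr.is_loopback
                      else "name redirected to another address")
            findings.append((line_no, ip, name, reason))
    return findings

# Constructed sample data: a shortened clean file and a tampered variant.
SAMPLE_CLEAN = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# For example:\n"
    "127.0.0.1 localhost\n"
)
SAMPLE_TAMPERED = SAMPLE_CLEAN + (
    "192.0.2.10 www.google.com google.com\n"
    "127.0.0.1 update.example.test   # constructed hostname\n"
)

if __name__ == "__main__":
    # Pass the real file as an argument, e.g. C:\Windows\system32\drivers\etc\hosts;
    # with no argument the constructed tampered sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_TAMPERED
    for line_no, ip, name, reason in audit_hosts(content):
        print(f"line {line_no}: {ip} -> {name or '(none)'}: {reason}")
```

An empty result means the hosts file contains nothing beyond the default loopback entry, in which case the redirection has to come from somewhere else on the system.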
Thanks for the advice. My C:\Windows\system32\drivers\etc "hosts" file looks exactly like the one you posted, so I guess there's something else that's directing me to a fake Google site.
I know it's fake (the one I pictured above) because now (Saturday, 11/14/2009, 11:45 a.m. EST) the REAL Google is displaying the wateronmoon09-hp.gif,
but mine still displays the old, multicolored Google logo shown in my post above.
If I click on something (like GMail, for example) or actually try to search for something on my fake Google site, it will take me to a rogue site and start "scanning my computer for viruses." Would you like me to try that and report back? Thanks, -Craig