6 Replies Latest reply on Nov 14, 2009 10:51 AM by CraigSpirka Branched from an earlier discussion.

    gets hijacked to lightseek.biz

      Mo,

      I had the same problem.  Have McAffee Total Protection 2009, well maintained.  Something called fizeyapug snuck in under McAffee's nose and I had to remove it with various other products (Webroot, MS OneCare, AdAware).  Now, when I open Google, it gets hijacked to lightseek.biz or I get warnings from Webroot that the site is blocked.  I ran your "Stinger v10.0.1.624" and it came up clean.  Help!  -Craig

        • 1. Re: gets hijacked to lightseek.biz

          Criag i have created a new thread for you to avoid confusion.

          • 2. Re: gets hijacked to lightseek.biz

            Thank you.  The "same problem" in question in my original post above was the one reported in http://community.mcafee.com/message/98680#98680 Thanks, -Craig

            • 3. Re: gets hijacked to lightseek.biz

              Actually Criag, both are different type of infections.

              • 4. Re: gets hijacked to lightseek.biz

                O.K. I thought they were related because first I got the infection described in http://community.mcafee.com/message/98680#98680, despite having a well-maintained McAffee security center version 9.15.  After cleaning that with non-McAffee products, now when I go to Google, my home page, I get a fake Google, which looks like Google, but it's not really Google:

                FakeGoogle.JPG

                Notice that it's missing the "Make Google my homepage" link that should appear above "c 2009 - Privacy."

                 

                If I type something into the search bar, I don't get any drop-down options from Google.

                 

                If I click on anything -- the search button, Gmail, and so on -- it tries to take me to a malware site, which I don't want to repeat to show you, but I'll do it if you need me to.

                 

                Trying to go to other common sites, like ATT WebMail, brings up additional pop-up windows trying to link to lightseek.biz.

                 

                Help!   Thanks, -Craig

                • 5. Re: gets hijacked to lightseek.biz
                  BMann

                  A lot of the rogue/fake security products have been modifying the hosts file lately and it's possible that yours may still be out of whack a bit.

                   

                  If you go to C:\Windows\system32\drivers\etc you file a file called "hosts".  A clean hosts file should look something like:

                   

                  # Copyright (c) 1993-1999 Microsoft Corp.
                  #
                  # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
                  #
                  # This file contains the mappings of IP addresses to host names. Each
                  # entry should be kept on an individual line. The IP address should
                  # be placed in the first column followed by the corresponding host name.
                  # The IP address and the host name should be separated by at least one
                  # space.
                  #
                  # Additionally, comments (such as these) may be inserted on individual
                  # lines or following the machine name denoted by a '#' symbol.
                  #
                  # For example:
                  #
                  #      102.54.94.97     rhino.acme.com          # source server
                  #       38.25.63.10     x.acme.com              # x client host

                  127.0.0.1       localhost

                   

                  If there are any entries below the 127.0.0.1 line, delete them and save the hosts file.  You can open and edit the hosts file using notepad.

                   

                  Let us know if there were any additional entries and if this helped at all.

                  • 6. Re: gets hijacked to lightseek.biz

                    Hi Brian.

                     

                    Thanks for the advice.  My C:\Windows\system32\drivers\etc "hosts" file looks exactly like the one you posted, so I guess there's something else that's directing me to a fake Google site.

                     

                    I know it's fake (the one I pictured above) because now (Saturday, 11/14/2009, 11:45 a.m. EST) the REAL Google is displaying the wateronmoon09-hp.gif,

                     

                    wateronmoon09-hp.gif

                     

                     

                    but mine still displays the old, multicolored Google logo shown in my post above.

                     

                    If I click on something (like GMail, for example) or actually try to search for something on my fake Google site, it will take me to a rogue site and start "scanning my computer for viruses."  Would you like me to try that and report back?  Thanks, -Craig