
Linkbucks.com malware infection


17 replies to this topic

#1 uncuva65


Posted 09 February 2015 - 03:26 PM

Hi,

 

When I click links on Twitter, about half the time I get redirected to a linkbucks.com page. It tries to install some sort of download, and then my Avast antivirus informs me that it has blocked an attempted malware infection. I have attached both FRST.txt and Addition.txt results to this post. Please help!

 

Thanks.


#2 uncuva65


Posted 10 February 2015 - 11:26 AM

FYI -- the same thing is happening when I click links on Facebook.



#3 nasdaq

  • Malware Response Team

Posted 13 February 2015 - 09:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=106&itype=n&ver=14094&tm=500&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=106&itype=n&ver=14094&tm=500&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-91956962-1195141547-2717481273-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=106&itype=n&ver=14094&tm=500&src=ds&p={searchTerms}
AlternateDataStreams: C:\ProgramData\TEMP:07BB519E
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:63238B95
AlternateDataStreams: C:\ProgramData\TEMP:65A7E066
AlternateDataStreams: C:\ProgramData\TEMP:E744A7DC
C:\Users\Devid\AppData\Local\Temp\BavPro_Setup_313.exe
C:\Users\Devid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7to_od.dll
C:\Users\Devid\AppData\Local\Temp\install_flashplayer15x32_mssd_aaa_aih.exe
C:\Users\Devid\AppData\Local\Temp\utt33AE.tmp.exe
C:\Users\Devid\AppData\Local\Temp\uttB633.tmp.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
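
A read-only PowerShell audit of the artifacts the fixlist above targets, added here as an example (it is not nasdaq's code and not part of FRST); it assumes that FRST's SearchScopes lines map to the Internet Explorer SearchScopes registry keys, takes the SID from the fixlist, and only uses the current user's Temp folder, so the same items can be checked before and after the fix is run:

```powershell
# Read-only audit (added example, not nasdaq's fix) for the items in the fixlist above.
# Run in an elevated PowerShell; nothing is modified. Assumption: FRST's
# "SearchScopes: HKLM / HKLM-x32 / HKU\<SID>" lines map to the three keys below.
$sid = 'S-1-5-21-91956962-1195141547-2717481273-1001'   # SID taken from the fixlist
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
)
$expectedHosts = 'www.bing.com', 'www.google.com'   # providers the user actually chose
$findings = @()

# 1. Search providers whose URL points anywhere other than an expected host.
foreach ($root in $scopeRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($scope in Get-ChildItem $root) {
        $url = (Get-ItemProperty $scope.PSPath).URL
        if (-not $url) { continue }
        $urlHost = ([uri]$url).Host
        if ($expectedHosts -notcontains $urlHost) {
            $findings += [pscustomobject]@{ Type = 'SearchScope'; Location = $scope.PSPath; Detail = $url }
        }
    }
}

# 2. Chrome policy values (FRST's "Policy restriction"); a home PC normally has none.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (Test-Path $chromePolicy) {
    $props = Get-ItemProperty $chromePolicy
    foreach ($name in (Get-Item $chromePolicy).Property) {
        $findings += [pscustomobject]@{ Type = 'ChromePolicy'; Location = $chromePolicy; Detail = "$name = $($props.$name)" }
    }
}

# 3. Alternate data streams on C:\ProgramData\TEMP (the ':<hex>' entries above).
$adsTarget = 'C:\ProgramData\TEMP'
if (Test-Path $adsTarget) {
    foreach ($s in (Get-Item $adsTarget -Stream * -ErrorAction SilentlyContinue)) {
        if ($s.Stream -ne ':$DATA') {
            $findings += [pscustomobject]@{ Type = 'ADS'; Location = $adsTarget; Detail = "$($s.Stream) ($($s.Length) bytes)" }
        }
    }
}

# 4. Leftover installers in the current user's Temp matching the names in the fixlist.
foreach ($pattern in 'utt*.tmp.exe', 'install_flashplayer*.exe', 'BavPro_Setup_*.exe') {
    foreach ($f in (Get-ChildItem "$env:LOCALAPPDATA\Temp" -Filter $pattern -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type = 'TempExe'; Location = $f.FullName; Detail = $f.LastWriteTime }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

The HKU path only resolves while that user is logged on; an empty result after the fix and a reboot is the expected outcome.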

#4 uncuva65


Posted 15 February 2015 - 12:09 PM

Thanks for the response. I have attached both logs to this reply, and will let you know how the computer is after I have some time to test things out.


#5 nasdaq

  • Malware Response Team

Posted 15 February 2015 - 02:15 PM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#6 uncuva65


Posted 16 February 2015 - 03:27 PM

Below please find the results of the Security Check, noting that the Linkbucks.com issue is still present.

 

 

 Results of screen317's Security Check version 0.99.96  
   x64 (UAC is enabled)  
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.305  
 Adobe Reader XI  
 Mozilla Firefox (35.0.1)
 Google Chrome (40.0.2214.111)
 Google Chrome (40.0.2214.94)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast ng vbox\AvastVBoxSVC.exe
 AVAST Software Avast ng ngservice.exe
 AVAST Software Avast avastui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#7 nasdaq

  • Malware Response Team

Posted 17 February 2015 - 09:14 AM

The Security Check log is clean.

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

#8 nasdaq

  • Malware Response Team

Posted 21 February 2015 - 09:59 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 uncuva65


Posted 22 February 2015 - 04:27 PM

The problem hasn't been present today, so I'm hoping it is solved. I will definitely let you know if it appears again. Thanks!



#10 uncuva65


Posted 25 February 2015 - 02:43 PM

There is still malware on my computer. I am now getting popups when I go to websites telling me my flash player is out of date (the type of popup that is certainly malware and not legitimate). Could you please have a look at the following logs? Thanks.


#11 nasdaq

  • Malware Response Team

Posted 26 February 2015 - 08:32 AM



Did you install this program and do you know what it does?
() C:\Program Files (x86)\lisaanmasry\eadwin.exe

===

Clean your Flash cache.
https://forums.adobe.com/message/4278569

If all is well then stop.

===

If that fails, disable the Flash extension/plugin in your browser.

If any of the instructions stop the popups then I suggest you remove Flash from the Add/Remove Programs applet and restart the computer.
Test the computer and if all is well you should reinstall flash if you need it.

========================= How to Disable Flash: ==================


Disable Flash in IE10
http://www.eightforums.com/browsers-mail/27982-disable-flash-ie10.html


In Chrome: https://support.google.com/chrome/answer/108086?hl=en

- Enter the following address in Chrome’s address bar to access the Plug-ins screen:
chrome://plugins/

Scroll down the list of plug-ins and click the “Disable” link located at the bottom of the Adobe Flash Player section to disable Flash.
___

In Firefox: Tools> Addons> Plugins> Shockwave Flash - Never Activate

>> Browser check: https://support.mozilla.org/en-US/questions/988836

Keep me posted.

#12 uncuva65


Posted 28 February 2015 - 12:34 PM

Thanks for your response, and I did install that program (it's an Arabic language dictionary). I don't think the problem is with Adobe Flash itself, because the linkbucks issue is also still occurring (and I haven't seen the Adobe Flash Player issue today or yesterday). There is quite clearly a general malware issue still present in my computer. Did you not spot anything abnormal in the results I posted? Could it be that my computer is now clean, but there is an issue in my router?



#13 nasdaq

  • Malware Response Team

Posted 01 March 2015 - 08:56 AM


linkbucks is a browser hijacker.
I do not think that your router has been compromised.

Run this tool.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

If that fails refer to this page and see what you can do to remove it.
http://www.malwareremovalguides.info/linkbucks-com-browser-hijacker-removal-instructions/

#14 nasdaq

  • Malware Response Team

Posted 07 March 2015 - 09:20 AM

Are you still with me?

#15 uncuva65


Posted 07 March 2015 - 02:28 PM

Hi, I have attached the Malwarebytes log to this message. It did not find anything, and the linkbucks issue has still been appearing. I'll try the steps on the link you posted and will let you know how it goes.
