linkbucks.com browser hijack malware/virus removal questions

mynetdude (Baseband Member, 49 messages, Oregon, USA)
I'm trying to find out if there's a least invasive way to go about this; my customer brought me a laptop she had taken to Staples, where they had done a courtesy inspection. I did some research on the information they had given her, and based on my findings and some things I had said, she said they had also said so; therefore it seems to me what I would do is consistent with what they would do.

Has anyone run into this before? Nothing seems to pick this up (mbam, SpyHunter, Hitman Pro, etc.). The best recommendation I found was to manually remove it; but at that point you might as well reformat, because you're likely to do damage to it, thus the need to back up her data would be first priority.

Already checked with MSE, Microsoft Safety Scanner, etc.


What would you do? Is there something I am not doing?
 
What exactly is it doing?

ah ^^ that would help, my bad

she's getting popups and redirects, so when she goes to Google she is redirected to some bizarre website and sometimes to Linkbucks.com - Make money when people leave your website! (masked by another domain), etc. It's also slowing down her PC, but the notable exception is she does have other issues that are causing the slowdown, not just this issue alone, although based on what I read, the linkbucks.com browser hijack/malware/virus can slow down the PC too.

I don't know why they're calling it a virus when they also keep saying it's just a browser hijack, and everything I've used isn't detecting this one.
 
It is a redirect infection and not a virus. That is why the scanners you mention don't find it. The reason it isn't being removed, it is linked to the Registry.

How to Permanently Remove Linkbucks.com Redirect Virus? Manual Removal Tips - Remove Malware - Zimbio


yeah I read that; I can do it, it would just take me a little more time to make sure that I don't make a grave mistake; but that's what backups are for.

What about a registry cleaner that looks for this kind of stuff? (I'm going to assume: no, because that would have been mentioned if it was a viable solution).
 
These are all of the registry keys that Linkbucks.com can affect:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'


Also, but probably most important of all, would be to check your hosts file!
C drive=>Windows=>System32=>drivers=>etc=>hosts (open it with notepad). It should look like this:

[image: windows-hosts-file.jpg]

If there is anything else besides this written in there, you need to delete it so only this is showing (make sure you can't scroll down the file either; sometimes they hide like 1000 lines down the page).
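A read-only audit that walks the registry values listed in the post above and then the hosts file, so you can see what the machine actually has before deciding between manual cleanup and a reformat. This is an added example, not code from the thread or from any of the tools mentioned; the key paths and value names are the ones the post lists, and treating the listed value as "suspicious" is an assumption of mine, so confirm every finding by hand. It changes nothing and needs PowerShell 3 or later run elevated.

```powershell
# Added example (not from the thread): read-only audit of the registry values and the hosts file
# named in the post. It only reports; it changes nothing. Run from an elevated PowerShell.
# The paths and value names come from the post; calling the listed value "SUSPICIOUS" is my
# assumption, so confirm each finding by hand before touching anything.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';   Name = 'CertificateRevocation'; Listed = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';   Name = 'WarnonBadCertRecving';  Listed = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Listed = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';  Listed = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr';       Listed = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr';       Listed = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                  Name = 'CheckExeSignatures';   Listed = 'no' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                      Name = 'Use FormSuggest';      Listed = 'yes' },  # also a normal user setting; low signal alone
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';    Name = 'Hidden';               Listed = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';    Name = 'ShowSuperHidden';      Listed = '0' }
)

Write-Output '--- Registry values named in the post ---'
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("absent      {0}\{1}" -f $c.Path, $c.Name)
        continue
    }
    $val = $item.($c.Name)
    $tag = if ("$val" -eq $c.Listed) { 'SUSPICIOUS' } else { 'present   ' }
    Write-Output ("{0}  {1}\{2} = {3}" -f $tag, $c.Path, $c.Name, $val)
}

# LowRiskFileTypes is a policy value that is normally not set at all, so its mere presence is worth a look.
$assoc = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations' `
                          -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
if ($assoc) { Write-Output "REVIEW      LowRiskFileTypes is set to: $($assoc.LowRiskFileTypes)" }

# Every autostart entry under the HKCU Run key, for manual review (the post mentions entries named '.exe' and '').
Write-Output '--- HKCU Run entries ---'
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Output ("{0,-30} {1}" -f ("'" + $_.Name + "'"), $_.Value) }
}

# The hosts file: print every active (non-blank, non-comment) line with its line number, so an entry
# buried far down the file still shows up. On Windows 7 and later the stock file contains only
# comments, so a clean file prints a header and nothing else.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$lines  = @(Get-Content -Path $hostsPath)
$active = 0
Write-Output ("--- hosts file ({0} lines total) ---" -f $lines.Count)
for ($i = 0; $i -lt $lines.Count; $i++) {
    $t = $lines[$i].Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    $active++
    $parts = $t -split '\s+'
    $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
    Write-Output ("line {0,5}: {1,-18} -> {2}" -f ($i + 1), $parts[0], $names)
}
Write-Output ("{0} active hosts entries" -f $active)
```

The script deliberately reports rather than fixes: the thread's own advice is to back up first and edit by hand, and an audit you can re-run after each cleanup step is the quickest way to see whether something is restoring the values behind you.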
 
So there's no safe tool that can do this without me having to get under the hood?

Yeah, I suspect the hosts file has some unwanted stuff. I think I'd rather just tell my customer to consider having it reformatted; the time and effort it's going to take to fix this plus a few other issues is almost as much as reformatting.
 

I would boot into safe mode with networking, run this: http://download.bleepingcomputer.co...security/security-utilities/r/rkill/rkill.exe

Then I would perform a full scan with malwarebytes: https://store.malwarebytes.org/342/cookie?affiliate=1878&redirectto=http%3A%2F%2Fdownload.bleepingcomputer.com%2Fdl%2F0bc14e63217c5d3f8efeef21e696e7f8%2F511925af%2Fwindows%2Fsecurity%2Fanti-spyware%2Fm%2Fmalwarebytes-anti-malware%2Fmbam-setup.exe&product=29945

If that doesn't show up with any results, then you can talk about reformatting with the customer.

Edit: Also if mbam does find any rootkits, backdoor exploits, etc. (anything besides trojans), I would also run Kaspersky's TDSSKiller.
 

Ok, yeah, I tried mbam in normal mode; it didn't catch anything, so safe mode sounds like a good next step for process of elimination; thanks :)
 

If you run RKill before scanning, it'll help mbam's detection process in case any portion of it is hiding itself. It will also tell you about registry errors and such.
 