LinkBucks.com malware?

All links on Safari v. 5.1.10 web pages have today been usurped by ultrafiles.net - as with, e.g., this link (for information only!):


http://www.ultrafiles.net/7cc02b3a/url/http://uk.advfn.com/cmn/fbb/thread.php3?id=29793328


LinkBucks - in beta - brings up an ad via the above link. Clicking on "Skip this ad" brings up


We are unable to install this application because it’s not compatible with your OS

Instead we recommend you try

Best personalized homepage - A Newspaper Styled Homepage


[needless to say, I've not clicked on anything there...]


I found (and have now lost) a possible answer, IF this is "Adware" infestation, and checked Safari prefs > Extensions but found an empty pane, so that hasn't helped. The lost article listed other things to test, but it was all rather beyond this octogenarian's technical capability.


My setup is Snow Leopard in MacBook Pro. My ISP at this Cape Town location is now transmitting to a dish on my house by wireless, using an Ethernet cable direct from the dish but without an intermediate modem.


Had no problem with that until today nor previously via modem/ethernet here or at home in the Isle of Man on a wireless connection.


I need to be trading online all of every working day, so desperation is imminent and any informed help would be very much appreciated.

Mac OS X (10.6.1), MacBook Pro

Posted on Jan 24, 2014 2:00 AM

Question marked as Best reply

Posted on Jan 24, 2014 2:14 AM

Very much looks like malware on the basis of this document.


Linkbucks.com browser hijacker removal instructions | malwareremovalguides


But before you download anything from the above document double check to make sure it, too, is not malware.

26 replies

Jan 24, 2014 5:59 AM in response to seventy one

Thanks seventy one for responding and for the link.


However, 2 worries:


1. The removal instructions relate to Windows browsers and of course I've got this infection in Safari in OSX.


2. Not sure how to "double check" this set of instructions itself for malware if I download it...? Seems like Catch22 - download anti-malware app to check anti-malware app?


3. Also, I have Windows XP in a virtual machine (VMware Fusion) in this computer too. Being decidedly non-technical, I'm apprehensive about finding I've cross-infected that as well by attempting to download what seems to be Windows software into my MacBook.


Has anyone else any thoughts, please? Having converted some years ago to Apple computing to avoid suchlike filth, I'm out of my depth here now that it's roosting in my MacBook!

Jan 24, 2014 6:55 AM in response to Titusmac

Could have come via a windows source. And yes, the catch 22 thought was in my mind too.


Do you have the Easy Find application or even better, Find any File. If so, you could feed in such detail as you can establish and start to delete it. Easy Find is a free app from the App store, and Find any File is a low price app from the same place. Or Google them. I cannot work out if you are in SA or the Isle of Man at the moment; that could affect what you can download.


Your Mac should not accept Windows software, but I can't be sure in this situation.


I will have a closer look this afternoon and see if I find something ... but let me know if you can get hold of the two apps I mentioned.

Jan 24, 2014 8:19 AM in response to Titusmac

Have now had time to look around and it is clear this is malware of a nasty kind. The links I gave you for the two search helps both have direct connections. I know from personal experience both respond to enquiries. I suggest you write to both and ask them how they think your problem will be resolved via their app.


Easy Find. (Free app) This is their support page.


Get support for DEVONthink, DEVONagent & Co. for Mac and iOS - DEVONtechnologies


Find any File. (£5.49) Write direct to the address at the top of the screen (Thomas Tempelmann ... etc)


Thomas Tempelmann - Find Any File - Support


I think you should explain you have a virtual windows link to your Apple OS.


Best I can do; wish you luck.

Jan 24, 2014 12:36 PM in response to seventy one

Thanks again, seventy one. I have now read every Apple Discussions thread on the Linkbucks virus and tried all the suggested solutions that could be tackled without 'nerd knowhow' - without success. (Apple has obligingly but incorrectly marked your posts above as having "solved my question", whereas I tried to mark them as "helpful"!)


Firstly, via Safari preferences > Privacy I found and deleted three linkbucks website cookies or other data (Cache).


Then, having switched off the computer, I disconnected, at the computer, the ethernet cable from the wireless receiving dish on the outside wall of my Cape Town house and replaced it.


No joy: the cookies were replaced, hijacking continues, switching off and unplugging things does zilch for me.


As there is no intervening modem (see my first post above) with this ISP method, I presume that function occurs at the transmitter mast end, across a valley from here. Could it, as one thread discusses, be a DNS problem? As always, it's a week-end when these failures occur, but on Monday I'll try to discuss that with the ISP, where presumably the "wireless modem" is located (?).


I'm not clear from your last post above if either or both the recommended file finder apps will do anything different from what I've already done by zapping the cookies/cache as I have. But I'll try one or both just in case I don't - as is likely - understand some difference between "website cookies or other data" and "files".


What really disturbs me is that this virus has apparently, as evidenced on this Apple site, been infecting Apple equipment for at least a year and a half, so far, yet the producers and purveyors of this high-faluting, expensive bling which is said to be (almost) virus free appear to be totally disinterested in the havoc it has been causing for so long. Bypassing the problem by browsing with an iPad is not a serious proposition for me: I normally use 2 computers and 3 or 4 17 to 24-inch monitors simultaneously, all day long, to earn a living on real-time trading platforms.


But that's "I.T." A car manufacturer that behaved similarly wouldn't last long.

Jan 24, 2014 9:35 PM in response to Titusmac

Boy I hope someone finds a fix for this soon... My laptop and my wife's iPad were both infected today. I went to Starbucks thinking maybe the problem is with the ISP, but no luck.


Since this is a redirect, maybe I could delete or wipe clean the host file. Can anyone here offer some tips?


I live in California, so I guess this is a worldwide problem.

Jan 24, 2014 10:44 PM in response to Titusmac

Good Morning. Unfortunately there is no way (I know of) of changing the solved star, though only you could have marked it that way. Apple doesn't amend or contribute to these posts. But I will continue to follow this post and help wherever I can.


What I am hoping for from the two links I gave you is their suggestions as to how their facility can help you. They will almost certainly be aware of the bug.


What their facility does do is to dig through all your files to find anything which is connected to the key words, phrases, sequences that you feed into it. You can then delete what it finds. It takes but a minute vestige of a bug in your system for it to be recognised and act as a trigger under certain circumstances.


I do hope they will respond to your request for help.

Jan 26, 2014 3:33 AM in response to tpwilson

tpwilson: is that solution still working? If so, many thanks for the info.


With dozens of web links on my desktop for instant access (so much quicker for me than all that fancy Bookmarks fiddling), I'm not keen to zap everything with a drastic Safari Reset + Cache clearance unless this action works and stays worked!


But if it has held, I'll go for it. Just deleting linkbucks.com (cache), linkbucksmedia.com (cache), linkbucksdns.com (cache and cookie), also ultrafiles.net certainly didn't - they were immediately reloaded, so this virus is presumably hiding somewhere deeper.


seventy one: many thanks for persevering with me - on Monday I'll follow up on the file finder apps you kindly linked and explained, if tp's solution doesn't fix it.


Meanwhile, for anyone still struggling with this problem, I find it is possible to get into a hijacked site by deleting the bit of the url they insert, which in my case starts ultrafile.net immediately after the http://, but that has to be done each time one changes address.
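Added example, not part of any post in this thread: the manual workaround above (deleting the inserted prefix) automated over a saved copy of an affected page, so you can see which links were rewritten and through which hosts. The wrapper shape `/<token>/url/<original URL>` is inferred from the single link quoted in the first post; the sample HTML is constructed and `example.org` is a placeholder.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed wrapper shape, taken from the one link quoted in the first post:
#   http://<wrapper host>/<token>/url/<original absolute URL>
WRAPPED = re.compile(r"^https?://[^/]+/[^/]+/url/(?P<orig>https?://.+)$", re.I)

def unwrap(url, max_depth=5):
    """Peel wrappers; return (original_url, [wrapper hosts, outermost first])."""
    url, hosts = url.strip(), []
    for _ in range(max_depth):
        m = WRAPPED.match(url)
        if not m:
            break
        outer = urlsplit(url).hostname
        if outer == urlsplit(m.group("orig")).hostname:
            break  # a site's own redirector, not a third-party wrapper
        hosts.append(outer)
        url = m.group("orig")
    return url, hosts

class HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in a saved page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(html):
    """Split a page's links into clean and rewritten; count wrapper hosts."""
    collector = HrefCollector()
    collector.feed(html)
    report = {"clean": [], "rewritten": {}, "wrappers": Counter()}
    for href in collector.hrefs:
        orig, hosts = unwrap(href)
        if hosts:
            report["rewritten"][href] = orig
            report["wrappers"].update(hosts)
        else:
            report["clean"].append(href)
    return report

# Constructed sample page, modelled on the link in the first post.
SAMPLE_HTML = """
<a href="http://www.ultrafiles.net/7cc02b3a/url/http://uk.advfn.com/cmn/fbb/thread.php3?id=29793328">thread</a>
<a href="https://example.org/help">help</a>
<a href="http://example.org/go/url/http://example.org/page">own redirector</a>
"""
```

Running `triage` on the same page saved from two different network connections shows whether the rewriting follows the machine or the network.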

Jan 26, 2014 6:23 AM in response to Titusmac

There are many possible explanations for this problem, including adware, DNS cache poisoning, your wireless router being hacked, etc. Deleting LinkBucks cookies or clearing your browser's cache will not solve the problem. If the problem went away following such an action, the problem was likely solved independently (such as the DNS server being fixed) and flushing the cache caused the fix to take effect immediately.


If the problem recurs, see Eliminating browser redirects and advertisements.

Jan 26, 2014 11:47 AM in response to thomas_r.

Thanks thomas_r.


I've read that "Eliminating..." piece several times already. I'm not a computer software mechanic and suspect that to struggle with DNS settings etc. could get me into worse trouble than this weblinks referral virus is causing. I HAVE to keep my computer operational online on https links and vital realtime dealing platforms for the next two months until I return to the UK and anything that risks disabling it further is to be avoided at all costs.


The evidence that LinkBucks has been around since at least March 2012 and we only have general tinkering measures recommendations rather than a dedicated fix for this particular virus mystifies me, but there it is.


seventy one: I've downloaded Easy Find (apparently) but "opening" it or getting it to do anything has defeated me. Clicking on the nice bunny image on my dock just produces something like a Finder (or is it a Search?) window titled EasyFind with a block of headed columns (Name, Created, Modified, Size, Kind, Where) - all rows empty. Cape Town is amongst the world's most primitive broadband environments - at 21.25 at night seemingly all the kids are still playing computer games, as I'm getting something between 15 and 50kbps at present, which hasn't helped - with the simplest website taking many minutes to load.


Tomorrow I'll ask my ISP about DNS poisoning, fwiw. There's no router, wireless or otherwise, between my computer and the wireless receiving dish on my outside wall, as previously noted, so they alone know how that works. I can see the IP Address, Router and DNS Server codes on my computer, so will take it from there.


I'd still love to know if tpwilson's cure has held, for him on his system. He's departed into the sunset, so perhaps it has...(?). Having spent all afternoon laboriously copying my desktop web links into a text file I am at least prepared to follow his lead with a full Safari reset, but if that also failed to dislodge LinkBucks and its lackey ultrafiles.net I would not be happy, so confirmation would be greatly appreciated.

Jan 26, 2014 12:03 PM in response to Titusmac

This morning the virus reappeared, so I repeated the procedure except this time I reset my wife's Safari browser as well. Something like this:


Unplug wireless router equipment

reset Safari (macbook), shut down

reset Safari (ipad), shutdown

wait ten minutes

Plug router back in

reboot macbook

reboot ipad


So far, so good, everything has returned to normal. Went to the appstore and downloaded the free version of Bitdefender (painful for me, I like to brag to all my PC buddies about how virus software is not needed with OSX), ran a full scan, it found and deleted this:


"Worm.Generic.24461 ... /Users/[name]/Library/Mail Downloads/mail.doc...pif"


Not sure if that's what caused it, but it's like that brown spot that showed up on my cheek last year... it doesn't belong there, so I had it removed.


I'm guessing this is a virus that lodged itself on my computer then spread to my wife's ipad through the router. So when I cleared my cache the first time it took a day or so to reappear, migrating from the ipad back to me. Hopefully now it's gone, however I haven't virus-scanned the ipad yet.


Come to think of it, it's probably better to do the virus scan while the router is disconnected... I'll try this route if it reappears.

Jan 26, 2014 12:16 PM in response to tpwilson

"Worm.Generic.24461 ... /Users/[name]/Library/Mail Downloads/mail.doc...pif"


That's not Mac malware, it's Windows malware that arrived attached to an e-mail message in Mail. It's definitely not causing the problem.


I missed the fact that your wife's iPad is having the same problem. There is no known malware capable of infecting an iPad that hasn't been jailbroken, and even if you had a jailbroken iPad, there's no malware at all capable of infecting both a Mac and an iPad. So, the fact that you're having the problem on these two devices pretty firmly points the finger at your network. It simply cannot be anything else... however these two devices are connecting to the internet, that network connection has been compromised somehow. If the same problem occurred at a nearby Starbucks, it may be a large-scale problem affecting your area, or the Starbucks may be using the same local ISP that you are.

Jan 26, 2014 12:53 PM in response to thomas_r.

That Starbucks is 30 miles from here, and they use ATT. My ISP is Wisprenn, a local outfit that buys their access from Comcast. So, not the same ISP. My daughter in law also uses Wisprenn, but has had no problem (she runs a PC with a virus checker).


Here's another interesting tidbit: My homepage is set to Google.com. When the virus is operating, the google homepage does not load. You can browse and click links on Yahoo or Wikipedia without a problem. So I'm guessing it only affects web pages that use Google advertising links. Google adwords or something like that.
