Jump to content

Recommended Posts

Hello,

 

I've picked up a very stealthy fake java update hijack in Google Chrome. While browsing, it randomly redirects to javaistlau.com/index.html?sid=19&aff_sub=ad17-au&uuid=[long dash separated hex string, unique with each event].

 

From the usual looking java screen It downloads (without prompt) a .exe from istplayer.com and then redirects to an Asian dating site via seth.avazutracking.net, for which I didn't get the URL (my Chrome history was slightly mangled by a reinstall).

 

The problem does not appear to affect Internet Explorer 11.

 

While everything currently installed is 'legit', I have previously installed a cracked game (see the ESET Online Scan entry). It was run inside of a sandbox and I foolishly thought that was sufficient protection. If that was the origin, it has taken several months to start showing symptoms. I would say this was karma, but I bought it after trying it out.

 

I've added HOSTS entries for the sites listed above to help mitigate the issue until it is fixed.

 

 

What I have tried, in approximate chronological order

:

MalwareBytes Anti-Malware (0 threats found)

Adware Cleaner                    (Chrome extension removed)

Kaspersky Security Scan      (0 threats,vulns: java (updated) and FoxIt PDF (uninstalled))

ESET Online Scan                 (Deleted 1 dll - Win32/VMProtect.AAD)

TDSS Killer                            (0 threats found)

RKill                                       (0 threats found)

ComboFix                              (0 threats found)

JRT                                        (0 threats found)

HitmanPro x64                       (0 threats found)

ESET NOD32 full scan          (0 threats found)

SuperAntiSpyware                 (52 tracking cookies)

Malwarebytes Anti-Rootkit     (0 threats found)

 

I have removed all Chrome extensions. I cannot see anything suspicious in ProcessExplorer, and none of the running processors had a return from VirusTotal.

I then completely uninstalled Chrome, including all history/extensions/so forth, and reinstalled from the web. I unchecked syncing extensions and apps.

 

Whilst uTorrent is installed, it is completely disabled.

 

Incidentally, I can't paste anything into this editor using IE11 - CTRL-V, right click Paste, and the paste shortcuts (after the IE permissions popup) all do nothing.

 

 

FRST.txt

Addition.txt

Link to post
Share on other sites

Apologies, I didn't see those warnings - I was following the instructions given to someone who had something which had sounded similar (desperation may have played a part). I clearly should of posted here a lot earlier instead of leaving it as a last resort. I appreciate your expertise, and didn't mean to sound as brusque as I think I may have in my second post.

 

While I haven't changed anything since my first post, a number of things were changed since ComboFix was run - from memory, Punkbuster was uninstalled (no games I still play use it) and MSE was replaced with NOD32. Kaspersky Scan Free has been on and off a few times.

ComboFix2.txt

Link to post
Share on other sites

51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware
 
Please re-run 51a46ae42d560-malwarebytes_anti_malware. Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
  • Click the Scan tab, choose Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.