Chrome Hijack - Fake Java Update Popup (javaistlau)

[AgoutiByte]

Hello,

 

I've picked up a very stealthy fake java update hijack in Google Chrome. While browsing, it randomly redirects to javaistlau.com/index.html?sid=19&aff_sub=ad17-au&uuid=[long dash separated hex string, unique with each event].

 

From the usual looking java screen It downloads (without prompt) a .exe from istplayer.com and then redirects to an Asian dating site via seth.avazutracking.net, for which I didn't get the URL (my Chrome history was slightly mangled by a reinstall).

 

The problem does not appear to affect Internet Explorer 11.

 

While everything currently installed is 'legit', I have previously installed a cracked game (see the ESET Online Scan entry). It was run inside of a sandbox and I foolishly thought that was sufficient protection. If that was the origin, it has taken several months to start showing symptoms. I would say this was karma, but I bought it after trying it out.

 

I've added HOSTS entries for the sites listed above to help mitigate the issue until it is fixed.

 

 

What I have tried, in approximate chronological order

:

MalwareBytes Anti-Malware (0 threats found)

Adware Cleaner                    (Chrome extension removed)

Kaspersky Security Scan      (0 threats,vulns: java (updated) and FoxIt PDF (uninstalled))

ESET Online Scan                 (Deleted 1 dll - Win32/VMProtect.AAD)

TDSS Killer                            (0 threats found)

RKill                                       (0 threats found)

ComboFix                              (0 threats found)

JRT                                        (0 threats found)

HitmanPro x64                       (0 threats found)

ESET NOD32 full scan          (0 threats found)

SuperAntiSpyware                 (52 tracking cookies)

Malwarebytes Anti-Rootkit     (0 threats found)

 

I have removed all Chrome extensions. I cannot see anything suspicious in ProcessExplorer, and none of the running processors had a return from VirusTotal.

I then completely uninstalled Chrome, including all history/extensions/so forth, and reinstalled from the web. I unchecked syncing extensions and apps.

 

Whilst uTorrent is installed, it is completely disabled.

 

Incidentally, I can't paste anything into this editor using IE11 - CTRL-V, right click Paste, and the paste shortcuts (after the IE permissions popup) all do nothing.

 

 

FRST.txt

Addition.txt

[TwinHeadedEagle]

Read this first --> https://forums.malwarebytes.org/index.php?/topic/97700-piracy/

[AgoutiByte]

Topic was read prior to posting, hence why I explicitly referred to both uTorrent and the EDET Online Scan result. If desired I can uninstall uTorrent before proceeding, but I do use it for legitimate purposes.

[TwinHeadedEagle]

Why did you use ComboFix even after millions of warning this tool shouldn't be run without experts's guidance?

 

I would like to see ComboFix report.

[AgoutiByte]

Apologies, I didn't see those warnings - I was following the instructions given to someone who had something which had sounded similar (desperation may have played a part). I clearly should of posted here a lot earlier instead of leaving it as a last resort. I appreciate your expertise, and didn't mean to sound as brusque as I think I may have in my second post.

 

While I haven't changed anything since my first post, a number of things were changed since ComboFix was run - from memory, Punkbuster was uninstalled (no games I still play use it) and MSE was replaced with NOD32. Kaspersky Scan Free has been on and off a few times.

ComboFix2.txt

[TwinHeadedEagle]

Scan with Malwarebytes' Anti-Malware
 
Please re-run Malwarebytes' Anti-Malware.

• First of all, select update.
• Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
• Click the Scan tab, choose Threat Scan is checked and click Scan Now.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the newest Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

[AgoutiByte]

Log attached, no threats found.

MBAM.txt

[AgoutiByte]

Apologies, I had enabled Scan for Rootkits when I scanned previously, but it was off for that scan. Re-enabled and re-scanned.

MBAM2.txt

[TwinHeadedEagle]

Do you still have this problem, PC seems clean.

[AgoutiByte]

Yes, I believe so. It occurred twice this morning, and I have not done anything which would have removed it in the intervening time. I suppose the next step is a format and fresh install?

[TwinHeadedEagle]

Try to reset your router.

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!