How to Remove FixMyComputer "Java" Malware Redirect: "Free Java Security Update (Required)"

Discussion in 'Windows Security' started by Mike, Aug 27, 2014.

    Problems: Your computer has been infiltrated with browser-redirection malware. This redirection malware often jumps you over to a fake Java website, which is a phishing scam. Once you arrive on this page (by clicking on a hyperlink and being redirected), do not click on anything on that page. The page will often look like this, telling you that "Your Current Java Is Outdated" and that a "Free Java Security Update (Required)" is available. The domain can be arbitrary, because the software infiltrates your system through purported freeware, such as video and audio decoders and encoders, obscure video editing software, coupon and savings software, etc.

    [Image: screenshot of the fake "Free Java Security Update (Required)" page]

    This may also be classified as a virus, because during installation it installs arbitrary extensions and plugins in your web browser, causing intentional malfunction in other applications. These extensions idle in your browser until (1) you fetch a new page or (2) you click on a hyperlink, at which point you are redirected to the Java malware website. It may also prompt you from the system tray to update Java when no such update is available. In Google Chrome, for example, the redirect to this site will never even appear in your History. It may be installed through crapware browser toolbars promoting discounts, etc.

    Solutions:

    You can blacklist [theoffendingwebsite.com] in your HOSTS file, which lives at C:\Windows\System32\Drivers\etc\hosts and can be opened in Notepad.

    Temporary Fix: How to Open and Edit the Hosts File:
    • Click Start (or, in Windows 8, search for Notepad) -> All Programs -> Accessories
    • Right-click Notepad and select Run as administrator
    • Allow the elevated privilege in the "Windows needs your permission" UAC window.
    • In Notepad, click File -> Open
    • Type C:\Windows\System32\Drivers\etc\hosts
    In the hosts file, you will see:

    Code:
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    Add at the bottom:

    Code:
    0.0.0.0 theoffendingwebsite.com # malware trap
    
    With "theoffendingwebsite.com" being the page you are being redirected to, such as "freejavaupdate.com" (do not go to that website!), adding this line to your HOSTS file will make the Java malware site unretrievable from your system.

    Keep in mind that editing the HOSTS file is a temporary solution.
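    The same HOSTS edit as a script, added here as an example (not from the original post): it refuses to run unelevated, backs the file up, skips names that are already blocked, flushes the resolver cache and then confirms the name now resolves to 0.0.0.0. The domain names at the bottom are placeholders for the site you are redirected to.

```powershell
# Added example, not from the original post: the HOSTS edit described above,
# done idempotently with a backup and a verification step. Run it from an
# elevated PowerShell prompt (Run as administrator). The domain names passed
# at the bottom are placeholders; substitute the site you are redirected to.
function Add-HostsBlock {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$Tag = 'malware trap'
    )
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $admin) { throw 'Open PowerShell with "Run as administrator" first.' }

    # Keep a timestamped copy so the entry can be reverted once the adware is gone.
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    $raw   = Get-Content -LiteralPath $HostsPath -Raw
    $lines = $raw -split "`r?`n"
    $new   = @()
    foreach ($d in $Domain) {
        # Only active (uncommented) entries count; a "# 0.0.0.0 site" line is not a block.
        $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)'
        if (-not ($lines -match $pattern)) { $new += "0.0.0.0 $d # $Tag" }
    }
    if ($new.Count -gt 0) {
        # If the file does not end with a newline, start a fresh line before appending.
        if ($raw -and -not $raw.EndsWith("`n")) { $new = @('') + $new }
        Add-Content -LiteralPath $HostsPath -Value $new -Encoding Ascii
    }

    # The resolver cache may still hold the real address; flush it.
    ipconfig /flushdns | Out-Null

    # GetHostAddresses goes through the system resolver, which honours the hosts file.
    foreach ($d in $Domain) {
        $ip = [System.Net.Dns]::GetHostAddresses($d) | Select-Object -First 1
        [pscustomobject]@{ Domain = $d; ResolvesTo = "$ip"; Blocked = ("$ip" -eq '0.0.0.0') }
    }
}

# Block the placeholder domain and its www. form (the redirect may use either).
Add-HostsBlock -Domain 'theoffendingwebsite.example', 'www.theoffendingwebsite.example'
```

Browsers keep their own DNS caches as well, so restart the browser after running this if the site still loads.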

    This adware/malware redirect will appear in your browser if you have installed any unusual software from potentially unwanted vendors and may masquerade as a real Java update. I personally recommend using Revo Uninstaller to take out anything related to "Converters", "MP4", "MP3", "Free", "Player", "Video" etc. There is then much work to be done.

    You will want to go into your Control Panel, Programs, and remove all unnecessary software from the system, including anything suspect. You will want to remove any and all updates listed as "Java" until such a time that you can eliminate the problem. The only place to get Java is at http://www.java.com. This will not change!

    Remove “Java Software Critical Update” Malware

    The goal of the malware website is likely to harvest personally identifiable information. You MUST perform the following operations:

    As indicated above, remove all suspect software from the system. Look for software that is unrecognized, unused, and unnecessary.

    Malwarebytes and Malwarebytes Pro should be run, but will not trace the problem.

    ESET Smart Security and possibly other anti-virus software will not detect the problem, but should be run.
    Use this guide: http://malwaretips.com/blogs/java-software-critical-update-removal/

    You MUST reset all of your web browsers using the guide above.
    You MUST download and run this software: ADW Cleaner

    * These are the two most important steps.


    ADW Cleaner will isolate the problem; once it has finished scanning, prompt it to Clean.

    Example of output text file from ADW Cleaner once it is done (crazy result at how this hides itself):

    Code:
    # AdwCleaner v3.308 - Report created 27/08/2014 at 14:35:41
    # Updated 20/08/2014 by Xplode
    # Operating System : Windows 8.1 Pro  (64 bits)
    # Username : X - X
    # Running from : C:\Users\X\Downloads\adwcleaner_3.308.exe
    # Option : Clean
    
    ***** [ Services ] *****
    
    
    ***** [ Files / Folders ] *****
    
    Folder Deleted : C:\Users\X\AppData\Local\DefineExt
    Folder Deleted : C:\Users\X\AppData\Local\eSupport.com
    
    ***** [ Scheduled Tasks ] *****
    
    
    ***** [ Shortcuts ] *****
    
    
    ***** [ Registry ] *****
    
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
    Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220222622278}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660266626678}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660266626678}
    Key Deleted : HKCU\Software\APN PIP
    Key Deleted : HKCU\Software\Cr_Installer
    Key Deleted : HKCU\Software\InstalledBrowserExtensions
    Key Deleted : HKLM\SOFTWARE\PIP
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
    
    ***** [ Browsers ] *****
    
    -\\ Internet Explorer v11.0.9600.17239
    
    
    -\\ Mozilla Firefox v31.0 (x86 en-US)
    
    [ File : C:\Users\X\AppData\Roaming\Mozilla\Firefox\Profiles\6dksk18t.default-1409164300051\prefs.js ]
    
    
    -\\ Google Chrome v36.0.1985.143
    
    [ File : C:\Users\X\AppData\Local\Google\Chrome\User Data\Default\preferences ]
    
    Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
    
    *************************
    
    AdwCleaner[R0].txt - [2769 octets] - [27/08/2014 14:33:21]
    AdwCleaner[S0].txt - [2573 octets] - [27/08/2014 14:35:41]
    
    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2633 octets] ##########
    
    
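    Since the report lists exactly what was removed, it doubles as a checklist for confirming after the reboot that nothing came back. The script below, an added example that is not from the original post or from AdwCleaner, parses the report format shown above and re-tests each deleted folder, registry key and Chrome extension. It assumes the standard per-user Chrome extensions directory and a 64-bit PowerShell session.

```powershell
# Added example, not from the original post or from AdwCleaner: turn the report
# above into objects and, after the reboot, check whether anything it deleted has
# come back. $sampleReport is an excerpt of the report quoted above; the Chrome
# extension directory is the standard per-user location and is an assumption here.
$sampleReport = @'
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\X\AppData\Local\DefineExt
Folder Deleted : C:\Users\X\AppData\Local\eSupport.com
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKCU\Software\InstalledBrowserExtensions
***** [ Browsers ] *****
Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
'@

function ConvertFrom-AdwCleanerReport {
    param([Parameter(Mandatory)][string]$Text)
    $section = ''
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\*{5} \[ (.+?) \] \*{5}$') { $section = $Matches[1]; continue }
        # "Folder Deleted : <path>", "Key Deleted : [x64] <key>", "Deleted [Extension] : <id>"
        if ($line -match '^(?<action>\S.*?Deleted.*?) : (?:\[(?<view>x64)\] )?(?<item>.+)$') {
            [pscustomobject]@{ Section = $section; Action = $Matches.action
                               View = $Matches.view; Item = $Matches.item }
        }
    }
}

function Test-AdwCleanerRemnants {
    # Emits only the items that still (or again) exist; no output means the cleanup held.
    # Run from 64-bit PowerShell so HKLM:\SOFTWARE is the same 64-bit view the [x64] keys use.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($e in ConvertFrom-AdwCleanerReport -Text $Text) {
        $path = switch -Regex ($e.Action) {
            '^(Folder|File)' { $e.Item; break }
            '^(Key|Value)'   { $e.Item -replace '^(HKLM|HKCU)\\', '$1:\'; break }
            'Extension'      { Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions\$($e.Item)"; break }
        }
        if ($path -and (Test-Path -LiteralPath $path)) { $e }
    }
}

ConvertFrom-AdwCleanerReport -Text $sampleReport | Format-Table Section, Action, View, Item
Test-AdwCleanerRemnants -Text $sampleReport
```

Feed it the real AdwCleaner[S0].txt with Get-Content -Raw instead of the excerpt; any item it prints has been recreated and points to software that was not fully removed.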
    You do not need Hitman Pro, as listed in the guide above at MalwareTips.com. This may be a product placement by them (unfortunately).

    It is now safe to re-install Java, only from http://www.java.com/
    During the installation of the LEGITIMATE version of Java, you may be prompted to install the ASK browser toolbar. You may want to elect NOT to install this crappy toolbar.

    Tips for the Future:

    Adware, malware, and these types of security problems pose an evolving and potentially dangerous threat to your security, data integrity, and privacy. Do not download any suspect software such as wildly unknown video converters, unnecessary toolbars or browser plugins/extensions, and certainly not any software whose vendor you cannot recognize as trustworthy. Do not click on links that do not make any sense to you. This is a phishing and malware scheme. Avoid it, and let me know if this resolves your issue.
    #1 Mike, Aug 27, 2014
    Last edited: Aug 27, 2014
