Here is what I just wrote and sent to [email protected]. It explains what I experienced.
"Hi. Something happened to me twice today that is extremely suspicious and troubling.
In Chrome, I have a tab open to my channel page. I went to refresh the page after being idle for an hour or so because I wanted to see who is casting on the top bar. Instead of refreshing, I got redirected to a page with this URL: http://javaapx.com/us/down.php?sid=35&dv1=ad33-us&uuid=532ce73b-b80c-4273-5003-xxxxxxxxxxxx [author note: full ID redacted]
(The uuid number changed when it happened the second time.) I got a popup message saying I needed to update my Java to Version 7 Update 25. (Note that I am already using the current version which is Version 7 Update 67.) So why is it wanting to "update" me to an old version? I closed the dialog box with the "x" in the upper corner, whereupon the page downloaded a file called java_installer.exe without my permission to do so.
I did a scan with Windows Defender and with Malwarebytes. Neither scan indicated a problem. Nonetheless, I'm certainly not going to run a file like this, downloaded without my OK from a site I'd never heard of. (Actually, after this happened the first time, I went to the Java Control Panel applet and did my own Java update. I think it moved me from Update 65 to Update 67. When this happened the 2nd time, obviously I already had the official update.) I sent the downloaded file to the recycle bin both times.
The other thing that is interesting is that the javaapx.com redirect erased the history from the tab I was on. I couldn't "go back" to my previous URL, which was vaughnlive.tv/gil_on_vl. That alone is suspicious.
My thinking is that some bad actor has slipped in an advertisement on vaughnlive.tv that contains this rogue malware. If this happened to me twice, it might be happening to other vaughnlive users who aren't as cautious as I am when it comes to things like this. Note that I have AdBlock Plus turned OFF for the vaughnlive.tv domain, so I do see the advertisements.
I attached a screenshot of the page that came up immediately after I refreshed my gil_on_vl page.
Is there any way you can look into this? This might be a big problem for some people."
Here is the page I was redirected to. (Looking at it more closely now, I notice that "andacceptedthe" is all run together. Things like this are a tip-off that the page isn't legit.)