kwq9101, posted November 7:

Hey there,

Since this morning I have been getting multiple pop-ups from LiveGrid informing me of files being sent, while I am not downloading anything and my browsers have only the usual stuff (YouTube, WhatsApp, Twitter) and some work websites. They all lead to hXXps://nmimatrme.com/en/ with a random string attached. I pinged it with VirusTotal and it showed infected files that had contacted it. Sucuri does not give me any more information. Alongside these, I get a similar notification for ssl_cert.dat, but not as often.

I have not downloaded anything (I was actually asleep when the first warning happened), I always check stuff before opening and send it to VirusTotal, I'm not running any weird extensions (uBlock, Dark Reader, Privacy Badger, ESET's own browser add-on, NordPass), and I'm on NordVPN via its own software. I do have its Threat Protection Pro features enabled, should that be related. The URLs do not appear on Filtered Websites, so I have been unable to pinpoint the process spawning them. I have scanned my PC (I do scheduled scans every day) and did a quick check with Malwarebytes too; nothing detected/found.

I have collected a log via ESET Log Collector but I'm unsure whether it's safe to attach or whether it would be best to send it via DMs.
Marcos (Administrator), posted November 7:

The domain / IP address is adware related and should be blocked as long as you have detection of potentially unwanted applications enabled. You can upload ELC logs here, since only ESET staff can access them and they will be deleted after some time.
itman, posted November 7:

Quoting kwq9101 (1 hour ago): "They all lead to hXXps://nmimatrme.com/en/ with a random string attached."

If you use the uBlock Origin extension, it will block this domain prior to web page rendering.
kwq9101 (author), posted November 7 (edited):

Quoting Marcos (18 minutes ago): "The domain / IP address is adware related and should be blocked as long as you have detection of potentially unwanted applications enabled. You can upload ESET Log Collector logs here since only ESET staff can access them and they will be deleted after some time."

Hey there,

Thank you so much for the quick response. I have attached the ESET Log Collector logs down below as requested.

Regarding the blocking, I don't see it appear on Filtered Websites, but I haven't tried to go directly to the source either. Plenty of others do appear, but those I do know where they come from and I just skipped the websites afterwards. I have also run another online AV scanner and nothing seems to have appeared.

I did notice one of the filtered websites pointed to ldrescdn, which is a CDN for LD Player, an Android emulator that I used to use and that ESET did mark as PUA back in the day. I found out there was still a .sys file for it under its folder, alongside a bunch of other files. I booted into safe mode and deleted it, and it seems that no more "sent files" alerts are popping up, so I would not be surprised if that was the cause. I just got the same message now. Six files sent. I did submit said .sys file to ESET for you guys to check, just in case.

@itman I did see it is under EasyList when I did some Google searching on the domain. I did not even try to open it, in case it had some drive-by issue or the like.

Attachment: essp_logs.zip

Edited November 7 by kwq9101: Added reply to user.
kwq9101 (author), posted November 7 (edited):

Apologies for the double post. I was getting an error when trying to add the extra zip file.

Browser Protection did have entries now. The first ID does not appear on the Chrome Store; the other two do.

    Extension ID: nmmhkkegccagdldgiimedpiccmgmieda - three times <- on a quick search this is related to Google Wallet?
    Extension ID: ljglajjnnkapghbckkcmodicjhacbfhk - three times <- this links to Power Automate (I do not have it installed)
    Extension ID: fjoaledfpmneenckfbpdfhkmimnjocfa - three times <- this links to NordVPN

I have attached a new set of logs taken right after the issue happened.

Attachment: essp_logs2.zip

Edited November 7 by kwq9101
Marcos (Administrator), posted November 7:

I would suggest disabling all Chrome extensions and re-enabling them one by one until you narrow it down to the one which triggers the URL blocks. You may also want to review site permissions under Privacy and security -> Site settings. Also make sure that sync is turned off.
kwq9101 (author), posted November 7 (edited):

Quoting Marcos (4 hours ago): "I would suggest disabling all Chrome extensions and re-enabling them one by one until you narrow it down to the one which triggers the url blocks. You may also want to review site permissions under Privacy and security -> Site settings. Also make sure that sync is turned off."

Hey there,

I tried with everything disabled and, like clockwork, 2h after the last attempt I got a bunch of files sent and half an hour later a bunch more. It happened again with Chrome and Brave closed, so it must be something else connecting, but the Sent Files log only tells me the URL, not the local address of the file. I haven't got any new entries in Browser Protection or Filtered Websites; I'm only getting the sent files warning.

Given that the files are being sent, can I assume they are at least not being executed?

Edited November 7 by kwq9101
Marcos (Administrator), posted November 8:

The reason why you are getting notifications about sent files is that you have enabled the appropriate desktop notification:

Since the JavaScript on the site is slightly different each time you access the site, it's sent out repeatedly because it resembles JS/Adware.ClickAdu:

The domain has now been blocked as PUA. It's already on some ad blacklists too.
kwq9101 (author), posted November 8 (edited):

Quoting Marcos (6 hours ago): "The reason why you are getting notifications about sent files is that you have enabled the appropriate desktop notification: Since the JavaScript on the site is slightly different each time you access the site, it's sent out repeatedly because it resembles JS/Adware.ClickAdu: The domain has now been blocked as PUA. It's already on some ad blacklists too."

Hey there,

Thank you so much for all the answers, really appreciate it. I do know about the notifications; it's just me worrying about what is causing these files to even be present on my PC. Given that the event happens even with Chrome and Brave closed, I assume it is related to another application on my computer, so I guess it's time to see if I can find which one is connecting to that URL.

I got another notification with the hxxps://chiamfxz.com/en/ domain on it, which also has the same serving IP as the others; I just blocked those IPs in the ESET Firewall just in case. It's reported as a phishing URL by Yandex on VirusTotal.

Is there any way ESET can tell me which process is spawning these files? When checking under Logs -> Sent Files, I only get to see the URL of the file being sent, not what process tried to access it or similar.

Edited November 8 by kwq9101
Marcos (Administrator), posted November 8:

Quoting kwq9101 (40 minutes ago): "I got another notification with the hxxps://chiamfxz.com/en/ domain on it which also has the same serving IP as the others, I just blocked those IPs on ESET Firewall just in case. It's reported as a phishing URL by Yandex on VirusTotal."

This one should have been blocked, since it resolves to 94.242.247.32, which has been on the PUA blacklist for several months, and you have PUA detection enabled. Could you check whether it resolves to a different IP address on your machine? Nevertheless, I'd recommend removing all extensions from Chrome and adding them back one by one to identify the one accessing the blocked servers.
kwq9101 (author), posted November 8 (edited):

Quoting Marcos (12 minutes ago): "This one should have been blocked since it resolves to 94.242.247.32 which has been on the PUA blacklist for several months and you have PUA detection enabled. Could you check if it doesn't resolve to a different IP address on your machine? Nevertheless, I'd recommend removing all extensions from Chrome and adding them back one by one to identify the one accessing the blocked servers."

Hey there,

Trying nslookup 94.242.247.32 does not resolve with my rules active in the firewall setup. Without them active, I get:

    Server:  UnKnown
    Address:  103.86.96.100

    Name:    92-242-247-32.broadband.mtnet.hr
    Address:  92.242.247.32

The first one I believe is from NordVPN, since that is a PacketHub IP. But it is resolving.

I will remove all extensions again. I tried yesterday and it did not seem to have any effect. I did clear all my cache, cookies and site settings and turned off sync for those.

Edited November 8 by kwq9101
Marcos (Administrator), posted November 8:

What IP address does chiamfxz.com resolve to on your machine?

    C:\>nslookup chiamfxz.com
    Non-authoritative answer:
    Name:    chiamfxz.com
    Address:  94.242.247.32
kwq9101 (author), posted November 8 (edited):

Quoting Marcos (12 minutes ago): "What IP address does chiamfxz.com resolve to on your machine? C:\>nslookup chiamfxz.com Non-authoritative answer: Name: chiamfxz.com Address: 94.242.247.32"

Hey there,

With NordVPN enabled:

    C:\Users\User>nslookup chiamfxz.com
    Server:  UnKnown
    Address:  103.86.96.100

    Non-authoritative answer:
    Name:    chiamfxz.com
    Address:  94.242.247.32

Without NordVPN enabled:

    C:\Users\User>nslookup chiamfxz.com
    Server:  www.routerlogin.net
    Address:  192.168.1.1

    Non-authoritative answer:
    Name:    chiamfxz.com
    Address:  94.242.247.32

Despite having the firewall rules supposedly blocking that IP, the lookup went without a hitch. I'm starting to get worried 😅

A few minutes ago I did get the nmimatrme.com domain in sent files too.

Edited November 8 by kwq9101
Marcos (Administrator), posted November 8:

It's normal that the DNS lookup works; you don't want to block the communication with your DNS servers, only access to chiamfxz.com. That should have been blocked by ESET for about 2 hours already.
kwq9101 (author), posted November 8 (edited):

Quoting Marcos (6 minutes ago): "It's normal that DNS lookup works, you don't want to block the communication with your DNS servers, only access to chiamfxz.com. That should have been blocked by ESET for about 2 hours already."

Hey there,

I really owe you snacks for all the help. I get the exact same page when trying to visit the website, so that's a relief at least. I also get that same page when going to nmimatrme.com after ignoring the warning from uBlock (the only extension I'm testing right now, to see if it's causing the Sent Files issue).

Edited November 8 by kwq9101
kwq9101 (author), posted November 9 (edited):

Hey there,

I have been checking and uninstalling things I thought could be related to the issue, which remains; no dice yet. I did notice that this happens right at logon, so I assume it is a startup program. Four sent files as soon as I logged into my user account. Other than doing a binary search, would it be possible with ESET to find out the culprit?

Edited November 9 by kwq9101
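An added example, not from the thread and not ESET tooling, of how a Windows user can answer the question above themselves: poll the TCP table for the two addresses quoted in the thread, record the owning process and its parent, then list logon-time autostarts to match the observation that the alerts fire right after sign-in. It assumes Windows 10/11, PowerShell 5.1 or later, and an elevated prompt (so OwningProcess is populated for every socket); the output path is a placeholder.

```powershell
# Added example (not the thread's or ESET's code). Run as Administrator.
$SuspectIps  = @('94.242.247.32', '92.242.247.32')   # the two addresses quoted in the thread
$PollSeconds = 1                                     # a blocked connection lives only briefly, so poll fast
$RunMinutes  = 180                                   # bursts were reported roughly two hours apart
$LogFile     = Join-Path $env:USERPROFILE 'Desktop\adware-connections.csv'   # placeholder path

$seen     = @{}
$deadline = (Get-Date).AddMinutes($RunMinutes)
while ((Get-Date) -lt $deadline) {
    $hits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $SuspectIps -contains $_.RemoteAddress }
    foreach ($c in $hits) {
        # De-duplicate on (pid, remote ip, remote port) so each socket is reported once.
        $key = '{0}:{1}:{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the socket owner and its parent so a launcher -> helper chain is visible.
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        $parent = $null
        if ($proc) { $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" }
        $parentLabel = 'n/a'
        if ($parent) { $parentLabel = '{0} ({1})' -f $parent.Name, $parent.ProcessId }

        $row = [pscustomobject]@{
            Time        = Get-Date -Format 'o'
            Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State       = $c.State
            ProcessId   = $c.OwningProcess
            Process     = $proc.Name
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Parent      = $parentLabel
        }
        $row | Format-List | Out-String | Write-Host
        $row | Export-Csv -Path $LogFile -Append -NoTypeInformation
    }
    Start-Sleep -Seconds $PollSeconds
}

# Once a Path shows up, check whether it is registered to start at logon: Run keys and the
# Startup folders (Win32_StartupCommand) plus scheduled tasks that carry a logon trigger.
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location | Format-Table -AutoSize
Get-ScheduledTask |
    Where-Object { $_.Triggers.CimClass.CimClassName -contains 'MSFT_TaskLogonTrigger' } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
```

Polling can miss a connection that is reset within the same second; if nothing is caught, run the script from a logon-triggered scheduled task so it is already sampling when the burst happens, or enable process-to-network auditing (for example Sysmon event ID 3) and filter on the same addresses.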
itman, posted November 9 (edited):

Quoting kwq9101 (11/8/2024 at 6:41 AM): "Without NordVPN enabled C:\Users\User>nslookup chiamfxz.com Server: www.routerlogin.net Address: 192.168.1.1 Non-authoritative answer: Name: chiamfxz.com Address: 94.242.247.32"

Something strange here in regards to the domain being shown in the Server output from nslookup. It should be showing a DNS server domain associated with your ISP. Instead it is showing the domain used to log on to your NetGear router GUI: https://www.netgear.com/hub/technology/router-login-page/

Edited November 9 by itman