Posted

Hey there,

Ever since this morning, I have been getting multiple pop-ups from LiveGrid informing me of files being sent, while I am not downloading anything and my browsers have only the usual stuff (YouTube, WhatsApp, Twitter) and some work websites.

They all lead to hXXps://nmimatrme.com/en/ with a random string attached. I pinged it with VirusTotal and it showed infected files having contacted with it. Sucuri does not give me any more information. Alongside these, I get a similar notification but for ssl_cert.dat but not as often.

I have not downloaded anything (I was actually asleep when the first warning happened), always check stuff before opening and send to VirusTotal, not running any weird extensions (uBlock, Dark Reader, Privacy Badger, ESET's own Browser add-on, NordPass) and I'm on NordVPN via its own software. I do have its Threat Protection Pro features enabled should it be related.

The URLs do not appear on filtered websites, so I have been unable to pinpoint the process spawning them.

I have scanned my PC (I do scheduled scans every day), did a quick check with MalwareBytes too, nothing detected/found. I have collected a log via ESET Log Collector but I'm unsure if it's safe to attach or it would be best to send via DMs.

  • Administrators
Posted

The domain / IP address is adware related and should be blocked as long as you have detection of potentially unwanted applications enabled. You can upload ELC logs here since only ESET staff can access them and they will be deleted after some time.

Posted
1 hour ago, kwq9101 said:

They all lead to hXXps://nmimatrme.com/en/ with a random string attached.

If you use the uBlock Origin extension, it will block this domain prior to web page rendering.

Posted (edited)

  

18 minutes ago, Marcos said:

The domain / IP address is adware related and should be blocked as long as you have detection of potentially unwanted applications enabled. You can upload ESET Log Collector logs here since only ESET staff can access them and they will be deleted after some time.

 

Hey there,

Thank you so much for the quick response. I have attached the ESET Log Collector logs down below as requested.

Regarding the blocking, I don't see it appear on Filtered Websites but I haven't tried to directly go to the source either. Plenty of others but those I do know where they come from and just skipped the websites afterwards.

I have also run another AV online scanner and nothing seems to have appeared.

I did notice one of the filtered websites pointed to ldrescdn, which is a CDN for LD Player, an Android emulator that I used to use and ESET did mark as PUA back in the day. Found out there was still a .sys file for it under its folder alongside a bunch of other files. Booted into safe mode, deleted it and it seems that no more sent files alerts are popping up, so I would not be surprised if that was the cause.

I just got the same message now. Six files sent.

I did submit said .sys file to ESET for you guys to check just in case.

@itman

I did see it is under EasyList when I did some Google Search on the domain. Did not even try to open it just in case it had some drive-by issue or the likes.

 

essp_logs.zip

Edited by kwq9101
Added reply to user.
Posted (edited)

Apologies for the double post. I was getting an error when trying to add the extra zip file.

Browser Protection did have entries now:

The first ID does not appear on the Chrome Store, the other two do.
Extension ID: nmmhkkegccagdldgiimedpiccmgmieda - Three times <- I see on a quick search it is related to Google Wallet?

Extension ID: ljglajjnnkapghbckkcmodicjhacbfhk - Three times <- This links to Power Automate (I do not have it installed)

Extension ID: fjoaledfpmneenckfbpdfhkmimnjocfa - Three times <- This links to NordVPN

I have attached a new entry of logs taken right after the issue happened.

essp_logs2.zip

Edited by kwq9101
  • Administrators
Posted

I would suggest disabling all Chrome extensions and re-enabling them one by one until you narrow it down to the one which triggers the url blocks.

You may also want to review site permissions under Privacy and security -> Site settings. Also make sure that sync is turned off.

 

Posted (edited)
4 hours ago, Marcos said:

I would suggest disabling all Chrome extensions and re-enabling them one by one until you narrow it down to the one which triggers the url blocks.

You may also want to review site permissions under Privacy and security -> Site settings. Also make sure that sync is turned off.

 

Hey there,

I tried with everything disabled and like clockwork, 2h after the last attempt I got a bunch of files sent and half an hour later, a bunch more.

It happened again with Chrome and Brave closed, so it must be something else connecting but the Sent Files log only tells me the URL, not the local address of the file.
I haven't got any new entries to Browser Protection nor Filtered Websites, I'm only getting the sent files warning.

Given the files are being sent, can I assume they are not being executed at least?

Edited by kwq9101
  • Administrators
Posted

The reason why you are getting notifications about sent files is that you have enabled the appropriate desktop notification:

image.png

Since the JavaScript on the site is slightly different each time you access the site, it's sent out repeatedly because it resembles JS/Adware.ClickAdu:

image.png

The domain has now been blocked as PUA. It's already on some ad blacklists too.

 

Posted (edited)
6 hours ago, Marcos said:

The reason why you are getting notifications about sent files is that you have enabled the appropriate desktop notification:

image.png

Since the JavaScript on the site is slightly different each time you access the site, it's sent out repeatedly because it resembles JS/Adware.ClickAdu:

image.png

The domain has now been blocked as PUA. It's already on some ad blacklists too.

 

Hey there,

Thank you so much for all the answers, really appreciate it.

I do know about the notifications, it's just me worrying about what is causing these files to even be present on my PC. Given the event happens even with Chrome and Brave closed, I assume it is related to another application on my computer so I guess it's time to see if I can find which one is connecting to that URL.

I got another notification with the hxxps://chiamfxz.com/en/ domain on it which also has the same serving IP as the others, I just blocked those IPs on ESET Firewall just in case. It's reported as a phishing URL by Yandex on VirusTotal.


Is there any way ESET can tell me which process is spawning these files? When checking under Logs -> Sent Files, I only get to see the URL of the file being sent, not what process tried to access it or similar.

Edited by kwq9101
  • Administrators
Posted
40 minutes ago, kwq9101 said:

I got another notification with the hxxps://chiamfxz.com/en/ domain on it which also has the same serving IP as the others, I just blocked those IPs on ESET Firewall just in case. It's reported as a phishing URL by Yandex on VirusTotal.

This one should have been blocked since it resolves to 94.242.247.32 which has been on the PUA blacklist for several months and you have PUA detection enabled. Could you check if it doesn't resolve to a different IP address on your machine? Nevertheless, I'd recommend removing all extensions from Chrome and adding them back one by one to identify the one accessing the blocked servers.

Posted (edited)
12 minutes ago, Marcos said:

This one should have been blocked since it resolves to 94.242.247.32 which has been on the PUA blacklist for several months and you have PUA detection enabled. Could you check if it doesn't resolve to a different IP address on your machine? Nevertheless, I'd recommend removing all extensions from Chrome and adding them back one by one to identify the one accessing the blocked servers.

Hey there,

Trying nslookup 94.242.247.32 does not resolve with my rules on the firewall setup. Without them active, I get:

Server:  UnKnown
Address:  103.86.96.100

Name:    92-242-247-32.broadband.mtnet.hr
Address:  92.242.247.32

First one I believe is from NordVPN, since that is a PacketHub IP. But it is resolving.

I will remove all extensions again. I tried yesterday, did not seem to have any effect. I did clean all my cache, cookies, site settings and turned off the sync for those.

Edited by kwq9101
  • Administrators
Posted

What IP address does chiamfxz.com resolve to on your machine?

C:\>nslookup chiamfxz.com
Non-authoritative answer:
Name:    chiamfxz.com
Address:  94.242.247.32

Posted (edited)
12 minutes ago, Marcos said:

What IP address does chiamfxz.com resolve to on your machine?

C:\>nslookup chiamfxz.com
Non-authoritative answer:
Name:    chiamfxz.com
Address:  94.242.247.32

Hey there,

With NordVPN enabled

C:\Users\User>nslookup chiamfxz.com

Server:  UnKnown
Address:  103.86.96.100

Non-authoritative answer:
Name:    chiamfxz.com
Address:  94.242.247.32

Without NordVPN enabled

C:\Users\User>nslookup chiamfxz.com

Server:  www.routerlogin.net
Address:  192.168.1.1

Non-authoritative answer:
Name:    chiamfxz.com
Address:  94.242.247.32

Despite having the firewall rules supposedly blocking that IP the lookup went without a hitch. I'm starting to get worried 😅

A few minutes ago, I did get the nmimatrme.com domain on sent files too.

Edited by kwq9101
  • Administrators
Posted

It's normal that DNS lookup works, you don't want to block the communication with your DNS servers, only access to chiamfxz.com. That should have been blocked by ESET for about 2 hours already.

image.png

Posted (edited)
6 minutes ago, Marcos said:

It's normal that DNS lookup works, you don't want to block the communication with your DNS servers, only access to chiamfxz.com. That should have been blocked by ESET for about 2 hours already.

image.png

Hey there,

I really owe you snacks for all the help.

I get the exact same page when trying to visit the website, so that's a relief at least.

I also get that same page when going to the nmimatrme.com after ignoring the warning from uBlock (only extension I'm testing right now and seeing if it's causing the Sent Files issue)

Edited by kwq9101
Posted (edited)

Hey there,

I have been checking and uninstalling things I thought could be related to the issue which remains and no dice yet.
I did notice that this happens right at logon, so I assume it is a startup program. Four sent files as soon as I logged into my user account.
Other than doing binary search, would it be possible with ESET to find out the culprit?

Edited by kwq9101
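The question asked twice in this thread (which local process is reaching the flagged servers, and whether it can be found without a binary search of startup programs) can be answered on the machine itself with a short PowerShell watch loop. This is an added example, not ESET's tooling and not code from any participant: it resolves the two domains named in the thread, adds the 94.242.247.32 address Marcos quoted, then polls the TCP connection table and prints the owning process, its path, command line and parent for every connection to one of those addresses. `$PollSeconds` and `$DurationMinutes` are assumed, adjustable values; run it in an elevated PowerShell, ideally started at logon since the poster observed the sends right after signing in.

```powershell
# Added example (not from the thread or from ESET): report which process opens
# outbound TCP connections to the addresses the thread identifies.
# $Domains and $KnownBadIp come from the thread; the timing values are assumptions.
$Domains         = @('chiamfxz.com', 'nmimatrme.com')
$KnownBadIp      = '94.242.247.32'
$PollSeconds     = 2     # assumed poll interval
$DurationMinutes = 30    # assumed watch window

# Resolve the domains locally so the watch list reflects what THIS machine sees
# (the thread shows the answer can differ with and without the VPN's resolver).
$Watch = @($KnownBadIp)
foreach ($d in $Domains) {
    try {
        $Watch += (Resolve-DnsName -Name $d -Type A -ErrorAction Stop |
                   Where-Object QueryType -eq 'A').IPAddress
    } catch {
        Write-Warning "Could not resolve $d : $($_.Exception.Message)"
    }
}
$Watch = $Watch | Sort-Object -Unique
Write-Host "Watching outbound connections to: $($Watch -join ', ')"

$Seen     = @{}                       # de-duplicate repeated sightings
$Deadline = (Get-Date).AddMinutes($DurationMinutes)
while ((Get-Date) -lt $Deadline) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $Watch -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $key = "$($c.OwningProcess)|$($c.RemoteAddress)|$($c.RemotePort)"
        if ($Seen.ContainsKey($key)) { continue }
        $Seen[$key] = $true

        # Win32_Process gives path, command line and parent; the process may
        # already have exited by the time we look it up, hence the fallbacks.
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue
        $parent = if ($proc) { Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue }
        [PSCustomObject]@{
            Time        = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            State       = $c.State
            PID         = $c.OwningProcess
            Process     = if ($proc) { $proc.Name } else { '<exited>' }
            Path        = if ($proc) { $proc.ExecutablePath } else { '' }
            CommandLine = if ($proc) { $proc.CommandLine } else { '' }
            ParentPID   = if ($proc) { $proc.ParentProcessId } else { '' }
            Parent      = if ($parent) { $parent.Name } else { '' }
        } | Format-List | Out-String | Write-Host
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Two caveats worth knowing before trusting the output. Polling can miss a connection that ESET resets within a fraction of a second; if the loop sees nothing while the Sent Files entries keep appearing, enable Windows Filtering Platform connection auditing (`auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable`) and read Security event ID 5156, which records the application path for every permitted connection without polling. And a browser-less connection can still originate from a helper process (an updater, a tray application or a scheduled task), so the Parent and CommandLine fields are usually more telling than the process name alone.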
Posted (edited)
On 11/8/2024 at 6:41 AM, kwq9101 said:

Without NordVPN enabled

C:\Users\User>nslookup chiamfxz.com

Server:  www.routerlogin.net
Address:  192.168.1.1

Non-authoritative answer:
Name:    chiamfxz.com
Address:  94.242.247.32

Something strange here regarding the domain shown in the Server output from nslookup. It should be showing a DNS server domain associated with your ISP. Instead it is showing the domain used to log on to your NetGear router GUI: https://www.netgear.com/hub/technology/router-login-page/ .

Edited by itman
