Reputation: 229
If I visit github.com or any other website, the following HTTP request will be sent (as cURL):
curl 'http://loadingpages.me/jo/is?id=06EABEDF-9511-5AC0-B879-56F132D94E21&d=3168a8ab-1bcf-41ba-a65d-762b1336fdca&cl=upd' -H 'Referer: https://github.com/' --compressed
The DNS response is as follows:
$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> loadingpages.me
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: loadingpages.me
Address: 130.117.78.138
Upvotes: 2
Views: 2926
Reputation: 1
Also, try to find in the ~/Library/Caches/org.nn.updater/fsCachedData/ directory a strange file with loadingpaqes.info inside. I removed this file too.
Upvotes: 0
Reputation: 10554
You are infected by malware, one which I encountered here. You'll be happy to know Apple is currently taking no steps whatsoever to remove it from your computer through security updates nor prevent it from contacting loadingpages.me without your consent.
Data which is sent to that address may include whatever the malware has been able to gather: a virus that I found together with this one included Safari, Firefox and Chrome web data backups in what it was sending home (this might include cookies and browsing history).
You have to run an antivirus immediately, though that may be insufficient if this virus has gone unreported. I recommend Malwarebytes or Sophos AV.
Upvotes: 2
Reputation: 11242
It's some kind of malware. Check out the ~/Library/ and ~/Library/LaunchAgents directories for some strange scripts/apps. By strange I mean weird and unexpected names.
Upvotes: 1
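The checks suggested in the answers above can be run from Terminal. This is an added example, not part of any post: a shell function that searches the per-user LaunchAgents directory and the cache directory named in the thread for the two domains quoted there. The function name scan_dirs and the use of grep are assumptions of this example.

```shell
#!/bin/sh
# Domains quoted in the posts above, copied exactly as written there.
INDICATORS='loadingpages.me loadingpaqes.info'

# scan_dirs DIR...   (hypothetical helper name, not from the thread)
# Print "indicator<TAB>path" for every file under the given directories
# that contains one of the indicator strings.
scan_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue            # skip locations that are absent
        for ioc in $INDICATORS; do
            # -r recurse, -l file names only, -i ignore case,
            # -F literal string, so "." is not treated as a wildcard.
            grep -rliF -e "$ioc" -- "$dir" 2>/dev/null |
            while IFS= read -r path; do
                printf '%s\t%s\n' "$ioc" "$path"
            done || true                     # no match is not an error
        done
    done
    return 0
}

# With no arguments, scan the locations named in this thread;
# otherwise scan the directories given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
else
    scan_dirs "$HOME/Library/LaunchAgents" \
              "$HOME/Library/Caches/org.nn.updater/fsCachedData"
fi
```

A hit only identifies a file to inspect. Strings stored compressed or encoded will not match, so an empty result does not show the machine is clean.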