slyman14 (Members)
Posts: 14
Reputation: 0 Neutral
  1. For info, this issue appears to have now been resolved. MysteryFCM has confirmed that Asus do use this IP address and also that it will be unblocked on MBAM shortly. Please see the thread below for full details / outcome: https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/
  2. Thanks Steven - that's great news. Really appreciate your help.
  3. Thanks for the really helpful step-by-step walkthrough, David. The small issue I've had is that I can't seem to run C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker.exe directly in its folder. The PC seems to think about it for a moment but nothing else happens, and MBAM doesn't present a blocked-IP pop-up. Perhaps it can only be run in conjunction with, or by, another ASUS application or service? To get round this I've tried to capture the MBAM traffic block at start-up by adding Wireshark to my startup items and starting capture as soon as I could - it was certainly recording for a while before the MBAM pop-up, so I hope I've caught the moment (though I couldn't see 168.95.1.1 in the IP list) - see attached ASUS1.pcap.zip. I also captured when I tried to manually run the exe as well, just in case - see attached ASUS2.pcap.zip. I hope this helps. Please let me know if there's anything else to try. Thanks again!
  4. Thanks David. I have downloaded Wireshark as instructed but can't see how to start it before the exe sends the traffic and MBAM blocks it. Please see the other thread in false positives for my response / request for further help. This is the assistance I referenced above - I'm somewhat stuck! Any advice you can provide (perhaps put on the other thread) would be very gratefully received! Thanks again, Slyman14
  5. Hi Daledoc1, thanks again for your comments, but I think the jury is still out on this to be honest... After starting the above thread I followed your suggestion and started a further thread in the Malware Removal Forum (including all the FRST files etc.). https://forums.malwarebytes.org/index.php?/topic/156488-outgoing-traffic-to-1689511-should-i-be-concerned/?hl=%2B168.95.1.1#entry875832 After I'd done this, I noticed that another user had posted the exact same problem just a few minutes before me... https://forums.malwarebytes.org/index.php?/topic/156486-possible-infection-malwarebytes-pro-blocking-access/?hl=%2B168.95.1.1 Before anyone replied to either of those threads, ggits posted a cause / solution in this thread (above). I've verified that disabling the executable by renaming it does (very easily) stop this problem with no discernible consequences. This works for ggits, me and hipraptor. The uncertainty seems to be whether this is a genuine ASUS executable or not, and therefore whether this traffic is malicious or not - the file appears to have been present for some time and it has only been very recently that MBAM has started to object to the traffic from it. Because of this I created a third (and hopefully final!) thread posing the question in the false positive (website blocking) forum: https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/?hl=%2B168.95.1.1#entry87603 MysteryFCM has stated that ASUS doesn't use this IP and suggested further diagnostics... which I've asked for separate assistance with. The niggle remains though that if this isn't a false positive (i.e. it is considered detrimental / malicious), and the executable is some form of malware, why are MBAM and other packages not identifying the executable as a threat? I would suggest that any interested parties follow the last thread in false positives and hopefully the experts there will help decide one way or the other.
Thanks for everyone's help though - all very much appreciated.
  6. Hi hipraptor, yeah, renaming the executable has the same effect - which I think suggests it's legitimate software rather than something malicious. The question for me is that this appears to be a longstanding ASUS executable but MBAM has only very recently started blocking its connection to 168.95.1.1. In my mind, there are likely only a few possible causes for this: i) the executable has been doing this for some time and the IP has only just recently been added to the MBAM malicious website list, or ii) the executable perhaps is now contacting this IP when it didn't previously (perhaps it's a secondary IP contact and the primary is no longer available?), or iii) it truly is malicious software and somehow the genuine Asus executable has been overwritten / replaced. The "man from Malwarebytes" says ASUS doesn't use 168.95.1.1, which would tend to exclude i) & ii) above, but my gut is that iii) is equally unlikely. Would be good to get to the bottom of this though! Thanks all
  7. Hello MysteryFCM - thanks for any assistance you can offer. It seems that a number of us are having this issue. I haven't updated the Asus software (the last modified date is 11/12/08) and from the solution / info posted by the other member on my first thread I assume the file is unchanged and has been happily sending traffic to this IP since install, but MBAM has only started objecting to this in the last few days? I am a bit of a newbie to all this but have downloaded Wireshark as instructed (though it is a little overwhelming in terms of options / functionality!). The problem I'm having is that this updater seems to send traffic once, immediately on start-up, which MBAM then blocks. Wireshark only seems to record when instructed (rather than launching from startup - unless I've missed an option?) so (once I've set the file name back to its original to start the problem again) I will inevitably miss that event, which I assume is what you're after? I can't seem to start Wireshark recording before the traffic is sent and blocked (if you see what I mean). I don't know whether this ASUS file continues to send traffic to 168.95.1.1 and I guess I could turn off MBAM and leave Wireshark running, but presumably this might be a single or very infrequent event and I might not capture anything of use?!? The user that suggested renaming this file explains how he tracked it down as the source of the problem on my first post - would it help if I supplied the .exe file to you for analysis? I have no reason to doubt it's anything other than a genuine ASUS executable... Any hints / tips on how to use Wireshark to capture what you are after? Thanks again for all your assistance, Slyman14
  8. Hi Callie14, I posted a thread minutes after you yesterday with exactly the same problem. I see you too have an ASUS mobo / utilities...? Some kind soul seems to have solved the mystery... See below for a solution which works for me, so hopefully it will for you too! https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/ All the best, Slyman14
  9. Hello - this problem has been solved. See: https://forums.malwa...i-be-concerned/ for full details. I've posted a new thread on the false positives website as this may fall into that category? https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/ Thanks all, Slyman14
  10. Yep, brilliant, thanks Anonymous member - simply renaming the UpdateChecker.exe file solved the problem - not expecting ASUS to update any of the software on my fairly old machine now so can't imagine it will cause any problems. https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/ Have posted a link on the false positives forum too - I can't believe this ASUS executable (which has no doubt been installed on my PC for many years) is contacting this IP with malicious intent, and perhaps Malwarebytes need to be aware that other users will get the same warning popups etc. Thanks again for your help!
  11. Hello, I posted a query on the Malwarebytes Anti-Malware Help Forum yesterday. It was suggested that I should post the problem experienced, with FRST logs, in the Malware Removal Help Forum - which I did. Links to both below for info: https://forums.malwarebytes.org/index.php?/topic/156469-newbie-question-outgoing-traffic-to-1689511-should-i-be-concerned/ https://forums.malwarebytes.org/index.php?/topic/156488-outgoing-traffic-to-1689511-should-i-be-concerned/?hl=%2B168.95.1.1 In the latter forum, there is another user experiencing exactly the same problem, who posted minutes before me: https://forums.malwarebytes.org/index.php?/topic/156486-possible-infection-malwarebytes-pro-blocking-access/?hl=%2B168.95.1.1 I haven't yet received any response to the Removal Help request, but an anonymous user has now responded to my first thread with a solution to / culprit for the problem. As suggested by them, I have renamed the file below, which has stopped the problem... C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker.exe But ASUS is a reputable manufacturer and this file has been present on my PC for many years - could this website only recently have been added to the MBAM malicious website list? Is this a false positive, as I'd be surprised if the ASUS executable had any malicious intent! Please advise. Thanks as always, Slyman14 PS - I will add links to the bottom of all 3 threads above to both the solution given and to the discussion here. Hope that's OK!
  12. Hello - I'm a bit of a newbie and was directed here from the general help forum. Sorry if I'm wasting people's time but I'm just trying to get to the bottom of this... MBAM gave a pop-up warning about outgoing traffic to the above IP and blocked it. See Protection Log below for info:
Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Starting,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Started,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Starting,
Protection, 05/09/2014 10:55:38, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Started,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
(end)
My PC hasn't been misbehaving in any way (that I've noticed) and a full MBAM threat scan finds nothing malicious. The pop-ups appear just once (just after system startup) before any browser is opened - the application / source of the outgoing traffic is blank in the warning box though. I'm not using any P2P software. I installed some Adobe updates yesterday and this has only been happening since then, which might be a coincidence or otherwise?!? I wasn't going to post on the Malware removal forum because I'm not convinced I'm infected, but since MBAM is flagging it and others have suggested I post here (and that I may have downloaded a fake Adobe update) I hope someone can assist! FRST files (x2) attached. Thanks again, very much appreciated. FRST.txt Addition.txt
  13. Thanks daledoc1.... the pop ups appear just once on system startup, without any browser being opened. No, I'm not using any P2P software. I installed some Adobe updates yesterday and this has only been happening since then.... is there an (ideally freeware!) utility that can be used to track the source of the traffic? If it is the Adobe software then I can stop worrying! I didn't want to post on the Malware removal forum or go through all the instructions provided re: removal when I'm not convinced I'm infected, and in all likelihood am not, but since MBAM is flagging it I thought I ought to look into it. Thanks again all, much appreciated
  14. Hello - hope someone can help please? MBAM gave a pop-up warning about outgoing traffic to the above IP (and presumably blocked it?). My PC hasn't been misbehaving in any way that I've noticed and a full threat scan shows no infection. See Protection Log below for info:
Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Starting,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Started,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Starting,
Protection, 05/09/2014 10:55:38, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Started,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
(end)
Should I be concerned? Is there likely to be malware present that wasn't detected by MBAM? If not, would some other software legitimately be sending data to the above IP (i.e. a false positive)? Thanks for any help / reassurance you can provide! Slyman (Simon)
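The protection log pasted in posts 12 and 14 above is the only evidence the poster had to work from, and it answers two of the questions asked in the thread on its own: how many times the block fired, and how soon after boot, and whether the log names the responsible process at all (it does not, which is why a packet capture was needed later). The following parser is an added example, not code from Malwarebytes or from anyone in the thread. The record layout (a comma-separated prefix of kind, timestamp, user, host, then component, event and, for IP detections, IP, a numeric field assumed here to be the remote port, direction and an optional process path) is inferred from the lines in the posts; the day/month/year timestamp order is assumed from the poster's locale. The sample embedded below is the poster's log plus one constructed record with a TEST-NET address and a process path, so that the attribution check has both cases to distinguish.

```python
"""Parse Malwarebytes Anti-Malware 2.x protection-log lines and summarise outbound
IP blocks.  Added example; the record layout is inferred from the log in the posts
above, not from any published Malwarebytes specification."""
from collections import Counter
from datetime import datetime

# Constructed sample: the records from the posts above, plus one hypothetical record
# (192.0.2.10 is a documentation address) that does carry a process path.
SAMPLE_LOG = """Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Starting,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Started,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Starting,
Protection, 05/09/2014 10:55:38, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Started,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 11:02:10, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 192.0.2.10, 80, Outbound, C:\\Example\\app.exe,
(end)
"""

# Assumed from the poster's UK-style dates; swap to "%m/%d/%Y %H:%M:%S" for a US locale.
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"


def parse_protection_log(text):
    """Return one dict per log record; the header, blank lines and '(end)' are skipped."""
    records = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.strip().rstrip(",").split(",")]
        if len(fields) < 7 or fields[0] not in ("Protection", "Detection"):
            continue  # banner, blank or '(end)' line
        rec = {
            "kind": fields[0],
            "time": datetime.strptime(fields[1], TIME_FORMAT),
            "user": fields[2],
            "host": fields[3],
            "component": fields[5],
            "event": fields[6],
        }
        # IP detections carry extra fields: IP, port (assumed), direction, optional process.
        if rec["kind"] == "Detection" and rec["event"] == "IP" and len(fields) >= 10:
            rec["ip"] = fields[7]
            rec["port"] = fields[8]
            rec["direction"] = fields[9]
            rec["process"] = fields[10] if len(fields) > 10 else ""
        records.append(rec)
    return records


def blocked_ip_summary(records):
    """Count outbound blocks per remote IP, e.g. {'168.95.1.1': 2}."""
    counts = Counter(r["ip"] for r in records if r.get("direction") == "Outbound")
    return dict(counts)


def unattributed_blocks(records):
    """Outbound blocks where the log names no process: these cannot be attributed from
    the log alone and need a capture or a process-to-connection map, as in the thread."""
    return [r for r in records if r.get("direction") == "Outbound" and not r["process"]]


def seconds_after_protection_start(records):
    """Seconds from 'Malicious Website Protection, Started' to the first outbound block,
    or None if either event is absent.  A small value means the connection was attempted
    right after boot, before any browser was opened, matching the poster's description."""
    started = next((r["time"] for r in records
                    if r["component"] == "Malicious Website Protection"
                    and r["event"] == "Started"), None)
    first = next((r["time"] for r in records if r.get("direction") == "Outbound"), None)
    if started is None or first is None:
        return None
    return int((first - started).total_seconds())


if __name__ == "__main__":
    recs = parse_protection_log(SAMPLE_LOG)
    print("blocks per IP:", blocked_ip_summary(recs))
    print("blocks with no process named:", len(unattributed_blocks(recs)))
    print("first block after protection start (s):", seconds_after_protection_start(recs))
```

Run against the poster's own log the summary shows two blocks of 168.95.1.1, both without a process name, 79 seconds after website protection started; the constructed 192.0.2.10 record is the only one the log could attribute by itself.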