Newbie question! Outgoing traffic to 168.95.1.1 - should I be concerned?



Hello - hope someone can help please?

MBAM gave a pop-up warning about outgoing traffic to the above IP (and presumably blocked it?)

My PC hasn't been misbehaving in any way that I've noticed and a full threat scan shows no infection.

See Protection Log below for info:

Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Starting,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Started,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Starting,
Protection, 05/09/2014 10:55:38, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Started,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,

(end)

Should I be concerned?

Is there likely to be malware present that wasn't detected by MBAM?

If not, would some other software legitimately be sending data to the above IP (i.e. false positive)?

Thanks for any help / reassurance you can provide!

Slyman (Simon)

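The Protection Log format in the post above is regular enough to parse, and the timing it records is the most useful triage signal it carries. The following Python is an added example written for this thread, not code from the post, from Malwarebytes or from ASUS: it reads log lines of this shape, counts blocks per IP and direction, and reports how many seconds after the Malicious Website Protection module reported "Started" the first block occurred. The sample lines are those from the post, with the header and "(end)" lines included to show they are skipped; the day/month ordering of the timestamp is an assumption that does not affect the interval calculation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the log lines shown in the post, plus its header/trailer.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Starting,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malware Protection, Started,
Protection, 05/09/2014 10:54:42, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Starting,
Protection, 05/09/2014 10:55:38, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, Started,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,
Detection, 05/09/2014 10:56:57, SYSTEM, SIMON-PC, Protection, Malicious Website Protection, IP, 168.95.1.1, 8, Outbound,

(end)
"""

IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_line(line):
    """Split one Protection Log record into its comma-separated fields.
    Returns None for blank lines and for non-record lines (header, '(end)')."""
    line = line.strip()
    if not line or "," not in line:
        return None
    fields = [f.strip() for f in line.rstrip(",").split(",")]
    return fields if len(fields) >= 7 else None


def parse_time(stamp):
    # Assumption: day/month/year ordering (UK-style). Only intervals within a
    # single day are used below, so the ordering does not change the result.
    return datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")


def summarize_blocks(log_text):
    """Per-IP summary of Malicious Website Protection detections: how often
    each IP was blocked, in which direction(s), and how many seconds after the
    web-protection module reported 'Started' the first block happened."""
    started_at = None
    per_ip = defaultdict(lambda: {"count": 0, "directions": set(), "first_seen": None})
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue
        try:
            stamp = parse_time(fields[1])
        except ValueError:
            continue
        kind = fields[0]
        if kind == "Protection" and fields[5:7] == ["Malicious Website Protection", "Started"]:
            started_at = stamp
        elif kind == "Detection" and "IP" in fields:
            i = fields.index("IP")
            ip, direction = fields[i + 1], fields[-1]
            if not IP_RE.match(ip):
                continue
            entry = per_ip[ip]
            entry["count"] += 1
            entry["directions"].add(direction)
            if entry["first_seen"] is None:
                entry["first_seen"] = stamp
    summary = {}
    for ip, e in per_ip.items():
        delay = (e["first_seen"] - started_at).total_seconds() if started_at else None
        summary[ip] = {
            "count": e["count"],
            "directions": sorted(e["directions"]),
            "seconds_after_start": delay,
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize_blocks(SAMPLE_LOG).items():
        print(ip, info)
```

For this log the result is a single address, blocked twice outbound, 79 seconds after web protection came up. A block that recurs once per boot with no browser open is the pattern of an autostart program calling out, so the useful next step is identifying the process that owns the connection (for example with Sysinternals Process Monitor, as another poster does later in this thread) rather than deciding in the abstract whether the block is noise.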

Hello and welcome:

That IP is located in Taiwan.
If you are seeing many such blocks, ESPECIALLY if you are NOT using P2P software and ESPECIALLY if no browsers are open, it could be a sign of infection.

If you would like some expert help checking your system, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the preliminary steps to take to expedite the process.
A malware analyst will guide you through the cleanup process.

Thanks,


Thanks daledoc1.... the pop-ups appear just once on system startup, without any browser being opened. No, I'm not using any P2P software.

I installed some Adobe updates yesterday and this has only been happening since then.... is there an (ideally freeware!) utility that can be used to track the source of the traffic? If it is the Adobe software then I can stop worrying!

I didn't want to post on the Malware Removal forum or go through all the instructions provided re: removal when I'm not convinced I'm infected, and in all likelihood am not, but since MBAM is flagging it I thought I ought to look into it.

Thanks again all, much appreciated

:)


Not sure where you're located, but if it's not in Taiwan, I see no reason for your computer to be accessing Taiwan. There are fake Adobe updates out there and if that's what you installed, it could explain it....

I recommend you follow the excellent instructions provided by daledoc1 above...


Hi Slyman14,

I had the same issue and almost went insane after having in vain checked the registry, switched off masses of services and almost all programs in autostart. I scanned with several anti-virus boot sticks but no virus was found. Since the warning did not outline which program was causing the access I finally gave up and restored an image of my entire C: partition from about 4 weeks ago. And guess what - the problem was still there. So the assumption that I caught something recently was obviously false.

To cut a long and time-consuming story short: I've found that the program causing this was the ASUS updatechecker.exe program located in C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker - I renamed the file, switched off everything that was showing up as an ASUS service or program and with the next reboot the warning was gone.

Run 'msconfig' from the command line and/or 'services.msc' and check for ASUS services. Actually, renaming the update program might do.

I narrowed the cause down with Sysinternals Process Monitor and then found that the IP address is in the source code of updatechecker.exe in plain text. This means you can, for example, find it with the cygwin tool grep:

C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker>grep 168.95.1.1 *
grep: LangFiles: Is a directory
Binary file UpdateChecker.exe matches

Hopefully this helps you get rid of the warning - and above all protects you from potential threats.

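The grep check in the post above works because the address is stored as plain ASCII text inside the executable. The Python below is an added example for this thread (not code from the poster, from ASUS or from Malwarebytes) that generalises the same check: it scans a file's bytes for dotted-quad literals in both ASCII and UTF-16LE (the encoding many Windows programs use for their strings, which grep on raw bytes would not match), rejects candidates with an octet over 255, and records the byte offset of each hit so the surrounding string (a URL, a hostname, a version number) can be inspected. The sample blob is constructed inline; on a real file call `find_ip_literals(open(path, "rb").read())`.

```python
import re

# Dotted-quad candidates in ASCII. The lookarounds stop a longer digit run or
# a five-part string such as "1.2.3.4.5" from yielding a partial match; the
# octet range (0-255) is validated separately.
ASCII_IP_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# The same shape in UTF-16LE, where every character is followed by a NUL byte.
UTF16_IP_RE = re.compile(
    rb"(?<![\d.]\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?![\d.]\x00)"
)

# Constructed sample standing in for a binary: a few header-like bytes, a
# version string that is not an address, an ASCII URL containing an IP, a
# UTF-16LE address, and an out-of-range quad that must be rejected.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                 # fake header bytes
    + b"version 1.2.3\x00"                        # three components: not an IP
    + b"http://168.95.1.1/update.xml\x00"         # ASCII literal (grep finds this)
    + b"\x00\xffpad"
    + "10.0.0.7".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE literal (grep misses this)
    + b"999.1.1.1\x00"                            # invalid octet: dropped
)


def _valid_ip(text):
    return all(int(octet) <= 255 for octet in text.split("."))


def find_ip_literals(data):
    """Return (ip, encoding, byte_offset) for every IPv4 literal embedded as
    text in `data`, ordered by offset. Candidates with an octet > 255 are dropped."""
    hits = []
    for m in ASCII_IP_RE.finditer(data):
        text = m.group().decode("ascii")
        if _valid_ip(text):
            hits.append((text, "ascii", m.start()))
    for m in UTF16_IP_RE.finditer(data):
        text = m.group().decode("utf-16-le")
        if _valid_ip(text):
            hits.append((text, "utf-16-le", m.start()))
    return sorted(hits, key=lambda hit: hit[2])


def context(data, offset, width=16):
    """Printable view of the bytes around a hit, so the URL or hostname the
    address sits in can be read; non-printable bytes are shown as '.'."""
    chunk = data[max(0, offset - width):offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


if __name__ == "__main__":
    for ip, encoding, offset in find_ip_literals(SAMPLE_BLOB):
        print(f"{ip:16} {encoding:10} @{offset:<6} {context(SAMPLE_BLOB, offset, 24)}")
```

Finding an address in a binary only tells you that the program knows it, not why; the context around the hit (here a URL path) and a capture of the actual traffic are what distinguish an update check from something else.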

Yep, brilliant, thanks Anonymous member - simply renaming the UpdateChecker.exe file solved the problem - not expecting ASUS to update any of the software on my fairly old machine now so can't imagine it will cause any problems.

https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/

Have posted a link on the false positives forum too - I can't believe this ASUS executable (which has no doubt been installed on my PC for many years) is contacting this IP with malicious intent, and perhaps Malwarebytes need to be aware that other users will get the same warning popups etc.

Thanks again for your help!


Hi:

For the OP and anyone else who might read this topic, this does NOT appear to be a False Positive:

This is not an F/P. Unless something has changed in the last 48 hours, Asus doesn't use 168.95.1.1.
https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/#entry875912

If you would like an expert to assist you with taking a deeper look at your system for possible malware, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help AND the preliminary steps to take to expedite the process.
A malware analyst will guide you through the scanning and cleanup process.

Thanks,


Hi Daledoc1

Thanks again for your comments, but I think the jury is still out on this to be honest.... After starting the above thread I followed your suggestion and started a further thread in the Malware Removal Forum (including all the FRST files etc).

https://forums.malwarebytes.org/index.php?/topic/156488-outgoing-traffic-to-1689511-should-i-be-concerned/?hl=%2B168.95.1.1#entry875832

After I'd done this, I noticed that another user had posted the exact same problem just a few minutes before me.....

https://forums.malwarebytes.org/index.php?/topic/156486-possible-infection-malwarebytes-pro-blocking-access/?hl=%2B168.95.1.1

Before anyone replied to either of those threads, ggits posted a cause / solution in this thread (above). I've verified that disabling the executable by renaming does (very easily) stop this problem with no discernible consequences. This works for ggits, me and hipraptor.

The uncertainty seems to be whether this is a genuine ASUS executable or not, and therefore whether this traffic is malicious or not - the file appears to have been present for some time and it has only been very recently that MBAM has started to object to the traffic from it.

Because of this I created a third (and hopefully final!) thread posing the question in the false positive (website blocking) forum:

https://forums.malwarebytes.org/index.php?/topic/156550-1689511-asus-updatecheckerexe/?hl=%2B168.95.1.1#entry87603

MysteryFCM has stated that ASUS doesn't use this IP and suggested further diagnostics.... which I've asked for separate assistance with.

The niggle remains though that if this isn't a false positive (i.e. it is considered detrimental / malicious), and the executable is some form of malware, why are MBAM and other packages not identifying the executable as a threat?

I would suggest that any interested parties follow the last thread in false positives and hopefully the experts there will help decide one way or the other.

Thanks for everyone's help though - all very appreciated


I merely mentioned it so that internet surfers who casually locate the topic via a search would not be overly complacent in attributing this or a similar IP block to a "False Positive".

IOW, it wouldn't necessarily be safe to disregard the block at this time.

We have to err on the side of caution around here.

Less sophisticated users often see 2 + 2 and add it up to 3, if you know what I mean.

Nothing more, nothing less.

Cheers,


Hi Daledoc1

Thanks again for your comments, but I think the jury is still out on this to be honest.... After starting the above thread I followed your suggestion and started a further thread in the Malware Removal Forum (including all the FRST files etc).

< snip >

MysteryFCM has stated that ASUS doesn't use this IP and suggested further diagnostics.... which I've asked for separate assistance with.

Steven (MysteryFCM) requested a PCAP. That means Steven wants you to run Wireshark and capture packets when ..\ASUSUpdate\UpdateChecker.exe is executed.

While the IP address in question is not an ASUS-owned IP, it is for a Taiwanese ISP DNS server [ http://www.hinet.net/ ]. It could be that the ASUS software is specifically querying the DNS server for a Taiwanese IP that may not be distributed outside Taiwan. Examination of a captured packet decode file (aka a PCAP file) will help discern exactly what communication is taking place.

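To show what the requested PCAP can settle, here is an added Python example written for this thread (it is not code from the posters, from Wireshark or from ASUS, and it uses only the standard library). It builds a small constructed capture in memory containing one DNS query to 168.95.1.1, one DNS query to a different resolver and one TCP SYN to 168.95.1.1 port 80, then walks the file and lists every packet sent to the target address with its transport, destination port and, for UDP/53, the name that was queried. That distinction is exactly the one raised above: UDP/53 carrying a query name means the program is using that host as a DNS resolver, while TCP/80 would mean it is fetching something from it. All addresses, ports and hostnames in the fixture are constructed. The parser accepts a classic pcap file with Ethernet framing in either byte order (`flows_to(open("capture.pcap", "rb").read(), "168.95.1.1")`); newer Wireshark versions save pcapng by default, which this reader does not handle, so choose the classic pcap format when saving.

```python
import socket
import struct

# ---- fixture builders: constructed sample traffic, checksums left at zero ----

def _dns_query(qname, txid=0x1234):
    """Minimal DNS standard query for an A record (RD bit set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def _frame(src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 header (no options) around a transport segment."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack(">H", 0x0800)
    return eth + ip + l4


def _udp(src_ip, dst_ip, sport, dport, payload):
    return _frame(src_ip, dst_ip, 17, struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload)


def _tcp_syn(src_ip, dst_ip, sport, dport):
    seg = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return _frame(src_ip, dst_ip, 6, seg)


def build_pcap(frames):
    """Classic little-endian pcap container, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1409900000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture: a DNS lookup via 168.95.1.1, a DNS lookup via another
# resolver (should be ignored when filtering on 168.95.1.1), and a TCP SYN.
SAMPLE_PCAP = build_pcap([
    _udp("192.168.1.10", "168.95.1.1", 51234, 53, _dns_query("update.example.com")),
    _udp("192.168.1.10", "8.8.8.8", 51235, 53, _dns_query("www.example.org")),
    _tcp_syn("192.168.1.10", "168.95.1.1", 51236, 80),
])


# ---- reader ----

def _read_qname(dns):
    """Decode the first question name of a DNS message; None if malformed."""
    parts, pos = [], 12
    try:
        while True:
            n = dns[pos]
            if n == 0:
                return ".".join(parts)
            if n & 0xC0:            # compression pointer: not valid in a query name here
                return None
            parts.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
    except IndexError:
        return None


def flows_to(pcap_bytes, target_ip):
    """List every packet sent to target_ip: transport, destination port and,
    for UDP/53, the queried name. Classic pcap with Ethernet framing only."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    target = socket.inet_aton(target_ip)
    pos, results = 24, []
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, dst = ip[9], ip[16:20]
        if dst != target:
            continue
        l4 = ip[ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        sport, dport = struct.unpack(">HH", l4[:4])
        entry = {"proto": "UDP" if proto == 17 else "TCP", "dport": dport, "dns_query": None}
        if proto == 17 and dport == 53 and len(l4) > 20:
            entry["dns_query"] = _read_qname(l4[8:])
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in flows_to(SAMPLE_PCAP, "168.95.1.1"):
        print(entry)
```

On the timing problem raised in the next reply: the capture has to be running before the program is launched, which is why the instruction above is to start Wireshark (or the capture) first and then execute UpdateChecker.exe by hand rather than waiting for it to run at boot.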

Thanks David. I have downloaded Wireshark as instructed but can't see how to start it before the exe sends the traffic and MBAM blocks it. Please see the other thread in false positives for my response / request for further help. This is the assistance I referenced above - I'm somewhat stuck!

Any advice you can provide (perhaps put on the other thread) would be very gratefully received!

Thanks again, Slyman14


I noticed the warning pop-ups are always right after I log onto Steam. I just let it stay blocked and don't notice any difference in gaming or Steam features.

I also have an ASUS mobo, but I haven't changed anything with the update yet. LOL, I haven't even checked to see if I use that...

When you check their whois here http://whatismyipaddress.com/ip/168.95.1.1 it's owned by CHTD, Chunghwa Telecom Co., Ltd, which sounds like a phone company that runs the main internet backbone servers in Taiwan.

My question is: could it be that a lot of spam goes through those servers so their whole IP gets blacklisted?

That same sort of thing happens a lot to godaddy.com's email servers that the secureservers.net email service uses.

Thanks
