slyman14

168.95.1.1 - (Asus) UpdateChecker.exe


Hello

I posted a query on the Malwarebytes Anti-Malware Help Forum yesterday.

It was suggested that I should post the problem experienced with FRST logs in the Malware Removal Help Forum - which I did.

Links to both below for info:

https://forums.malwarebytes.org/index.php?/topic/156469-newbie-question-outgoing-traffic-to-1689511-should-i-be-concerned/

https://forums.malwarebytes.org/index.php?/topic/156488-outgoing-traffic-to-1689511-should-i-be-concerned/?hl=%2B168.95.1.1

In the latter forum, there was another user experiencing exactly the same problem, who posted minutes before me:

https://forums.malwarebytes.org/index.php?/topic/156486-possible-infection-malwarebytes-pro-blocking-access/?hl=%2B168.95.1.1

I haven't yet received any response to the Removal Help request, but an anonymous user has now responded to my first thread with a solution to / culprit for the problem.

As suggested by them, I have renamed the file below, which has stopped the problem...

C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker.exe

But ASUS is a reputable manufacturer and this file has been present on my PC for many years - could this website only recently have been added to the MBAM malicious website list? Is this a false positive, as I'd be surprised if the ASUS executable had any malicious intent!

Please advise

Thanks as always

Slyman14

PS - I will add links to the bottom of all 3 threads above to both the solution given and to the discussion here. Hope that's OK!

This is not an F/P. Unless something has changed in the last 48 hours, Asus doesn't use 168.95.1.1.

Can you get me a pcap please?

http://wireshark.org

Hello:

I too have this same problem going on and have been watching the members' forums waiting for a solution. It seems that, for at least the three of us, we all received the block for that IP within the same time frame. And I too have an ASUS MB but agree that there shouldn't be any reason for a MB to be sending out its own IP at startup for no apparent reason. Below I have put my own FRST info as attachments. Sorry if I'm not supposed to post here but I'm new to the forums even though I have had MBAM for several years now.

Addition.txt

FRST.txt

Hello MysteryFCM - Thanks for any assistance you can offer. It seems that a number of us are having this issue. I haven't updated the Asus software (the last modified date is 11/12/08) and from the solution / info posted by the other member on my first thread I assume the file is unchanged and has been happily sending traffic to this IP since install, but MBAM has only started objecting to this in the last few days?

I am a bit of a newbie to all this but have downloaded Wireshark as instructed (though it is a little overwhelming in terms of options / functionality!).

The problem I'm having is that this updater seems to send traffic once, immediately on start-up, which MBAM then blocks. Wireshark only seems to record when instructed (rather than launch from startup - unless I've missed an option?) so (once I've set the file name back to its original to start the problem again) I will inevitably miss that event, which I assume is what you're after? I can't seem to start Wireshark recording before the traffic is sent and blocked (if you see what I mean).

I don't know whether this ASUS file continues to send traffic to 168.95.1.1 and I guess I could turn off MBAM and leave Wireshark running, but presumably this might be a single or very infrequent event and I might not capture anything of use?!?

The user that suggested renaming this file explains how he tracked it down as the source of the problem on my first post - would it help if I supplied the .exe file to you for analysis? I have no reason to doubt it's anything other than a genuine ASUS executable...

Any hints / tips on how to use Wireshark to capture what you are after?

Thanks again for all your assistance

Slyman14

I have just disabled this program in ZoneAlarm and this did the trick: the program did not do any more pings to the address 168.95.1.1. I then enabled it in ZoneAlarm and restarted the PC again and it then pinged 168.95.1.1.

The program is there to offer updates to one's BIOS, and on doing some research on the program it seems to very rarely offer any updates for the BIOS, and this is the case personally. I will not uninstall it but I am going to kill it again and keep an eye on this thread.

Hi hipraptor

Yeah, renaming the executable has the same effect - which I think suggests it's legitimate software rather than something malicious.

The question for me is that this appears to be a longstanding ASUS executable but MBAM has only very recently started blocking its connection to 168.95.1.1.

In my mind, there are likely only a few possible causes for this:

i) the executable has been doing this for some time and the IP has only just recently been added to the MBAM malicious website list, or

ii) the executable perhaps is now contacting this IP when it didn't previously (perhaps it's a secondary IP contact and the primary is no longer available?), or

iii) it truly is malicious software and somehow the genuine Asus executable has been overwritten / replaced.

The "man from Malwarebytes" says ASUS doesn't use 168.95.1.1, which would tend to exclude i) & ii) above, but my gut is that iii) is equally unlikely.

Would be good to get to the bottom of this though!

Thanks all

hipraptor and AJRoxlife:

This is slyman14's thread. If you have an issue, please start your own thread.

Please reference: Please read before reporting a false positive

Post #2

If you are not a member of Staff or Experts group please do not reply to other users' posts in either the File or Web Blocking forums.

Thank you for understanding.

slyman14:

Per your request for assistance...

Start Wireshark.

You'll see something to the effect of...

[screenshot attachment]

You'll see the green Shark Fin and "Start".

[screenshot attachment]

Under that you'll see it states Local Area Connection. Since the PC I am on is Wired Ethernet that's what I'll choose. If you too are on Wired Ethernet that is what you'll choose. If you are on WiFi you will have to choose a wireless connection.

Then click on the green Shark Fin and "Start".

Minimize Wireshark.

Run Asus Update [ C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker.exe ]

Let Malwarebytes complain about the IP and block it.

Go back to Wireshark.

Click on the Red Square on the toolbar to stop capturing Packets.

[screenshot attachment]

Then choose File --> Save As.

Browse to a familiar place like your Desktop.

Give it a name such as ASUS then choose "Save". Now you would have an ASUS.PCAP file.

Place the PCAP file in a ZIP or RAR archive and attach that ZIP or RAR in your reply.
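
The walkthrough above ends with a saved .pcap file that then has to be checked for traffic to the blocked address. As an added example that is not part of this thread and is not Malwarebytes or ASUS tooling, the Python script below does that check offline with nothing but the standard library: it parses a classic libpcap file, decodes the IPv4 header of each Ethernet frame and lists every packet to or from a chosen address. It assumes classic pcap format with Ethernet frames (link type 1), which is what a wired-NIC capture saved via File --> Save As produces; pcapng files are rejected rather than misread, and non-IPv4 frames are skipped. The sample capture bytes, the MAC addresses and the 192.168.1.20 / 192.0.2.10 hosts are constructed for the demonstration; 168.95.1.1 is the address discussed in the thread.

```python
"""Scan a classic libpcap (.pcap) capture for packets to or from one IPv4 address.

Added illustration for the Wireshark capture walkthrough; not code from the
thread, from Malwarebytes or from ASUS. Assumes classic pcap (not pcapng) with
Ethernet frames (link type 1). Only IPv4 is decoded; other frames are skipped.
"""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap_records(data: bytes):
    """Yield (timestamp, frame_bytes) per record; file endianness comes from the magic."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"  # little-endian writer (the usual case on x86 Windows)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # global header after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    *_, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame: bytes):
    """Return (src, dst, protocol_number) for an IPv4-over-Ethernet frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))  # IPv4 source at offset 12 of the IP header
    dst = str(ipaddress.IPv4Address(frame[30:34]))  # IPv4 destination at offset 16
    return src, dst, frame[23]                       # protocol field at offset 9


def find_conversations(data: bytes, target_ip: str):
    """Return [(timestamp, src, dst, proto_name)] for every packet involving target_ip."""
    hits = []
    for ts, frame in read_pcap_records(data):
        parsed = ipv4_endpoints(frame)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if target_ip in (src, dst):
            hits.append((ts, src, dst, PROTO_NAMES.get(proto, str(proto))))
    return hits


# --- constructed sample capture (not real traffic) -------------------------

def _frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet+IPv4 frame; the IP checksum is left 0, which is fine for parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def _pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file with one-second spaced timestamps."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1410101012 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


SAMPLE_PCAP = _pcap([
    _frame("192.168.1.20", "192.0.2.10", 6, b"\x00" * 20),   # unrelated TCP segment
    _frame("192.168.1.20", "168.95.1.1", 17, b"\x00" * 8),   # UDP datagram to the blocked IP
    b"\xff" * 60,                                             # non-IPv4 frame, skipped
])

if __name__ == "__main__":
    for ts, src, dst, proto in find_conversations(SAMPLE_PCAP, "168.95.1.1"):
        print(f"{ts:.6f} {proto} {src} -> {dst}")
```

To run it over a real capture from the walkthrough, pass the file contents instead of the sample: `find_conversations(open("ASUS.pcap", "rb").read(), "168.95.1.1")`. Inside Wireshark the same search is the display filter `ip.addr == 168.95.1.1`; the script is useful when several captures have to be checked without opening each one.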

Thanks for the really helpful step-by-step walkthrough David.

The small issue I've had is that I can't seem to run C:\Program Files (x86)\ASUS\ASUSUpdate\UpdateChecker.exe directly in its folder. The PC seems to think about it for a moment but nothing else happens and MBAM doesn't present a blocked IP pop-up. Perhaps it can only be run in conjunction with or by another ASUS application or service?

To get round this I've tried to capture the MBAM traffic block at start-up by adding Wireshark to my startup items and starting capture as soon as I could - it was certainly recording for a while before the MBAM popup so I hope I've caught the moment (though I couldn't see 168.95.1.1 in the IP list) = ASUS1

ASUS1.pcap.zip

I also captured when I tried to manually run the exe as well, just in case = ASUS2

ASUS2.pcap.zip

I hope this helps. Please let me know if there's anything else to try.

Thanks again!

Sorry for the delay.

I've had a word with Acer and they are indeed now using it. The IP will be unblocked in a few minutes, and my apologies for the confusion.
