ASUS AI Protection Keeps getting triggered by malware? HELP :-/

Associate | Joined: 24 May 2011 | Posts: 1,790 | Location: West Sussex
Over the last two days the ASUS Ai Protection on my router keeps getting triggered by my computer trying to access a 'malicious site'. Presumably this is because I have some unknown malicious software trying to access it to download or transmit something.

I have checked the URL in the Trend Micro Site Safety Center checker tool and it flags as safe. The site has the words Winner and Survey in it so it sounds pretty suspicious right off the bat.

At the moment my router is certainly protecting me, but I'd quite like to get rid of the problem and find out what application is making requests to this potentially malicious website.

Would appreciate any help on this as I haven't had to do something like this before.

I have removed my computer name, MAC address and the malicious website.
Event number : 1
Alert type : Malicious Sites Blocking
Source : <My PC and MAC address>
Destination : <malicious website>


RT-AC87U's AiProtection detected suspicious networking behavior and prevented your device making a connection to a malicious website (see above and the attached log for details). Suggested actions:
1. If you know that the cause of this attempted connection was a proprietary app or program and not a web browser, we recommend that you uninstall it from your device.
2. Ensure your device is up to date in all its operating system patches as well as updates to all apps or programs.
3. You should take this opportunity to check for, and install, any router firmware updates.
4. If you continue to receive such alerts for similar attempted connections, investigation into the cause will be necessary.
Meanwhile, rest assured that AiProtection continues to help keep you safe on the Internet.
 
I can't believe it's a false positive. Something is requesting access to a website which I do not know and can guarantee is not from a reliable company. Survey Winner is not what you call a website of something tech related. It's the name of a website that is designed to attract the attention of unsuspecting browsers. Even if the application requesting is 'legit' I would really like to track what that application is... :-/
 
The database that your router uses is maintained by Trend Micro; they don't generally tend to be morons, so I'm pretty sure you have picked something up.

Get a free version of Malwarebytes installed and get it updated and scanned, see what appears and work from there.
 
Got Malwarebytes and it detected some odd registry key, maybe that was enough. It's quarantined so will have to find out if I get the notification again. Thanks for the suggestion.
 
This log?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/17/17
Scan Time: 5:19 PM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2384
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Obsidian-PC\Adam

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 418761
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 1 min, 19 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUM.Optional.HomepageControl, HKU\S-1-5-21-837734012-1568815617-3883257744-3282\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HOMEPAGE, Replaced, [16758], [293330],1.0.2384

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

I actually just looked at the registry key. It's a modified homepage for Internet Explorer, I think. I think this was forced by the admin when I added my computer to the company domain, which my PC is no longer a part of.
 
Interesting. I used netstat to monitor the network for a while and looked up the malicious website on ipinfo.com to get the IP address.

It looks like foobar2000 was trying to access it. Maybe it's looking for lyrics at this dodgy AF website?
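A small script, added here as an example and not posted in the thread, that automates the netstat approach described in the post above: it resolves the flagged hostname (an assumed command-line argument) to its current IP addresses, parses `netstat -ano` output and reports which PIDs hold sockets to those addresses. The embedded netstat sample and its addresses are constructed.

```python
import re
import socket
import subprocess
import sys
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not captured from the thread).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.45:80        ESTABLISHED     4120
  TCP    192.168.1.10:49713     198.51.100.7:443       ESTABLISHED     1336
  TCP    192.168.1.10:49720     203.0.113.45:443       SYN_SENT        4120
  UDP    0.0.0.0:5353           *:*                                    2260
"""

# proto, local, foreign, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote_ip, state, pid) tuples from netstat -ano output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or something we do not understand
        proto, local, remote, state, pid = m.groups()
        remote_ip = remote.rsplit(":", 1)[0].strip("[]")  # drop port, IPv6 brackets
        rows.append((proto, local, remote_ip, state or "", int(pid)))
    return rows


def resolve(hostname):
    """Resolve the flagged hostname to all IPv4 addresses it currently points at."""
    return set(socket.gethostbyname_ex(hostname)[2])


def pids_talking_to(rows, suspect_ips):
    """Map each PID to the suspect remote IPs it has a socket to (any state)."""
    hits = defaultdict(set)
    for _proto, _local, remote_ip, _state, pid in rows:
        if remote_ip in suspect_ips:
            hits[pid].add(remote_ip)
    return dict(hits)


if __name__ == "__main__":
    # Usage on Windows: python find_caller.py <flagged-hostname>; no argument runs the sample.
    if len(sys.argv) > 1:
        ips = resolve(sys.argv[1])
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        ips, out = {"203.0.113.45"}, SAMPLE_NETSTAT
    for pid, addrs in sorted(pids_talking_to(parse_netstat(out), ips).items()):
        print(f'PID {pid} -> {", ".join(sorted(addrs))}  (name it with: tasklist /FI "PID eq {pid}")')
```

The connection that triggers the alert may be short-lived (a lyrics lookup only happens while a track plays), so run the script in a loop or while reproducing the behaviour, and resolve the hostname each time since the address can change.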
 
Thanks, finally managed to find that too. Seems like that lyrics search is using an out-of-date IP or something. I think it might be time to move on from foobar2000. Just not enough updates to keep it secure.

Unless anyone can think of anything else this might have caused, it looks like it's a closed case. Thank you.
 