
IP protection detecting infection from evilterritory.com/Evilrtcw2.com



I was just browsing YouTube and got a "Malwarebytes' Anti-Malware IP Protection: Infection detected: 209.44.99.178" notice.

I'm not sure if YouTube has anything to do with it since I googled the IP and found out it belongs to Evilrtcw2.com and also evilterritory.com and warcraft-source.com.

Is this a threat or just a common false positive?

Thanks for your support.


It looks like a legit IP, but I'm not an expert. See here

Well, it's not listed on hosts-file.net's database.

Do you (or anyone else viewing this thread) get the same message when you visit evilterritory.com or any of the other sites that I mentioned?

Also, how reliable is hosts-file.net as a threat identifier?


It isn't blocked on 1.41 beta which may further back the evidence for a false positive as there is a bug in 1.40 that blocks legitimate IPs.

I've seen most of the experts refer to http://hosts-file.net when dealing with IPs since this new feature has been introduced. I think with that being said, it's pretty reliable :(

Thanks for your insight but I'd like an expert (you said you are not one) to answer my question, no offense intended.

And thanks for the info about hosts-file.net


A little update: IP Protection just detected 200.98.197.7. This site is listed on hosts-file.net and is considered to be threatening.

The only reason that I found it necessary to make this thread is because I don't usually get warnings like this regularly from MBAM. I am getting these warnings while browsing sites that I commonly visit. It's just at this moment that I am getting an unreasonable amount of warnings which makes me suspect something harmful. I don't have a p2p program open so I know it's not a false positive from some random person.

Any ideas as to what might be going on?


You're right, according to hosts-file.net it does seem to be malicious. I tried pinging the IP from my desktop running version 1.41 beta and I was able to reach the IP. This could be due to the fact that the definitions for the beta don't include this IP... We aren't allowed to update from the beta because it's still being tested.

Do you have any IM software? What are the sites that you browse if you don't mind me asking? Maybe there's an ad on the page that is trying to load from that IP.


@ Derrick90

I might be mistaken, but I think that P2Ps could potentially cause this to happen even if they aren't actually open. Do you have any P2P programs?

When you say "IM software" you mean instant messaging right? If so, then no, although I have previously installed a few of them, which are now uninstalled (properly I hope).

The sites that I have been browsing include youtube, google, yahoo and other similar sites. Just general popular sites like this. I actually got the 200.98.197.7 warning while I was using the google search engine... These warnings may have had nothing to do with the sites that I was browsing, I just listed some of them as I thought it might be relevant.


@ Derrick90

Hmm, I'm out of ideas then. Hopefully an expert on this can jump in here and hopefully will be able to tell you what's going on or what might be going on.


Apologies for taking so long to notice this thread. To answer your questions:

209.44.99.178

This IP is on a Netelligent IP range, who are known for housing criminals, which is why it is blocked.

200.98.197.7

The IP itself seems fine, I can't identify any malicious activity thus far, however, the rest of the range does presently house malicious activity, because of this, the range itself was blocked, rather than just the IPs.

/edit

For clarity by the way, hpHosts is actually run by me.
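The difference described in the post above, between an address blocked in its own right and one blocked only because its surrounding range is listed, can be checked mechanically when triaging alerts. This is an added example, not Malwarebytes or hpHosts code; the blocklist entries and alert lines are constructed from documentation address space, and only the "Infection detected:" wording comes from the notice quoted in the thread.

```python
import ipaddress
import re

# Constructed blocklist (RFC 5737 documentation ranges), NOT the real entries
# behind the alerts in this thread.
BLOCKLIST = [
    ("198.51.100.9/32", "host itself observed serving malware"),
    ("198.51.100.0/24", "range blocked because neighbouring hosts are malicious"),
    ("192.0.2.0/25", "range blocked because of the hosting provider"),
]
RULES = [(ipaddress.ip_network(cidr), why) for cidr, why in BLOCKLIST]

# Matches the notification text quoted in the first post.
ALERT_RE = re.compile(r"Infection detected:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def explain_block(ip, rules):
    """Return None if ip is not listed, else the most specific matching entry
    and whether the block targets the host or is inherited from a range."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, why) for net, why in rules
            if net.version == addr.version and addr in net]
    if not hits:
        return None
    net, why = max(hits, key=lambda h: h[0].prefixlen)  # longest prefix wins
    scope = "host" if net.prefixlen == net.max_prefixlen else "range"
    return {"ip": ip, "entry": str(net), "scope": scope, "reason": why}

def triage(alert_lines, rules):
    """Extract the blocked IP from each alert line and explain the listing."""
    out = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an IP Protection notice
        try:
            verdict = explain_block(m.group(1), rules)
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
        out.append(verdict or {"ip": m.group(1), "scope": "unlisted"})
    return out

# Constructed alert lines in the format of the notice from the thread.
SAMPLE_ALERTS = [
    "Malwarebytes' Anti-Malware IP Protection: Infection detected: 198.51.100.9",
    "Malwarebytes' Anti-Malware IP Protection: Infection detected: 198.51.100.42",
    "Malwarebytes' Anti-Malware IP Protection: Infection detected: 192.0.2.200",
    "unrelated log line",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, RULES):
        print(row)
```

A "range" verdict means the alert says nothing about the specific host, which is why a per-host lookup can come back clean while the address is still blocked.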

Thanks for the info.

The "attacks" seem to have subsided for now. I will update this thread if I encounter any more threats.

Thanks again.


I have a question and I'm not sure this is the place to post it -- but when I am browsing and I get a warning that Malwarebytes has identified an infection - do they quarantine or disinfect automatically? Each time I get this warning I immediately do a full scan and no malicious objects are detected?
