  • This topic is locked
20 replies to this topic

#1 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 03 November 2013 - 05:22 PM

Hello, MBAM Forum. I play Mount and Blade: Warband, and its expansion, Napoleonic Wars, quite a bit on Steam. Starting a few weeks ago (3-5), I began getting IP Blocks from my copy of MBAM Pro. Each time, it's the same address from the same location. Using an IP lookup (whatismyipaddress), I've discovered that it's in the geographic center of Ukraine. I was wondering, what does it mean?

 

 

I've been running scans each day with all programs that I have (MBAM Pro, Avast! Free antivirus, and Norton 360), and none come up with anything wrong except Norton and random Tracking Cookies with what it usually does. I've posted on the makers of the game's forum for support, but to no avail. Mind helping me out on this one?



#2 daledoc1

daledoc1

    Forum Deity

  • Spam Hunters
  • 11,884 posts
  • Gender:Not Telling

Posted 03 November 2013 - 05:29 PM

Hello and welcome, DisgruntledCarthaginian: :)

 

Disclaimer: I do not personally use Steam & I am only a home user, not staff or a computer expert.

Without the protection logs showing the process and the IP being blocked, it's hard to say for sure.

 

Some general information:

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the Help Desk topics HERE and HERE and HERE, and in the FAQ - Section G.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this pinned topic before starting a new topic in the Website Blocking False Positives sub-forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with the cleaning process Available Assistance For Possibly Infected Computers.

Under the circumstances, this would probably be the safest plan of action at this time.

The expert help in the malware removal section of the forum is free.

 

>>Also, you said that you ran both Avast! and Norton 360?

Having more than 1 anti-virus (AV) installed on your system actually increases your vulnerability; it can also cause system slowdowns, crashes and other problems.

When you get assistance for the IP blocks, the expert helping you will undoubtedly suggest that you completely uninstall one or the other.

Thanks,

daledoc1


Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner.
LT: Win7 Pro/64 SP1; Intel Core i7-3632 cached @3.2 GHz; 16 GB RAM; NVidia GeForce GT640M; IE 10; Fx; TB; WLAN; MBAM PRO 1.75.0.1300; Sophos ES 10.3; SAS Free; CCleaner.


#3 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 03 November 2013 - 05:57 PM


Well, it's been happening a lot, and nothing's been happening, so I just was wondering what it meant.



#4 daledoc1

daledoc1

    Forum Deity

  • Spam Hunters
  • 11,884 posts
  • Gender:Not Telling

Posted 03 November 2013 - 07:00 PM

Hi:
 
Well, the various links I provided explain what it means, how it works, etc. :)
 
It's impossible to say what's specifically happening on your machine without additional information (e.g. the IPs being blocked, the process making the connections, etc).

The location of the IPs in the Ukraine is certainly suspicious.
 
If you would like one of the staff/experts to assist you with this, please post back with the protection logs and both DDS logs, as explained below.
Depending on what these show, you may be referred to the malware removal section of the forum or to the help desk for further assistance.

 

Please post back with these logs as ATTACHMENTS to your next reply:

  • A couple of protection logs, if you have them
  • DDS.txt from DDS
  • Attach.txt from DDS

 
Thanks,
daledoc1

-----------------------------

Step 1 --  Please also upload your 3 most recent Protection module logs:

In Windows XP, these logs are located in: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
In Windows Vista/7/8, these logs are located in: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Step 2 -- Run DDS and create 2 logs:

Download DDS from one of the locations below and save it to your Desktop:
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once it is downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.


  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please attach both of the following logs to your next reply: DDS.txt and Attach.txt
    --->You can ignore the note about zipping the Attach.txt file in most cases.



#5 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 04 November 2013 - 06:33 AM

 

-----------------------------

Step 1 --  Please also upload your 3 most recent Protection module logs:

In Windows XP, these logs are located in: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
In Windows Vista/7/8, these logs are located in: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


 

I'll see if I can work on that.



#6 daledoc1

daledoc1

    Forum Deity

  • Spam Hunters
  • 11,884 posts
  • Gender:Not Telling

Posted 04 November 2013 - 06:59 AM

OK, please post back with the protection logs and DDS logs (both of them) when you have them.

 

In the interim, can you at least tell us the exact IP or IPs that is/are being blocked, for starters?

 

Thanks,

 

daledoc1




#7 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 04 November 2013 - 02:30 PM

OK, please post back with the protection logs and DDS logs (both of them) when you have them.

 

In the interim, can you at least tell us the exact IP or IPs that is/are being blocked, for starters?

 

Thanks,

 

daledoc1

Want it on the forum or a private message? I can do both, however, I'd like doing the MBAM ones first, and only doing the DDS if needed.



#8 Firefox

Firefox

    Forum Deity

  • Trusted Advisors
  • 9,991 posts
  • Gender:Male
  • Location:USA

Posted 04 November 2013 - 02:39 PM

Please post all required logs (in order to help you) as attachments here in the forum, by clicking on More Reply Options.

Thanks



Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#9 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 05 November 2013 - 02:29 PM

I apologize for not posting much due to a tight schedule, but I'm guessing I'll be needing to publicly post the IP here, so, it's 91.222.138.41.



#10 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,030 posts
  • Gender:Male
  • Location:US

Posted 05 November 2013 - 02:40 PM

IP address: 91.222.138.41
Host name: vps-7524.vps-ukraine.com.ua
91.222.138.41 is from Ukraine(UA) in region Eastern Europe

I'll have one of our Research members check on this and see if I can obtain more information on why we block it and get back to you.

Thanks

Ron Lewis
Forum Community Manager



#11 MysteryFCM

MysteryFCM

    Forum Deity

  • Moderators
  • 5,389 posts
  • Gender:Male
  • Location:Tyneside, UK

Posted 05 November 2013 - 02:55 PM

The block is in place due to a plethora of malicious content across the entire /24, and the AS being unresponsive.


Steven Burn

Malware Intelligence Analyst
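
Added example, not part of any post in this thread: the replies above advise finding out which process makes the blocked connections and whether they are outgoing, and explain that the block covers a whole /24. The Python below does both over constructed log lines. The line layout, process names, ports, timestamps and the address 91.222.138.7 are assumptions for illustration, not the product's real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical layout. The first three
# distinct IPs are the ones quoted in this thread; everything else is invented.
SAMPLE_LOG = """\
2013-11-03 17:05:11 IP-BLOCK 91.222.138.41 outgoing port=49213 process=game_client.exe
2013-11-03 17:05:42 IP-BLOCK 91.222.138.41 outgoing port=49214 process=game_client.exe
2013-11-10 10:20:03 IP-BLOCK 82.146.63.181 outgoing port=49877 process=game_client.exe
2013-11-13 21:40:19 IP-BLOCK 91.211.117.88 outgoing port=50112 process=game_client.exe
2013-11-13 21:55:00 IP-BLOCK 91.222.138.7 incoming port=7240 process=browser.exe
not a block line
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP-BLOCK (?P<ip>\S+) (?P<direction>incoming|outgoing) "
    r"port=(?P<port>\d+) process=(?P<process>\S+)$")
BROWSERS = {"browser.exe"}  # hypothetical; list the browsers actually installed

def parse_blocks(text):
    """Return one dict per well-formed block line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # malformed address field
        events.append({**m.groupdict(), "ip": ip})
    return events

def group_by_slash24(events):
    """Map each /24 network to the (process, direction) pairs seen in it."""
    groups = defaultdict(set)
    for e in events:
        # strict=False masks the host bits: 91.222.138.41 -> 91.222.138.0/24
        net = ipaddress.ip_network(f"{e['ip']}/24", strict=False)
        groups[str(net)].add((e["process"], e["direction"]))
    return dict(groups)

def needs_follow_up(events):
    """Outgoing blocks raised by a non-browser process, de-duplicated."""
    return sorted({(e["process"], str(e["ip"])) for e in events
                   if e["direction"] == "outgoing"
                   and e["process"] not in BROWSERS})
```

Two hosts that share the first three octets land in the same group, which is why a range-level block fires for an address that was never individually listed.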




#12 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 05 November 2013 - 04:21 PM

The block is in place due to a plethora of malicious content across the entire /24, and the AS being unresponsive.

Explain more, please.



#13 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 05 November 2013 - 04:59 PM

Sorry for the double post, but, why would it be doing that whenever I try to play the multiplayer?



#14 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,030 posts
  • Gender:Male
  • Location:US

Posted 07 November 2013 - 09:25 PM

We have no idea. We don't own or play this game and have no control over how it functions. Please contact the game author and ask them why it's reaching out to these sites.

Thank you

Ron Lewis
Forum Community Manager



#15 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 10 November 2013 - 10:34 AM

It happened AGAIN, however, this time the IP was http://whatismyipadd...p/82.146.63.181, and it's located in Moscow, Russia.



#16 daledoc1

daledoc1

    Forum Deity

  • Spam Hunters
  • 11,884 posts
  • Gender:Not Telling

Posted 10 November 2013 - 11:02 AM

Hi, again:
 
Please refer to the previous replies to your inquiry: :)
 

The block is in place due to a plethora of malicious content across the entire /24, and the AS being unresponsive.
https://forums.malwa...005#entry750234


We have no idea. We don't own or play this game and have no control over how it functions. Please contact the game author and ask them why it's reaching out to these sites.

https://forums.malwa...005#entry751300


And as was already suggested.... :)

 

...If you would like a malware expert to assist you with scanning your computer for malware and any cleanup that might be needed, please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.


Thanks,

daledoc1




#17 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 13 November 2013 - 06:54 PM

Apparently the forum admins are not affiliated with the game, only the community.



#18 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 13 November 2013 - 09:47 PM

Oh, also, during a session with friends, I got an IP block from a "91.211.117.88".

Any info on it?



#19 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,030 posts
  • Gender:Male
  • Location:US

Posted 13 November 2013 - 09:56 PM

Just look up any IP yourself on the Web and you can find out where it comes from. If we're blocking it then it's because we feel it's a threat to your computer.

If you feel it's a false positive then you can submit it as such.

 

https://forums.malwa...p?showforum=123

 

Thanks


Ron Lewis
Forum Community Manager



#20 DisgruntledCarthaginian

DisgruntledCarthaginian

    New Member

  • Members
  • 27 posts

Posted 16 November 2013 - 05:54 PM

I'll see if I can talk with a dev of the game soon.






