Unexpected Web Exclusion Found in Settings

[knl]

I found a web exclusion in settings for this IP: 195.255.164.40. 

 

I googled the IP, and found it located in Iraq:  http://iplocationtools.com/159.255.164.40.html.

 

I don't think I put it there.  More likely entries by me would be in domain name format.   The Iraq address seems strange.  When I tried to connect to the web address of the IP, MWB blocked it as a dangerous web site.

 

I have removed the exclusion.

 

Should I be concerned as to how this dangerous location was added as an exclusion?

 

 

 

 

[1PW]

Hello knl:

 

Before answering, please allow more information to be known about the system.
 
Please perform Log Set 2 diagnostic step, only.
 
Please do not Copy & Paste, but instead attach by way of the "More Reply Options" button.

 

Thank you.

[knl]

requested file is attached

CheckResults.txt

[1PW]

Hello knl:
 
Although nothing obvious is immediately apparent, Experts/Staffers will be requested to check all the diagnostics after you have additionally provided the following:

Please read Diagnostic Logs and individually attach the 2 requested logs only from Log Set 1 in a reply to this thread.

Those diagnostic output text logs to be posted are FRST.txt and Addition.txt.

Thank you.

[knl]

Requested files are attached.  Thanks. KNL

[knl]

Requested files are attached.  Thanks. KNL

Addition.txt

CheckResults.txt

FRST.txt

[AdvancedSetup]

Please go to the following folder. You may need to enable show hidden or system folders to do so.

 

C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

 

Then zip up all the files in that folder and post the zip file back here as an attachment.

 

Thank you

 

Ron

[knl]

Logs attached.  Thanks.  KNL

Logs.zip

[AdvancedSetup]

I'm not finding this IP entry in any of the logs. Can you please show me a screen shot of what you're seeing.

 

Also that IP is not from Iraq - I show is as the following:

 

195.255.164.40 is from Finland (FI) in region Scandinavia

 

http://network-tools.com/default.asp?prog=express&host=195.255.164.40

[knl]

The entry was found in the settings tab, in web exclusions.  I deleted the entry from settings before posting my inquiry.  I understand that the location for the IP entered in my post is in Finland.  I found Iraq by searching on 159.255.164.40.  I believe I searched on the entry that I saw in settings/web exclusion, and may have transposed 159 to 195 when I wrote the post.  I'm not 100% certain of that, so it's possible that it was actually 195 and I transposed when I searched. I neglected to keep a copy of what I saw before deleting the entry, so for illustration I added the web exclusion as it appeared initially, screen shot is below.  Apologies for confusion I caused.  IP exlcusion in Finland or Irag...either stil unexpected. Screen shot is attached.

 

Thanks, KNL

 

 

 

 

Screenshot.docx

[AdvancedSetup]

Well at this point I'm not sure. The logs don't indicate that it's there that I'm seeing. We could collect all your files and review further but that probably still would not tell us how the entry got in there as I don't think we currently log the method it was entered only that it exists.

 

I would remove the entry and then continue to monitor it for a while. I do see in the logs though that you have a proxy setting which is okay as long as you're aware of it and you're the one that enabled it.

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\
    ProxyOverride          <local>;192.168.*.*;*.local

 

If you did not set it then I'd remove it and possibly have someone assist you in checking your system further for any possible infections.

[knl]

Thanks very much.  Will check out ProxyOverride.  KNL