So I started back at my restaurant after leaving in October. Apparently the last chef was running no security on the new laptop they bought for him. It won’t connect to the interwebz and says it’s running through a proxy server. When you tell it to automatically detect settings it will auto switch back to routing through the proxy server. I safemoded it and attempted a repair with MBAM. It’s running the scan now, but in the meantime I got the logs off it. I’ll post the MBAM logs as soon as it’s done.
Not important, but it is best to run FRST after you have run Malwarebytes; in that case the FRST log will show what is left behind if MBAM found/removed anything.
Logs: MBAM log and updated FRST log.
I’ll post the updated MBAM log after it’s done running.
Let me know if the network is OK after the FRST reboot.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
AppInit_DLLs: C:\PROGRA~3\INTERE~1\INTERE~2.DLL => C:\PROGRA~3\INTERE~1\INTERE~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~3\intere~1\intere~1.dll => "c:\progra~3\intere~1\intere~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Policy Restriction on ProxySettings)
ProxyServer: [HKLM] => http=127.0.0.1:49243;https=127.0.0.1:49243
ProxyServer: [HKLM-x32] => http=127.0.0.1:49243;https=127.0.0.1:49243
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight2_14_33&cd=2XzuyEtN2Y1L1Qzu0AtDtB0B0BzzyDyC0AtCyDzz0DyBzyyDtN0D0Tzu0StCtDtByBtN1L2XzutAtFyDtFtCtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StDtBtB0ByE0EyC0FtG0AyDzytAtGyCtCyCtDtG0ByEyD0EtGyEtA0DtA0A0B0B0D0CyD0E0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyEyBtAtAzzzz0DtGtB0Azy0AtGyE0EtA0EtG0BtCzzyCtGtC0E0AyEtAyC0FtD0CyD0E0E2Q&cr=922772326&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight2_14_33&cd=2XzuyEtN2Y1L1Qzu0AtDtB0B0BzzyDyC0AtCyDzz0DyBzyyDtN0D0Tzu0StCtDtByBtN1L2XzutAtFyDtFtCtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StDtBtB0ByE0EyC0FtG0AyDzytAtGyCtCyCtDtG0ByEyD0EtGyEtA0DtA0A0B0B0D0CyD0E0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyEyBtAtAzzzz0DtGtB0Azy0AtGyE0EtA0EtG0BtCzzyCtGtC0E0AyEtAyC0FtD0CyD0E0E2Q&cr=922772326&ir=
2015-04-01 20:04 - 2015-04-01 20:04 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d06ce0e9b4bd34.job
2015-04-01 20:04 - 2015-04-01 20:04 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-01 20:04 - 2015-04-01 20:04 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Google
2015-04-01 20:04 - 2015-04-01 20:04 - 00000000 ____D () C:\Program Files (x86)\Google
2015-04-01 20:03 - 2015-04-01 20:03 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Deployment
2015-04-01 20:03 - 2015-04-01 20:03 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Apps\2.0
2015-03-04 18:10 - 2015-04-01 13:54 - 00000000 ____D () C:\Users\Bryan\AppData\Local\9ef4d6cb-7267-4409-8f60-a911bfdd2bcd
2014-10-23 13:04 - 2014-10-23 13:04 - 0022528 _____ () C:\Users\Bryan\AppData\Local\3836968dsisetup38424372.exe
2014-12-21 12:10 - 2014-12-21 12:10 - 0000064 _____ () C:\Users\Bryan\AppData\Local\96c19848fb4b5725e3dad3b802ffd897
Task: {0A5C9ABA-14AD-4CCF-8CF9-88B773794F2D} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {0CF936A9-D2AF-4AAB-95F4-396DCA522C91} - System32\Tasks\PastaQuotes => C:\Program Files (x86)\pastaleads\ScheduledTask.exe <==== ATTENTION
Task: {3A3E6CEA-A401-4FFC-8DCC-D4EEBB5F8746} - System32\Tasks\f849be5d-9582-4f96-848b-1bc4d5f673c5-4 => C:\Program Files (x86)\Cinema-Plus-1.7cV15.10\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.exe <==== ATTENTION
Task: {47654925-0AB7-4CF4-9F5C-BA0C7B516003} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION
Task: {59D3B78F-C181-4DB4-B0F3-CF6CEE914968} - System32\Tasks\TidyNetwork Update => C:\Users\Bryan\AppData\Local\TidyNetwork\petnupdate.exe
Task: {72372FEB-188A-4A5F-B3D0-DD879E087A6E} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {8AB0A9C9-0F9D-4AA9-B0CA-5B4482233889} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION
Task: {EC424EB8-7BD6-4DD9-A4D7-E3ED365FD4C8} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.job => C:\Program Files (x86)\Cinema-Plus-1.7cV15.10\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.exe <==== ATTENTION
C:\Program Files (x86)\AnyProtectEx
C:\Program Files (x86)\pastaleads
C:\Program Files (x86)\Cinema-Plus-1.7cV15.10
C:\Program Files (x86)\Pro PC Cleaner
C:\Program Files (x86)\Google\Update\Install\{E3320EE0-0621-4FC4-A94A-D607ED0869A4}
C:\Program Files (x86)\GUM4329.tmp
C:\Users\Bryan\AppData\Local\Apps\2.0\5WLKRW4Q.PZ4
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”.
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.
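Added here as a defender’s check, not part of the thread or of FRST: a read-only PowerShell audit that reports the same classes of findings the fixlist above removes (the machine-wide proxy policy, a ProxyServer pointing at loopback, AppInit_DLLs entries whose file is missing, the Chrome policy key, and scheduled tasks launching from the folders named in the log). The registry paths are the standard Windows locations; the folder names it matches are assumptions taken from this log only, so adjust them for another machine.

```powershell
# Read-only audit of the indicators seen in this thread's FRST log. Nothing is changed.
function Test-ProxyHijack {
    $findings = @()

    # 1. Policy forcing a machine-wide proxy (ProxySettingsPerUser = 0), as in the log.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pspu = (Get-ItemProperty -Path $policy -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    if ($pspu -eq 0) { $findings += "Policy forces machine-wide proxy: $policy\ProxySettingsPerUser = 0" }

    # 2. HKLM / HKLM-x32 ProxyServer values that send traffic back to the local machine
    #    (the log showed http=127.0.0.1:49243;https=127.0.0.1:49243).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings') {
        $proxy = (Get-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue).ProxyServer
        if ($proxy -and $proxy -match '127\.0\.0\.1|localhost') { $findings += "Loopback proxy at $key : $proxy" }
    }

    # 3. AppInit_DLLs entries (64-bit and 32-bit views); an orphaned entry whose DLL is
    #    gone, like INTERE~2.DLL in the log, still marks a removed injector.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $dlls = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
        if ($dlls) {
            foreach ($dll in ($dlls -split '[;, ]' | Where-Object { $_ })) {
                $state = if (Test-Path -LiteralPath $dll.Trim('"')) { 'present' } else { 'File Not Found' }
                $findings += "AppInit_DLLs in $key : $dll ($state)"
            }
        }
    }

    # 4. Chrome locked down by a machine policy key (the GroupPolicy: line in the log).
    if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
        $findings += 'Chrome policy key present: HKLM\SOFTWARE\Policies\Google'
    }

    # 5. Scheduled tasks whose action runs from a user profile or from the adware
    #    folders named in this log (assumed names; extend the pattern as needed).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute -and $a.Execute -match 'AppData\\Local|AnyProtectEx|pastaleads|Cinema-Plus|Pro PC Cleaner') {
                $findings += "Task $($_.TaskName) runs $($a.Execute)"
            }
        }
    }
    return $findings
}

Test-ProxyHijack | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell before and after the fix; an empty result after the FRST reboot means none of these persistence points remain.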
2nd mbam log. Should I run the first fixlist you created or wait until you have a chance to update it with the second log?
Follow essexboy’s instructions and attach the requested logs.
When done you may run and attach a fresh FRST log. Essexboy will be back online tomorrow.
I also have an error when I open Chrome. Something about it being in quarantine. I will screenshot it the next time it occurs. That unknown error I posted went away, I think. Time will tell.
Chrome Error
Is the net now working ?
Could you run a fresh FRST scan please
The net is still popping up with the error and the icon has disappeared. It happened after I ran the fixlist. Here’s the latest FRST log.
Could you screenshot the error(s) please
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
2015-03-31 15:15 - 2014-10-15 12:30 - 00000000 ____D () C:\ProgramData\jnXRMmDZGP
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
Error
Fix Log
OK, it looks like the bad Chrome is still trying to run.
Download and run DelFix.
Select only “Remove disinfection tools”.
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
THEN
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.