Work Computer-No Internet

[REDACTED]

So I started back at my restaurant after leaving in October, Apparently the last chef was running no security on his new laptop they bought for him. It won't connect to the interwebz and says its running through a proxy server. When you tell it to automatically detect settings it will auto switch back to routing through the proxy server. I safemoded it and attempted repair with mbam. Its running the scan now but in the meantime I got the logs off it. I'll post mbam logs as soon as it's done.

[Pondus]

not important but it is best to run FRST after you have run Malwarebytes, in that case frst log will show what is left behind if MBAM found/removed anything

[REDACTED]

Logs. Mbam Log and updated frst log

[REDACTED]

I'll post the update mbam log after it's done running.

[essexboy]

Let me know if the networks is OK after the FRST reboot

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
AppInit_DLLs: C:\PROGRA~3\INTERE~1\INTERE~2.DLL => C:\PROGRA~3\INTERE~1\INTERE~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~3\intere~1\intere~1.dll => "c:\progra~3\intere~1\intere~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Policy Restriction on ProxySettings)
ProxyServer: [HKLM] => http=127.0.0.1:49243;https=127.0.0.1:49243
ProxyServer: [HKLM-x32] => http=127.0.0.1:49243;https=127.0.0.1:49243
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight2_14_33&cd=2XzuyEtN2Y1L1Qzu0AtDtB0B0BzzyDyC0AtCyDzz0DyBzyyDtN0D0Tzu0StCtDtByBtN1L2XzutAtFyDtFtCtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StDtBtB0ByE0EyC0FtG0AyDzytAtGyCtCyCtDtG0ByEyD0EtGyEtA0DtA0A0B0B0D0CyD0E0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyEyBtAtAzzzz0DtGtB0Azy0AtGyE0EtA0EtG0BtCzzyCtGtC0E0AyEtAyC0FtD0CyD0E0E2Q&cr=922772326&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight2_14_33&cd=2XzuyEtN2Y1L1Qzu0AtDtB0B0BzzyDyC0AtCyDzz0DyBzyyDtN0D0Tzu0StCtDtByBtN1L2XzutAtFyDtFtCtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StDtBtB0ByE0EyC0FtG0AyDzytAtGyCtCyCtDtG0ByEyD0EtGyEtA0DtA0A0B0B0D0CyD0E0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyEyBtAtAzzzz0DtGtB0Azy0AtGyE0EtA0EtG0BtCzzyCtGtC0E0AyEtAyC0FtD0CyD0E0E2Q&cr=922772326&ir=
2015-04-01 20:04 - 2015-04-01 20:04 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d06ce0e9b4bd34.job
2015-04-01 20:04 - 2015-04-01 20:04 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-01 20:04 - 2015-04-01 20:04 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Google
2015-04-01 20:04 - 2015-04-01 20:04 - 00000000 ____D () C:\Program Files (x86)\Google
2015-04-01 20:03 - 2015-04-01 20:03 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Deployment
2015-04-01 20:03 - 2015-04-01 20:03 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Apps\2.0
2015-03-04 18:10 - 2015-04-01 13:54 - 00000000 ____D () C:\Users\Bryan\AppData\Local\9ef4d6cb-7267-4409-8f60-a911bfdd2bcd
2014-10-23 13:04 - 2014-10-23 13:04 - 0022528 _____ () C:\Users\Bryan\AppData\Local\3836968dsisetup38424372.exe
2014-12-21 12:10 - 2014-12-21 12:10 - 0000064 _____ () C:\Users\Bryan\AppData\Local\96c19848fb4b5725e3dad3b802ffd897
Task: {0A5C9ABA-14AD-4CCF-8CF9-88B773794F2D} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {0CF936A9-D2AF-4AAB-95F4-396DCA522C91} - System32\Tasks\PastaQuotes => C:\Program Files (x86)\pastaleads\ScheduledTask.exe <==== ATTENTION
Task: {3A3E6CEA-A401-4FFC-8DCC-D4EEBB5F8746} - System32\Tasks\f849be5d-9582-4f96-848b-1bc4d5f673c5-4 => C:\Program Files (x86)\Cinema-Plus-1.7cV15.10\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.exe <==== ATTENTION
Task: {47654925-0AB7-4CF4-9F5C-BA0C7B516003} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION
Task: {59D3B78F-C181-4DB4-B0F3-CF6CEE914968} - System32\Tasks\TidyNetwork Update => C:\Users\Bryan\AppData\Local\TidyNetwork\petnupdate.exe
Task: {72372FEB-188A-4A5F-B3D0-DD879E087A6E} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {8AB0A9C9-0F9D-4AA9-B0CA-5B4482233889} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION
Task: {EC424EB8-7BD6-4DD9-A4D7-E3ED365FD4C8} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.job => C:\Program Files (x86)\Cinema-Plus-1.7cV15.10\f849be5d-9582-4f96-848b-1bc4d5f673c5-4.exe <==== ATTENTION
C:\Program Files (x86)\AnyProtectEx
C:\Program Files (x86)\pastaleads
C:\Program Files (x86)\Cinema-Plus-1.7cV15.10
C:\Program Files (x86)\Pro PC Cleaner
C:\Program Files (x86)\Google\Update\Install\{E3320EE0-0621-4FC4-A94A-D607ED0869A4}
C:\Program Files (x86)\GUM4329.tmp
C:\Users\Bryan\AppData\Local\Apps\2.0\5WLKRW4Q.PZ4
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S0].txt as well.
  

[REDACTED]

2nd mbam log. Should I run the first fixlist you created or wait until you have a chance to update it with the second log?

[Pondus]

Follow essexboys instructions and attach requested logs

When done you may run and attach a fresh frst log.   Essexboy  will be back online tomorrow

[REDACTED]

I also have an error when I open chrome. Something about it being in quarantine. I will screenshot it next time it occurs. That unknown error I posted went away *I think*. Time will tell.

[REDACTED]

Chrome Error

[essexboy]

Is the net now working ? 

Could you run a fresh FRST scan please

[REDACTED]

The net is still popping up with the error and the icon is disappeared. It happened after I ran the fixlist. Here's the latest FRST log.

[essexboy]

Could you screenshot the error(s) please

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
2015-03-31 15:15 - 2014-10-15 12:30 - 00000000 ____D () C:\ProgramData\jnXRMmDZGP
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

Error

[REDACTED]

Fix Log

[essexboy]

OK it looks like the bad chrome is still trying to run

Download and run Delfix
Select only remove disinfection tools


THEN

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Select  additions at the bottom
• Press Scan button.
  
  
• It will produce a log called FRST.txt in the same directory the tool is run from. 
  
• Please attach both logs generated.