Got a virus that is preventing malwarebytes from starting.


Got Windows Update and BITS started.

https://gyazo.com/5ff9a5f67d932e8b079781d612ad8545
 

There are some more services that are disabled that I'm not sure if I should enable or not.

Also, Windows Firewall is refusing to start in a similar fashion to how Windows Defender and Windows Security Center would not.

 

Edit: Obviously I needed to enable the Windows Firewall Service there, so that works now. But like I said I'm not sure about the others.

Edited by PileOfDough
I'm silly.

New problem:

Now that Windows Firewall is re-enabled, it is stopping some of my applications from working properly. For example, I tried starting League of Legends and it shows a process in Task Manager but opens no window on screen. After disabling Windows Firewall again it works perfectly.


I went ahead and ran the Windows Repair AIO again with the settings you advised me to use, and it seems to have fixed the issue. In addition, my computer seems to be running and loading applications just slightly faster now!

 

However, shortly after reboot, I got this popup:
https://gyazo.com/57bf5c1bf64ebea9a8653415c1d17cd6

I did not request any action and I have no idea what this could be from.


Ran the scan, text files attached.

Went through FRST.txt and found a bunch of stuff for Google Chrome. I don't use this anymore and have it uninstalled. Is there any way to remove these extensions, or whatever they are?

Chrome:
=======
CHR Profile: C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default [2017-03-05]
CHR Extension: (Google Slides) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-10-04]
CHR Extension: (Google Docs) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-10-04]
CHR Extension: (Google Drive) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-04]
CHR Extension: (YouTube) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-04]
CHR Extension: (Adobe Acrobat) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-01-25]
CHR Extension: (Google Sheets) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-10-04]
CHR Extension: (Google Docs Offline) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-10-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-25]
CHR Extension: (Gmail) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-10-04]
CHR Extension: (Chrome Media Router) - C:\Users\spart\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-26]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

I looked through the Addition.txt file as well and the task for PileOfDough monitor was still there. I removed it manually.

Also, I found this bit.
ATTENTION: System Restore is disabled
 

I manually re-enabled that as well.

FRST.txt

Addition.txt

Edited by PileOfDough
Forgot to attach the files. Derp

Sorry, I wasn't home yesterday, so I didn't have time to reply to your thread. I can delete all that with a FRST fix. But first, I just thought of something: restart your computer to get the prompt, leave it open, then open the Task Manager, right-click on the app name associated with it, and select Go to details. What's the associated process name, and where is the file located?


In that case let's try something else first.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the contents of the Autoruns.zip folder wherever you want, then go into the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File, then Save, and save the file to an easily accessible location as a .arn (Autoruns) file;
  • Upload the file to Dropbox, Google Drive or OneDrive and post the download URL for it here.

 

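The start-up collection the Autoruns steps above ask for can also be approximated from an elevated PowerShell prompt. The script below is an added example, not part of this thread or of Autoruns: it walks the Run/RunOnce keys, lists enabled scheduled tasks that execute from outside the Windows and Program Files folders (the kind of entry the "PileOfDough monitor" task was), and reports the start type of the security services this thread found disabled. The mapping of those display names to short service names and the report path are supplied here, not taken from the thread.

```powershell
# Added example (not from the thread or from Autoruns): collect the start-up
# information the Autoruns steps ask for, plus the state of the security
# services the thread found disabled. Run from an elevated PowerShell prompt.
$report = "$env:USERPROFILE\Desktop\startup-triage.txt"   # assumed output path

# 1. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {      # skip the PSPath/PSParentPath metadata
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Enabled scheduled tasks whose action runs from outside the Windows or
#    Program Files folders (the thread's "PileOfDough monitor" task is this kind)
$systemDirs = '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -notmatch $systemDirs) {
            [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }
}

# 3. Security services named in the thread: short service name -> display name
$securityServices = @{ wuauserv = 'Windows Update'; BITS = 'BITS'; WinDefend = 'Windows Defender'
                       wscsvc = 'Security Center'; MpsSvc = 'Windows Firewall' }
$svcState = foreach ($name in $securityServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ Service = $name; DisplayName = $securityServices[$name]
                           Status = $svc.Status; StartType = $svc.StartType }
    }
}

# Write one plain-text report that can be attached to a forum reply
@("== Run keys ==", ($runEntries | Format-Table -AutoSize | Out-String),
  "== Scheduled tasks outside system folders ==", ($tasks | Format-Table -AutoSize | Out-String),
  "== Security services ==", ($svcState | Format-Table -AutoSize | Out-String)) | Set-Content -Path $report
Write-Host "Report written to $report"
```

Any service in the last table whose StartType shows Disabled, or any Run entry or task pointing at a path under a user profile or temp folder, is what a helper would want to see first; the report is a starting point for review, not a verdict.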

Done, the file is linked, and I think these entries may be the cause of the popup.
https://gyazo.com/f32ab5e3b2ddb9d65c7ec2b990e7f879

Talking about the two entries for Winmail.exe.

 

Here is the file:
https://drive.google.com/open?id=0B6cB8jeHNfZad29mWkNpVDJjdnM

Edited by PileOfDough
Forgot the file again....

I apologize, I meant to post one last time before I left town for spring break and let you know I'd be away, but I forgot. I'll be back sometime tomorrow, though, and able to continue.

However, the confusion over Google Chrome was that I uninstalled it and my girlfriend reinstalled it at some point between then and now. (Apparently she prefers it over Firefox.)

Also, the email pop-up happened again.

Edited by PileOfDough
Typo