Cannot login to Microsoft account, cortana, open edge, weather, store


  1. Posts : 6
    windows 10
       #1


    Hello,
    I have been using Windows 10 for just over a year (a recent convert from mac OS). I hope you guys can help me out.

    I recently got infected with 3 trojans. Bitdefender picked them up and quarantined them, but after every reboot they came back. So I downloaded Malwarebytes, which not only quarantined them effectively but also identified several more that Bitdefender had not picked up. Now everything is fine except for the following issues:

    I cannot log on to my Microsoft account, cannot open Store, cannot use Cortana, Edge does not open, and the Weather app and Xbox do not open. I gave Microsoft remote access, but after several hours they came to the conclusion that system restore is the only option. I'd like to avoid that since then I will lose my MS Office, for which I don't have the original key anymore.

    I have myself tried almost every trick mentioned on the internet - PowerShell, sfc/scannow - but to no avail. If I create another user, I can log on to my Microsoft account from Settings, but Store, Edge, Cortana, Weather and Xbox still do not open. Disabling Malwarebytes, Bitdefender or the ZoneAlarm firewall does not help either.

    I thought I'd post the Malwarebytes quarantine file here to see which registry key is causing this. I deleted the quarantined files so unfortunately cannot restore. Please, any help will be appreciated. Thanks

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 1
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076

    Registry Key: 9
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\GeekBuddyRSP, Quarantined, [2245], [362758],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\SOFTWARE\COMODO\CLPS 4, Quarantined, [2245], [342292],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SOFTWARE\WOW6432NODE\GeekBuddyRSP, Quarantined, [2245], [342277],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\csastats, Quarantined, [8], [260986],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\ICSW1.19, Quarantined, [8], [239562],1.0.1076
    Adware.NowUSeeIt, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\NowUSeeItPlayer, Quarantined, [17727], [251334],1.0.1076

    Registry Value: 13
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{3BA2EC9D-6173-450B-94C1-57EB50AB759B}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{524d1028-18e5-414b-b165-9a2f1eb0bcbe}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{58c88c07-ecd3-461e-bbbd-29b52d4b4f9c}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8ba764f4-9314-4c3c-8767-0f7349d9e3cd}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8c550166-f6a5-424b-bf91-faf0572aa982}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{afcd33ed-dd38-4deb-96ea-91e179e167c3}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|DhcpNameServer, Replaced, [46], [-1],0.0.0
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}|PATH, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP|TB, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.WebBar, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|WBMAIN.EXE, Quarantined, [4306], [259463],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 4
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-1743-1, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-2ed3-0, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3, Quarantined, [822], [361811],1.0.1076

    File: 4
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR\WB.LOG, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\ProgramData\1a5y2r3\169.tmp, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\1a5y2r3, Quarantined, [822], [361824],1.0.1076

    Physical Sector: 0
    (No malicious items detected)

    (end)

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}, Quarantined, [822], [361812],1.0.1076

    Registry Value: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}|PATH, Quarantined, [822], [361812],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    Trojan.Agent.Generic, C:\WINDOWS\TASKS\1A5Y2R3.JOB, Quarantined, [822], [361821],1.0.1076

    Physical Sector: 0
    (No malicious items detected)

    (end)
      My Computer
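An added example, not part of any post in this thread: a small Python parser for the Malwarebytes log layout posted above. It groups detections by where they live, so the Task Scheduler artifacts (the `TASKCACHE` keys and the `SYSTEM32\TASKS` and `WINDOWS\TASKS` files, which are where Windows keeps scheduled tasks) and the replaced DNS server values stand out from the rest. The function names and bucket labels are assumptions of this example, not Malwarebytes terms.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the log in the post above.
# Bucket names used below are this example's own labels.
SAMPLE_LOG = r"""
Registry Key: 9
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
Registry Value: 13
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
File: 4
Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\1a5y2r3, Quarantined, [822], [361824],1.0.1076
Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
"""

SECTION = re.compile(r"^(Process|Module|Registry Key|Registry Value|"
                     r"Data Stream|Folder|File|Physical Sector): \d+$")
ENTRY = re.compile(r"^(?P<name>[^,]+), (?P<loc>.+), (?P<action>\w+), "
                   r"\[-?\d+\], \[-?\d+\],[\d.]+$")

def parse_log(text):
    section, entries = None, []
    for line in map(str.strip, text.splitlines()):
        head = SECTION.match(line)
        if head:
            section = head.group(1)
            continue
        m = ENTRY.match(line)
        if m and section:
            key, _, value = m["loc"].partition("|")  # registry values: key|value
            entries.append({"section": section, "name": m["name"],
                            "location": key, "value": value, "action": m["action"]})
    return entries

def classify(entry):
    loc = entry["location"].upper()
    if ("\\SCHEDULE\\TASKCACHE\\" in loc or "\\SYSTEM32\\TASKS\\" in loc
            or loc.startswith("C:\\WINDOWS\\TASKS\\")):
        return "scheduled-task"   # Task Scheduler registration or task file
    if ("\\SERVICES\\TCPIP\\PARAMETERS" in loc
            and entry["value"].upper() in ("NAMESERVER", "DHCPNAMESERVER")):
        return "dns-setting"      # DNS servers configured for the TCP/IP stack
    return "other"

def triage(text):
    groups = defaultdict(list)
    for e in parse_log(text):
        groups[classify(e)].append(e)
    return dict(groups)
```

Calling `triage()` on the full text of a saved log returns the same three buckets for every section of the report.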


  2. Posts : 30,591
    Windows 10 (Pro and Insider Pro)
       #2

    Hi mab5555 and welcome to Ten Forums.

    Maybe some expert will comment on those infections later. But with a mess like this, a clean install is almost always the best solution.
    If the Office key is the only drawback, try Speccy or Belarc Advisor; they usually provide the original keys of installed software.

    One thing I don't quite get... System restore is like system backup and Office should stay intact, but it is difficult to predict exact time of infection and pick correct restore point.

    Another possible solution is a so-called in-place upgrade (tutorial link). Download the ISO of Windows 10 from the MS site and let the setup run. The ISO should be of the same language as your current install.

    If you want to be able to restore your current Windows install (if anything gets lost), make a system backup with Macrium Reflect Free.
      My Computers


  3. Posts : 8,102
    windows 10
       #3

    A system restore may bring back malware. Can you do all our scans and post the results: PCHF System Scans
      My Computer


  4. Posts : 31,622
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #4

    mab5555 said:
    I cannot log on to microsoft account, cannot open store, use cortana, edge does not open, and weather app and Xbox do not open.
    The common factor is that those are all Modern Windows Apps. How about Calculator? That's another one. There's a Tutorial on re-registering them...
    Apps - Reinstall and Re-register in Windows 8 and 10

    ...but the repair install in @AndreTen's link would probably be the better option.
      My Computers


  5. Posts : 6
    windows 10
    Thread Starter
       #5

    After the latest Windows 10 update everything is working fine. Can't believe that was the issue.

    The original source of these trojans was local CDs of SPSS and EndNote that cost like a dollar, whereas the original SPSS and EndNote are close to 100-300. Greed got the better of me. It's not worth it. Well, lesson learnt.

    One thing is for sure: Malwarebytes is hands down the best antimalware software. During this saga I tried HitmanPro, CCleaner and Kaspersky, and even Bitdefender couldn't clean completely. Malwarebytes rocks.
    Last edited by mab5555; 25 Jan 2017 at 02:43.
      My Computer


  6. Posts : 579
    Windows 10 Home
       #6

    mab5555,

    Just to make sure that the system is clean, try using the Zemana AntiMalware Download
    Double-click on the file Zemana.AntiMalware.Setup.exe to install.
    When the program starts you are presented with a Setup screen, click: Next
    Follow the prompts to install.

    Once Zemana AntiMalware starts, click: Scan


    When Zemana AntiMalware is finished it displays a list of all the items found. (If any is present)
    Click on Next to remove the malicious files from your computer.
    A reboot may be required to remove malware.

    Click the Graph icon (far upper right), highlight the applicable log file, and then click: Open Report
    Please attach the notepad text file for review.
      My Computer


  7. Posts : 6
    windows 10
    Thread Starter
       #7

    Thanks, I tried Zemana. It gave a clean bill :)

    The pubmed.com thing seems a false alarm because it's a very reputable website. Thank you for all the help. This is my favorite Windows 10 website now :)

    Detected Objects
    -------------------------------------------------------

    Firefox Homepage
    Status : Scanned
    Object : pubmed.com
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Homepage


    Cleaning Result
    -------------------------------------------------------
    Cleaned : 1
    Reported as safe : 0
    Failed : 0
      My Computer


  8. Posts : 579
    Windows 10 Home
       #8

      My Computer


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.