1.    24 Jan 2017 #1
    Join Date : Jan 2017
    Posts : 6
    windows 10

    Cannot login to Microsoft account, cortana, open edge, weather, store


    Hello,
    I have been using Windows 10 for just over a year (a recent convert from macOS). I hope you guys can help me out.

    I recently got infected with 3 trojans. Bitdefender picked them up and quarantined them, but after every reboot they came back. So I downloaded Malwarebytes, which not only quarantined them effectively but also identified several more that Bitdefender had not picked up. Now everything is fine except for the following issues:

    I cannot log on to my Microsoft account, cannot open Store or use Cortana, Edge does not open, and the Weather app and Xbox do not open. I gave Microsoft remote access, but after several hours they came to the conclusion that system restore is the only option. I'd like to avoid that since then I will lose my MS Office, for which I don't have the original key anymore.

    I have myself tried almost every trick mentioned on the internet (PowerShell, sfc /scannow) but to no avail. If I create another user, I can log on to my Microsoft account from Settings, but Store, Edge, Cortana, Weather and Xbox still do not open. Disabling Malwarebytes, Bitdefender or the ZoneAlarm firewall does not help either.

    I thought I'd post the Malwarebytes quarantine file here to see which registry key is causing this. I deleted the quarantined files, so unfortunately I cannot restore them. Any help will be appreciated. Thanks

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 1
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076

    Registry Key: 9
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\GeekBuddyRSP, Quarantined, [2245], [362758],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\SOFTWARE\COMODO\CLPS 4, Quarantined, [2245], [342292],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SOFTWARE\WOW6432NODE\GeekBuddyRSP, Quarantined, [2245], [342277],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\csastats, Quarantined, [8], [260986],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\ICSW1.19, Quarantined, [8], [239562],1.0.1076
    Adware.NowUSeeIt, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\NowUSeeItPlayer, Quarantined, [17727], [251334],1.0.1076

    Registry Value: 13
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{3BA2EC9D-6173-450B-94C1-57EB50AB759B}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{524d1028-18e5-414b-b165-9a2f1eb0bcbe}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{58c88c07-ecd3-461e-bbbd-29b52d4b4f9c}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8ba764f4-9314-4c3c-8767-0f7349d9e3cd}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8c550166-f6a5-424b-bf91-faf0572aa982}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{afcd33ed-dd38-4deb-96ea-91e179e167c3}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|DhcpNameServer, Replaced, [46], [-1],0.0.0
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}|PATH, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP|TB, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.WebBar, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|WBMAIN.EXE, Quarantined, [4306], [259463],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 4
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-1743-1, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-2ed3-0, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3, Quarantined, [822], [361811],1.0.1076

    File: 4
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR\WB.LOG, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\ProgramData\1a5y2r3\169.tmp, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\1a5y2r3, Quarantined, [822], [361824],1.0.1076

    Physical Sector: 0
    (No malicious items detected)

    (end)

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}, Quarantined, [822], [361812],1.0.1076

    Registry Value: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}|PATH, Quarantined, [822], [361812],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    Trojan.Agent.Generic, C:\WINDOWS\TASKS\1A5Y2R3.JOB, Quarantined, [822], [361821],1.0.1076

    Physical Sector: 0
    (No malicious items detected)

    (end)
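A small triage helper for the Malwarebytes Scan Details format quoted above (an added example, my own code, not the poster's and not from Malwarebytes): it parses each detection line into a record and, per threat name, flags objects that sit in scheduled-task locations or in TCP/IP NameServer values, the two kinds of entries in the post's log that explain re-appearance after reboot and DNS redirection. The regexes, the marker list and the category names are assumptions derived from the lines in the post; the sample log is a constructed subset of them.

```python
import re

# Constructed sample: a subset of the Scan Details lines quoted in the post,
# kept in the same "name, object, action, [rule], [id],db" layout.
SAMPLE_LOG = r"""
Registry Key: 2
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
PUP.Optional.GeekBuddy, HKLM\SOFTWARE\WOW6432NODE\GeekBuddyRSP, Quarantined, [2245], [342277],1.0.1076
Registry Value: 1
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
File: 2
Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
Trojan.Agent.Generic, C:\WINDOWS\TASKS\1A5Y2R3.JOB, Quarantined, [822], [361821],1.0.1076
"""

# Section header ("Registry Key: 9") and detection line layouts, inferred from the post.
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<object>.+), (?P<action>\w+), "
    r"\[(?P<rule>-?\d+)\], \[(?P<obj_id>-?\d+)\],(?P<db>[\d.]+)$"
)

# Object locations worth flagging: scheduled-task storage (persistence that
# re-drops files after a reboot) and TCP/IP resolver settings (DNS redirection).
# Assumed markers chosen from the paths in the post, not a Malwarebytes list.
MARKERS = {
    "scheduled task": (r"\\SCHEDULE\\TASKCACHE\\", r"\\WINDOWS\\TASKS\\", r"\\SYSTEM32\\TASKS\\"),
    "dns hijack": (r"\\TCPIP\\PARAMETERS.*\|(DHCP)?NAMESERVER$",),
}


def parse_scan_details(text):
    """Return one dict per detection line, tagged with its section category."""
    records, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            category = m.group("category")
        elif (m := DETECTION_RE.match(line)) and category:
            records.append({**m.groupdict(), "category": category})
    return records


def triage(records):
    """Count objects per threat name and record which markers its objects hit."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["name"], {"objects": 0, "flags": set()})
        entry["objects"] += 1
        obj = rec["object"].upper()  # registry paths in the log mix cases
        for flag, patterns in MARKERS.items():
            if any(re.search(p, obj) for p in patterns):
                entry["flags"].add(flag)
    return summary
```

Run over the full log from the post, the Trojan.Agent.Generic entries are the only ones that touch scheduled-task locations, which is the detail to check for when a quarantined file keeps returning.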
  2.    24 Jan 2017 #2
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,971
    Windows 10 (Pro and Insider Pro)

    Hi mab5555 and welcome to Ten Forums.

    Maybe some expert will comment on those infections later. But with a mess like this, a clean install is almost always the best solution.
    If the Office key is the only drawback, try Speccy or Belarc Advisor; they usually provide the original keys of installed software.

    One thing I don't quite get... System restore is like a system backup and Office should stay intact, but it is difficult to predict the exact time of infection and pick the correct restore point.

    Another possible solution is the so-called in-place upgrade (tutorial link). Download the Windows 10 ISO from the MS site and let the setup run. The ISO should be of the same language as your current install.

    If you want to be able to restore your current Windows install (if anything gets lost), make a system backup with Macrium Reflect Free.
  3.    24 Jan 2017 #3
    Join Date : Jul 2016
    Crewe Cheshire
    Posts : 1,462
    windows 10

    A system restore may bring back malware. Can you do all our scans and post the results: PCHF System Scans
  4.    25 Jan 2017 #4
    Join Date : Aug 2016
    S/E England
    Posts : 4,524
    10 Home x64 (1709) (10 Pro on 2nd pc)

    Quote Originally Posted by mab5555 View Post
    I cannot log on to microsoft account, cannot open store, use cortana, edge does not open, and weather app and Xbox do not open.
    The common factor is that those are all Modern Windows Apps. How about Calculator? That's another one. There's a Tutorial on re-registering them...
    Apps - Reinstall and Re-register in Windows 8 and 10

    ...but the repair install in @AndreTen's link would probably be the better option.
  5.    25 Jan 2017 #5
    Join Date : Jan 2017
    Posts : 6
    windows 10
    Thread Starter

    After the latest Windows 10 update everything is working fine. Can't believe that was the issue.

    The original source of these trojans was local CDs of SPSS and EndNote that cost like a dollar, whereas the original SPSS and EndNote are close to 100-300. Greed got the better of me. It's not worth it. Well, lesson learnt.

    One thing is for sure: Malwarebytes is hands down the best anti-malware software. During this saga I tried HitmanPro, CCleaner, Kaspersky, and even Bitdefender couldn't clean completely. Malwarebytes rocks.
    Last edited by mab5555; 25 Jan 2017 at 02:43.
  6.    25 Jan 2017 #6
    Join Date : Aug 2016
    Posts : 553
    Windows 10 Home

    mab5555,

    Just to make sure that the system is clean, try using Zemana AntiMalware: Download
    Double-click on the file Zemana.AntiMalware.Setup.exe to install.
    When the program starts you are presented with a Setup screen; click: Next
    Follow the prompts to install.

    Once Zemana AntiMalware starts, click: Scan


    When Zemana AntiMalware is finished, it displays a list of all the items found (if any are present).
    Click on Next to remove the malicious files from your computer.
    A reboot may be required to remove malware.

    Click the Graph icon (far upper right), highlight the applicable log file, and then click: Open Report
    Please attach the notepad text file for review.
  7.    25 Jan 2017 #7
    Join Date : Jan 2017
    Posts : 6
    windows 10
    Thread Starter

    Thanks, I tried Zemana. It gave a clean bill.

    The pubmed.com thing seems a false alarm because it's a very reputable website. Thank you for all the help. This is my favorite Windows 10 website now.

    Detected Objects
    -------------------------------------------------------

    Firefox Homepage
    Status : Scanned
    Object : pubmed.com
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Homepage


    Cleaning Result
    -------------------------------------------------------
    Cleaned : 1
    Reported as safe : 0
    Failed : 0
  8.    25 Jan 2017 #8
    Join Date : Aug 2016
    Posts : 553
    Windows 10 Home
