Windows 10: Cannot login to Microsoft account, cortana, open edge, weather, store Solved

  1.    24 Jan 2017 #1

    Cannot login to Microsoft account, cortana, open edge, weather, store

    I have been using Windows 10 for just over a year (a recent convert from Mac OS). I hope you guys can help me out.

    I recently got infected with 3 trojans. Bitdefender picked them up and quarantined them, but after every reboot they came back. So I downloaded Malwarebytes, which not only quarantined them effectively but also identified several more that Bitdefender had not picked up. Now everything is fine except for the following issues:

    I cannot log on to my Microsoft account, cannot open Store, use Cortana, Edge does not open, and the Weather app and Xbox do not open. I gave Microsoft remote access, but after several hours they came to the conclusion that system restore is the only option. I'd like to avoid that, since then I will lose my MS Office, for which I don't have the original key anymore.

    I have myself tried almost every trick mentioned on the internet - PowerShell, sfc /scannow - but to no avail. If I create another user, I can log on to my Microsoft account from Settings, but Store, Edge, Cortana, Weather, Xbox still do not open. Disabling Malwarebytes, Bitdefender or the ZoneAlarm firewall does not help either.

    I thought I'd post the Malwarebytes quarantine file here to see which registry key is causing this. I deleted the quarantined files, so unfortunately I cannot restore them. Please, any help will be appreciated. Thanks

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 1
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076

    Registry Key: 9
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\GeekBuddyRSP, Quarantined, [2245], [362758],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SYSTEM\SOFTWARE\COMODO\CLPS 4, Quarantined, [2245], [342292],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.GeekBuddy, HKLM\SOFTWARE\WOW6432NODE\GeekBuddyRSP, Quarantined, [2245], [342277],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\csastats, Quarantined, [8], [260986],1.0.1076
    PUP.Optional.InstallCore, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\ICSW1.19, Quarantined, [8], [239562],1.0.1076
    Adware.NowUSeeIt, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\NowUSeeItPlayer, Quarantined, [17727], [251334],1.0.1076

    Registry Value: 13
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{3BA2EC9D-6173-450B-94C1-57EB50AB759B}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{524d1028-18e5-414b-b165-9a2f1eb0bcbe}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{58c88c07-ecd3-461e-bbbd-29b52d4b4f9c}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8ba764f4-9314-4c3c-8767-0f7349d9e3cd}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8c550166-f6a5-424b-bf91-faf0572aa982}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{afcd33ed-dd38-4deb-96ea-91e179e167c3}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|NameServer, Replaced, [46], [-1],0.0.0
    PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{ddb5be6a-89ba-4ecd-aed0-2af67c98a7fc}|DhcpNameServer, Replaced, [46], [-1],0.0.0
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4CC123-9FE4-4CCA-98E7-B4A034F33C86}|PATH, Quarantined, [822], [361812],1.0.1076
    PUP.Optional.ProductSetup, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\PRODUCTSETUP|TB, Quarantined, [17127], [242047],1.0.1076
    PUP.Optional.WebBar, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|WBMAIN.EXE, Quarantined, [4306], [259463],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 4
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-1743-1, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.DNSUnlocker.ACMB2, C:\PROGRAMDATA\57c1b535-2ed3-0, Quarantined, [46], [182288],1.0.1076
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3, Quarantined, [822], [361811],1.0.1076

    File: 4
    PUP.Optional.WebBar, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\WEBBAR\WB.LOG, Quarantined, [4306], [244762],1.0.1076
    Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\ProgramData\1a5y2r3\169.tmp, Quarantined, [822], [361811],1.0.1076
    Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\1a5y2r3, Quarantined, [822], [361824],1.0.1076

    Physical Sector: 0
    (No malicious items detected)


    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}, Quarantined, [822], [361812],1.0.1076

    Registry Value: 1
    Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA9F595B-7E22-44A8-AAF0-2A9B2EB5A226}|PATH, Quarantined, [822], [361812],1.0.1076

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    Trojan.Agent.Generic, C:\WINDOWS\TASKS\1A5Y2R3.JOB, Quarantined, [822], [361821],1.0.1076

    Physical Sector: 0
    (No malicious items detected)

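An added example, not part of the thread and not Malwarebytes code: a small Python triage of a scan log in the format posted above. It groups entries by the persistence or configuration mechanism they touch and checks each section's declared count against the lines present. The mechanism rules and the function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the scan log posted above; section counts adjusted to the excerpt.
SAMPLE_LOG = r"""
Registry Key: 1
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1a5y2r3, Quarantined, [822], [361818],1.0.1076
Registry Value: 2
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [46], [-1],0.0.0
PUP.Optional.WebBar, HKU\S-1-5-21-2729831988-1437708180-221547350-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|WBMAIN.EXE, Quarantined, [4306], [259463],1.0.1076
File: 2
Trojan.Agent.Generic, C:\PROGRAMDATA\1a5y2r3\1a5y2r3.dll, Quarantined, [822], [361811],1.0.1076
Trojan.Agent.Generic, C:\WINDOWS\TASKS\1A5Y2R3.JOB, Quarantined, [822], [361821],1.0.1076
"""

HEADER = re.compile(r"^(Process|Module|Registry Key|Registry Value|Data Stream"
                    r"|Folder|File|Physical Sector): (\d+)$")
ENTRY = re.compile(r"^(?P<name>[^,]+), (?P<obj>.+?), (?P<action>\w+), \[")

# Assumed triage rules written for this example (not Malwarebytes' own categories).
RULES = [
    ("scheduled task", re.compile(
        r"\\SCHEDULE\\TASKCACHE\\|\\SYSTEM32\\TASKS\\|\\WINDOWS\\TASKS\\", re.I)),
    ("dns settings", re.compile(r"\\TCPIP\\PARAMETERS.*\|(Dhcp)?NameServer$", re.I)),
    ("browser setting", re.compile(r"FEATURE_BROWSER_EMULATION", re.I)),
]

def parse_log(text):
    """Return (entries, sections whose declared count differs from the lines seen)."""
    entries, declared, section = [], Counter(), None
    for line in map(str.strip, text.splitlines()):
        if (h := HEADER.match(line)):
            section = h.group(1)
            declared[section] += int(h.group(2))  # logs may hold several scans
        elif section and (e := ENTRY.match(line)):
            mech = next((m for m, rx in RULES if rx.search(e["obj"])), "other")
            entries.append({"section": section, "detection": e["name"], "mechanism": mech,
                            "object": e["obj"], "action": e["action"]})
    seen = Counter(e["section"] for e in entries)
    return entries, [s for s, n in declared.items() if seen[s] != n]

def summarize(entries):
    # Count entries per (mechanism, detection, action) for a quick triage view.
    return Counter((e["mechanism"], e["detection"], e["action"]) for e in entries)

if __name__ == "__main__":
    entries, mismatched = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(entries).items()):
        print(n, *key, sep="\t")
    print("count mismatches:", mismatched or "none")
```

A non-empty mismatch list means the pasted log is incomplete or was edited, which is worth knowing before drawing conclusions from it.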

  2. AndreTen    24 Jan 2017 #2

    Hi mab5555 and welcome to Ten Forums.

    Maybe some expert will comment on those infections later. But with a mess like this, a clean install is almost always the best solution.
    If the Office key is the only drawback, try Speccy or Belarc Advisor; they usually provide the original keys of installed software.

    One thing I don't quite get... System restore is like a system backup and Office should stay intact, but it is difficult to predict the exact time of infection and pick the correct restore point.

    Another possible solution is a so-called in-place upgrade (tutorial link). Download the ISO of Windows 10 from the MS site and let the setup run. The ISO should be of the same language as your current install.

    If you want to be able to restore your current Windows install (if anything gets lost), make a system backup with Macrium Reflect Free.

  3.    24 Jan 2017 #3

    A system restore may bring back malware. Can you do all our scans and post the results? PCHF System Scans

  4. Bree    25 Jan 2017 #4

    mab5555 said:
    I cannot log on to microsoft account, cannot open store, use cortana, edge does not open, and weather app and Xbox do not open.
    The common factor is that those are all Modern Windows Apps. How about Calculator? That's another one. There's a Tutorial on re-registering them...
    Apps - Reinstall and Re-register in Windows 8 and 10

    ...but the repair install in @AndreTen's link would probably be the better option.

  5.    25 Jan 2017 #5

    After the latest Windows 10 update everything is working fine. Can't believe that was the issue.

    The original source of these trojans was local CDs of SPSS and EndNote that cost like a dollar, whereas the original SPSS and EndNote are close to 100-300. Greed got the better of me. It's not worth it. Well, lesson learnt.

    One thing is for sure: Malwarebytes is hands down the best anti-malware software. During this saga I tried HitmanPro, CCleaner, Kaspersky, and even Bitdefender couldn't clean completely. Malwarebytes rocks.
    Last edited by mab5555; 25 Jan 2017 at 02:43.

  6.    25 Jan 2017 #6


    Just to make sure that the system is clean, try using the Zemana AntiMalware Download
    Double-click on the file Zemana.AntiMalware.Setup.exe to install.
    When the program starts you are presented with a Setup screen, click: Next
    Follow the prompts to install.

    Once Zemana AntiMalware starts, click: Scan

    When Zemana AntiMalware is finished, it displays a list of all the items found (if any are present).
    Click on Next to remove the malicious files from your computer.
    A reboot may be required to remove malware.

    Click the Graph icon (far upper right), highlight the applicable log file, and then click: Open Report
    Please attach the notepad text file for review.

  7.    25 Jan 2017 #7

    Thanks, I tried Zemana. It gave a clean bill :)

    The thing seems a false alarm because it's a very reputable website. Thank you for all the help. This is my favorite Windows 10 website now :)

    Detected Objects

    Firefox Homepage
    Status : Scanned
    Object :
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Homepage

    Cleaning Result
    Cleaned : 1
    Reported as safe : 0
    Failed : 0


