Windows 10 apps still blocked after malware removed


jasmr

Hi,

I am helping a friend who installed Windows 10 and then somehow became infected by a very pernicious attack.

Initially Malwarebytes (free version) which I had previously installed on his computer would not run. Nor would many other applications.

 

I managed to get Malwarebytes running using Chameleon from a cmd prompt as suggested on this forum.

 

After 3 or 4 runs no more infected objects were found or needed to be removed.

 

Many programs were now working but no "modern" apps. They gave an error like "This app can't open. Your trial period for this app has expired. Visit the Windows Store to purchase the full app. Go to the Store".

 

After disabling a number of startup applications which seemed to be masquerading as Skype (the user wasn't using Skype) and restarting I was then able to run Windows Defender which found and removed Trojan:Java/Adwind.G.

 

However none of the Modern Apps are able to start including the Windows 10 Settings App which gives the error message as shown above.

 

I have run FRST64 as suggested in this forum and attach the FRST.txt and Addition.txt files that were generated.

 

I would love some help with this problem.

 

Thanks

 

Addition.txt

FRST.txt


Forget this request... I could not wait any longer for a response so I did a reset without losing user data and the Apps are all working fine now. Just means I have to re-install some applications.

 

The question (for myself) is do I install Malwarebytes again or carry out yet another review of anti-virus programs to choose something else?

 

Malwarebytes looked quite promising there for a while! I was going to start recommending the pro version to my clients.

 

Windows Defender was the application that found and removed the Adware infection - Malwarebytes didn't seem to see it?


Hello jasmr, 
 

The question (for myself) is do I install Malwarebytes again or carry out yet another review of anti-virus programs to choose something else?

Malwarebytes Anti-Malware (MBAM) Free or Premium is not an Anti-Virus; nor is it a replacement for one. Whilst the Premium version of MBAM provides real-time protection, there are fundamental differences between MBAM and a standard, resident Anti-Virus. MBAM should be used in conjunction with an Anti-Virus; not as a replacement.


Malwarebytes' Anti-Malware (MBAM) is not an anti-virus application. It is an adjunct to an anti-virus application and not a replacement.

"Trojan:Java/Adwind.G" is a Java-based Remote Access Trojan (aka JRAT). Most variants of this JRAT do not work with the latest version of Oracle Java (v8).

As a Java-based trojan, it is not something that MBAM targets.

In its role as an adjunct, complementary anti-malware application, it has limitations in aspects that the anti-virus application performs in its role.

MBAM does not target script files. That means MBAM will not target JS, JSE, PY, HTML, VBS, VBE, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target document files such as PDF, DOC, DOCX, XLS, XLSX, PPT, PPS, ODF, etc.
It also does not target media files such as MP3, WMV, JPG, GIF, etc.

Until v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java JAR (which is a PKZip file), but it won't target the .CLASS files within. The same goes for CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and with self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries whose first two characters are "MZ".
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD or BAT, and they will still be targeted just as long as the binary starts with "MZ".

MBAM targets mainly non-viral malware. The exceptions are virus droppers (a malware file that drops a virus and starts a virus infection but is not infected with the virus) and worms (such as Internet worms and AutoRun worms).

MBAM is incapable of removing malicious code that has been prepended, appended or cavity-injected into a legitimate file. That means if a file-infecting virus infects a legitimate file, MBAM will be unable to remove the malicious code. An anti-virus application should be able to remove malicious code from an infected file and hopefully bring it back to its pre-infected state, which may or may not return the file to its original, non-infected checksum value.

A file-infecting virus will prepend, append or cavity-inject malicious code into a legitimate file. Once infected, that infected file can further the infection by infecting other legitimate files.

On the other hand, there are trojans that will prepend, append or cavity-inject malicious code into a legitimate file. However, that file cannot infect other files; the infection stops with that targeted file. These files are deemed to be either "trojanized" or "patched". Since MBAM cannot remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered file.

Where a traditional anti-virus application is weak, MBAM is strong. Today's malware is much more complex than 10 years ago. When we saw the Melissa virus (I-Worm via SMTP), the Lovsan/Blaster worm (I-Worm via RPC/RPCSS @ TCP port 135), etc., they were distributed for the effect, damage and bragging rights. Today's malware is more sophisticated in that it is "all about the money". Malicious actors use malware to profit from, either by stealing, distribution affiliation revenue, data exfiltration, personal identification impersonation, etc. To effect that, the malicious actors don't want the victim to know that their system was compromised, or they are so blatant about it by generating advertisements. Yesterday's malware was simple and less obtrusive. Today's malware is very intrusive and makes numerous modifications to the Operating System. Those numerous modifications to the Operating System are where the traditional anti-virus application does poorly and where MBAM specializes.

MBAM is not a historical anti-malware solution. That means it will not target old malware. Its intent is to target 0-day malware: malware that is infecting computers today, with malware found in the wild today. That means that something like BugBear, which infected years ago, will not be targeted by MBAM. Malwarebytes will actually cull their signature database for malware that is no longer seen in the wild today. It is why Malwarebytes requests that samples submitted for detection consideration be no older than 3 months old.

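To make the scoping rule from the post above concrete, here is an added Python example; it is my illustration, not Malwarebytes code, and it does not describe how MBAM is actually implemented. It classifies constructed sample files by content rather than by extension, checks for the PE signature behind the bare "MZ" magic (a bare "MZ" also matches 16-bit DOS programs and truncated stubs, so a scanner keying on the magic alone over-reports), and walks a constructed JAR in memory to show that the archive is opened but only a PE member inside it would fall in scope, not the .class file. Every file name and byte string here is made up.

```python
import io
import struct
import zipfile

# --- Constructed sample inputs (built inline; none of this is real malware) ---

def make_fake_pe(e_lfanew: int = 0x40) -> bytes:
    """Return a constructed byte string shaped like the start of a PE file:
    'MZ' at offset 0, the e_lfanew field at offset 0x3C, 'PE\\0\\0' at e_lfanew."""
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))     # DOS header up to e_lfanew
    header += struct.pack("<I", e_lfanew)                 # e_lfanew (little-endian DWORD)
    header += b"\x00" * (e_lfanew - len(header))          # DOS stub padding
    header += b"PE\x00\x00" + b"\x00" * 64                # NT signature + dummy headers
    return bytes(header)

SAMPLES = {
    "update.exe":  make_fake_pe(),                        # PE with an honest extension
    "holiday.jpg": make_fake_pe(e_lfanew=0x80),           # PE renamed to look like an image
    "notes.txt":   b"MZ" + b"\x00" * 200,                 # bare 'MZ', no PE signature
    "run.bat":     b"@echo off\r\nstart payload.exe\r\n",  # script: text, not a binary
    "Main.class":  b"\xca\xfe\xba\xbe" + b"\x00" * 32,    # Java class-file magic
}

def is_mz(data: bytes) -> bool:
    """The two-character test described in the post."""
    return data[:2] == b"MZ"

def is_pe(data: bytes) -> bool:
    """Stricter test: 'MZ' plus an e_lfanew that lands on 'PE\\0\\0'.
    An out-of-range e_lfanew yields a short slice and therefore False."""
    if not is_mz(data) or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Apply the scope rule from the post: a PE binary is in scope whatever it is
    named; scripts, class files and other non-PE content are out of scope."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe(data):
        return f"in-scope PE binary (extension .{ext} ignored)"
    if is_mz(data):
        return "MZ magic but no PE signature (DOS program or stub)"
    return "out-of-scope non-PE content"

def build_sample_jar() -> bytes:
    """Constructed JAR (a PKZip container): a manifest, a .class member, and a PE
    renamed as an image, so the archive walk has both kinds of member to see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", SAMPLES["Main.class"])
        zf.writestr("res/logo.png", SAMPLES["holiday.jpg"])
    return buf.getvalue()

def scan_archive(data: bytes) -> dict:
    """Unpack a ZIP/JAR in memory and report which members are PE binaries.
    Members are read into memory, not extracted, so nothing touches the disk."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits[info.filename] = is_pe(zf.read(info))
    return hits

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {classify(name, blob)}")
    print("JAR members:", scan_archive(build_sample_jar()))
```

Running it prints the renamed "holiday.jpg" as an in-scope PE binary, "notes.txt" as MZ-but-not-PE, and the script and class file as out of scope; the JAR walk flags only res/logo.png. A real scanner would go on to hash or signature-match the in-scope members and recurse into nested archives, which this example deliberately leaves out.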

Hi LiquidTension and David Lipman,

 

Thank you very much for your responses.

 

This clarifies many misunderstandings that I have had. I have used MBAM on a number of occasions to "fix" peoples computers without fully understanding what it had done.

I guess it is important to keep the "nasty" guys in the dark as much as possible.

 

I will now reconsider my recommended strategy for folks I help (mostly) pro-bono and seniors like myself. I'll let the "professionals" down the road help those able to pay. Although I am not confident many of them are any better informed than myself - often they appear less so from the mess that I see on some computers :-(.

 

Thanks once again
