Jump to content

Vista desktop keeps rearranging after removing malware

Recommended Posts

I'm using MalwareBytes, installed via mbam-setup-, on Vista Home Premium (64 bit).


I've been working at this for 4 days to fix the problem and find out what triggered it.  Finally narrowed it down to removing FreeMake video converter from desktop using MalwareBytes.  MBAM had found PUP.Optional.OpenCandy in this file (the executable rather than a shortcut was on my desktop).  I had installed MBAM (free version) and launched it from the installer.  Next restart of Vista, the desktop icons were rearranged.  The only way I found to stop this was a System Restore, which of course removed MBAM and restored the offending file.


Since I'd launched MalwareBytes from the installer, I wanted to see whether just installing the program triggered the problem.  I installed it again without launching it - no problem.  Then I right-clicked on FreeMake and analyzed it with the 3 anti-malware programs now on the machine: Webroot, ESET and MalwareBytes.  MalwareBytes was the only one that found the bad guy.  I canceled out of MalwareBytes without removing the file, then terminated (via the key sequence in Start Menu) and restarted (via Task Manager) Explorer.exe.  Icons did not rearrange.  This time, I deleted FreeMake from the desktop manually, then ran CCleaner to check the registry.  I removed one entry that referenced the executable on the desktop.  Everything seems to be working now.


A year ago (roughly), I had installed a 3rd party extension, LAYOUT.DLL and its companion LAYOUT.REG to combat this stubborn behavior of Vista, which would happen even if I had auto-arrange turned off.  It has worked for me ever since until this happened, and seems to be working again.


I haven't found any posts about others encountering this, so I guess I'm unique.  Question is, why did this happen, and other question is, is it likely to happen again?  Also, just in case someone here can answer the question, where does Vista save the desktop layout info?

Link to post
Share on other sites

Hello and :welcome:

MBAM will not mess with your layout on the desktop. You can try the steps below and provide the logs so we can take a better look.


If you think you may be infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank You

Link to post
Share on other sites

I tried to reproduce the problem which correlated (repeatably) with MBAM removing FreeMake.exe so event could be logged for MalwareBytes staff to examine.  I
restored the system to 4/30/14 checkpoint, which was the last checkpoint with FreeMake not removed and the desktop still undisturbed.

Followed instructions from the Forum to Clean-Remove MalwareBytes and install the update.  Downloaded the logging program.

Since I'd wound up deleting FreeMake manually and using CCleaner to remove the registry entries that pointed to it on the desktop, I restored
FreeMake.exe from the Recycle Bin.  Searched registry for FreeMake references, since I expected the System Restore would have restored them.  

There were several referencing files in TMP folders, but none referencing the desktop.  I double-clicked the FreeMake icon now back on the desktop
to try to restore the registry entries, but chickened out at the second Windows prompt "allow this program to make changes..." and clicked CANCEL.

Next, I tried exiting are restarting Explorer.exe just to make sure I was starting off with the desktop undisturbed.  The layout rearranged!  It had not done this upon
restart after Clean-Removing MBAM.

So I restored again to 4/30/14.  This restored the desktop and put FreeMake.exe back in the recycle bin.  Now unsure what was left of MalwareBytes, I again downloaded both the Clean Remove and the Installer for MalwareBytes, which had disappeared from the desktop due to System Restore.  This time, I created a folder in Documents and moved both files there instead of to the desktop so I wouldn't have to download them again after another System Restore.  I also moved a notes file there.

Tried exiting and restarting Explorer.exe again to check the desktop.  It rearranged!  All I'd done was download two files and move them to a folder in Documents without executing either of them.

Did another System Restore, this time to yesterday's (5/5/14) checkpoint since it didn't appear necessary to have FreeMake installed to make this happen.  The two files from MalwareBytes I'd moved from Downloads to a folder in Documents disappeared from that folder, and weren't back in Downloads either!  I thought System Restore wasn't supposed to mess with anything in Documents.  The folder was still there and still contained the notes file.

Can I use the logging program to catch this?  I'm not clear on the correct sequence for generating the logs.  Should I run the Scan Tool once before any changes to create a reference snapshot, or run both parts of the logger only after the change occurs?

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.