Teltrab Posted October 31, 2017 (edited)

Several friends have reported the same "rearrangement of icons" that I have been observing. When Windows updates, and sometimes even when my computer just is turned on or comes back from hibernation, all of my icons have been stacked on one side of the monitor. The switch "View/Auto Arrange Icons" is turned off. The switch "align icons to grid" was turned off, but now I notice that it is back on.

Though this is merely an inconvenience, I am concerned that this is some sort of malware. Malwarebytes keeps saying nothing is detected. In the world of biological viruses, the ones that are more likely to survive are the ones that don't make their host go to the doctor. Considering that the psychology of a virus maker and an arsonist would seem to be similar, this sort of benign "there but not obvious" virus would be the perfect candidate to make a very big thing that someone could say, "I did that." It could also be a test run of how to make a pervasive virus.

How would we ask the people at Malwarebytes to consider this a virus?

Edited October 31, 2017 by Teltrab (typo)
Staff shadowwar Posted November 1, 2017

I would not think this is malware, but I will move this to the malware removal section if you want them to run a manual FRST scan of your computer.
Teltrab Posted November 1, 2017

Yes. What should I do to facilitate this?

Bob
Root Admin AdvancedSetup Posted November 1, 2017

Hello @Teltrab and

Please follow the instructions below and post back your logs and we'll check on it for you.

Thanks
Ron
Teltrab Posted November 1, 2017

Gentlemen,

Thank you in advance for your help with this. I have run Farbar, and attached to this reply are the "Addition.txt" and the "FRST.txt" files per your request. Also attached please find the Malwarebytes scan report.

As a reminder, I do not know that I have a computer virus; it was just a behavior that I was suspicious of - my monitor rearranging my icons when Windows updated and sometimes when just turning on.

Bob

Addition.txt
FRST.txt
Malwarebytes SCAN report 01Nov2017.txt
Root Admin AdvancedSetup Posted November 1, 2017

Thanks @Teltrab

The logs don't indicate any obvious infection. There are a few system errors in the Event Logs, but not an infection.

==================
Error: (10/31/2017 11:47:10 AM) (Source: Act! Scheduler) (EventID: 0) (User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
   at Act.Scheduler.SchedulerService.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (10/31/2017 10:40:31 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.

Error: (10/31/2017 10:40:31 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.

Error: (10/31/2017 10:40:29 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.

Error: (10/31/2017 10:40:28 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.

Error: (10/31/2017 10:30:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 10.0.15063.0, time stamp: 0x4c9dbd90
Faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x4c143763
Exception code: 0xc0000409
Fault offset: 0x000a60f0
Faulting process id: 0x650
Faulting application start time: 0x01d34e779aa6d8b7
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 1ddb831e-c07d-4da1-8002-af755f381563
Faulting package full name:
Faulting package-relative application ID:

Error: (10/30/2017 05:48:04 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program soffice.bin version 4.0.9783.500 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 1fb8
Start Time: 01d3517e3bd68a63
Termination Time: 86
Application Path: C:\Program Files\OpenOffice 4\program\soffice.bin
Report Id: 3e5817a7-d7d2-49f5-aa8d-4ef4dcf5994c
Faulting package full name:
Faulting package-relative application ID:

Error: (10/26/2017 11:29:36 AM) (Source: Act! Scheduler) (EventID: 0) (User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
   at Act.Scheduler.SchedulerService.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (10/26/2017 08:59:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error: Access is denied. .

Error: (10/20/2017 05:17:01 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: C-10)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

System errors:
=============
Error: (10/31/2017 11:51:16 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Delivery Optimization service hung on starting.

Error: (10/31/2017 11:48:42 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0x80d194e0, 0x92be7880, 0x00000000, 0x0000000d). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: e5596b31-24a2-4dd2-aa67-83bd4e63b949.

Error: (10/31/2017 11:47:06 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: The request is not supported.

Error: (10/31/2017 11:47:06 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:03:22 AM on 10/31/2017 was unexpected.

Error: (10/31/2017 10:32:24 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

Error: (10/31/2017 10:32:24 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.

Error: (10/31/2017 10:32:24 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.

Error: (10/31/2017 10:31:24 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.

Error: (10/31/2017 10:30:24 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/31/2017 10:30:24 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Push Notifications System Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

CodeIntegrity:
===================================
Date: 2017-07-28 16:06:43.205
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.

Date: 2017-07-28 16:06:41.919
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.

Date: 2017-07-28 16:06:41.509
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.

Date: 2017-07-28 16:06:33.596
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.

Date: 2017-07-28 16:06:31.789
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.

Thanks
Ron
Teltrab Posted November 2, 2017

Ron,

Thank you very much.

Bob
Root Admin AdvancedSetup Posted November 2, 2017

You're quite welcome. As this is not an infection I will go ahead and close your topic here.

Thank you again and good luck
Ron
Root Admin AdvancedSetup Posted November 2, 2017

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!