Can I determine which process has put something on the desktop?


  1. Posts : 18
    Windows 7 64 bit Professional
       #1

    Can I determine which process has put something on the desktop?


    I have some adware on my system which all scans using various malware detection programmes have so far failed to find. It periodically puts a small ad on the bottom right corner of the desktop which is placed on top, so it's impossible to put anything in front of it. The ad (most often for an article about bitcoins) has a hyperlink associated (the mouse cursor changes to a pointing finger when over it) and a cross with REMOVE AD in the top right corner (which I have avoided clicking on). After say 40 minutes or so it disappears.

    Is it possible to determine from looking at computer diagnostics which process has taken over this bit of the desktop? This would be as a way to try and identify the adware.

    Once, this ad appeared while I was downloading a large file and the appearance of the ad was slowed, and it showed the word LOADING, so I assume the adware is making contact with the internet. Is there any way of tracking this contact, again as a way to try and identify the adware?

    Grateful for assistance.
    Last edited by simonc8; 05 Dec 2017 at 12:46. Reason: mistake


  2. Posts : 52
    Microsoft Windows 7 Home Premium Build 7601 32bit
       #2

    Just a suggestion for you to look into. Not sure it will do all you want or not.

    Sysinternals: Process Monitor
    https://docs.microsoft.com/en-us/sys...nloads/procmon


  3. Posts : 18
    Windows 7 64 bit Professional
    Thread Starter
       #3

    Thanks for this suggestion. I have it running at the moment - now I just need the adware to kick in to see if it leaves a trace. I'll let you know...


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    Did you have this problem before you started using (bitcoins)?

    Go into 'msconfig' Startup and Non Microsoft Services and see if anything concerning 'bitcoin' is there. If so, uncheck them. Reboot and see how things go.
    I'm thinking 'bitcoin' is calling home or 'mining'.

    Jack


  5. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #5

    You could go into Task Manager and make a list of all the processes which are running. Do this both when the ad is present and when it is not present. Then compare the two lists.


  6. Posts : 18
    Windows 7 64 bit Professional
    Thread Starter
       #6

    Re post #5: When this first happened I immediately started Task Manager and had a look at all the processes and didn't spot anything unusual. It made me think: does the adware have to be running all the time the ad is on the screen? Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list?
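
For the Process Monitor capture started in post #3 and the question above about a process that starts, places the ad and exits again: the PowerShell below is an added example, not something posted by anyone in the thread. It summarises a Procmon CSV export, listing processes that started during the capture, whether they also exited, and the remote endpoints of any TCP connects. The function name `Get-ProcmonSummary`, the file name in the comment and the sample rows are constructed for illustration, and Procmon's default export columns are assumed.

```powershell
# Added example: summarise a Process Monitor CSV export (File > Save..., CSV format).
# Assumes the default columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
function Get-ProcmonSummary {
    param([Parameter(Mandatory = $true)] [object[]] $Rows)
    foreach ($g in ($Rows | Group-Object 'Process Name', PID)) {
        $start = $g.Group | Where-Object { $_.Operation -eq 'Process Start' } | Select-Object -First 1
        $exit  = $g.Group | Where-Object { $_.Operation -eq 'Process Exit' }  | Select-Object -First 1
        # TCP Connect paths look like "local:port -> remote:port"; keep the remote side.
        $remote = @($g.Group | Where-Object { $_.Operation -eq 'TCP Connect' } |
            ForEach-Object { ($_.Path -split ' -> ')[-1] } | Sort-Object -Unique)
        # Skip processes that neither started during the capture nor opened a connection.
        if (-not $start -and $remote.Count -eq 0) { continue }
        $started = if ($start) { $start.'Time of Day' } else { '(before capture)' }
        $exited  = if ($exit)  { $exit.'Time of Day' }  else { '(still running)' }
        $detail  = if ($start) { $start.Detail } else { '' }
        New-Object PSObject -Property @{
            Process     = $g.Group[0].'Process Name'
            PID         = $g.Group[0].PID
            Started     = $started
            Exited      = $exited
            ShortLived  = [bool]($start -and $exit)   # started AND exited inside the capture
            Remote      = $remote -join ', '
            StartDetail = $detail                     # parent PID and command line as logged
        }
    }
}

# Constructed sample rows (hypothetical process names, documentation-range address).
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:40:01.1000000","explorer.exe","1820","TCP Connect","pc:49201 -> 203.0.113.10:80","SUCCESS","Length: 0"
"12:40:03.2000000","helper.exe","4312","Process Start","","SUCCESS","Parent PID: 1820, Command line: C:\Users\Public\helper.exe /show"
"12:40:03.9000000","helper.exe","4312","TCP Connect","pc:49202 -> 203.0.113.10:80","SUCCESS","Length: 0"
"12:40:05.0000000","helper.exe","4312","Process Exit","","SUCCESS","Exit Status: 0"
"12:40:06.0000000","notepad.exe","5120","CreateFile","C:\notes.txt","SUCCESS",""
'@

# Real capture (hypothetical file name): Get-ProcmonSummary -Rows (Import-Csv .\capture.csv)
Get-ProcmonSummary -Rows ($sample | ConvertFrom-Csv) |
    Select-Object Process, PID, Started, Exited, ShortLived, Remote, StartDetail | Format-List
```

Rows with `ShortLived` set to True are the processes that would never show up in a Task Manager listing taken before or after the ad appeared.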


  7. Posts : 2,497
    Windows 7 Pro 64 bit
       #7

    Note: I will be using the term malware in the generic sense as referring to all forms of malicious software including viruses and adware.

    Is it possible to determine what process placed something on the desktop? Possibly if the software were legitimate but in the case of malware, not likely. Not that I would be able to do this.

    Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list? This is possible.

    There are all kinds of ways a malware process can hide itself. Don't expect it will advertise its presence with some suspicious looking process name. Or it may not be a process at all. It could be a thread that has been injected into a legitimate process, such as explorer.exe. This process is responsible for displaying the desktop, start menu, and more, Windows Explorer being only a part of its activities. Sophisticated malware, and these days most of it is, can manipulate the information displayed by Task Manager and similar utilities.


  8. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #8

    I agree with LMiller7: it can disguise itself so you can't find it the way I described.

    There is another possible way to catch it: Run msconfig, and go to the Services tab. Hide all the Microsoft services, and then disable all the non-Microsoft services (the ones still showing after you hid the Microsoft services). Reboot, and use the computer for a while, to see if the ad comes back.

    If the ad never comes back after using the computer for a while, then it was one of the non-Microsoft services that was putting it on your screen. Go back into msconfig and re-enable one service at a time, rebooting after each one, then using the computer for a while. See if the ad comes back. If it doesn't come back, then re-enable another one, and another one, till either the ad comes back or until you have re-enabled all of them.

    However, if the ad comes back with all of the non-Microsoft services being disabled, then this method won't solve it for you.


  9. Posts : 18
    Windows 7 64 bit Professional
    Thread Starter
       #9

    Thanks to LMiller7 and mrjimphelps for helpful comments.

    Out of interest how/where is the desktop display managed? It seems to me like a multilayer graphics file where you can alter the order of the layers and there is one layer (the top layer) which can't be moved. Which bit of Windows actually populates these layers?

    Since the ad clearly has an associated hyperlink how could I determine where this is pointing to without actually clicking on it? (My assumption is that if I clicked on the link it would send all sorts of compromising information about my system to some internet location.)

    In the meantime I'll persevere with running Process Monitor, even though it slows down the machine a bit, and hope it shows some activity when the ad appears. It hasn't for more than a day. Maybe it knows it's being hunted down!
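
One way to approach the question this thread asks, as an added example rather than anything posted by the participants: the PowerShell below lists every visible window carrying the always-on-top extended style (`WS_EX_TOPMOST`) together with the process and thread that created it. It assumes the ad is drawn as such a window; the type names `TopWin` and `WinInfo` and the method `GetTopmost` are made up for the example.

```powershell
# Added example (not from the thread): list visible always-on-top windows with owning process and thread.
# Windows PowerShell only; C# 2.0 syntax so it also compiles on the PowerShell 2.0 shipped with Windows 7.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public class WinInfo { public uint ProcessId, ThreadId; public string ClassName, Title; public int Left, Top, Width, Height; }
public static class TopWin {
    delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [StructLayout(LayoutKind.Sequential)] struct RECT { public int Left, Top, Right, Bottom; }
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern int GetWindowLong(IntPtr hWnd, int index);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool GetWindowRect(IntPtr hWnd, out RECT r);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetClassName(IntPtr hWnd, StringBuilder s, int n);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetWindowText(IntPtr hWnd, StringBuilder s, int n);
    public static List<WinInfo> GetTopmost() {
        List<WinInfo> rows = new List<WinInfo>();
        EnumWindows(delegate(IntPtr h, IntPtr l) {
            // GWL_EXSTYLE = -20, WS_EX_TOPMOST = 0x8: skip hidden and non-topmost windows
            if (!IsWindowVisible(h) || (GetWindowLong(h, -20) & 0x8) == 0) return true;
            WinInfo w = new WinInfo(); RECT r;
            w.ThreadId = GetWindowThreadProcessId(h, out w.ProcessId);
            GetWindowRect(h, out r);
            w.Left = r.Left; w.Top = r.Top; w.Width = r.Right - r.Left; w.Height = r.Bottom - r.Top;
            StringBuilder c = new StringBuilder(256), t = new StringBuilder(512);
            GetClassName(h, c, c.Capacity); GetWindowText(h, t, t.Capacity);
            w.ClassName = c.ToString(); w.Title = t.ToString();
            rows.Add(w); return true;
        }, IntPtr.Zero);
        return rows;
    }
}
'@

[TopWin]::GetTopmost() | ForEach-Object {
    $w = $_
    # WMI supplies image path and parent PID; fields can be empty without elevation
    $p = Get-WmiObject Win32_Process -Filter "ProcessId=$($w.ProcessId)"
    New-Object PSObject -Property @{
        PID = $w.ProcessId; TID = $w.ThreadId; Name = $p.Name; Parent = $p.ParentProcessId
        Rect = "{0},{1} {2}x{3}" -f $w.Left, $w.Top, $w.Width, $w.Height
        Class = $w.ClassName; Title = $w.Title; Path = $p.ExecutablePath
    }
} | Select-Object PID, TID, Name, Parent, Rect, Class, Title, Path | Format-List
```

Run it while the ad is visible and match `Rect` against the bottom right corner of the screen. If the owner turns out to be explorer.exe or a browser, the thread ID is the lead to follow, which fits the injected-thread case raised in post #7.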


  10. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #10

    Did you do as I posted in #4?

    You could also use Malwarebytes, AdwCleaner, Eset free online scanner and Super Anti Spyware.
    I have used these programs many times.
    Using them has never caused me a problem.

    Jack


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd