Windows 7: Can I determine which process has put something on the desktop?

05 Dec 2017   #1
simonc8

Windows 7 64 bit Professional
 
 
Can I determine which process has put something on the desktop?

I have some adware on my system which all scans using various malware detection programmes have so far failed to find. It periodically puts a small ad on the bottom right corner of the desktop which is placed on top, so it's impossible to put anything in front of it. The ad (most often for an article about bitcoins) has a hyperlink associated (the mouse cursor changes to a pointing finger when over it) and a cross with REMOVE AD in the top right corner (which I have avoided clicking on). After say 40 minutes or so it disappears.

Is it possible to determine from looking at computer diagnostics which process has taken over this bit of the desktop? This would be as a way to try and identify the adware.

Once, this ad appeared while I was downloading a large file and the appearance of the ad was slowed, and it showed the word LOADING, so I assume the adware is making contact with the internet. Is there any way of tracking this contact, again as a way to try and identify the adware?

Grateful for assistance.


05 Dec 2017   #2
WinDozeUser

Microsoft Windows 7 Home Premium Build 7601 32bit
 
 

Just a suggestion for you to look into. Not sure it will do all you want or not.

Sysinternals: Process Monitor
https://docs.microsoft.com/en-us/sys...nloads/procmon
06 Dec 2017   #3
simonc8

Windows 7 64 bit Professional
 
 

Thanks for this suggestion. I have it running at the moment - now I just need the adware to kick in to see if it leaves a trace. I'll let you know...
06 Dec 2017   #4
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
 
 

Did you have this problem before you started using (bitcoins)?

Go into 'msconfig' Startup and Non Microsoft Services and see if anything concerning 'bitcoin' is there. If so, uncheck them. Reboot and see how things go.
I'm thinking 'bitcoin' is calling home or 'mining'.

Jack
06 Dec 2017   #5
mrjimphelps

Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
 
 

You could go into Task Manager and make a list of all the processes which are running. Do this both when the ad is present and when it is not present. Then compare the two lists.
06 Dec 2017   #6
simonc8

Windows 7 64 bit Professional
 
 

Re post #5: When this first happened I immediately started Task Manager and had a look at all the processes and didn't spot anything unusual. It made me think: does the adware have to be running all the time the ad is on the screen? Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list?
06 Dec 2017   #7
LMiller7

Windows 7 Pro 64 bit
 
 

Note: I will be using the term malware in the generic sense as referring to all forms of malicious software including viruses and adware.

Is it possible to determine what process placed something on the desktop? Possibly if the software were legitimate but in the case of malware, not likely. Not that I would be able to do this.

Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list? This is possible.

There are all kinds of ways a malware process can hide itself. Don't expect it will advertise its presence with some suspicious looking process name. Or it may not be a process at all. It could be a thread that has been injected into a legitimate process, such as explorer.exe. This process is responsible for displaying the desktop, start menu, and more, Windows Explorer being only a part of its activities. Sophisticated malware, and these days most of it is, can manipulate the information displayed by Task Manager and similar utilities.
06 Dec 2017   #8
mrjimphelps

Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
 
 

I agree with LMiller7: it can disguise itself so you can't find it the way I described.

There is another possible way to catch it: Run msconfig, and go to the Services tab. Hide all the Microsoft services, and then disable all the non-Microsoft services (the ones still showing after you hid the Microsoft services). Reboot, and use the computer for a while, to see if the ad comes back.

If the ad never comes back after using the computer for a while, then it was one of the non-Microsoft services that was putting it on your screen. Go back into msconfig and re-enable one service at a time, rebooting after each one, then using the computer for a while. See if the ad comes back. If it doesn't come back, then re-enable another one, and another one, till either the ad comes back or until you have re-enabled all of them.

However, if the ad comes back with all of the non-Microsoft services being disabled, then this method won't solve it for you.
07 Dec 2017   #9
simonc8

Windows 7 64 bit Professional
 
 

Thanks to LMiller7 and mrjimphelps for helpful comments.

Out of interest how/where is the desktop display managed? It seems to me like a multilayer graphics file where you can alter the order of the layers and there is one layer (the top layer) which can't be moved. Which bit of Windows actually populates these layers?

Since the ad clearly has an associated hyperlink how could I determine where this is pointing to without actually clicking on it? (My assumption is that if I clicked on the link it would send all sorts of compromising information about my system to some internet location.)

In the meantime I'll persevere with running Process Monitor, even though it slows down the machine a bit, and hope it shows some activity when the ad appears. It hasn't for more than a day. Maybe it knows it's being hunted down!
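One way to approach the question this thread asks, as an added example that is not any poster's code: enumerate the visible always-on-top windows and report the process that owns each, so the entry whose Rect sits in the bottom-right corner while the ad is showing can be matched to a PID and executable path. The class name `TopWin` and the output column names are made up for this example; as post #7 notes, the owner may turn out to be a legitimate host such as explorer.exe if code was injected into it.

```powershell
# Added example (not from the thread): list visible always-on-top windows and their owning process.
# Uses only C# 2 syntax so Add-Type compiles on the PowerShell 2.0 shipped with Windows 7.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class TopWin {
    public delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [StructLayout(LayoutKind.Sequential)]
    public struct RECT { public int Left, Top, Right, Bottom; }
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern int GetWindowLong(IntPtr hWnd, int index);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool GetWindowRect(IntPtr hWnd, out RECT r);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int max);
    const int GWL_EXSTYLE = -20, WS_EX_TOPMOST = 0x8;

    // One tab-separated record (pid, class, rect, title) per visible topmost window.
    public static List<string> Enumerate() {
        List<string> rows = new List<string>();
        EnumWindows(delegate(IntPtr h, IntPtr l) {
            if (!IsWindowVisible(h)) return true;
            if ((GetWindowLong(h, GWL_EXSTYLE) & WS_EX_TOPMOST) == 0) return true;
            uint pid; GetWindowThreadProcessId(h, out pid);
            RECT r; GetWindowRect(h, out r);
            StringBuilder cls = new StringBuilder(256); GetClassName(h, cls, 256);
            StringBuilder title = new StringBuilder(256); GetWindowText(h, title, 256);
            rows.Add(pid + "\t" + cls + "\t" + r.Left + "," + r.Top + "," +
                     r.Right + "," + r.Bottom + "\t" + title);
            return true;
        }, IntPtr.Zero);
        return rows;
    }
}
'@

[TopWin]::Enumerate() | ForEach-Object {
    $f = $_ -split "`t", 4   # title is last so tabs inside it survive the split
    $p = Get-Process -Id $f[0] -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        OwnerPid = $f[0]; Process = $p.ProcessName; Path = $p.Path
        Class = $f[1]; Rect = $f[2]; Title = $f[3]
    }
} | Select-Object OwnerPid, Process, Path, Class, Rect, Title | Format-Table -AutoSize
```

Rect is left,top,right,bottom in screen pixels; the taskbar and other legitimate topmost windows will also be listed, so compare a run taken while the ad is visible against one taken when it is not.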
07 Dec 2017   #10
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
 
 

Did you do as I posted in #4?

You could also use Malwarebytes, AdwCleaner, Eset free online scanner and Super Anti Spyware.
I have used these programs many times.
Using them has never caused me a problem.

Jack