Solved Can I determine which process has put something on the desktop?

[simonc8]

I have some adware on my system which all scans using various malware detection programmes have so far failed to find. It periodically puts a small ad on the bottom right corner of the desktop which is placed on top, so it's impossible to put anything in front of it. The ad (most often for an article about bitcoins) has a hyperlink associated (the mouse cursor changes to a pointing finger when over it) and a cross with REMOVE AD in the top right corner (which I have avoided clicking on). After say 40 minutes or so it disappears.

Is it possible to determine from looking at computer diagnostics which process has taken over this bit of the desktop? This would be as a way to try and identify the adware.

Once, this ad appeared while I was downloading a large file and the appearance of the ad was slowed, and it showed the word LOADING, so I assume the adware is making contact with the internet. Is there any way of tracking this contact, again as a way to try and identify the adware?

Grateful for assistance.

 

[WinDozeUser]

Just a suggestion for you to look into. Not sure it will do all you want or not.

Systernals: Process Monitor
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

[simonc8]

Thanks for this suggestion. I have it running at the moment - now I just need the adware to kick in to see if it leaves a trace. I'll let you know...

 

[Layback Bear]

Did you have this problem before you started using (bitcoins)?

Go into 'msconfig' Startup and Non Microsoft Services and see if anything concerning 'bitcoin' is there. If so, uncheck them. Reboot and see how things go.
I'm thinking 'bitcoin' is calling home or 'mining'.

Jack

 

[mrjimphelps]

You could go into Task Manager and make a list of all the processes which are running. Do this both when the ad is present and when it is not present. Then compare the two lists.

 

[simonc8]

Re post #5: When this first happened I immediately started Task Manager and had a look at all the processes and didn't spot anything unusual. It made me think does the adware have to be running all the time the ad is on the screen? Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list?

 

[LMiller7]

Note: I will be using the term malware in the generic sense as referring to all forms of malicious software including viruses and adware.

Is it possible to determine what process placed something on the desktop? Possibly if the software were legitimate but in the case of malware, not likely. Not that I would be able to do this.

Is it possible that the adware runs momentarily when placing the ad and then closes down, so it won't appear in the list? This is possible.

There are all kinds of ways a malware process can hide itself. Don't expect it will advertise it's presence with with some suspicious looking process name. Or it may not be a process at all. It could be a thread that has been injected into a legitimate process, such as explorer.exe. This process is responsible for displaying the desktop, start menu, and more, Windows Explorer being only a part of it's activities. Sophisticated malware, and these days most of it is, can manipulate the information displayed by Task Manager and similar utilities.

 

[mrjimphelps]

I agree with LMiller7: it can disguise itself so you can't find it the way I described.

There is another possible way to catch it: Run msconfig, and go to the Services tab. Hide all the Microsoft services, and then disable all the non-Microsoft services (the ones still showing after you hid the Microsoft services). Reboot, and use the computer for a while, to see if the ad comes back.

If the ad never comes back after using the computer for a while, then it was one of the non-Microsoft services that was putting it on your screen. Go back into msconfig and re-enable one service at a time, rebooting after each one, then using the computer for a while. See if the ad comes back. If it doesn't come back, then re-enable another one, and another one, till either the ad comes back or until you have re-enabled all of them.

However, if the ad comes back with all of the non-Microsoft services being disabled, then this method won't solve it for you.

 

[simonc8]

Thanks to LMiller7 and mrjimphelps for helpful comments.

Out of interest how/where is the desktop display managed? It seems to me like a multilayer graphics file where you can alter the order of the layers and there is one layer (the top layer) which can't be moved. Which bit of Windows actually populates these layers?

Since the ad clearly has an associated hyperlink how could I determine where this is pointing to without actually clicking on it? (My assumption is that if I clicked on the link it would send all sorts of compromising information about my system to some internet location.)

In the meantime I'll persevere with running Process Monitor, even though it slows down the machine a bit, and hope it shows some activity when the ad appears. It hasn't for more than a day. Maybe it knows it's being hunted down!

 

[Layback Bear]

Did you do as I posted 4?

You could also use Malwarebytes, AdwCleaner, Eset free online scanner and Super Anti Spyware.
I have used these programs many times.
Using them have never caused me a problem

Jack

 

[LMiller7]

The desktop is managed by then explorer.exe and dwm.exe (Desktop Window Manager) processes. The code is contained in the process exe and the many DLLs they load. This is all very complex.

As to where the ad is ultimately pointing to, this is something the adware developers really don't want you to know and have devoted considerable effort to ensure you don't. There are many ways of doing this.

 

[DonnaB]

Hi simonc8,

You said you ran various malware detection programmes. Which ones did you run?

Could you grab a screen shot of this ad that pops up that includes the link and attach in reply? https://www.sevenforums.com/members/simonc8.html

 

[simonc8]

Hi simonc8,

You said you ran various malware detection programmes. Which ones did you run?

Could you grab a screen shot of this ad that pops up that includes the link and attach in reply?

1. I attach a screen grab showing the ad (I reduced the image size and pixelated my email programme) but you can see where the ad is - this one was for something to do with mis-selling by Barclays bank.
2. The programmes I've tried are Microsoft Security Essentials, Malwarebytes (free edition) and RogueKiller.

However thanks to running Process Manager as suggested by WinDozeUser at #2 I may have isolated the problem. The ad disappeared shortly after a call to wpscenter.exe which is something installed with KingSoft WPS Office which I have on my machine although I rarely use it. I've set up a Windows firewall block on that programme, so let's see what happens...

 

[simonc8]

Fascinating that because an ad appeared on my screen relating to Bitcoin people immediately assume I'm a Bitcoin user!

The answer is: I had installed WPS Office, a free alternative to Microsoft Office, on my system. It turns out it generates ads and puts them on your desktop. By disabling one of the installed programmes, called wpscloudsvr.exe which will be found somewhere in C:\Users\your user name\AppData\Local\Kingsoft\WPS Office I stopped these ads appearing.

 

[Barman58]

Sorry about that - Spammer got to post as I was dealing with them, as soon as you mention a "popular" subject these days, they appear, but we normally get them before members see them