Slashdot Mirror


Finding a Disappearing Application in Windows?

siuengr asks: "I have a computer that has a window that pops up every few minutes, but disappears before I can figure out what it is. I have run every virus program and spybot cleaner I have, but they do not find any problems. How can I figure out what is causing this window to pop up all the time, when it doesn't stick around long enough to see anything about it? Is there any software that tracks what applications have run over a period of time, even if they are not currently running?"

29 of 204 comments

  1. Task Manager by Lazbien · · Score: 2, Informative

    Open up the Task Manager and be patient. Watch the processes.

    1. Re:Task Manager by ForumTroll · · Score: 4, Informative

      It's trivial to replace the task manager with one that only shows certain processes, and this technique is used regularly by malware. If the security of your system has been breached the task manager isn't a reliable source of information.

      --
      "A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis
    2. Re:Task Manager by Anonymous Coward · · Score: 0, Informative

      Curious, mods, why is this modded as offtopic? I mean, seriously, can someone give me a decent answer? It seems that lately the mods have been worse and worse at moderating.

      This comment is hardly offtopic.

    3. Re:Task Manager by OmnipotentEntity · · Score: 3, Informative

      It could be that the process isn't actually a process, but a dll loaded into a process.

      You'll need to get Process Explorer as explained in the above posts. Then when you find the nasty, you'll want to kill the process housing it, and then type regsvr32 /u thenameofthe.dll into a cmd window. Then you'll want to move or remove the file.

      --
      "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
    4. Re:Task Manager by Anonymous Coward · · Score: 0, Informative

      I agree completely - This is why I don't read or post at /. that much any more

    5. Re:Task Manager by MLease · · Score: 5, Informative

      Good point. Maybe download Process Explorer instead.

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
  2. Same here. by Cybert4 · · Score: 2, Informative

    Same thing! Be interesting to see if anyone tracks this down. My solution was to buy a new computer (old one severely needed an upgrade anyway). I looked through my processes and didn't see anything. Tried Windows Live antivirus too. Happens every few minutes here. Try killing your processes or using msconfig to kill startup stuff. There are several sites that list known Windows processes.

    Nuking windows and/or wiping drives or partitions will of course work as well.

    1. Re:Same here. by xtracto · · Score: 2, Informative

      Just as a comment, I once stupidly got my machine hijacked by crapware (can you believe I actually ran the "crack.exe" file that comes with the astalavista cracks =oS) and had to spend almost 4 hours cleaning my computer.

      I used lots of anti-crapware programs that certainly cleaned a lot of things but my machine kept getting infected.

      After some time, I don't know why, I searched in the "Screen properties" (don't remember the exact name as I am in Linux now), where you right click the desktop and then properties.

      That will show you a window with desktop and screen properties but there is also a tab that lets you configure the "Active Desktop" thing in which you can make a web page your desktop page. Well, the problem was that the trojan installed a web page as active desktop (with my same background so I could not notice), but this page had some javascript code that kept infecting the computer.

      I think it was quite clever and since none of the anti spamware (ad aware, hijack this, MS-shitdefender, Freeav, avg, clamwin, etc) recognized it, I believe my comment might help someone avoid some headache.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  3. Let us not get ahead of ourselves. by sporkme · · Score: 5, Informative

    Use CamStudio (GPL), or some other desktop video recorder. Record your desktop until the event has occurred a few times, then advance to a frame in the video file that contains the dialogue box/application window. Leave the task manager (ctrl-alt-delete) running off to the side. Let the event occur once with the applications tab displayed and once with the processes tab. Make sure you can see the whole process list.

    Check the event viewer (control panel->administration) for erratic messages. Try disabling processes one by one to see if one of them is the cause. What Anti-stuff are you running? Anti-stuff is only as good as the definition database. Furthermore, many malicious processes can hide their existence from the OS, and an application tracking software is almost certainly going to get this info from the OS. Make sure your video drivers are up-to-date. If you suspect that the app communicates over the network, install a software firewall and set it to anal mode.

    Run a benchmarking utility or simultaneously run several resource hungry applications to slow the machine down, and maybe the window will hang around for a while.

    If you can't catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!

  4. Tiny Firewall by Microlith · · Score: 5, Informative

    Tiny Firewall provides a security module that requires the user authorize every unknown application be manually allowed to run.

    While I have yet to see any unknown process start on my machine, none (not even ones started by trusted processes) are allowed to proceed without first being given the OK by me. I'd give it a shot and see if TF 2006 can catch it for you.

    1. Re:Tiny Firewall by netsharc · · Score: 3, Informative

      I second this idea. Although I know it as Kerio Firewall (and it's nowhere to be found at kerio.kom, only at Sunbelt Software, what gives?), here's the download page.

      I once helped a girl who suffered the same problem. A pop-up comes up every so often. I didn't see anything wrong at first, but then I noticed wscript.exe was running. It was running a VBS-script in a loop, and every few random minutes it would launch an Internet Explorer window with an ad, which would just as quickly disappear. I searched the disks for all VBS files, found the suspect file, and searched the registry for any mention of that filename.

      Another way malware might hide is when they install themselves as a service.

      --
      What time is it/will be over there? Check with my iPhone app!
  5. Process Explorer by greerga · · Score: 5, Informative

    Process Explorer Options..Different Highlight Duration

    1. Re:Process Explorer by RobertKozak · · Score: 2, Informative
      --
      Bet this .sig looks familiar.
  6. Process Explorer by x2A · · Score: 4, Informative

    Google for it. It shows recently terminated processes in red (or whatever) for a few seconds after it's terminated (all configurable)

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  7. Check Scheduled Tasks by justanyone · · Score: 4, Informative


    If nothing obvious is running as a process, this might be popping up from a scheduled task.

    Occasionally we ran these at my old job and it would pop up a window in front of whatever you were doing, very briefly. The task was a batch file that kicked off something else.

  8. HP? by Anonymous Coward · · Score: 2, Informative

    If you have an HP printer/scanner it might be their updater program.

  9. Sysinternals.com by szyzyg · · Score: 2, Informative

    Look on sysinternals.com - the best bet would be Filemon - then you can track which files are being opened.

  10. Do you use TweakUI? by WalterGR · · Score: 4, Informative

    Your exact scenario happened to me a few weeks ago.

    Do you use the TweakUI program that comes with Powertoys for Windows XP? If so, do you have X-Mouse turned on? Check Mouse -> X-Mouse and see if "Activation follows mouse (X-Mouse)" is turned on.

    Some poorly written Windows apps will pop up dialogs that then disappear if they lose mouse focus. If you have X-Mouse turned on, they will pop up a dialog - and if your mouse is anywhere else on the screen, they'll think they've lost focus and close the dialog.

    All I had to do was disable X-Mouse until the app popped the dialog again, then I could deal with it. Unfortunately I don't remember what the poorly written program happened to be...

  11. HP Software? by Clazzy · · Score: 2, Informative

    We have an HP PSC 2355 printer and we installed the software that came with it. Anyhow, every half an hour or so, a program would randomly appear in the taskbar and disappear very quickly afterwards, usually minimising any full-screen applications. In the end, we had to disable it in msconfig. I honestly can't remember what the entry was in msconfig, but I could find it somewhere if it's actually the problem. Of course, it probably begins with "hp" anyway.

    --
    If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
    1. Re:HP Software? by Anonymous Coward · · Score: 1, Informative

      Amen. HP printer drivers are an embarrassment to humanity.

  12. Process Lasso by nomax · · Score: 2, Informative

    Try Process Lasso, it has a process log feature. Very handy.

    http://www.bitsum.com/

    --nomax

  13. Re:Good one by Anonymous Coward · · Score: 1, Informative

    Yes the HP software was doing it to me too, I would be playing a game and it would actually drop me to the desktop. At first I thought the game had crashed but I was able to alt-tab back to it. I ended up uninstalling all the HP software that came with that printer.

  14. Sysinternals is a Windows admin's best friend by Anonymous Coward · · Score: 1, Informative

    For any windows problem to which you do not know the answer immediately or through a quick google search.

    Visit http://www.sysinternals.com/

    Look through all the categories and short descriptions until you find a tool that could provide a diagnostic clue.

    In your case Process Explorer will do the trick, just turn the highlight time up and you should see process creation (provided it is caused by a process).

    If no new process is spawning, an existing one is launching the window, so compare the process listing against a similarly configured pc without the problem or a clean one and slowly remove processes until the one causing the problem is destroyed.

    If all the processes listed are valid, then you may have a compromised exe or dll, so use the dependency walker to find all the files used, then use md5sum or similar to hash them and compare the hashes against a clean machine.

    If you think the problem may be using a network connection you get additional options; you can use tcpview & process explorer to find the process in question and then kill it. You can also use wireshark (formerly ethereal) from http://www.wireshark.org/ either on the machine itself or another machine to monitor the network traffic.

    If all these steps are ineffectual, you may have a rootkit, so run rootkit revealer also from sysinternals.

    If you suspect a virus/spyware then it can be difficult to use the machine itself to diagnose; instead grab a copy of Bart's PE with McAfee/Sophos & Lavasoft Ad-Aware and the registry redirector to scan the local machine. This usually will allow you to get the machine to a state where other tools can be effective.

    Check out the Windows Resource Kits from Microsoft; they have a wealth of tools that may not be immediately useful, but can prove invaluable.

    On domain machines, the first step is always to check any logon scripts/group policy.
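
The hash-and-compare step from the comment above, as an added example that is not part of the original post: it builds a manifest of executable and DLL hashes under a directory and reports what differs from a manifest taken on a clean machine. It uses SHA-256 in place of the md5sum the comment mentions; the directory contents in `demo()` are constructed, and all function names are this example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root, patterns=("*.exe", "*.dll")):
    """Map lower-cased relative path -> hash for every matching file."""
    root = Path(root)
    manifest = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                manifest[p.relative_to(root).as_posix().lower()] = hash_file(p)
    return manifest

def compare(baseline, suspect):
    """Report files whose hash changed, plus files added or missing."""
    common = baseline.keys() & suspect.keys()
    return {
        "changed": sorted(k for k in common if baseline[k] != suspect[k]),
        "added": sorted(suspect.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - suspect.keys()),
    }

def demo():
    """Constructed clean and suspect trees, standing in for two machines."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            (Path(root) / "app.exe").write_bytes(b"constructed app image")
            (Path(root) / "helper.dll").write_bytes(b"constructed library")
        (Path(suspect) / "helper.dll").write_bytes(b"constructed library, modified")
        (Path(suspect) / "extra.dll").write_bytes(b"constructed unexpected file")
        return compare(build_manifest(clean), build_manifest(suspect))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Differences are only leads: the two machines must be at the same patch level for a changed hash to mean anything, and hashes read through a compromised OS can be falsified, so take the suspect manifest from a clean boot environment.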

  15. Re:What.... by StikyPad · · Score: 2, Informative

    Yeah, parent is probably Old School like the Old School. They don't require people to log in anymore, but they used to a few years ago. I'm not sure when they changed it.

  16. What OS? by teridon · · Score: 4, Informative

    You fail to state what OS you are running.

    If you are running Windows XP Professional (I think Windows 2000 Pro also has it), you can simply turn on process tracking in Group Policy. Every process that starts will now be logged in the security log. View it with the Event Viewer (Start.. Run.. type "eventvwr.msc")

    Instructions for how to enable process tracking (for exactly the same problem!)

    I don't think the same can be done for Windows XP Home... but I've been wrong before ;-)

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  17. Write a monitoring script by Money+for+Nothin' · · Score: 2, Informative

    Write a script (VBS, Perl, whatever) to monitor your process list. Have it poll the process list every quarter of a second or something, and keep a running list of processes that are found. On the first iteration, write the list to one file. On succeeding iterations, compare the list of the i-th iteration to the list of known processes -- if a new process appears that wasn't in a previous iteration, spit it out to another file...
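
One way to write the polling script described in the comment above, as an added example that is not part of the original post. It reads the process list from `tasklist /fo csv /nh`, and instead of a running list of known names it diffs each snapshot against the previous one by PID, so repeated launches of the same image are logged every time; the function names and the `SAMPLE` text are constructed for this example.

```python
import csv
import subprocess
import sys
import time
from datetime import datetime

# Constructed sample of `tasklist /fo csv /nh` output (not from a real machine).
SAMPLE = ('"explorer.exe","1234","Console","1","45,000 K"\n'
          '"wscript.exe","4321","Console","1","6,128 K"\n')

def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist's CSV output."""
    procs = {}
    for row in csv.reader(text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs

def snapshot_tasklist():
    """Take one snapshot of the live process list (Windows only)."""
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)

def diff_snapshots(previous, current):
    """Return (started, exited) as sorted lists of (pid, image)."""
    started = sorted((p, n) for p, n in current.items() if previous.get(p) != n)
    exited = sorted((p, n) for p, n in previous.items() if current.get(p) != n)
    return started, exited

def watch(snapshot=snapshot_tasklist, interval=0.25, rounds=None, log=print):
    """Poll the process list and log every start and exit with a timestamp."""
    events, previous, done = [], snapshot(), 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot()
        stamp = datetime.now().isoformat(timespec="milliseconds")
        for kind, items in zip(("START", "EXIT"), diff_snapshots(previous, current)):
            for pid, image in items:
                events.append((kind, pid, image))
                log(f"{stamp} {kind} pid={pid} image={image}")
        previous, done = current, done + 1
    return events

if __name__ == "__main__":
    if sys.platform == "win32":
        watch()                      # runs until interrupted with Ctrl+C
    else:                            # offline demo on the constructed sample
        frames = iter([{}, parse_tasklist_csv(SAMPLE), {}])
        watch(snapshot=lambda: next(frames), interval=0, rounds=2)
```

A poller only sees processes that are alive at a sampling instant and visible in the OS process list, so anything shorter-lived than the interval, or hidden from the listing, will not show up here.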

  18. Get Spyberus by Alien54 · · Score: 3, Informative

    Available at robotgenius.net

    Spyberus is free of charge. Check out the tutorial

    There is probably a dll that is tied into explorer or something to repopulate when you clean.

    Also, use Spybot Search and Destroy in safe mode with all of the updates, but use all of the immunize functions first. It can spot some zombie processes that "look" normal, but which sure as heck aren't, and then kill them.

    Do a maximum amount of cleaning in safe mode.

    Check out Spywarewarrior.com for a comprehensive list of bogus cleaners that are really infectors. For an example, see this illustration.

    I make a decent living doing nothing but cleaning things like this up. I can't give you a ten page How-to, but the links will put you on the right trail.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  19. Macs aren't safe by Myria · · Score: 2, Informative

    Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

    Same applies to Linux's ptrace().

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  20. Re:Spy++ by enharmonix · · Score: 2, Informative

    Somebody please mod parent up! It needs to be +5 Informative.

    First thing I thought of was the Borland version (Winsight), and this is exactly how you figure this kind of nonsense out. These apps actually enumerate all current window handles and will give you owning pids, parent/child windows, message queues, etc. If you don't already have a Borland IDE license, Borland now offers free (beer) and trial versions of their products, just dl a windows version and it ought to come with this tool.

    If not, I also found another similar standalone app called Winspector (not to be confused w/ Borland's Winspector, which does something different) at http://www.windows-spy.com/, but I have not used it and can't vouch for it.