Slashdot Mirror

← Back to Stories (view on slashdot.org)

Finding a Disappearing Application in Windows?

Posted by ryuzaki0 on from the program-execution-audits dept.

siuengr asks: "I have a computer that has a window that pops up every few minutes, but disappears before I can figure out what it is. I have run every virus program and spybot cleaner I have, but they do not find any problems. How can I figure what is causing this window to pop-up all the time, when it doesn't stick around long enough to see anything about it? Is there any software that tracks what applications have ran over a period of time, even if they are not currently running?"

44 of 204 comments (clear)

  1. Task Manager by Lazbien · · Score: 2, Informative

    Open up the Task Manager and be patient. Watch the processes.

    1. Re:Task Manager by ForumTroll · · Score: 4, Informative

      It's trivial to replace the task manager with one that only shows certain processes, and this technique is used regularly by malware. If the security of your system has been breached the task manager isn't a reliable source of information.

      --
      "A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis
    2. Re:Task Manager by OmnipotentEntity · · Score: 3, Informative

      It could be that the process isn't actually a process, but a dll loaded into a process.

      You'll need to get Process Explorer as explained in the above posts. Then when you find the nasty, you'll want to kill the process housing it, and then type regsvr32 /u thenameofthe.dll into a cmd window. Then you'll want to move or remove the file.

      --
      "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
    3. Re:Task Manager by MLease · · Score: 5, Informative

      Good point. Maybe download Process Explorer instead.

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
  2. Same here. by Cybert4 · · Score: 2, Informative

    Same thing! Be interesting to see if anyone tracks this down. My solution was to buy a new computer (old one severely needed an upgrade anyway). I looked through my processes and didn't see anything. Tried windows live antivirus too. Happens every few minutes here. Try killing your processes or using msconfig to kill startup stuff. There's several sites that list known windows processes.

    Nuking windows and/or wiping drives or partitions will of course work as well.

    1. Re:Same here. by Simon80 · · Score: 2, Insightful

      buy a new computer? It really irks me when people cite this as a solution. You most definitely did NOT fix the problem, you are just avoiding it. At the very least, you can install another OS. This isn't a hard process, you just have to download an image, burn it to a CD, boot off the CD, and follow simple instructions.

    2. Re:Same here. by joto · · Score: 4, Insightful

      buy a new computer? It really irks me when people cite this as a solution.

      It is a solution!

      Just because it's not the techiest, or generally lowest-cost, or whatever, doesn't disqualify it from being a solution. It solved his problem. Therefore, by definition it is a solution.

    3. Re:Same here. by joto · · Score: 3, Insightful

      It's like "hey, my brakes squeal, how do I solve this?" And instead of really solving the squealing brakes by replacing them you just buy a new car. Do the brakes still squeal? Yes, but since you're not driving it anymore you no longer care.

      Yes. It is like that. But it is still a solution !

      Just because you find it a bit silly to replace a whole computer because of spyware, or replace a whole car because of squeaky brakes, doesn't disqualify it as a solution. No matter how silly you find it, it's still a solution to the problem of the user experiencing spyware on his computer, or squeaky brakes on his car.

      In the case of the computer, as a techie, I would actually recommend this to non-techies. A new dell costs about the same as you could expect to pay if you would pay someone to fix the problem. In addition you get a new and better computer. If you were to pay someone to fix it, you would still solve the problem, and still part with your money, but you would not have a new and spiffy computer. If you invested the time into learning enough about computers to fix it yourself, by the time you were finished fixing the probem, if you'd been working overtime instead, you could have bought at least 50 dells.

      As for the car, the same logic applies. If it's an old car, which you know sooner or later will need a major (costly) overhaul, you can just as well ditch it when a problem shows up, such as squeaky brakes. You don't need to fix it yourself, or pay someone to do it, when you are going to need a new car soon enough anyway.

    4. Re:Same here. by xtracto · · Score: 2, Informative

      Just as a comment, I once stupidly made my machine hijacked my crapware (can you believe I actually ran the "crack.exe" file that comes with the astalavista cracks =oS) and had to spend almost 4 hours cleaning my computer.

      I used lots of anti cracpware programs that certainly cleaned a lot of things but my machine kept getting infected.

      After some time I dont know why I searched in the "Screen properties" (dont remember the exact name as I am in Linux now), where you right click the desktop and then properties.

      That will show you a window with desktop and screen properties but there is also a tab that lets you configure the "Active Desktop" thing in which you can make a web page you desktop page. Well, the problem was that the trojan installed a web page as active desktop (with my same background so I could not notice), but this page had some javascript code that kept infecting the computer.

      I thing it was quite clever and since none of the anti spamware (ad aware, hijack this, MS-shitdefender, Freeav, avg, clamwin, etc) recognized it, I believe my comment might help someone avoid some headache.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  3. Let us not get ahead of ourselves. by sporkme · · Score: 5, Informative

    Use CamStudio (GPL), or some other desktop video recorder. Record your desktop until the event has occurred a few times, then advance to a frame in the video file that contains the dialogue box/application window. Leave the task manager (ctrl-alt-delete) running off to the side. Let the event occur once with the applications tab displayed and once with the processes tab. Make sure you can see the whole process list.

    Check the event viewer (control panel->administration) for erratic messages. Try disabling processes one by one to see if one of them is the cause. What Anti-stuff are you running? Anti-stuff is only as good as the definition database. Furthermore, many malicious processes can hide their existence from the OS, and an application tracking software is almost certainly going to get this info from the OS. Make sure your video drivers are up-to-date. If you suspect that the app communicates over the netowrk, install a software firewall and set it to anal mode.

    Run a benchmarking utility or simultaneously run several resource hungry applications to slow the machine down, and maybe the window will hang around for a while.

    If you cant catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!

    --
    FairTax baby!
    1. Re:Let us not get ahead of ourselves. by dohzer · · Score: 2, Interesting

      A camera is actually what I used to catch my Bios screen the other day when it was flashing up too quick to read, and then reseting. Because the problem was occuring before the OS could load there was no way I could actually use a program to check it.

  4. Some Anti-virus Progs by Zardus · · Score: 2, Interesting

    A friend of mine had issues with Kapersky anti-virus doing this every few minutes. Do you have that installed?

    --
    You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
  5. Tiny Firewall by Microlith · · Score: 5, Informative

    Tiny Firewall provides a security module that requires the user authorize every unknown application be manually allowed to run.

    While I have yet to see any unknown process start on my machine, none (not even ones started by trusted processes) are allowed to proceed without first being given the OK by me. I'd give it a shot and see if TF 2006 can catch it for you.

    1. Re:Tiny Firewall by netsharc · · Score: 3, Informative

      I second this idea. Although I know it as Kerio Firewall (and it's nowhere to be found at kerio.kom, only at Sunbelt Software, what gives?), here's the download page.

      I once helped a girl who suffered the same problem. A pop-up comes up every so often. I didn't see anything wrong at first, but then I noticed wscript.exe was running. It was running a VBS-script in a loop, and every few random minutes it would launch an Internet Explorer window with an ad, which would just as quickly disappear. I search the disks for all VBS files, found the suspect file, and searched the registry for any mention of that filename.

      Another way malware might hide is when they install themselves as a service.

      --
      What time is it/will be over there? Check with my iPhone app!
  6. Process Explorer by greerga · · Score: 5, Informative

    Prcess Explorer Options..Different Highlight Duration

    1. Re:Process Explorer by RobertKozak · · Score: 2, Informative

      Process Explorer

      --
      Bet this .sig looks familiar.
  7. Disapearing Windows by Anonymous Coward · · Score: 5, Funny

    It might be a better solution

  8. Process Explorer by x2A · · Score: 4, Informative

    Google for it. It shows recently terminated processes in red (or whatever) for a few seconds after it's terminated (all configurable)

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  9. Approach the problem logically... by baadger · · Score: 4, Funny

    Assumptions:
    1. For a dialog to be coming up it has to be iniatated by a process.
    2. Mystery process most likely isn't part of Windows

    Action:
    1. Disable all startup programs with msconfig
    2. Reboot
    3. If problem is gone re-enable startup processes one at a time.
          If the problem is back/still there go to step 5
    4. Goto step 2
    5. Visit Slashdot. Scroll past this comment and proceed to next proposed solution, one which, hopefully, won't waste your time like this one just did.

    1. Re:Approach the problem logically... by x2A · · Score: 2, Funny

      You lie! If this was really slashdot, 6. would be "profit!!!"

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    2. Re:Approach the problem logically... by dasunt · · Score: 2, Insightful

      A binary search would be better. Split the search space (the set of startup programs) in half. Enable or disable one half. If the problem appears, adjust your search space to that half. If the problem does not appear, adjust your search space to the other half. Repeat.

  10. Check Scheduled Tasks by justanyone · · Score: 4, Informative


    If nothing obvious is running as a process, this might be popping up from a scheduled task.

    Occassionally we ran these at my old job and it would pop up a window in front of whatever you were doing, very briefly. The task was a batch file that kicked off something else.

    --
    Unitarian Church: Freethinkers Congregate!
  11. HP? by Anonymous Coward · · Score: 2, Informative

    If you have an HP printer/scanner it might be their updater program.

  12. Sysinternals.com by szyzyg · · Score: 2, Informative

    Look on sysinternals.com - the best bet would be Filemon - then you can track which files are being opened.

  13. Process Explorer by rizzle · · Score: 2, Interesting

    Download Process Explorer. It's like task manager on steroids. One of the things you can do is put "delays" on the list of running processes when the list changes, like with the addition/removal of a process/window.

    Go to Options > Difference Highlight Duration, and set it like 15 seconds or whatever. New processes will show up in bright green for 15 secs, and killed processes will show up as red for 15 secs.

  14. Do you use TweakUI? by WalterGR · · Score: 4, Informative

    Your exact scenario happened to me a few weeks ago.

    Do you use the TweakUI program that comes with Powertoys for Windows XP? If so, do you have X-Mouse turned on? Check Mouse -> X-Mouse and see if "Activation follows mouse (X-Mouse)" is turned on.

    Some poorly written Windows apps will pop up dialogs that then disappear if they lose mouse focus. If you have X-Mouse turned on, they will pop up a dialog - and if your mouse is anywhere else on the screen, they'll think they've lost focus and close the dialog.

    All I had to do was disable X-Mouse until the app popped the dialog again, then I could deal with it. Unfortunately I don't remember what the poorly written program happened to be...

    --
    The Online Slang Dictionary
  15. HP Software? by Clazzy · · Score: 2, Informative

    We have an HP PSC 2355 printer and we installed the software that came with it. Anyhow, every half an hour or so, a program would randomly appear in the taskbar and disappear very quickly afterwards, usually minimising any full-screen applications. In the end, we had to disable it in msconfig. I honestly can't remember what the entry was in msconfig, but I could find it somewhere if it's actually the problem. Of course, it probably begins with "hp" anyway.

    --
    If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
    1. Re:HP Software? by biglig2 · · Score: 3, Funny

      Tell me about it, I installed a new HP multi-fuction printer/scanner/fax on Tuesday. As soon as I connected it to the phone line, it called up the phone company, pretended to be me, got my phone records, and faxed them to HP corporate headquarters.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
  16. Spy++ by storem · · Score: 4, Insightful

    Spy++ (comes with Visual Studio and probably other packages) should be able to list the window, even after it disappears and trace it to the owning process. Used it many times to find information about "rogue" dialogs.

    --
    StarTrek.org Free Webmail
    1. Re:Spy++ by enharmonix · · Score: 2, Informative

      Somebody please mod parent up! It needs to be +5 Informative.

      First thing I thought of was the Borland version (Winsight), and this is exactly how you figure this kind of nonsense out. These apps actually enumerate all current window handles and will give you owning pids, parent/child windows, message queues, etc. If you don't already have a Borland IDE license, Borland now offers free (beer) and trial versions of their products, just dl a windows version and it ought to come with this tool.

      If not, I also found another similar standalone app called Winspector (not to be confused w/ Borland's Winspector, which does something different) at http://www.windows-spy.com/, but I have not used it and can't vouch for it.

  17. What.... by Yusaku+Godai · · Score: 2, Funny

    Since when did Slashdot become Experts Exchange?

    1. Re:What.... by east+coast · · Score: 4, Insightful

      Since when did Slashdot become Experts Exchange?

      At least we don't need to login to see the solution. That site is annoying.

      --
      Dedicated Cthulhu Cultist since 4523 BC.
    2. Re:What.... by StikyPad · · Score: 2, Informative

      Yeah, parent is probably Old School like the Old School. They don't require people to login anymore, but they used to a few years ago. I'm not sure when they changed it.

      --
      https://www.eff.org/https-everywhere
    3. Re:What.... by SurturZ · · Score: 4, Funny

      Accepted Answer!

  18. Process Lasso by nomax · · Score: 2, Informative

    Try Process Lasso, it has a process log feature. Very handy.

    http://www.bitsum.com/

    --nomax

  19. You might be looking at it... by HiredMan · · Score: 2, Interesting

    You might be looking at it and not see it.

    When to a security demo and watched the security guys run a Metasploit process that actually injected the remote .dll into a currently running .dll on the target machine while showing process viewer.
    So while sys_msg.exe or whatever minimal process changed in the process viewer slightly the name remained the same and there was no way to tell that the process was suddenly pwned from a remote host and was (presumably) doing horrible and unwanted things to your computer. All from a dropdown menu, point and click interface too.

    I went back to my office and hugged my Mac, tell you what.

    =tkk

    --
    Bill Gates - Creationist?!?
  20. The next step... by hackwrench · · Score: 2, Insightful

    After doing that and then downloading Process explorer to make sure it isn't replaced is to look in your startup with either MSconfig or startup control panel.
    http://www.sysinternals.com/Utilities/ProcessExplo rer.html
    http://www.mlin.net/StartupCPL.shtml

  21. What OS? by teridon · · Score: 4, Informative

    You fail to state what OS you are running.

    If you are running Windows XP Professional (I think Windows 2000 Pro also has it), you can simply turn on process tracking in Group Policy. Every process that starts will now be logged in the security log. View it with the Event Viewer (Start.. Run.. type "eventvwr.msc")

    Instructions for how to enable process tracking (for exactly the same problem!)

    I don't think the same can be done for Windows XP Home... but I've been wrong before ;-)

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  22. iTunes and Shared Music? by herrlich_98 · · Score: 2, Interesting

    I hate to just chime with my own two cents and wild guess but I've had the same experience and tracked it down to iTunes opening a song from Shared Music. It a small wide rectangular window saying "Opening URL..." or something. I have seen it up for longer when there are network problems. You can reproduce it by clicking on Next Song several times quickly just as quickly as it can load songs.

  23. Slo-Mo by Mignon · · Score: 5, Funny

    Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.

  24. Write a monitoring script by Money+for+Nothin' · · Score: 2, Informative

    Write a script (VBS, Perl, whatever) to monitor your process list. Have it poll the process list every quarter of a second or something, and keep a running list of processes that are found. On the first iteration, write the list to one file. On succeeding iterations, compare the list of the i-th iteration to the list of known processes -- if a new process appears that wasn't in a previous iteration, spit it out to another file...

    --

    Is Capitalism Good for the Poor?
  25. Get Spyberus by Alien54 · · Score: 3, Informative

    Available at robotgenius.net

    Spyberus is free of charge. Check out the tutorial

    There is probably a dll that is tied into explorer or something to repopulate when you clean.

    Also, use Spybot Search and Destroy in safe mode with all of the updates, but use all of the immunize functions first. It can spot some zombie process that "look" normal, but which sure as heck aren't. and then kill them.

    Do a maximum amount of cleaning in safe mode.

    Check out Spywarewarrior.com for a comperhensive list of bogus cleaners that are really infectors. For an example, see this illustration.

    I make a decent living doing nothing but cleaning things like this up. I can't give you a ten page How-to, but the links will put you on the right trail.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  26. Macs aren't safe by Myria · · Score: 2, Informative

    Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

    Same applies to Linux's ptrace().

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  27. Root-Kit? by UltimApe · · Score: 5, Interesting

    Why hasn't anyone mentioned root-kits?

    My gf's computer had a root-kit on it. I go to a tech school, and nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong. It kept doing pop-ups, like it had some type of ad-ware, but it didn't appear to have anything abnormal running. It didn't matter if it was IE or firefox, the ad would pop up on pretty regular intervals. Every possible thing was checked, from using standard tools like spy-bot-s&d, any number of free and bought virus scanners... Some people (including me) even poured over the registry by hand to find out if anything was running. absolutely nothing.

    It turned out to be a ROOT-KIT (2 actually, they hid each other. One user-mode, and one kernel-mode). The rogue programs actually were able to make windows "not see" the file. On boot, windows would see it just enough to turn it on, but after it was running it prevented anything from actually finding it, injecting code between the hard-disk access and low-level windows stuff. not windows-explorer, not regedit, not task-manager, not even 3rd party apps like win-task, or even defraggers.

    http://www.sysinternals.com/Utilities/RootkitRevea ler.html - RootkitRevealer 1.7 by Sysinternals showed a directory in "C:/windows", and one in "C:/program files", that if you went to look normally, didn't show up. I quickly booted up Knoppix and verified that there was some crap in there, but a search on the Internet showed nothing. Booted windows into safe mode, and since safemode doesn't run things other than windows crap, I was able to delete the two folders, and even a registry entry that showed up about it.

    If you can't find anything, maybe its because it won't let you find it!

    --
    "Infecting minds with my own memetic virus, one post at a time." Ultimape