Abstract -- I am trying to find out a "criminal" process that opens ads automatically when I am not using my Windows 10 PC. I tried Process Monitor but the Process trace ended at a system service called Background Tasks Infrastructure Service. I am asking for help on the next step to find out who started the ad via this service.
Long story short: I caught some virus (100% sure it was a virus) and did some clean-ups both manually and using Windows Defender (11/13/2016 late night). It seems, however, the virus was not completely cleared.
Something (I cannot be sure whether this was the virus) spawns Mozilla Firefox (my default browser) once a day just to show the same web ad, which is here -- ad page, don't open since I am not sure if that page is safe: http://qaafa.com/7fKEs582d18c5aebf7euplsX1eWReAj?r=L2Rhb2xud29kL3p5eC5zcHBhc3dvZG5pd3phZC8vOnB0dGg=. This happened on 11/14/2016 for the first time. Today is 11/16, and it was indeed the third time this happened.
Since the parent process ID of that Firefox ends up pointing to nothing (this was my experience from the second time it happened, which was yesterday), I used Process Monitor to watch process creation events. Without filtering, the monitor captures thousands of events every second, so I filtered to include only process creation events that spawn "firefox.exe".
The good news was that it worked. The event was captured as:
High Resolution Date & Time: 11/16/2016 6:41:00.6482030 PM
Event Class: Process
Operation: Process Create
Result: SUCCESS
Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
TID: 8528
Duration: 0.0000000
PID: 904
Command line: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "http://dazwindowsapps.xyz/download/index.php?mn=9995"
And the details of the parent process that started Firefox were:
Description: Windows Explorer
Company: Microsoft Corporation
Name: explorer.exe
Version: 10.0.14393.0 (rs1_release.160715-1616)
Path: C:\WINDOWS\explorer.exe
Command Line: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
PID: 7000
Parent PID: 812
Session ID: 1
User: <hostname>\<username> (Personal user I am using)
Auth ID: 00000000:0008e4e4
Architecture: 64-bit
Virtualized: False
Integrity: Medium
Started: 11/16/2016 6:41:00 PM
Ended: 11/16/2016 6:42:00 PM
Modules:
...
The bad news, which was obvious, was that the parent process was "explorer.exe" and the path indicated it was actually the genuine Windows Explorer program and process.
The UUID {75dff2b7-6936-4c06-a8bb-676a7b00b24b} points to HKLM\SOFTWARE\Classes\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}, which has a "LocalServer32" sub-key with "(Default)" value being %SystemRoot%\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}.
However, the process information also showed that the parent PID of this specific instance of "explorer.exe" was 812, a process that was still running when I got back to my PC: the BrokerInfrastructure service (Background Tasks Infrastructure Service).
Now what I see is that this service is apparently a broker, as its name suggests. There must be "someone" (a process, for example) that published some event through this broker, and the broker spawned Windows Explorer itself with the command line to start Firefox. This event was likely (guessing) "I want to open this URL", and the genuine Windows service just chose my default browser for it.
Okay... What is the next step I should take to find out the actual "criminal" process?
Additional information
I actually not only had Process Monitor running, but also turned on "Audit process tracking" in Local Group Policy. Auditing shows that the following "Process Creation" events occurred at that time (6:41:00 PM):
1 --
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/16/2016 6:41:00 PM
Event ID: 4688
Task Category: Process Creation
Level: Information
Keywords: Audit Success
User: N/A
Computer: <hostname>
Description:
A new process has been created.
Creator Subject:
Security ID: SYSTEM
Account Name: <hostname>$
Account Domain: HOME
Logon ID: 0x3E7
Target Subject:
Security ID: <hostname>\<username>
Account Name: <username>
Account Domain: <hostname>
Logon ID: 0x8E4E4
Process Information:
New Process ID: 0x27b0
New Process Name: C:\Windows\explorer.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x504
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line:
2 --
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/16/2016 6:41:00 PM
Event ID: 4688
Task Category: Process Creation
Level: Information
Keywords: Audit Success
User: N/A
Computer: <hostname>
Description:
A new process has been created.
Creator Subject:
Security ID: SYSTEM
Account Name: <hostname>$
Account Domain: HOME
Logon ID: 0x3E7
Target Subject:
Security ID: <hostname>\<username>
Account Name: <username>
Account Domain: <hostname>
Logon ID: 0x8E4E4
Process Information:
New Process ID: 0x1b58
New Process Name: C:\Windows\explorer.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x32c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line:
3 --
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/16/2016 6:41:00 PM
Event ID: 4688
Task Category: Process Creation
Level: Information
Keywords: Audit Success
User: N/A
Computer: <hostname>
Description:
A new process has been created.
Creator Subject:
Security ID: <hostname>\<username>
Account Name: <username>
Account Domain: <hostname>
Logon ID: 0x8E4E4
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x388
New Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x1b58
Creator Process Name: C:\Windows\explorer.exe
Process Command Line:
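As an added example, not part of the original question, the following Python script parses the Process Information fields of 4688 records in the layout above and walks the Creator Process ID links upward from the firefox.exe record, decoding the hex PIDs (0x388, 0x1b58, 0x32c) into the decimal 904, 7000 and 812 that Process Monitor shows. The sample input is constructed from the three events in the post; the walk ends at the svchost.exe creator (812) because a service host that started before auditing was enabled has no 4688 record of its own.

```python
import re

# Constructed sample in the shape of the question's three Security 4688 events;
# only the Process Information fields needed to link the records are reproduced.
SAMPLE_4688 = r"""
New Process ID: 0x27b0
New Process Name: C:\Windows\explorer.exe
Creator Process ID: 0x504
Creator Process Name: C:\Windows\System32\svchost.exe
--
New Process ID: 0x1b58
New Process Name: C:\Windows\explorer.exe
Creator Process ID: 0x32c
Creator Process Name: C:\Windows\System32\svchost.exe
--
New Process ID: 0x388
New Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Creator Process ID: 0x1b58
Creator Process Name: C:\Windows\explorer.exe
"""

FIELD = re.compile(r"^((?:New|Creator) Process (?:ID|Name)):\s*(.*)$", re.M)

def parse_4688(text):
    """Split on the '--' separators; return one dict of linking fields per event."""
    events = [dict(FIELD.findall(chunk)) for chunk in text.split("--")]
    return [e for e in events if "New Process ID" in e]

def pid(hex_pid):
    """4688 records PIDs in hex (0x1b58); Process Monitor shows decimal (7000)."""
    return int(hex_pid, 16)

def ancestry(events, start_pid):
    """Walk Creator Process ID links upward from start_pid; each hop is (pid, image).
    The walk ends at a creator with no 4688 record of its own, e.g. a service host
    (svchost.exe) that was already running before process auditing was turned on."""
    by_pid = {pid(e["New Process ID"]): e for e in events}
    chain, seen, cur = [], set(), start_pid
    while cur in by_pid and cur not in seen:      # 'seen' guards against PID-reuse loops
        seen.add(cur)
        chain.append((cur, by_pid[cur]["New Process Name"]))
        cur = pid(by_pid[cur]["Creator Process ID"])
    if chain:                                     # append the unresolved top-most creator
        top = by_pid[chain[-1][0]]
        chain.append((pid(top["Creator Process ID"]), top["Creator Process Name"]))
    return chain

for p, image in ancestry(parse_4688(SAMPLE_4688), 0x388):
    print(f"{p:>5}  {image}")      # 904 firefox.exe <- 7000 explorer.exe <- 812 svchost.exe
```

The Process Command Line field is empty in these records because the "Include command line in process creation events" policy (Administrative Templates > System > Audit Process Creation) is off by default; with it on, the explorer.exe record would carry the /factory,{CLSID} argument that Process Monitor showed.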