Author Topic: Mystery process stealing focus from running program - possible virus/spyware?  (Read 3063 times)

0 Members and 1 Guest are viewing this topic.

Offline _lexi

  • Jr. Member
  • **
  • Posts: 35
Hi all

I'll keep this as brief as possible:

PROBLEM: A mystery process steals focus from whatever program I'm running on Windows, once per session. I am concerned that this behavior could indicate the presence of malicious software.

If I'm using an application that runs in the Windows desktop, that window becomes inactive, just as if I'd clicked on the desktop or task bar.

If I'm using a full screen application, such as a game, the game minimizes and I'm returned to the Windows desktop, just as if I'd hit alt+tab.

The issue only seems to occur once per session. If I restart or shut down the computer and power up again, it will re-occur after I've logged back in to windows.

I haven't been able to find anything to help me identify the process in Windows Event Viewer. I tried opening Task Manager the last time a loss of focus occurred, but I couldn't identify any usual processes. I checked Avast's firewall logs and the only activity recorded around the time of the loss of focus is pasted below. 192.168.5.1 is my LTE modem's LAN address; 192.168.5.75 is the ip assigned to my notebook by the LTE modem's DHCP service.

   27/12/2017 17:33:54   192.168.5.1   -   192.168.5.75   3   ICMP   Out      Public Icmp Destination Unreachable Out Block
   27/12/2017 17:32:07   192.168.5.1   -   192.168.5.75   3   ICMP   Out      Public Icmp Destination Unreachable Out Block
   27/12/2017 17:32:05   192.168.5.1   -   192.168.5.75   3   ICMP   Out      Public Icmp Destination Unreachable Out Block
   27/12/2017 17:31:53   fe80::4fd:90ff:fece:d1   -   ff02::1   130   ICMPv6   In      Public Icmp6 Listener Query In Block


SPECS:

OS - Windows 8.1, fully patched/updated as of 12 December 2017

AVAST - Avast Internet Security 17.9.2322, fully licensed

NETWORK HARDWARE - Netgear LB1110 LTE modem, connected to my notebook's ethernet port when I'm on the move or connected to a Netgear R7000 Nighthawk at home.

STARTUP PROGRAMS - i) Avast launcher ii) Catalyst Control Centre (graphics card related, last updated without issues at the beginning of the year) iii) HP Accelerometer iv) RealtekHD Audio Manager v) Synaptics Touchpad

POSSIBLE CAUSES:

1) The Netgear LTE modem.
When I first fired the modem up, it opened Chrome and auto navigated to its management/set-up page. This is normal behaviour for Netgear kit, but it might be possible that buggy firmware could be causing windows to return focus to the desktop in anticipation of a browser window opening.

2) Avast 17.9.2322
The problem appeared shortly after I updated to 17.9.2322. However, I haven't been able to find any other reports on the forums of the update triggering similar issues.

3) Poorly written malware.
This is a possibility, but repeated scans using Avast have failed to reveal anything wrong.

REDACTED

  • Guest
I am getting this every 30 minutes or so. I don’t think it’s a virus as 2 other people have recently posted about this issue.

Someone on my posted speculated it was AvastUI.exe opening a second time but not showing a UI. This might actually explain it but I don’t know for sure.

In the pinned release notes it actually mentions how AvastUI might have another process show in Task Manager.
« Last Edit: December 30, 2017, 12:40:35 PM by lgreg »

Offline dangeorgescu88

  • Newbie
  • *
  • Posts: 5
I get this too, and now I'm sure Avast is causing the alt+tab, because the process logger that I've installed to track the issue reports the same thing at the exact time when it happens:

Code: [Select]
12/30/2017 11:29:28
Process: [8648] C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe
Username/Domain: [windows user folder]/DESKTOP-R9DF2R2
CommandLine: "C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe" -checkChrome
MD5 Hash: F54FABEB4834EAA33E53E7EECD02383E
Bitness: 32-bit
Publisher: AVAST Software
Description: Avast Offer Installation Tool
Version: 17.9.3761.0
Integrity Level: High
Signer: AVAST Software s.r.o.
System Process: False
Protected Process: False
Metro Process: False
Parent: [2620] C:\Program Files\AVAST Software\Avast\AvastSvc.exe


[Process Creation]

12/30/2017 11:29:28
Process: [8912] C:\Program Files\AVAST Software\Avast\AvastUI.exe
Username/Domain: [windows user folder]/DESKTOP-R9DF2R2
CommandLine: "C:\Program Files\AVAST Software\Avast\AvastUI.exe" --type=renderer --disable-gpu-compositing --disable-pinch --no-sandbox --primordial-pipe-token=F5C53A62102BABC965FB8E684ABAF040 --lang=en-US --lang=en-US --log-file="C:\Users\[windows user folder]\AppData\Roaming\AVAST Software\Avast\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.3.2987.1601 Safari/537.36 Avastium (17.9.2322)" --proxy-auto-detect --disable-webaudio --mute-audio --force-wave-audio --disable-gpu --disable-software-rasterizer --no-sandbox --disable-webgl --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --allow-file-access-from-files=1 --pack_loading_disabled=1 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553 --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=F5C53A62102BABC965FB8E684ABAF040 --renderer-client-id=3 --mojo-platform-channel-handle=3268 /prefetch:1
MD5 Hash: 7891EA436E353768BAA279317A597CA1
Bitness: 32-bit
Publisher: AVAST Software
Description: Avast Antivirus
Version: 17.9.3761.0
Integrity Level: Medium
Signer: AVAST Software s.r.o.
System Process: False
Protected Process: False
Metro Process: False
Parent: [624] C:\Program Files\AVAST Software\Avast\AvastUI.exe
Parent CommandLine: AvastUI.exe /nogui

OS: Windows 10 Home (with fall creators update) and Avast Free Antivirus

I hope this will be fixed soon.

REDACTED

  • Guest
Did you ever figure out a fix for this issue?  Seems it still hasn't been addressed. 

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Did you ever figure out a fix for this issue?  Seems it still hasn't been addressed.
Bad idea to respond in old posts. Many things change over time.
If you're having a problem please start your own topic and give your details.
Thanks. :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

REDACTED

  • Guest
Did you ever figure out a fix for this issue?  Seems it still hasn't been addressed.
Bad idea to respond in old posts. Many things change over time.
If you're having a problem please start your own topic and give your details.
Thanks. :)

I suspect were I to make a new post that links to this one, describing that I have identical behavior keyed off by the same AvastUI background action as dangeorgescu88, but am making a second thread with no context only to satisfy your request, it would come across as malicious compliance or at the very least sarcasm.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
If you want help, start a new topic.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801