Author: Tony Stewart
Subject: Rootkit processes in Procexp but not Procmon
Posted: 03 November 2014 at 4:53pm
I recently installed some rogue driver helper tool which, during uninstall, installed 2 additional tag-team trojan apps. They installed 1 at a time: the other app would install after the 1st app was uninstalled.
Both were protected from kill in Procexp, even when started as Administrator, yet were visible; but Procmon failed to show any activity for the PIDs in question.
It was easy for me to kill both apps simultaneously with WinPatrol and delete startups & scheduled tasks, but I'm curious about the discrepancy in permissions to view the PIDs and processes between Procmon and Procexp.
I was using Win8 x64 Pro on a relatively new install.
Edited by Tony Stewart - 6 hours 52 minutes ago at 5:11pm