question

jaehongpark-9743 asked RichMatheisen-8856 answered

Does anyone know what could cause Windows to return such fake processes and process ID in ps?

This is just part of it.

Procmon.exe (78)
Procmon64.exe (78)
netmon.exe (78)
avp.exe (78)
df5serv.exe (78)
DFServ.exe (78)
DFLocker.exe (78)
DFLocker64.exe (78)
FrzState2k.exe (78)
TaskMgr.exe (78)
dwwatcher.exe (78)
McTray.exe (78)
dwarkdaemon.exe (78)
dwservice.exe (78)
mfevtps.exe (78)
dwengine.exe (78)
mcshield.exe (78)
NS.exe (78)
ccSvcHst.exe (78)
Wireshark.exe (78)
Tshark.exe (78)
idag64.exe (78)
idau64.exe (78)
idaq.exe (78)
idaw.exe (78)
idaq64.exe (78)
idaw64.exe (78)
idag.exe (78)
idau.exe (78)
avpui.exe (78)
VBoxService.exe (78)
VBoxTray.exe (78)
TPAutoConnect.exe (78)
TPAutoConnSvc.exe (78)
vmacthlp.exe (78)
vmtoolsd.exe (78)
CExecSvc.exe (78)
VMSrvc.exe (78)
Fiddler.exe (78)
httpdebugger.exe (78)
qhactivedefense.exe (78)
QHSafeTray.exe (78)
v3lite.exe (78)
v3main.exe (78)
v3sp.exe (78)
spideragent.exe (78)
dwengine.exe (78)
dwarkdaemon.exe (78)
qemu-ga.exe (78)
bullguardtray.exe (78)
bdagent.exe (78)
bullguard.exe (78)
bdss.exe (78)
dumpcap.exe (78)
HookExplorer.exe (78)
LordPE.exe (78)
SysInspector.exe (78)
proc_analyzer.exe (78)
ResourceHacker.exe (78)
x32dbg.exe (78)
x64dbg.exe (78)
Avira.ServiceHost.exe (78)
Avira.Systray.exe (78)
Avira.OptimizerHost.exe (78)
Avira.VpnService.exe (78)
Avira.SoftwareUpdater.ServiceHost.exe (78)
Avira.Spotlight.Service.exe (78)
avguard.exe (78)
avshadow.exe (78)
protectedservice.exe (78)
fshoster32.exe (78)

windows-server-powershell

IanXue-MSFT answered

Hi,

Can you post your current script using the Ctrl-K tool? To get the running processes you can use the Get-Process cmdlet.


Best Regards,
Ian Xue

RichMatheisen-8856 answered

Have you installed "Dr.Web Anti-Rootkit", "Dr.Web Anti-Virus", or "Dr.Web® Anti-Rootkit Scanning Daemon" software? Some root-kits camouflage themselves as this software. A root-kit is certainly capable of doing this.
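
One way to test a listing like the one in the question for internal consistency, added here as an example and not posted by anyone in the thread. The function name `Find-SuspectProcessEntry` and the `Name (PID)` line format parsed from the sample are assumptions.

```powershell
# Added example, not from the thread: sanity checks for a process listing.
function Find-SuspectProcessEntry {
    param(
        [Parameter(Mandatory)]
        [object[]]$Entry    # objects exposing Name and Id properties
    )
    # A PID identifies exactly one process at a time, so one PID listed
    # under several different names cannot be a genuine snapshot.
    foreach ($group in ($Entry | Group-Object -Property Id)) {
        $names = @($group.Group | Select-Object -ExpandProperty Name -Unique)
        if ($names.Count -gt 1) {
            [pscustomobject]@{
                Id     = [int]$group.Name
                Check  = 'PidSharedByNames'
                Detail = "$($names.Count) different names report this PID"
            }
        }
    }
    # Implementation detail, not a documented guarantee: NT-based Windows
    # allocates PIDs in multiples of 4, so a value such as 78 stands out.
    foreach ($id in @($Entry | Select-Object -ExpandProperty Id -Unique)) {
        if (($id -ne 0) -and (($id % 4) -ne 0)) {
            [pscustomobject]@{
                Id     = [int]$id
                Check  = 'PidNotMultipleOf4'
                Detail = 'not a value the Windows kernel normally assigns'
            }
        }
    }
}

# Constructed sample: four entries copied from the listing in the question.
$sample = 'Procmon.exe (78)', 'Wireshark.exe (78)', 'x64dbg.exe (78)', 'dwengine.exe (78)' |
    ForEach-Object {
        if ($_ -match '^(?<name>.+) \((?<processId>\d+)\)$') {
            [pscustomobject]@{ Name = $Matches['name']; Id = [int]$Matches['processId'] }
        }
    }
Find-SuspectProcessEntry -Entry $sample | Format-Table -AutoSize

# On the Windows host itself: run the same checks on live data, then compare
# the PID sets from two different user-mode sources. A few differences are
# normal because processes start and exit between the two calls.
Find-SuspectProcessEntry -Entry (Get-Process) | Format-Table -AutoSize
Compare-Object ([int[]](Get-Process).Id) ([int[]](Get-CimInstance Win32_Process).ProcessId)
```

Both checks fire on the sample. If a rootkit is present, as the answer above suggests is possible, listings taken on the running host cannot be trusted either way, so a clean live result does not clear the machine.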
