Author Topic: [Suspicious.Path] NvOAWrapperCache.exe False Positive?  (Read 11010 times)

farnhold
« on: July 22, 2018, 06:52:36 PM »
Hi, I updated my graphics card through Nvidia Experience and scanned my computer with RogueKiller, and I keep receiving this:

1.
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] NvOAWrapperCache.exe(7192) -- C:\Users\XXXXXXXXX\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[7] -> Found

Is this a false positive?

2.
+ previously I received
PUM.Dns  in registry ending in DhcpNameServer

Is this also a false positive? It appeared only once and never again, but also today.

NvOAWrapper keeps appearing after each restart.

Thanks.

Curson (Global Moderator)
« Reply #1 on: July 23, 2018, 08:10:31 PM »
Hi farnhold,

Welcome to Adlice.com Forum and thanks for your feedback.
This is indeed a false positive. We will whitelist this detection as soon as possible.

As for the PUM.DNS detection, this was also likely a false positive. For more information, please refer to RogueKiller Documentation.

Regards.

farnhold
« Reply #2 on: July 23, 2018, 10:34:38 PM »
This is the PUM.Dns that I found. I did not know that RogueKiller stores logs, found it out now :D. So here is the log. This is the log from yesterday when I made the post. Do you think this was definitely a false positive?

¤¤¤ Registry : 1 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{af6688e0-e884-44ba-8f59-df73fd60d6fb} | DhcpNameServer : 150.213.1.2 ([X])  -> Found

This appeared first and then never again. Then the Nvidia Suspicious.Path detection from my post above started appearing after each restart.

Curson (Global Moderator)
« Reply #3 on: July 24, 2018, 03:01:30 AM »
Hi farnhold,

Thanks.
This IP does not seem to be in use anymore. Is the name "Norasia" familiar to you?

Regards.

farnhold
« Reply #4 on: July 24, 2018, 07:53:28 PM »
No, never heard of it. What is it? Btw, Google showed the timezone of the IP as coming from a country that is not mine.

So, please, do you think it was a false threat, or what was it? What does it all even mean?

I mean, does PUM.Dns mean that someone else was in my computer and I should worry about personal information, or might it have been a modification from, let's say, an online game that I played?
Most of all, is it a threat or a false positive?
Thanks
« Last Edit: July 25, 2018, 03:34:43 PM by farnhold »

farnhold
« Reply #5 on: July 26, 2018, 02:02:25 PM »
Dude? :) Was someone in my computer or was it a false positive, please?

Curson (Global Moderator)
« Reply #6 on: July 26, 2018, 10:52:09 PM »
Hi farnhold,

Sorry, it was a busy week.
This IP address was linked to a company called Norasia in the past. In case you did know this name, it may be that you used their DNS server at some point. Since that's not it, I can't really explain why this IP was assigned to your network interface.

The IP now points to nothing, so there is nothing malicious going on.
Please don't hesitate to report back if RogueKiller detects it again.

Regards.
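
Added example, not part of the original thread and not RogueKiller's own code: one way to review the value behind a PUM.Dns detection is to list the DNS servers recorded for every TCP/IP interface under the registry key named in the log above and compare them with the resolvers you expect. `$ExpectedResolvers` and its sample address are assumptions to replace with your own; the script only reads the registry.

```powershell
# Added example: read-only review of per-interface DNS settings.
# Assumption: $ExpectedResolvers holds the resolvers you expect (router, ISP);
# the address below is a constructed sample value.
$ExpectedResolvers = @('192.168.1.1')

# CurrentControlSet is a link to the active control set
# (usually ControlSet001, the key shown in the log above).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$rows = foreach ($key in Get-ChildItem -Path $base) {
    $props = Get-ItemProperty -Path $key.PSPath

    # DhcpNameServer is written from the DHCP lease; NameServer is the
    # manually configured (static) resolver list.
    foreach ($valueName in 'DhcpNameServer', 'NameServer') {
        $raw = $props.$valueName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        $source = if ($valueName -eq 'DhcpNameServer') { 'DHCP lease' } else { 'static setting' }

        # Either value may hold several addresses separated by spaces or commas.
        foreach ($ip in ($raw -split '[\s,]+')) {
            if (-not $ip) { continue }
            [pscustomobject]@{
                Interface  = $key.PSChildName    # interface GUID, as in the log line
                Value      = $valueName
                Source     = $source
                DnsServer  = $ip
                DhcpServer = $props.DhcpServer   # server that issued the lease, if any
                Expected   = $ExpectedResolvers -contains $ip
            }
        }
    }
}

# Unexpected resolvers (Expected = False) sort to the top.
$rows | Sort-Object Expected, Interface | Format-Table -AutoSize
```

The DhcpServer column shows which DHCP server supplied the lease, which helps trace an unexpected DhcpNameServer back to a router or network the machine joined.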

farnhold
« Reply #7 on: July 27, 2018, 01:38:26 AM »
Thanks a lot for your answers :), last 2 questions:
1. I have internet with dynamic IP, is it possible that perhaps I received an IP that belonged to them?
2. You say nothing malicious is happening atm, but if 1. question is wrong, then something malicious may have happened in the past?

Or is this all completely harmless anyway?
I will let you know :)

Curson (Global Moderator)
« Reply #8 on: July 27, 2018, 02:19:47 AM »
Hi farnhold,

You are welcome. To answer your questions:

1) No, it's really unlikely this IP was assigned to you by your ISP.
2) That's hard to say, but I don't think so since this address is not present in malware analysis databases.

Regards.

farnhold
« Reply #9 on: July 27, 2018, 04:39:11 PM »
Thanks a lot for your answers :)

I have version 12.12.28.0 of RogueKiller and it still keeps finding NvOAWrapperCache.exe as a threat - suspicious path. Hopefully it will be whitelisted in the next version :D

This is the current log:
[Suspicious.Path] NvOAWrapperCache.exe(8040) -- C:\Users\XXXXXXX\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[7] -> Killed [TermThr]

This is still the same problem and it is a false positive, right?
« Last Edit: July 27, 2018, 08:33:04 PM by farnhold »

farnhold
« Reply #10 on: July 28, 2018, 05:18:39 PM »
Sorry for bothering you. Just want to verify if this was really not fixed yet and is a false positive :D.
Cause the day after I reported this RogueKiller had an update (12.12.28.0) and yet I was finding it.
Thanks.

Curson (Global Moderator)
« Reply #11 on: July 29, 2018, 04:17:57 PM »
Hi farnhold,

You are very welcome.
RogueKiller V12.12.29 will be released tomorrow and will contain the fix.

Regards.

farnhold
« Reply #12 on: July 30, 2018, 12:54:15 AM »
Thanks a lot for your help and patience :). Appreciate it. I know I had a lot of questions, I apologize for that. Have a nice day :)

Curson (Global Moderator)
« Reply #13 on: July 30, 2018, 01:25:03 AM »
Hi farnhold,

You are very welcome.
I'm glad I was able to help you.  :)

Have a nice day.