Author Topic: Hj.Name (csrss) and Suspicious.Path found (nvcontainer) false positive or real?  (Read 2681 times)

0 Members and 1 Guest are viewing this topic.

November 12, 2018, 04:52:16 pm

Faergor

  • Newbie

  • Offline
  • *

  • 21
  • Reputation:
    0
    • View Profile
Hi,
Roguekiller 13.0.9.0 found 4 entries:
いいいいいいいいいいいい Processes いいいいいいいいいいいい
[Hj.Name (Malicious)] csrss.exe (672) -- \Device\HarddiskVolume3\Windows\System32\csrss.exe -> Found
[Suspicious.Path (Potentially Malicious)] nvcontainer.exe (3892) -- C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe -> Found

いいいいいいいいいいいい Process Modules いいいいいいいいいいいい

いいいいいいいいいいいい Services いいいいいいいいいいいい
[Suspicious.Path (Potentially Malicious)] NvContainerLocalSystem (3892) -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" -> Found

いいいいいいいいいいいい Tasks いいいいいいいいいいいい

いいいいいいいいいいいい Registry いいいいいいいいいいいい
>>>>>> O23 - Services
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NvContainerLocalSystem -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" (missing) -> Found


Only thing that I did during last few days was downloading some addons for WoW, but from WoWInterface and WoW curse, the ones that had most downloads, therefore should be safe.
Before I started playing WoW I scanned my pc and found nothing, after starting and downloading addons I found this. They however may be completely unrelated to my problem.

Is this please false positive or real? I am uploading a file of scan results. Thanks.

Reply #1November 12, 2018, 06:01:19 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2206
  • Reputation:
    79
    • View Profile
Hi Faergor,

Thanks for your feedback.
Could you please attach the corresponding JSON report showing these detections ?

Regards.

Reply #2November 12, 2018, 07:39:46 pm

Faergor

  • Newbie

  • Offline
  • *

  • 21
  • Reputation:
    0
    • View Profile
Sure, here you go. Thx for reply.

At the end of this, first scan, I tried to delete everything.
I did following scans and Hj.Name doesnt show up anymore, but all  Suspicious.Paths do.

Reply #3November 12, 2018, 08:51:38 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2206
  • Reputation:
    79
    • View Profile
Hi Faergor,

The NVIDIA detections are false positives, these should be whitelisted in RogueKiller next release.
In the meantime, please ignore them.

Regarding the [Hj.Name] detection on process csrss.exe, this is also very likely to be a false positive but we will need time to understand what triggered it in order to fix it.

Once again, thanks for your feedback.

Regards.

Reply #4November 13, 2018, 07:36:58 pm

Faergor

  • Newbie

  • Offline
  • *

  • 21
  • Reputation:
    0
    • View Profile
Thanks a lot buddy :). Appreciate your help.
One last question: what is HJ.Name actually? What kind of infection is it and what damage does it cause?

Ofc,you said it is very likely to be false positive.
But if it wasnt, and it was real,what does it do? Thanks a lot :)

Reply #5November 13, 2018, 08:56:47 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2206
  • Reputation:
    79
    • View Profile
Hi Faergor,

You are very welcome.

A [HJ.Name] detection is short for name hijackers malware.
Those malware run process with names that match those used by legit Windows process, like smss.exe, csrss.exe, lsass.exe, etc. but from different folders. In your case, since the process is located in %WINDIR%\system32\ directory, which is where csrss.exe should be, we can conclude it's a false positive / bug.

Regards.