Hj.Name (csrss) and Suspicious.Path found (nvcontainer) false positive or real?

[Faergor]

Hi,
Roguekiller 13.0.9.0 found 4 entries:
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Hj.Name (Malicious)] csrss.exe (672) -- \Device\HarddiskVolume3\Windows\System32\csrss.exe -> Found
[Suspicious.Path (Potentially Malicious)] nvcontainer.exe (3892) -- C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] NvContainerLocalSystem (3892) -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O23 - Services
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NvContainerLocalSystem -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" (missing) -> Found


Only thing that I did during last few days was downloading some addons for WoW, but from WoWInterface and WoW curse, the ones that had most downloads, therefore should be safe.
Before I started playing WoW I scanned my pc and found nothing, after starting and downloading addons I found this. They however may be completely unrelated to my problem.

Is this please false positive or real? I am uploading a file of scan results. Thanks.

[Curson]

Hi Faergor,

Thanks for your feedback.
Could you please attach the corresponding JSON report showing these detections ?

Regards.

[Faergor]

Sure, here you go. Thx for reply.

At the end of this, first scan, I tried to delete everything.
I did following scans and Hj.Name doesnt show up anymore, but all  Suspicious.Paths do.

[Curson]

Hi Faergor,

The NVIDIA detections are false positives, these should be whitelisted in RogueKiller next release.
In the meantime, please ignore them.

Regarding the [Hj.Name] detection on process csrss.exe, this is also very likely to be a false positive but we will need time to understand what triggered it in order to fix it.

Once again, thanks for your feedback.

Regards.

[Faergor]

Thanks a lot buddy . Appreciate your help.
One last question: what is HJ.Name actually? What kind of infection is it and what damage does it cause?

Ofc,you said it is very likely to be false positive.
But if it wasnt, and it was real,what does it do? Thanks a lot

[Curson]

Hi Faergor,

You are very welcome.

A [HJ.Name] detection is short for name hijackers malware.
Those malware run process with names that match those used by legit Windows process, like smss.exe, csrss.exe, lsass.exe, etc. but from different folders. In your case, since the process is located in %WINDIR%\system32\ directory, which is where csrss.exe should be, we can conclude it's a false positive / bug.

Regards.