Assigned Zemana detected a Suspicious Root CA. Is this serious?

[FrankN209]

I did a scan with Zemana and it found a suspicious Root CA. I was wondering if it was a false positive or potential virus?

root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355

 

[Deleted member 178]

@Miss Onnellisuus will tell you

 

[FrankN209]

I just did a scan with Zemana Beta 3.0 and it didn't show this. The previous scan was with a portable version. i'm not sure if that makes a big difference.

 

[KevinYu0504]

I just did a scan with Zemana Beta 3.0 and it didn't show this. The previous scan was with a portable version. i'm not sure if that makes a big difference.

ZAM 3.0 is still in beta (or we should say alpha) ,
only fast scan is available , so it won't scan whole system ,
indeed there is some different .

Help you to mark the member
@ZAM3_PO
he is Zemana's official engineer , he should be able to help you for your FP issue .

 

[ZAM3_PO]

Hi guys,

Thank you for tagging me here @KevinYu0504.
@FrankN209, I see that the cleaning action was set to "Delete" on the information you posted. Did you already delete this sample?

 

[FrankN209]

No, i didn't want to delete anything without knowing.

 

[FrankN209]

@ZAM3_PO

Should I delete this, or is this a fp?

 

[DeepWeb]

What Certificate is it? Can you figure it out? What version of Windows are you using? If it says it's suspicious just delete it. If your PC needs it, it will redownload the certificate anyway.

 

[FrankN209]

I'm running Windows 7 pro.

 

[DeepWeb]

Hmmm I don't know how Microsoft does it on Windows 7 but on Windows 10 they delete old and suspicious certificates. If you can figure out what the name of the root CA is it would be tremendously helpful. It could be one of those phony Chinese ones, or Equifax, or the ones Symantec made that went foul last September.

 

[In2an3_PpG]

@FrankN209

For the detection you're reporting about in the latest Zemana beta, the thumbprint of the certificate is 756F415104326826C082FB48F19A4EE990E8BDCC.

Use this PowerShell script:
https://a.uguu.se/8fwPMIBi2G1v.ps1

Spoiler

Start-Transcript
set-location cert:
dir -recurse | where {$_.Thumbprint -eq "756f415104326826c082fb48f19a4ee990e8bdcc"} | Format-List -property *
Stop-Transcript
[void][System.Console]::ReadKey($true)

References:
Finding Certificates by Thumbprint in PowerShell - risual
Working with Certificates in PowerShell
Start-Transcript (Microsoft.PowerShell.Host)
Stop-Transcript (Microsoft.PowerShell.Host)
Directory Class (System.IO)
Format-List (Microsoft.PowerShell.Utility)

The script will output to you at the end where the dropped transcript file is, assuming all works as expected.

You'll want to send that transcript log Zemana because they will be able to use it to learn more about the certificate which is being flagged with their signatures, but you can check it over for any personally sensitive information to be redacted beforehand first if you'd like.

 

[plat]

What do you think of certmgr.msc? It should be available in Windows 7. Type certmgr.msc in run box and check "create this task with administrative privileges." You can then search for it under Action heading, "all tasks" in drop-down and then "find certificate", whereby you can input the thumbprint. It looks like you can also export it or take a screenshot of it to be safe. Someone helped me with a bum certificate and provided this solution. I can link it on request.

 

[ZAM3_PO]

Hi @FrankN209, Can you quarantine this object and provide us with your logs together with transcript log suggested by @In2an3_PpG?

 

[FrankN209]

@
ZAM3_PO

Zemana AntiMalware 2.74.2.150 (Portable)

-------------------------------------------------------
Scan Result            : Terminated
Scan Date              : 2019/1/12
Operating System       : Windows 7 64-bit
Processor              : 8X Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
BIOS Mode              : UEFI
CUID                   : 00800E63A16EA6495B2F8D
Scan Type              : System Scan
Duration               : 0m 17s
Scanned Objects        : 9476
Detected Objects       : 1
Excluded Objects       : 4
Read Level             : SCSI
Auto Upload            : Disabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

 

[FrankN209]

**********************
Windows PowerShell transcript start
Start time: 20190112142337
Username:
RunAs User:
Machine:  (Microsoft Windows NT 6.1.7601 Service Pack 1)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Users\\Downloads\8fwPMIBi2G1v.ps1 -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Process ID: 3692
PSVersion: 5.1.14409.1005
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14409.1005
BuildVersion: 10.0.14409.1005
CLRVersion: 4.0.30319.36470
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\\Documents\PowerShell_transcript..Hen6Hc+o.20190112142337.txt
**********************
Windows PowerShell transcript end
End time: 20190112142337
**********************

 

[ZAM3_PO]

Thank you very much @FrankN209. Would you be able to provide me with log files under C:\Users\[USERNAME]\AppData\Local\Zemana\Tracer as well?

 

[thrillskr]

I have something similar after a clean install of Windows 10. Just sended today support a ticket and they will let me know what is. i did for sure also before a test with HitmanPro and Roguekiller with MALPE but they nothing found. Let me know what it is. If support send me answer i will let you know.

 

[boombastik]

usually the zemana find 2 false positives about rout certificates.

1) One is a buggy certificate from xbox live application in windows 10 that install it when u open it. You can find it in event viewer.

2)the certificate from battle net launcher.

Both of them can been ignored.

 

[thrillskr]

@ZAM3_PO as requested. Let me know. Nothing special i guess but i am no expert lol

Microsoft ECC TS Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob = 59000000010000001A000000450043004400530041002F005300480041003300380034000000140000000100000014000000E847C8429AB09DAE6F0B283B98158FE3B1E880B20F000000010000003000000003D1C76765EDA88BC8E0875E6091D060432543D180BCB86C064936ADB941C42163780B8289921A94FEBB7F9E47EDAC1204000000010000001000000037942958862A06E6BBCFD7AB59C7F23C69000000010000000E000000300C060A2B0601040182373C03020B00000001000000620000004D006900630072006F0073006F00660074002000450043004300200054005300200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020003200300031003800000003000000010000001400000031F9FC8BA3805986B721EA7295C65B3A445342746B00000001000000200000003FD4BE8BAAD2F26E1BDE06C7584BB720DD1A972D111F5A4999BC44B08FB4960D190000000100000010000000A40F3CB7F5FFA3E812BEC7F85507CBF47C0000000100000020000000C5750BF85F459FB70E2B6CD1898D375E92D7938E47A6E034CCE0C12D30372CCD20000000010000001B030000308203173082029EA0030201020210153875E1647ED1B047B4EFAF41128245300A06082A8648CE3D04030330818F310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31393037060355040313304D6963726F736F66742045434320545320526F6F7420436572746966696361746520417574686F726974792032303138301E170D3138303232373230353133345A170D3433303232373231303031325A30818F310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31393037060355040313304D6963726F736F66742045434320545320526F6F7420436572746966696361746520417574686F7269747920323031383076301006072A8648CE3D020106052B8104002203620004DECDBB7020F12520B494E8D7B43B0F6E87DDABACCF4D402F81336B590918D6870D26239CB48D959D769FA5B90642E6AD36B2C4B3AE7A3C08D5CB9D3A5E45216C0BE320F59BC2DD4433E342B9EAF2284292AAFE0C07CA8A13993B6200EDDAF335A381BC3081B9300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E04160414E847C8429AB09DAE6F0B283B98158FE3B1E880B2301006092B0601040182371501040302010030650603551D20045E305C30060604551D20003052060C2B0601040182374C837D01013042304006082B060105050702011634687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F446F63732F5265706F7369746F72792E68746D00300A06082A8648CE3D04030303670030640230148650C0261AEBEAA114773A5BDF6339A533C75040D56B356B0FB4DF7D56B9E1A59D781982A1436E1AD758A3550342DB02301894B41E3A8D64FA0C271B87134AD2B73A0094C6F2E563BFAFE3FADC93D5E7469A6B81693E02DF510D8F28714189912F

Microsoft ECC Product Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob = 59000000010000001A000000450043004400530041002F0053004800410033003800340000001900000001000000100000007D9E7D1E8D5DA11DC0C84B0757ECEDCB0F000000010000003000000032991981BF1575A1A5303BB93A381723EA346B9EC130FDB596A75BA1D7CE0B0A06570BB985D25841E23BE944E8FF118F0B000000010000006C0000004D006900630072006F0073006F006600740020004500430043002000500072006F006400750063007400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020003200300031003800000069000000010000000E000000300C060A2B0601040182373C030203000000010000001400000006F1AA330B927B753A40E68CDF22E34BCBEF33520400000001000000100000001F124EDE13E06A023CD7C09A4F48C3D614000000010000001400000043EF7087B89DBFEC8819DCC6C46B750D753433085C00000001000000040000008001000020000000010000002703000030820323308202A8A003020102021014982666DC7CCD8F4053677BB999EC85300A06082A8648CE3D040303308194310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313E303C060355040313354D6963726F736F6674204543432050726F6475637420526F6F7420436572746966696361746520417574686F726974792032303138301E170D3138303232373230343230385A170D3433303232373230353034365A308194310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313E303C060355040313354D6963726F736F6674204543432050726F6475637420526F6F7420436572746966696361746520417574686F7269747920323031383076301006072A8648CE3D020106052B8104002203620004C711162A761D568EBEB96265D4C3CEB4F0C330EC8F6DD76E39BCC849ABABB8E34378D581065DEFC77D9FCED6B39075DE0CB090DE23BAC8D13E67E019A91B86311E5F342DEE17FD15FB7E278A32A1EAC98FC97E18CB2F3B2C487A7DA6F40107ACA381BC3081B9300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E0416041443EF7087B89DBFEC8819DCC6C46B750D75343308301006092B0601040182371501040302010030650603551D20045E305C30060604551D20003052060C2B0601040182374C837D01013042304006082B060105050702011634687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F446F63732F5265706F7369746F72792E68746D00300A06082A8648CE3D0403030369003066023100A1C049445D325527CC3E906E25229D245B9B5135C79149492AA3F96F4F1CCDDD9CE1B557C99EC222459B0615701C45BF023100C5D328EB72C73EB0AC27097F623D6079E592F1452AB9A502E460BBFE7A2B9C60A7B59914F2B0BEF0BB059656568FC168


Cleaning Result
-------------------------------------------------------
Cleaned : 2
Reported as safe : 0
Failed : 0

 

[JM Safe]

Hello guys, when Zemana detects a suspicious certificate could you please open Powershell and type this command:

dir cert: -Recurse | Where-Object { $_.Thumbprint -like "*HERE THE THUMBPRINT OF THE DETECTED CERTIFICATE*" }

Find certificates using PowerShell

Then please push Enter button to run the command.

And please post here the result. Thank you very much.