Joined
May 30, 2016
Messages
29
#1
I did a scan with Zemana and it found a suspicious Root CA. I was wondering if it was a false positive or potential virus?

Code:
root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355
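
The `Blob` value in the log above is Windows' own serialisation of a certificate-store entry: a run of property records, each `UInt32 propId, UInt32 reserved (=1), UInt32 length, data`, where property 0x20 (`CERT_CERT_PROP_ID`) carries the DER certificate and property 3 (`CERT_SHA1_HASH_PROP_ID`) its SHA-1, which is also the registry key name. Walking those records answers the "what certificate is it?" question without the machine: the DER in this blob decodes to a self-signed v1 certificate with subject `CN=root, OU=foscam, O=foscam, L=SH, ST=GD, C=CN`, a 1024-bit RSA key, `sha1RSA` signature and validity 2016-01-25 to 2026-01-22 (UTC), sitting in the per-user ROOT store (`Cert:\CurrentUser\Root`), which any process running as that user can write to and which is trusted for that account only. The script below is an added example, not code from the thread or from Zemana; the hex is copied from the log above and the property names are the `CERT_*_PROP_ID` constants from wincrypt.h.

```powershell
# Added example (not from the thread): decode a Windows certificate-store registry Blob.
$Thumbprint = '756F415104326826C082FB48F19A4EE990E8BDCC'
$RegPath    = "HKCU:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$Thumbprint"

if (Test-Path $RegPath) {
    # On the affected machine (before cleaning) read the live REG_BINARY value.
    [byte[]]$blob = (Get-ItemProperty -Path $RegPath -Name Blob).Blob
} else {
    # Anywhere else, fall back to the hex pasted in the scan log, split here at record boundaries.
    $hexRaw = @'
5C000000010000000400000000040000
190000000100000010000000D7BC42A603F8D67231F82B70E915F9B2
0F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03
030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC
140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C
040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E
20000000010000002B020000
3082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355
'@
    $hex = $hexRaw -replace '\s', ''
    [byte[]]$blob = 0..([int]($hex.Length / 2) - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) }
}

# Property IDs (wincrypt.h CERT_*_PROP_ID) that appear in this blob
$PropNames = @{
    3 = 'CERT_SHA1_HASH_PROP_ID'; 4 = 'CERT_MD5_HASH_PROP_ID'; 15 = 'CERT_SIGNATURE_HASH_PROP_ID'
    20 = 'CERT_KEY_IDENTIFIER_PROP_ID'; 25 = 'CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID'
    32 = 'CERT_CERT_PROP_ID'; 92 = 'CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID'
}

# Record layout: UInt32 propId, UInt32 reserved (always 1), UInt32 length, byte[length] data
$props = @{}
$off = 0
while ($off -lt $blob.Length) {
    $id  = [int][BitConverter]::ToUInt32($blob, $off)
    $res = [int][BitConverter]::ToUInt32($blob, $off + 4)
    $len = [int][BitConverter]::ToUInt32($blob, $off + 8)
    if ($res -ne 1 -or ($off + 12 + $len) -gt $blob.Length) { throw "Malformed property record at offset $off" }
    $data = New-Object byte[] $len
    [Array]::Copy($blob, $off + 12, $data, 0, $len)
    $props[$id] = $data
    $off += 12 + $len
}

# List every record found; long values (the DER certificate) are truncated for display
foreach ($id in ($props.Keys | Sort-Object)) {
    $name = if ($PropNames.ContainsKey($id)) { $PropNames[$id] } else { "CERT_PROP_ID_$id" }
    $hexValue = [BitConverter]::ToString($props[$id]) -replace '-', ''
    if ($hexValue.Length -gt 40) { $hexValue = $hexValue.Substring(0, 40) + '...' }
    '{0,-42} {1}' -f $name, $hexValue
}

# Property 0x20 is the DER certificate; let .NET parse it and check the store's own hashes against it
$der  = $props[32]
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
$sha1 = [BitConverter]::ToString([System.Security.Cryptography.SHA1]::Create().ComputeHash($der)) -replace '-', ''
$keyBits = if ($props.ContainsKey(92)) { [BitConverter]::ToUInt32($props[92], 0) } else { 'not cached in blob' }

[pscustomobject][ordered]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    Version            = $cert.Version
    SerialNumber       = $cert.SerialNumber
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    PublicKey          = $cert.PublicKey.Oid.FriendlyName
    KeyBits            = $keyBits
    NotBefore          = $cert.NotBefore
    NotAfter           = $cert.NotAfter
    Thumbprint         = $cert.Thumbprint
    Sha1PropMatchesKey = (([BitConverter]::ToString($props[3]) -replace '-', '') -eq $Thumbprint)
    DerSha1MatchesKey  = ($sha1 -eq $Thumbprint)
    StoreScope         = 'HKCU ROOT = Cert:\CurrentUser\Root (trusted for this user account only)'
} | Format-List
```

Run it in Windows PowerShell 5.1 or pwsh; no elevation is needed because it only reads the current user's hive (or, off the machine, the pasted hex). `DerSha1MatchesKey` should be true for any entry Windows wrote itself, since the key name is the SHA-1 of the encoded certificate; a mismatch would mean the value was edited by hand or pasted with a transcription error. The fields it prints are what a vendor needs to judge a "Suspicious Root CA" detection, and they can be shared without the transcript's machine and user details.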
 

KevinYu0504

Level 5
Verified
Joined
Mar 10, 2017
Messages
207
Operating System
Windows 10
Antivirus
Emsisoft
#4
I just did a scan with Zemana Beta 3.0 and it didn't show this. The previous scan was with a portable version. I'm not sure if that makes a big difference.
ZAM 3.0 is still in beta (or we should say alpha); only the fast scan is available, so it won't scan the whole system. Indeed, there is some difference.

Let me tag the member @ZAM3_PO for you;
he is Zemana's official engineer and should be able to help you with your FP issue.
 

DeepWeb

Level 21
Verified
Joined
Jul 1, 2017
Messages
1,061
Operating System
Windows 10
Antivirus
Kaspersky
#8
What Certificate is it? Can you figure it out? What version of Windows are you using? If it says it's suspicious just delete it. If your PC needs it, it will redownload the certificate anyway.
 

DeepWeb

Level 21
Verified
Joined
Jul 1, 2017
Messages
1,061
Operating System
Windows 10
Antivirus
Kaspersky
#10
Hmmm, I don't know how Microsoft does it on Windows 7, but on Windows 10 they delete old and suspicious certificates. If you can figure out what the name of the root CA is, it would be tremendously helpful. It could be one of those phony Chinese ones, or Equifax, or the ones Symantec made that went foul last September.
 

In2an3_PpG

Level 17
Content Creator
Verified
Joined
Nov 15, 2016
Messages
836
Operating System
Windows 10
#11
@FrankN209

For the detection you're reporting about in the latest Zemana beta, the thumbprint of the certificate is 756F415104326826C082FB48F19A4EE990E8BDCC.

Use this PowerShell script:
https://a.uguu.se/8fwPMIBi2G1v.ps1

Code:
# Record everything that follows to a transcript file; the path is printed at start and stop
Start-Transcript
# Switch to the certificate provider, which exposes the CurrentUser and LocalMachine stores as folders
Set-Location Cert:
# Walk every store and show all properties of the certificate with the flagged thumbprint
# (-eq is case-insensitive in PowerShell, so the lowercase thumbprint matches the store's uppercase one)
Get-ChildItem -Recurse | Where-Object { $_.Thumbprint -eq "756f415104326826c082fb48f19a4ee990e8bdcc" } | Format-List -Property *
Stop-Transcript
# Keep the window open until a key is pressed so the transcript path can be read
[void][System.Console]::ReadKey($true)
References:
Finding Certificates by Thumbprint in PowerShell - risual
Working with Certificates in PowerShell
Start-Transcript (Microsoft.PowerShell.Host)
Stop-Transcript (Microsoft.PowerShell.Host)
Directory Class (System.IO)
Format-List (Microsoft.PowerShell.Utility)

The script will tell you at the end where the transcript file was written, assuming all works as expected.

You'll want to send that transcript log to Zemana, because they will be able to use it to learn more about the certificate being flagged by their signatures, but check it over first for any personally sensitive information you'd like to redact.
 

plat1098

Level 3
Verified
Joined
Sep 13, 2018
Messages
133
Operating System
Windows 10
Antivirus
Windows Defender
#12
What do you think of certmgr.msc? It should be available in Windows 7. Type certmgr.msc in the Run box and check "Create this task with administrative privileges." You can then search for it under the Action heading: "All Tasks" in the drop-down, then "Find Certificate", where you can input the thumbprint. It looks like you can also export it or take a screenshot of it to be safe. Someone helped me with a bum certificate and provided this solution. I can link it on request.
 
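The certmgr.msc search above and the transcript script in #11 both locate the entry; the added example below (not code from the thread, and not Zemana's tooling) does the same from PowerShell for the two Root stores only, exports the DER so the bytes can be handed to the vendor, and previews the removal that Zemana's "Delete" action performs. It assumes an elevated prompt so that `Cert:\LocalMachine` is readable, and `$OutDir` is a placeholder for wherever you want the export to land. It runs against the live system, so on a machine that has already been cleaned (as in post #14) it reports no hit, which is also why the transcript in #15 is empty.

```powershell
# Added example (not from the thread): find, export and preview-remove a root by thumbprint.
$Thumbprint = '756F415104326826C082FB48F19A4EE990E8BDCC'
$OutDir     = Join-Path $env:USERPROFILE 'Desktop'   # assumption: any writable folder works

# Cert:\CurrentUser\Root is the store behind HKCU\...\SystemCertificates\ROOT in the Zemana log;
# a root there is trusted for this account only and can be written without admin rights.
$hits = foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotBefore, NotAfter, PSPath
}
if (-not $hits) {
    Write-Host "Thumbprint $Thumbprint is not present in either Root store (already removed?)."
    return
}
$hits | Format-List

foreach ($hit in $hits) {
    # RawData is the DER certificate, the same bytes as CERT_CERT_PROP_ID inside the registry Blob.
    # Writing it directly avoids Export-Certificate (PKI module), which is not available on Windows 7.
    $file = Join-Path $OutDir ('{0}_{1}.cer' -f $Thumbprint, ($hit.Store -replace '[:\\]', '_'))
    [IO.File]::WriteAllBytes($file, (Get-Item -Path $hit.PSPath).RawData)
    Write-Host "Exported $($hit.Store) copy to $file"
}

# Removal (what Zemana's "Delete" action does). -WhatIf previews only; drop it to delete for real.
Remove-Item -Path $hits.PSPath -WhatIf
```

Keep the exported `.cer` before deleting: it is the only artefact needed to reproduce the detection or to dispute it as a false positive, and unlike the transcript it carries no user or machine names.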
Joined
May 30, 2016
Messages
29
#14
@ZAM3_PO

Code:
Zemana AntiMalware 2.74.2.150 (Portable)

-------------------------------------------------------
Scan Result            : Terminated
Scan Date              : 2019/1/12
Operating System       : Windows 7 64-bit
Processor              : 8X Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
BIOS Mode              : UEFI
CUID                   : 00800E63A16EA6495B2F8D
Scan Type              : System Scan
Duration               : 0m 17s
Scanned Objects        : 9476
Detected Objects       : 1
Excluded Objects       : 4
Read Level             : SCSI
Auto Upload            : Disabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0
 
Joined
May 30, 2016
Messages
29
#15
Code:
**********************
Windows PowerShell transcript start
Start time: 20190112142337
Username:
RunAs User:
Machine:  (Microsoft Windows NT 6.1.7601 Service Pack 1)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Users\\Downloads\8fwPMIBi2G1v.ps1 -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Process ID: 3692
PSVersion: 5.1.14409.1005
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14409.1005
BuildVersion: 10.0.14409.1005
CLRVersion: 4.0.30319.36470
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\\Documents\PowerShell_transcript..Hen6Hc+o.20190112142337.txt
**********************
Windows PowerShell transcript end
End time: 20190112142337
**********************
 