FrankN209

Level 1
I did a scan with Zemana and it found a suspicious Root CA. I was wondering if it was a false positive or a potential virus?

Code:
root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
 

KevinYu0504

Level 5
Verified
I just did a scan with Zemana Beta 3.0 and it didn't show this. The previous scan was with a portable version. I'm not sure if that makes a big difference.
ZAM 3.0 is still in beta (or we should say alpha),
only fast scan is available, so it won't scan the whole system,
indeed there is some difference.

Let me tag the member for you:
@ZAM3_PO
He is Zemana's official engineer; he should be able to help you with your FP issue.
 

DeepWeb

Level 22
Verified
What Certificate is it? Can you figure it out? What version of Windows are you using? If it says it's suspicious just delete it. If your PC needs it, it will redownload the certificate anyway.
 

DeepWeb

Level 22
Verified
Hmmm I don't know how Microsoft does it on Windows 7 but on Windows 10 they delete old and suspicious certificates. If you can figure out what the name of the root CA is it would be tremendously helpful. It could be one of those phony Chinese ones, or Equifax, or the ones Symantec made that went foul last September.
 

In2an3_PpG

Level 17
Content Creator
Verified
@FrankN209

For the detection you're reporting about in the latest Zemana beta, the thumbprint of the certificate is 756F415104326826C082FB48F19A4EE990E8BDCC.

Use this PowerShell script:
https://a.uguu.se/8fwPMIBi2G1v.ps1

Code:
Start-Transcript                      # record everything below into a transcript file
set-location cert:                    # the certificate provider (CurrentUser and LocalMachine stores)
dir -recurse | where {$_.Thumbprint -eq "756f415104326826c082fb48f19a4ee990e8bdcc"} | Format-List -property *   # -eq is case-insensitive
Stop-Transcript
[void][System.Console]::ReadKey($true)   # keep the window open until a key is pressed
References:
Finding Certificates by Thumbprint in PowerShell - risual
Working with Certificates in PowerShell
Start-Transcript (Microsoft.PowerShell.Host)
Stop-Transcript (Microsoft.PowerShell.Host)
Directory Class (System.IO)
Format-List (Microsoft.PowerShell.Utility)

The script will tell you at the end where the transcript file was dropped, assuming all works as expected.

You'll want to send that transcript log to Zemana, because they will be able to use it to learn more about the certificate being flagged by their signatures, but you can check it over first for any personally sensitive information to redact beforehand if you'd like.
 

plat1098

Level 5
Verified
What do you think of certmgr.msc? It should be available in Windows 7. Type certmgr.msc in the Run box and check "create this task with administrative privileges." You can then search for it under the Action heading, "all tasks" in the drop-down and then "find certificate", where you can input the thumbprint. It looks like you can also export it or take a screenshot of it to be safe. Someone helped me with a bum certificate and provided this solution. I can link it on request.
 

FrankN209

Level 1
@ZAM3_PO

Code:
Zemana AntiMalware 2.74.2.150 (Portable)

-------------------------------------------------------
Scan Result            : Terminated
Scan Date              : 2019/1/12
Operating System       : Windows 7 64-bit
Processor              : 8X Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
BIOS Mode              : UEFI
CUID                   : 00800E63A16EA6495B2F8D
Scan Type              : System Scan
Duration               : 0m 17s
Scanned Objects        : 9476
Detected Objects       : 1
Excluded Objects       : 4
Read Level             : SCSI
Auto Upload            : Disabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0
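
As an added example (not code from the thread or from Zemana), the following Python decodes the Blob value pasted in the scan log above the way a forensic script would: it walks the certificate-store property records, pulls out the DER certificate (property 32), confirms that its SHA-1 matches both the stored hash property and the registry key name, and reads issuer, subject and validity with a minimal DER parser. It assumes the pasted Blob is complete and was copied unchanged; only the standard library is used.

```python
import hashlib, struct
KEY_NAME = "756F415104326826C082FB48F19A4EE990E8BDCC"   # registry key name from the scan log above
NAME = "3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74"
BLOB = bytes.fromhex(                                   # Blob value copied from the scan log above; assumed complete
    "5C000000010000000400000000040000" "190000000100000010000000D7BC42A603F8D67231F82B70E915F9B2"          # props 0x5C, 0x19
    "0F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03" "030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC"  # props 0x0F, 3 (SHA-1 hash)
    "140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C" "040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E"          # props 0x14 (key id), 4 (MD5)
    "20000000010000002B020000" "3082022730820190020900D0F8030C6CFEF304300D06092A864886F70D0101050500" + NAME +   # prop 32 header; Certificate, tbs, serial, sigalg, issuer
    "301E170D3136303132353037343232315A170D3236303132323037343232315A" + NAME +                        # validity; subject (same Name: self-signed)
    "30819F300D06092A864886F70D010101050003818D0030818902818100"                                       # SPKI: rsaEncryption, 1024-bit modulus follows
    "D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C"
    "89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F447" "0203010001" "300D06092A864886F70D0101050500" "03818100"
    "B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA"
    "31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355")
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def parse_blob(blob):             # cert-store Blob = repeated little-endian (property id, reserved=1, length) + data
    props, off = {}, 0
    while off < len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        props[prop_id], off = blob[off + 12:off + 12 + length], off + 12 + length
    return props

def der_children(buf):            # split a DER constructed value into its (tag, value) elements
    out, off = [], 0
    while off < len(buf):
        tag, length, off = buf[off], buf[off + 1], off + 2
        if length & 0x80:         # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        out.append((tag, buf[off:off + length]))
        off += length
    return out

def decode_name(name):            # X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }
    attrs = [der_children(a) for _, rdn in der_children(name) for _, a in der_children(rdn)]
    return ", ".join(f"{OIDS.get(oid, oid.hex())}={val.decode()}" for (_, oid), (_, val) in attrs)

def inspect_cert(blob=BLOB, key_name=KEY_NAME):
    props = parse_blob(blob)
    der = props[32]                                   # CERT_CERT_PROP_ID: the raw X.509 certificate
    fields = der_children(der_children(der_children(der)[0][1])[0][1])   # tbsCertificate elements
    if fields[0][0] == 0xA0:                          # v3 certificates begin with an explicit [0] version
        fields = fields[1:]
    thumb = hashlib.sha1(der).hexdigest().upper()     # the "thumbprint" Windows keys the store entry by
    return {"thumbprint": thumb,
            "thumbprint_ok": thumb == key_name.upper() == props[3].hex().upper(),   # prop 3 = CERT_SHA1_HASH_PROP_ID
            "issuer": decode_name(fields[2][1]), "subject": decode_name(fields[4][1]),
            "validity": [v.decode() for _, v in der_children(fields[3][1])]}        # UTCTime YYMMDDhhmmssZ
```

For this blob inspect_cert() reports a self-signed certificate whose issuer and subject are both C=CN, ST=GD, L=SH, O=foscam, OU=foscam, CN=root, valid from 2016-01-25 to 2026-01-22; the subject is what to compare against software or devices you actually use before treating the detection as a false positive.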
 

FrankN209

Level 1
Code:
**********************
Windows PowerShell transcript start
Start time: 20190112142337
Username:
RunAs User:
Machine:  (Microsoft Windows NT 6.1.7601 Service Pack 1)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Users\\Downloads\8fwPMIBi2G1v.ps1 -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Process ID: 3692
PSVersion: 5.1.14409.1005
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14409.1005
BuildVersion: 10.0.14409.1005
CLRVersion: 4.0.30319.36470
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\\Documents\PowerShell_transcript..Hen6Hc+o.20190112142337.txt
**********************
Windows PowerShell transcript end
End time: 20190112142337
**********************
 

thrillskr

Level 1
I have something similar after a clean install of Windows 10. I just sent support a ticket today and they will let me know what it is. I also did a test before with HitmanPro and RogueKiller with MALPE, but they found nothing. Let me know what it is. If support sends me an answer I will let you know.
 

boombastik

Level 1
Usually Zemana finds 2 false positives about root certificates.

1) One is a buggy certificate from the Xbox Live application in Windows 10, which installs it when you open it. You can find it in Event Viewer.

2) The certificate from the Battle.net launcher.

Both of them can be ignored.
 

thrillskr

Level 1
@ZAM3_PO as requested. Let me know. Nothing special I guess, but I am no expert lol

Microsoft ECC TS Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob

Microsoft ECC Product Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob


Cleaning Result
-------------------------------------------------------
Cleaned : 2
Reported as safe : 0
Failed : 0
 
