Assigned Zemana detected a Suspicious Root CA. Is this serious?

This thread is being handled by a member of the staff.

FrankN209

Level 1
Thread author
Verified
May 30, 2016
31
I did a scan with Zemana and it found a suspicious Root CA. I was wondering if it was a false positive or potential virus?

Code:
root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355
 

KevinYu0504

Level 5
Verified
Well-known
Mar 10, 2017
227
I just did a scan with Zemana Beta 3.0 and it didn't show this. The previous scan was with a portable version. i'm not sure if that makes a big difference.

ZAM 3.0 is still in beta (or we should say alpha) ,
only fast scan is available , so it won't scan whole system ,
indeed there is some different .

Help you to mark the member
@ZAM3_PO
he is Zemana's official engineer , he should be able to help you for your FP issue .
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
What Certificate is it? Can you figure it out? What version of Windows are you using? If it says it's suspicious just delete it. If your PC needs it, it will redownload the certificate anyway.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Hmmm I don't know how Microsoft does it on Windows 7 but on Windows 10 they delete old and suspicious certificates. If you can figure out what the name of the root CA is it would be tremendously helpful. It could be one of those phony Chinese ones, or Equifax, or the ones Symantec made that went foul last September.
 

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
@FrankN209

For the detection you're reporting about in the latest Zemana beta, the thumbprint of the certificate is 756F415104326826C082FB48F19A4EE990E8BDCC.

Use this PowerShell script:
https://a.uguu.se/8fwPMIBi2G1v.ps1

Code:
Start-Transcript
set-location cert:
dir -recurse | where {$_.Thumbprint -eq "756f415104326826c082fb48f19a4ee990e8bdcc"} | Format-List -property *
Stop-Transcript
[void][System.Console]::ReadKey($true)

References:
Finding Certificates by Thumbprint in PowerShell - risual
Working with Certificates in PowerShell
Start-Transcript (Microsoft.PowerShell.Host)
Stop-Transcript (Microsoft.PowerShell.Host)
Directory Class (System.IO)
Format-List (Microsoft.PowerShell.Utility)

The script will output to you at the end where the dropped transcript file is, assuming all works as expected.

You'll want to send that transcript log Zemana because they will be able to use it to learn more about the certificate which is being flagged with their signatures, but you can check it over for any personally sensitive information to be redacted beforehand first if you'd like.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
What do you think of certmgr.msc? It should be available in Windows 7. Type certmgr.msc in run box and check "create this task with administrative privileges." You can then search for it under Action heading, "all tasks" in drop-down and then "find certificate", whereby you can input the thumbprint. It looks like you can also export it or take a screenshot of it to be safe. Someone helped me with a bum certificate and provided this solution. I can link it on request.
 
  • Like
Reactions: vtqhtr413

FrankN209

Level 1
Thread author
Verified
May 30, 2016
31
@
ZAM3_PO

Code:
Zemana AntiMalware 2.74.2.150 (Portable)

-------------------------------------------------------
Scan Result            : Terminated
Scan Date              : 2019/1/12
Operating System       : Windows 7 64-bit
Processor              : 8X Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
BIOS Mode              : UEFI
CUID                   : 00800E63A16EA6495B2F8D
Scan Type              : System Scan
Duration               : 0m 17s
Scanned Objects        : 9476
Detected Objects       : 1
Excluded Objects       : 4
Read Level             : SCSI
Auto Upload            : Disabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

root
Status             : Scanned
Object             : HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\756F415104326826C082FB48F19A4EE990E8BDCC\Blob = 5C000000010000000400000000040000190000000100000010000000D7BC42A603F8D67231F82B70E915F9B20F0000000100000014000000472851FECB5B65434FD9EC81FFFD7FE6F63DFA03030000000100000014000000756F415104326826C082FB48F19A4EE990E8BDCC140000000100000014000000EEF5A88EEE2E90F0B3F47132F398693C0C8B5C0C040000000100000010000000B51B531A64D6A681CE92BCBB3AFCDC9E20000000010000002B0200003082022730820190020900D0F8030C6CFEF304300D06092A864886F70D01010505003058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F74301E170D3136303132353037343232315A170D3236303132323037343232315A3058310B300906035504061302434E310B300906035504080C024744310B300906035504070C025348310F300D060355040A0C06666F7363616D310F300D060355040B0C06666F7363616D310D300B06035504030C04726F6F7430819F300D06092A864886F70D010101050003818D0030818902818100D01E2E2F026BB5C56260F09AA6111F6DBA0703EF98E45BD0442600AA16C38CCA0DFD24CB7943817134EF124BA9F822062B4B0F6487D7CBECC09E8CCABE85B6DE7C4E822EA4704C2A465B3C5BFEC83B4C89E3F81DECA4925828EF1D8F88DDCB1DEEE142422E3E1AA221BBBC568871EC62E64A2DDA9C8F72F41C0C2342BF32F4470203010001300D06092A864886F70D010105050003818100B2C8ACB6F31ADA13C6FA9284E56DE9E4534519A7B716B9D837D7C54C499DB3ECBC1E90973EC0DD0AF7DE60FD30F38B330DDF278F80202D9BCA8302F2EB3CCBB419BE772329CFAB933302DDF3438330CA31009D0D277D15CC0E4B24FD01BDFDEB3A6996A9040163E1EE4C1BC030B2E7F80767D9939E327074078C94B058AF5355


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0
 
Last edited:

FrankN209

Level 1
Thread author
Verified
May 30, 2016
31
Code:
**********************
Windows PowerShell transcript start
Start time: 20190112142337
Username:
RunAs User:
Machine:  (Microsoft Windows NT 6.1.7601 Service Pack 1)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Users\\Downloads\8fwPMIBi2G1v.ps1 -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Process ID: 3692
PSVersion: 5.1.14409.1005
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14409.1005
BuildVersion: 10.0.14409.1005
CLRVersion: 4.0.30319.36470
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\\Documents\PowerShell_transcript..Hen6Hc+o.20190112142337.txt
**********************
Windows PowerShell transcript end
End time: 20190112142337
**********************
 
Last edited:

thrillskr

Level 2
Verified
Dec 28, 2018
83
I have something similar after a clean install of Windows 10. Just sended today support a ticket and they will let me know what is. i did for sure also before a test with HitmanPro and Roguekiller with MALPE but they nothing found. Let me know what it is. If support send me answer i will let you know.
 

boombastik

Level 2
Verified
Dec 17, 2018
98
usually the zemana find 2 false positives about rout certificates.

1) One is a buggy certificate from xbox live application in windows 10 that install it when u open it. You can find it in event viewer.
1.png


2.png


2)the certificate from battle net launcher.

Both of them can been ignored.
 

thrillskr

Level 2
Verified
Dec 28, 2018
83
@ZAM3_PO as requested. Let me know. Nothing special i guess but i am no expert lol

Microsoft ECC TS Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274\Blob = 59000000010000001A000000450043004400530041002F005300480041003300380034000000140000000100000014000000E847C8429AB09DAE6F0B283B98158FE3B1E880B20F000000010000003000000003D1C76765EDA88BC8E0875E6091D060432543D180BCB86C064936ADB941C42163780B8289921A94FEBB7F9E47EDAC1204000000010000001000000037942958862A06E6BBCFD7AB59C7F23C69000000010000000E000000300C060A2B0601040182373C03020B00000001000000620000004D006900630072006F0073006F00660074002000450043004300200054005300200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020003200300031003800000003000000010000001400000031F9FC8BA3805986B721EA7295C65B3A445342746B00000001000000200000003FD4BE8BAAD2F26E1BDE06C7584BB720DD1A972D111F5A4999BC44B08FB4960D190000000100000010000000A40F3CB7F5FFA3E812BEC7F85507CBF47C0000000100000020000000C5750BF85F459FB70E2B6CD1898D375E92D7938E47A6E034CCE0C12D30372CCD20000000010000001B030000308203173082029EA0030201020210153875E1647ED1B047B4EFAF41128245300A06082A8648CE3D04030330818F310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31393037060355040313304D6963726F736F66742045434320545320526F6F7420436572746966696361746520417574686F726974792032303138301E170D3138303232373230353133345A170D3433303232373231303031325A30818F310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31393037060355040313304D6963726F736F66742045434320545320526F6F7420436572746966696361746520417574686F7269747920323031383076301006072A8648CE3D020106052B8104002203620004DECDBB7020F12520B494E8D7B43B0F6E87DDABACCF4D402F81336B590918D6870D26239CB48D959D769FA5B90642E6AD36B2C4B3AE7A3C08D5CB9D3A5E45216C0BE320F59BC2DD4433E342B9EAF2284292AAFE0C07CA8A13993B6200EDDAF335A381BC3081B9300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E04160414E847C8429AB09DAE6F0B283B98158FE3B1E880B2301006092B0601040182371501040302010030650603551D20045E305C30060604551D20003052060C2B0601040182374C837D01013042304006082B060105050702011634687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F446F63732F5265706F7369746F72792E68746D00300A06082A8648CE3D04030303670030640230148650C0261AEBEAA114773A5BDF6339A533C75040D56B356B0FB4DF7D56B9E1A59D781982A1436E1AD758A3550342DB02301894B41E3A8D64FA0C271B87134AD2B73A0094C6F2E563BFAFE3FADC93D5E7469A6B81693E02DF510D8F28714189912F

Microsoft ECC Product Root Certificate Authority 2018
Status : Gescand
Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Verdachte Root CA
Cleaning Action : Verwijderen
Related Objects :
Registervermelding - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352\Blob = 59000000010000001A000000450043004400530041002F0053004800410033003800340000001900000001000000100000007D9E7D1E8D5DA11DC0C84B0757ECEDCB0F000000010000003000000032991981BF1575A1A5303BB93A381723EA346B9EC130FDB596A75BA1D7CE0B0A06570BB985D25841E23BE944E8FF118F0B000000010000006C0000004D006900630072006F0073006F006600740020004500430043002000500072006F006400750063007400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020003200300031003800000069000000010000000E000000300C060A2B0601040182373C030203000000010000001400000006F1AA330B927B753A40E68CDF22E34BCBEF33520400000001000000100000001F124EDE13E06A023CD7C09A4F48C3D614000000010000001400000043EF7087B89DBFEC8819DCC6C46B750D753433085C00000001000000040000008001000020000000010000002703000030820323308202A8A003020102021014982666DC7CCD8F4053677BB999EC85300A06082A8648CE3D040303308194310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313E303C060355040313354D6963726F736F6674204543432050726F6475637420526F6F7420436572746966696361746520417574686F726974792032303138301E170D3138303232373230343230385A170D3433303232373230353034365A308194310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313E303C060355040313354D6963726F736F6674204543432050726F6475637420526F6F7420436572746966696361746520417574686F7269747920323031383076301006072A8648CE3D020106052B8104002203620004C711162A761D568EBEB96265D4C3CEB4F0C330EC8F6DD76E39BCC849ABABB8E34378D581065DEFC77D9FCED6B39075DE0CB090DE23BAC8D13E67E019A91B86311E5F342DEE17FD15FB7E278A32A1EAC98FC97E18CB2F3B2C487A7DA6F40107ACA381BC3081B9300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E0416041443EF7087B89DBFEC8819DCC6C46B750D75343308301006092B0601040182371501040302010030650603551D20045E305C30060604551D20003052060C2B0601040182374C837D01013042304006082B060105050702011634687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F446F63732F5265706F7369746F72792E68746D00300A06082A8648CE3D0403030369003066023100A1C049445D325527CC3E906E25229D245B9B5135C79149492AA3F96F4F1CCDDD9CE1B557C99EC222459B0615701C45BF023100C5D328EB72C73EB0AC27097F623D6079E592F1452AB9A502E460BBFE7A2B9C60A7B59914F2B0BEF0BB059656568FC168


Cleaning Result
-------------------------------------------------------
Cleaned : 2
Reported as safe : 0
Failed : 0
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Hello guys, when Zemana detects a suspicious certificate could you please open Powershell and type this command:

Code:
dir cert: -Recurse | Where-Object { $_.Thumbprint -like "*HERE THE THUMBPRINT OF THE DETECTED CERTIFICATE*" }


Then please push Enter button to run the command.

And please post here the result. Thank you very much.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top