Pilate

TrojanDisabledAVSecurityCerts


Hello!

Some registry entries have been flagged by MB4 as Trojan.DisabledAVSecurityCerts. Here is the log:

[code]Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 22.04.2020
Scan Time: 16:58
Log File: 5e81b1a2-84a1-11ea-aef5-10bf481e78af.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.835
Update Package Version: 1.0.22770
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: NOTEBOOK\Matias

-Scan Summary-
Scan Type: Full Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235578
Threats Detected: 16
Threats Quarantined: 16
Time Elapsed: 10 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Warn

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 16
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\1990649205B55EAB5D692E9EDB1BE0DDD3B037DE, Quarantined, 6754, 813677, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\3AD010247A8F1E991F8DDE5D47989CB5202E5614, Quarantined, 6754, 813678, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\6A2C691767C2F1999B8C020CBAB44756A99A0C41, Quarantined, 6754, 813679, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\1990649205B55EAB5D692E9EDB1BE0DDD3B037DE, Quarantined, 6754, 813677, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\3AD010247A8F1E991F8DDE5D47989CB5202E5614, Quarantined, 6754, 813678, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\6A2C691767C2F1999B8C020CBAB44756A99A0C41, Quarantined, 6754, 813679, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\6B6FA65B1BDC2A0F3A7E66B590F93297B8EB56B9, Quarantined, 6754, 813680, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\6B6FA65B1BDC2A0F3A7E66B590F93297B8EB56B9, Quarantined, 6754, 813680, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\8835437D387BBB1B58FF5A0FF8D003D8FE04AED4, Quarantined, 6754, 813681, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\8835437D387BBB1B58FF5A0FF8D003D8FE04AED4, Quarantined, 6754, 813681, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\9FEB091E053D1C453C789E8E9C446D31CB177ED9, Quarantined, 6754, 813682, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\9FEB091E053D1C453C789E8E9C446D31CB177ED9, Quarantined, 6754, 813682, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\C597D4E7FF9CE5BD3EC321C11827FCA9294A6BA1, Quarantined, 6754, 813683, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\C597D4E7FF9CE5BD3EC321C11827FCA9294A6BA1, Quarantined, 6754, 813683, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\D3FD325D0F2259F693DD789430E3A9430BB59B98, Quarantined, 6754, 813684, 1.0.22770, , ame,
Trojan.DisabledAVSecurityCerts, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\D3FD325D0F2259F693DD789430E3A9430BB59B98, Quarantined, 6754, 813684, 1.0.22770, , ame,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)[/code]

My security software works as usual.
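The scan log above reports 16 registry keys, but they are eight distinct SHA-1 thumbprints, each seen once under the native SystemCertificates key and once under the WOW6432Node view. Before deciding whether entries in the Disallowed (Untrusted) store are a problem, a practitioner would want to see what certificate each thumbprint actually names, which quarantining hides. The following is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell prompt on the affected Windows 7 x64 machine and is written to run on the PowerShell 2.0 that Windows 7 SP1 ships with. The thumbprint list is copied from the log; nothing else about the certificates is assumed.

```powershell
# Added example (not from the thread). Compare the thumbprints Malwarebytes flagged
# with what this machine's Disallowed store really contains, and print the subject
# of any that are present (for example after they were restored from quarantine).
# Assumption: run elevated on the affected Windows 7 x64 box, PowerShell 2.0 syntax.

# Thumbprints copied from the scan log posted above (each appeared twice there:
# once in the native key and once in the WOW6432Node key).
$flagged = @(
    '1990649205B55EAB5D692E9EDB1BE0DDD3B037DE',
    '3AD010247A8F1E991F8DDE5D47989CB5202E5614',
    '6A2C691767C2F1999B8C020CBAB44756A99A0C41',
    '6B6FA65B1BDC2A0F3A7E66B590F93297B8EB56B9',
    '8835437D387BBB1B58FF5A0FF8D003D8FE04AED4',
    '9FEB091E053D1C453C789E8E9C446D31CB177ED9',
    'C597D4E7FF9CE5BD3EC321C11827FCA9294A6BA1',
    'D3FD325D0F2259F693DD789430E3A9430BB59B98'
)

# Registry backing of the Disallowed store, both views the log reported. The subkey
# name under ...\Certificates is the certificate's SHA-1 thumbprint; the DER blob
# sits in that key's "Blob" value.
$regPaths = @(
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates'
)
$regThumbs = @()
foreach ($p in $regPaths) {
    if (Test-Path -Path $p) {
        $regThumbs += Get-ChildItem -Path $p | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
    }
}

# The same store through the certificate provider, which parses the blobs into
# X509Certificate2 objects so Subject / NotAfter are readable.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed

$flagged | ForEach-Object {
    $t       = $_
    $cert    = $disallowed | Where-Object { $_.Thumbprint -eq $t }
    $subject = '(not present: still quarantined, or never restored)'
    $expires = $null
    if ($cert) { $subject = $cert.Subject; $expires = $cert.NotAfter }
    New-Object PSObject -Property @{
        Thumbprint  = $t
        InRegistry  = ($regThumbs -contains $t)
        InCertStore = [bool]$cert
        Subject     = $subject
        NotAfter    = $expires
    }
} | Format-Table Thumbprint, InRegistry, InCertStore, Subject, NotAfter -AutoSize

# Everything else in Disallowed, for context. Administrators and Microsoft's own
# untrusted-certificate updates also populate this store, so an entry here is not
# malicious by itself; what matters is whether a security vendor's signing
# certificate was pushed in to stop its binaries from being trusted.
$disallowed | Where-Object { $flagged -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
```

Run it once with the items still quarantined (InRegistry and InCertStore should both read False) and again after restoring them, so the Subject column shows whose certificate was being distrusted. As the rest of the thread records, Malwarebytes dropped this detection in a later database update, which is the outcome this kind of check is meant to inform rather than replace.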


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc., that I ask for as we go along.

 

[     1     ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

[     2     ]

I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column

    Click the Gather Logs button

    A progress bar will appear and the program will proceed with getting logs from your computer

    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Please know that I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy/paste into the main body.
Thank you,
Sincerely.
 


MBAR found nothing. Is this a false positive of MBAM?


Can you get MBST logs from your Windows 7 machine? Do you know anything about those disallowed certificates, did you set them or did you use any software that did it?


No. This is the first time they have been flagged by Malwarebytes software. Previous scans were clean. I regularly scan my systems with Malwarebytes software.


Thanks. How can I remove the diagnostic tools?


I restored these items from quarantine, then updated the Malwarebytes software and rescanned my systems. MB4 on Win7 found nothing, but MBAM 1.75 on XP still detects them. Why?


The problem has been resolved. With the latest database version MBAM 1.75 no longer detects these certificates.


It seems that the MBAR driver (C:/Windows/system32/drivers/2751135D.sys) was not removed. This file is signed by Malwarebytes. Do I need to remove it manually?


Hello.

You may delete C:/Windows/system32/drivers/2751135D.sys

You should delete the mbar.exe that was downloaded.

You can delete mb-support-1.6.0.774.exe in the Downloads folder.

Delete mbst-grab-results.zip on the Desktop.

To remove the FRSTENGLISH tool and its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe, select RENAME, and then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

 

Let us know if you need other help.


Hello!

I have two questions.

1. I already removed the C:\FRST folder and FRSTEnglish.exe. Should I re-download the tool and uninstall it correctly?

2. How can I identify the MBAR driver on my Windows 7 machine? It seems to have a random name.


On #1, that is OK. You removed FRST.

On #2, you already removed one.

Delete this folder if still present: C:\Documents and Settings\Matias\Рабочий стол\mbar

Delete this file if it is still present: C:\Documents and Settings\Matias\Рабочий стол\mbar-1.10.3.1001.exe

1 hour ago, Maurice Naggar said:

On # 2,   you already removed one

I removed MBAR driver from my XP system, but not from Windows 7 system. How can I identify it?


You can run the FRST tool on the system at issue.

Then look at the FRST.txt report.

Look for an entry similar to this:

(Malwarebytes) C:\WINDOWS\system32\Drivers\2751135D.sys

If there are any leftover drivers, they would be in the sub-folder C:\WINDOWS\system32
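The advice above relies on an FRST listing to spot the driver, and the poster's problem is that MBAR gives its driver a random hexadecimal name (2751135D.sys on the XP box), so a name search will not find it on the Windows 7 machine. What does identify it is the Authenticode signer. The following is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell prompt on the Windows 7 machine and uses only PowerShell 2.0 syntax. It lists every .sys file under System32\drivers whose signer subject names Malwarebytes, and for each shows which service entry (if any) still points at the file.

```powershell
# Added example (not from the thread). Find Malwarebytes-signed driver files by
# signer rather than by name, and show which service entry references each one.
# Assumption: elevated PowerShell 2.0 prompt on the affected Windows 7 machine.

$driverDir = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers'

# Walk the drivers folder and keep files whose embedded signature was issued to
# Malwarebytes. Get-AuthenticodeSignature only sees embedded signatures, which is
# fine here: the thread's 2751135D.sys was an embedded-signed Malwarebytes file.
$hits = Get-ChildItem -Path $driverDir -Filter '*.sys' | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    if ($signer -match 'Malwarebytes') {
        New-Object PSObject -Property @{
            Name      = $_.Name
            File      = $_.FullName
            Signer    = $signer
            SigStatus = $sig.Status
            Modified  = $_.LastWriteTime
        }
    }
}

# A kernel driver is registered under CurrentControlSet\Services and its ImagePath
# names the .sys file. Match on the bare file name so either path form is caught
# (\SystemRoot\System32\drivers\X.sys or System32\drivers\X.sys). Keys that deny
# access are skipped rather than aborting the loop.
$services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

$report = foreach ($h in $hits) {
    $refs = @()
    foreach ($s in $services) {
        $props = Get-ItemProperty -Path $s.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath -and ($props.ImagePath -match [regex]::Escape($h.Name))) {
            $refs += $s.PSChildName
        }
    }
    $h | Add-Member -MemberType NoteProperty -Name Services -Value ($refs -join ',') -PassThru
}

$report | Format-Table Name, SigStatus, Modified, Services, Signer -AutoSize
```

Read the output with one caveat in mind: the Windows 7 machine still has Malwarebytes 4 installed, and its own drivers in the same folder carry the same signer, so every row is not a leftover. The MBAR remnant is the row with a random hex name and a modification time matching the day MBAR was run; a row whose service name is one of the installed product's components belongs to the product and stays. If the leftover's service entry is still present, the file is likely still loaded and cannot be deleted until that service is removed and the machine restarted.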


Should I install MB3 on my XP system? Now this PC has MBAM 1.75.


For the XP system:

Uninstall MBAM 1.75.

Next,

Ideally, if possible, do a Windows Restart. Then proceed.

The Malwarebytes installer is at this link. Please use this link: download and save the setup file. It will automatically download. Just SAVE first.

1.    Double-click mb3-setup-legacy .......exe to start the Malwarebytes for Windows setup.
2.    Follow the installation instructions to complete setup.

Watch all of the process. Have lots of patience.
Let me know how it goes. When setup has completed, my suggestion is always to do a Windows Restart.

Please let me know how this goes.

Once the setup is finished, you need to do one Update run.

Start Malwarebytes, click on Settings,
then click the Applications tab,
then click on Install Application Updates.

Next, just as a double-check, click the Dashboard button. Look on the very far right-side pane and look under "System", and then click on the blue Current just to re-check for Updates.

Let me know what Version you see, let me know how this goes, and whether you need other help.

Sincerely.


Thanks for the instructions. I will install MB3 tomorrow. Is it enough to uninstall MBAM 1.75 via Add/Remove Programs?


Yes, do that first. Then do a RESTART. 😃

This topic is now closed to further replies.