Strange certificates installed on Windows. Concerned about a man-in-the-middle attack.


GANI482

Hello, and thank you for reading my thing here. I checked my certificates on Windows and have noticed a few that seem fishy. I am hoping someone here can help me sort what's legitimate or not. I have included a sample picture to show, like ones called "China something" that don't expire for decades. One is called "no liability". Thanks in advance.

[screenshots attached: certs.PNG, morecerts.PNG]

Edited by GANI482
added another picture to show ones expired decades ago as well

  • Root Admin

SigCheck
https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck

sigcheck64.exe -tv *


Required trusted root certificates
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/trusted-root-certificates-are-required


Removing certificates can cause real issues for the system. Microsoft keeps a list of trusted certificates and manages it for you in general.
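The sigcheck command above compares the machine's root stores against Microsoft's published trusted-root list, which is exactly the question the original poster has. The PowerShell script below is an added example, not from this thread, Sysinternals or Microsoft; it does a similar comparison without sigcheck. It downloads the current list with `certutil -generateSSTFromWU` (a documented certutil option), loads it, and then lists every certificate in the machine and user Root stores that is either expired or not on Microsoft's list. The file path and variable names are my own choices.

```powershell
# Added example: audit Windows root stores against Microsoft's trusted-root list.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, plus internet access for certutil.

# Step 1: fetch the current Microsoft root list into an SST (serialized store) file.
$sstPath = Join-Path $env:TEMP 'ms-roots.sst'
certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

# Step 2: load the list; X509Certificate2Collection.Import understands SST files.
$msRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$msRoots.Import($sstPath)
$msThumbprints = @{}
foreach ($c in $msRoots) { $msThumbprints[$c.Thumbprint] = $true }

# Step 3: walk the local root stores and annotate each certificate.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            InMsList   = $msThumbprints.ContainsKey($_.Thumbprint)
        }
    }
}

# Step 4: show only the items worth a second look. "InMsList = False" means the root
# was not distributed by the Microsoft root program; common legitimate sources are
# corporate policy, security software that inspects TLS, and VPN clients, so review
# the Subject before deciding anything. Expired roots are harmless for new connections
# but are listed so they can be explained.
$report |
    Where-Object { $_.Expired -or -not $_.InMsList } |
    Sort-Object Store, Subject |
    Format-Table Store, Subject, NotAfter, Expired, InMsList -AutoSize
```

Run it from an ordinary PowerShell window; reading the stores needs no elevation. Treat the output as a triage list, not a verdict: as the thread says, deleting roots blindly breaks things, so match any unexpected Subject to software you know is installed before removing anything.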

It is a faux conclusion that, just because you don't recognize a Certificate Authority Root Certificate, it is suspicious and it's a case of malware or malicious activity. The vast majority of people do not understand Public Key Infrastructure (PKI), the role of a Certificate Authority, or the Online Certificate Status Protocol (OCSP). PKI is, after all, an esoteric subject matter. Many systems are dependent upon PKI, such as performing cryptographic logons, email signing & encryption, Secure Sockets Layer/Transport Layer Security (SSL/TLS) and/or using an Encrypted File System. The use of PKI is becoming more commonplace and has even entered the telecommunication industry due to the use of Voice over IP (VoIP) telephony. PKI is now being employed in telephony in the form of SHAKEN/STIR (aka STIR/SHAKEN), using the Certificate Authority system in a "chain of trust" verification. Embedded-SIM (eSIM) is just another system using PKI.


Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

It took me a while to figure out how to get it to run. Does it look like the command ran properly? I can't figure out the online VirusTotal scan, and am not sure I ran the right scan. It says it found unsigned ones in system32. What do I do next? Delete them?

[screenshots attached: Capture.PNG, Capture2.PNG]

Edited by GANI482
new info

  • Root Admin

Yes, all is fine. If one of the certificates were bad, then the Microsoft scanner would point that out too, which you've already run, I do believe.

Microsoft Safety Scanner

Please make sure you exit any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours, as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you


  • Root Admin
  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following content blockers for your web browsers if you haven't done so already. This will help improve overall security:

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Hello. I would like to check these firewall rules. I have noticed they are always there, even when I reset to default. I am mostly talking about the firewallapi.dll ones. Thanks, I am glad this is still open.

[screenshots attached: firewall.PNG, size.PNG]

Also, why are all files 23 GB but the drive shows 52 GB full? Where are the hidden files?

Edited by GANI482
more

I installed the Malwarebytes Browser Guard like recommended above. It is constantly blocking, detecting 150,000 heuristic blocks on sites like YouTube and Reddit. I know it didn't used to do this months ago when I had the Browser Guard. Is there any way to find out what's being blocked and why? It just constantly keeps blocking something, and it's on multiple sites.

[screenshots attached: Screenshot (161), Screenshot (162), Screenshot (163)]

1 hour ago, GANI482 said:

I installed the Malwarebytes Browser Guard like recommended above. It is constantly blocking, detecting 150,000 heuristic blocks on sites like YouTube and Reddit. I know it didn't used to do this months ago when I had the Browser Guard. Is there any way to find out what's being blocked and why? It just constantly keeps blocking something, and it's on multiple sites.

This is new; there is a topic about it below.
