Jump to content

Nvidia Files Flagged as "Trojan.StolenCert"


EEH
 Share

Recommended Posts

A Malwarebytes full scan on 03-19-2022 yielded two Nvidia files being flagged as Trojan.StolenCert. I had them quarantined. The following is the report:

File: 2
Trojan.StolenCert, C:\PROGRAM FILES\NVIDIA CORPORATION\NVSMI\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145
Trojan.StolenCert, C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\NVHM.INF_AMD64_NEUTRAL_8E08A5B2230FF134\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145

Also, when Malwarebytes Anti-Rootkit is opened, the following is immediately displayed: Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. 

I'm not sure if it is related, but I had my very first BSOD on 02-22-2022. Event Viewer reported: Custom dynamic link libraries are being loaded for every application. String C:\Windows\system32\nvinitx.dll

In light of the recent Nvidia breach of stolen credentials and certificates, should I be concerned? Is there anything I should do going forward? Note: These Nvidia files were signed in 2012.

Thank you,
Eric

Link to post
Share on other sites

45 minutes ago, shadowwar said:

Please attach the files so i can verify but this should be fixed now. 

The two files are in quarantine, listed as follows:

9fd350ca-a75e-11ec-9242-a0b3cc4b896b.quar
34793f4c-a759-11ec-82e7-a0b3cc4b896b.quar

Are these the files you want me to attach?

 

 

Link to post
Share on other sites

1) How do I attach the .quar files? I tried, but got a warning box that the file extension is not accepted.

2) Here is the Malwarebytes report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/19/22
Scan Time: 2:39 AM
Log File: ab22d416-a757-11ec-b47a-a0b3cc4b896b.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.25145
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Eric-dv7\Eric

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 572385
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 3 hr, 11 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.StolenCert, C:\PROGRAM FILES\NVIDIA CORPORATION\NVSMI\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145
Trojan.StolenCert, C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\NVHM.INF_AMD64_NEUTRAL_8E08A5B2230FF134\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

5 minutes ago, EEH said:

1) How do I attach the .quar files? I tried, but got a warning box that the file extension is not accepted.

You have to ZIP them before attaching. https://support.microsoft.com/en-us/windows/zip-and-unzip-files-8d28fa72-f2f9-712f-67df-f80cf89fd4e5

Edited by Porthos
Link to post
Share on other sites

Just now, cli said:

Thanks for reporting. This was a false positive and has been fixed. 

That's great, and you're welcome. Should I release the files from quarantine then? Also, should I be concerned going forward as the signing certificates were included in the Nvidia breach by Lapsus$? 

Link to post
Share on other sites

1 hour ago, shadowwar said:

This is the stand alone rootkit tool?

Yes, it's the Malwarebytes Anti-Rootkit scanner (mbar.exe).

 

1 hour ago, shadowwar said:

if so thats a normal message when something uses the appinit key. Just a warning. Being we know its nvidia valid file you can select no. 

So, I am safe from the stolen Nvidia signing certificates being used in Nvidia files and drivers already installed on my system?

Also, should I restore the other two files that were previously quarantined by Malwarebytes?

Thank you for your time in helping me.

Link to post
Share on other sites

30 minutes ago, shadowwar said:

Only recommendation is to update the nvidia software to the latest version if possible. 

Also mbar is pretty outdated and mbam 4 can detect A LOT more then it can. 

Thank you again for your help. Unfortunately, I don't believe I can update the Nvidia drivers past the versions that I already have.

When running mbam, should I always check the "Scan for rootkits" box?

Link to post
Share on other sites

2 hours ago, shadowwar said:

it is not necessary unless there is an infection we cant remove. 

So I should not scan for rootkits during my regular full scans? How would I know if I had a rootkit or not if I don't scan for it?

Link to post
Share on other sites

5 minutes ago, EEH said:

So I should not scan for rootkits during my regular full scans? How would I know if I had a rootkit or not if I don't scan for it?

Rootkits are actually rare now. Also the setting disables some whitelisting leading to false positives. It also increases scan time.

You should have both of these non default settings off..

I also suggest upgrading to a supported OS or a newer computer.

image.png.2ea4af572803d3b2bb3adb6d077d4c38.png

Edited by Porthos
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.