Nvidia Files Flagged as "Trojan.StolenCert"

[EEH]

A Malwarebytes full scan on 03-19-2022 yielded two Nvidia files being flagged as Trojan.StolenCert. I had them quarantined. The following is the report:

File: 2
Trojan.StolenCert, C:\PROGRAM FILES\NVIDIA CORPORATION\NVSMI\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145
Trojan.StolenCert, C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\NVHM.INF_AMD64_NEUTRAL_8E08A5B2230FF134\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145

Also, when Malwarebytes Anti-Rootkit is opened, the following is immediately displayed: Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. 

I'm not sure if it is related, but I had my very first BSOD on 02-22-2022. Event Viewer reported: Custom dynamic link libraries are being loaded for every application. String C:\Windows\system32\nvinitx.dll

In light of the recent Nvidia breach of stolen credentials and certificates, should I be concerned? Is there anything I should do going forward? Note: These Nvidia files were signed in 2012.

Thank you,
Eric

[cli]

Can you attach the file and logs? Thanks.

[Porthos]

Want to add, user is also trying to get help at Bleeping Computer as well https://www.bleepingcomputer.com/forums/t/770136/nvidia-files-flagged-as-trojanstolencert/#entry5336687

[EEH]

39 minutes ago, cli said:

Can you attach the file and logs? Thanks.

Which file, or files should I attach? I assume the log you've requested is the report generated by Malwarebytes, correct?

[cli]

Please attach the files that were detected as well as the logs. The logs can be retrieved by following directions in Upload Malwarebytes Support Tool logs offline. Thanks.

[shadowwar]

Please attach the files so i can verify but this should be fixed now. 

[EEH]

45 minutes ago, shadowwar said:

Please attach the files so i can verify but this should be fixed now. 

The two files are in quarantine, listed as follows:

9fd350ca-a75e-11ec-9242-a0b3cc4b896b.quar
34793f4c-a759-11ec-82e7-a0b3cc4b896b.quar

Are these the files you want me to attach?

 

 

[EEH]

4 hours ago, cli said:

The logs can be retrieved by following directions in Upload Malwarebytes Support Tool logs offline. Thanks.

I do not have .NET Framework 4 installed. Could I simply paste the plain text report in the dialog box here? Thank you for your time in assisting me.

[cli]

Sure, attach the .quar files and plain text report. Thanks.

[EEH]

1) How do I attach the .quar files? I tried, but got a warning box that the file extension is not accepted.

2) Here is the Malwarebytes report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/19/22
Scan Time: 2:39 AM
Log File: ab22d416-a757-11ec-b47a-a0b3cc4b896b.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.25145
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Eric-dv7\Eric

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 572385
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 3 hr, 11 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.StolenCert, C:\PROGRAM FILES\NVIDIA CORPORATION\NVSMI\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145
Trojan.StolenCert, C:\WINDOWS\SYSTEM32\DRIVERSTORE\FILEREPOSITORY\NVHM.INF_AMD64_NEUTRAL_8E08A5B2230FF134\NVDEBUGDUMP.EXE, Quarantined, [7503], [1035227],1.0.25145

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

[Porthos]

5 minutes ago, EEH said:

1) How do I attach the .quar files? I tried, but got a warning box that the file extension is not accepted.

You have to ZIP them before attaching. https://support.microsoft.com/en-us/windows/zip-and-unzip-files-8d28fa72-f2f9-712f-67df-f80cf89fd4e5

Edited March 24, 2022 by Porthos

[EEH]

Here are the .quar files

34793f4c-a759-11ec-82e7-a0b3cc4b896b.zip

9fd350ca-a75e-11ec-9242-a0b3cc4b896b.zip

34793f4c-a759-11ec-82e7-a0b3cc4b896b.zip

[cli]

Thanks for reporting. This was a false positive and has been fixed. 

[EEH]

My apologies, as the first 34793f4c-a759-11ec-82e7-a0b3cc4b896b.zip (217.1 kB) is incorrect, and should be removed.

[EEH]

Just now, cli said:

Thanks for reporting. This was a false positive and has been fixed. 

That's great, and you're welcome. Should I release the files from quarantine then? Also, should I be concerned going forward as the signing certificates were included in the Nvidia breach by Lapsus$? 

[EEH]

Additionally, should I be worried that Malwarebytes Anti-Rootkit keeps flagging AppInit_Dlls at C:\Windows\SysWOW64\nvinit.dll. It's another Nvidia file, so I thought I'd ask.

[shadowwar]

we need the scan log showing the detection to determine. 

[EEH]

5 hours ago, shadowwar said:

we need the scan log showing the detection to determine. 

Here is the scan log:

mbar-log-2022-03-24 (14-37-22).txt

Scans reveal no detection, but this dialog box pops up every time I run Malwarebytes Anti-Rootkit:

 

[shadowwar]

This is the stand alone rootkit tool?

if so thats a normal message when something uses the appinit key. Just a warning. Being we know its nvidia valid file you can select no. 

[EEH]

1 hour ago, shadowwar said:

This is the stand alone rootkit tool?

Yes, it's the Malwarebytes Anti-Rootkit scanner (mbar.exe).

 

1 hour ago, shadowwar said:

if so thats a normal message when something uses the appinit key. Just a warning. Being we know its nvidia valid file you can select no. 

So, I am safe from the stolen Nvidia signing certificates being used in Nvidia files and drivers already installed on my system?

Also, should I restore the other two files that were previously quarantined by Malwarebytes?

Thank you for your time in helping me.

[shadowwar]

Yes you can restore as they were valid nvidia files that our defs misdetected. Only recommendation is to update the nvidia software to the latest version if possible. 

Also mbar is pretty outdated and mbam 4 can detect A LOT more then it can. 

[EEH]

30 minutes ago, shadowwar said:

Only recommendation is to update the nvidia software to the latest version if possible. 

Also mbar is pretty outdated and mbam 4 can detect A LOT more then it can. 

Thank you again for your help. Unfortunately, I don't believe I can update the Nvidia drivers past the versions that I already have.

When running mbam, should I always check the "Scan for rootkits" box?

[shadowwar]

it is not necessary unless there is an infection we cant remove. 

[EEH]

2 hours ago, shadowwar said:

it is not necessary unless there is an infection we cant remove. 

So I should not scan for rootkits during my regular full scans? How would I know if I had a rootkit or not if I don't scan for it?

[Porthos]

5 minutes ago, EEH said:

So I should not scan for rootkits during my regular full scans? How would I know if I had a rootkit or not if I don't scan for it?

Rootkits are actually rare now. Also the setting disables some whitelisting leading to false positives. It also increases scan time.

You should have both of these non default settings off..

I also suggest upgrading to a supported OS or a newer computer.

Edited March 25, 2022 by Porthos