BleepingComputer.com: root certificate missing error

Hi

I recently had a very nasty infection (zlob dns changer) Which was apparently a rootkit. I don't actually know what a rootkit is but I was made to understand that it is very bad.

I got a lot of help, first from stang777 and then from Dachew. Dachew helped me for four days until we (he) finally eliminated the rootkit.
I can not sing the praises of him and this forum enough.

I am getting an error message on boot which I assume is related to the former rootkit. It says:

validation failed for c\windows\system 32\ vsinit.dll. you are probably missing a necessary root certificate.

Other than getting the message my computer seems to be working normally.

I would greatly appreciate any advice on what it means and what to do about it.

I hope I posted this in the right place, I am still learning how to use this forum.


Jonhut

This file is a component of ZoneAlarm Firewall. Try uninstalling and reinstalling ZA.

Let me know if this fixes it.

~Blade

Thanks for your help Blade,


I am not currently currently using ZoneAlarm. I used to have it but I removed it because it was constantly giving me messages that I had no clue what to do with (it was more annoying than the pop-ups).

However, I searched to make sure and found two files associated with it: Zaclients in a folder called Help(2) and a folder called images which has several images in it such as the ZoneAlarm logo. This was all I found.

Should I just delete them?

Should I find Zone alarm and install it?

Jonhut

In that case I would say that ZA left some traces behind. . . I would first try installing ZA and then uninstalling it. . . see if it does the uninstallation properly this time.

Blade,

I checked the properties on those files and they said "created 2004"

Zonealarm.com only offers a pay for version. There are lots of other sites showing free versions but there are many different versions.

I don't know which version I originally had, does it matter?

Is there a particular site were I should get it?

Sorry, so many questions, I'm pretty green and I don't want to screw up.

Thanks again for your help'

jonhut

No worries about too many questions. . . that's what we're here for!

Go to your Add/Remove Programs list and look for anything related to Zonealarm or Truevector and uninstall them. Let me know what you find, if anything.

On a side note. . . I read your other thread and noticed that you first mentioned the error on July 19, just after you ran TFC. Was this the first time the error had appeared, or had it been going on for longer?

~Blade

This post has been edited by Blade Zephon: 22 July 2009 - 12:08 PM

Blade,

I went to add/removed and looked at everything there. I did not see anything that appeared to be related to either one. I assume it would say zonealarm or truvector somewhere if it did?

I wish I could answer the second question with absolute certainty but I can't.

I Know that it showed up for the first time at some point after Chewy started having me do stuff. I was trying to let him know whenever anything weird happened, and the way I wrote the post indicates that was the first time I saw it. But I am not 100% sure.


jonhut

Alright. . . let's try this just to see what happens. It's definitely not a fix for your problem by any means. . . but it may help us identify the exact cause.

Please change the date on your computer to July 15. Then Reboot. Do you still get the error? (You can go ahead and change the date back to the current one after doing this)

~Blade

Blade,

OK that was interesting. I changed the date to the 15th and when I rebooted I didn't get the error.

What does it mean? I don't get it (who am I kidding, I don't get any of this stuff).

awaiting you reply,

Jonhut

Well it means that we know for certain that your problem is caused by a remnant piece of ZoneAlarm Security Suite. A lot of people have been having this problem; most of them currently use ZA and began experiencing the issue on the 16th. Not sure why your case is a bit different timing-wise(perhaps the fact that you no longer use ZA has something to do with it), but since setting the date back caused the problem to vanish it seems pretty clear to me that we're dealing with the same issue. Something about an expired digital certificate or something, the problem is new enough that there's not a whole lot of public information available on it at the moment. Yours is a unique scenario regarding a new problem, so it doesn't appear that ZA has a standard fix in place for your situation yet. Let me consult with the staff here as to the best course of action regarding how to proceed.

I or someone else will get back to you soon. In the meantime, can you look and see if you can find the file c\windows\system32\vsinit.dll? Let me know if it's there or not.

The good news about all this is that it's got nothing to do with the rootkit that was on your system!

~Blade

Hi again Jonhut,

I am glad Chewy was able to resolve your malware problems, I knew he could

The ZoneAlarm removal tool could help this problem. I am not sure if you will need to reinstall ZA or not to have it work correctly, but give it a try without reinstalling and find out.

It can be downloaded from the first post at

http://forums.zonelabs.com/zonelabs/board/...id=84259#M84259

I was unaware of the problem with ZA that started this month and I use ZA

Hi Stang

Apparently this problem is limited to those who hadn't updated to the new version of ZA Security Suite. So you may not be a part of the affected group.

@Jonhut - I didn't know there was a ZA removal tool! Stang is right, you should try that first. Let us know how it goes!

Thanks for the tip Stang!

~Blade

Hi Blade,

I have not updated to that, in fact, I am a few versions behind that. I am running the 7.0.483 version of the av/fw which was released almost a year ago. They are using the 8.whatever version now. Maybe it is that I am running such an older product that makes me be unaffected by it. Whatever the reason, I am very glad I am not having that problem.

You are welcome for the tip, I just hope it works. ZA always seems to leave behind files and probably reg entries too when it is uninstalled.

I have another way that might work if that does not, but it is a lot more complicated as it requires doing it all manually. I will watch this thread and if it is needed, I will post it.

This post has been edited by Stang777: 22 July 2009 - 10:21 PM

Hi, Blade and Stang,

I sure seem to be keeping every one busy here at the forum. Hopefully, one day, I will have learned enough that I can give back and help someone else out (could be a while though).

Stang- Yes, Chewy stuck with me for 4 days (lots of posts) and solved the problem. You guys really saved my bacon! Thanks again.



OK, I tried to run the removal tool, but when I did, the missing root certificate error came up immediately and it would go no further.

It's funny that it just happened to come up in the middle of the rootkit problem. Although, it shouldn't surprise me, coincidences like that happen all the time (in life in general).


jonhut

P.S. Off to work. will check back in the pm.

Sorry that did not work, it usually does, leastwise before this root certificate thing popped up. If you did not try doing it in safe mode, try that before trying the steps in the below links.

One other thought I have about this is since Blade said this was affecting those who had not upgraded to the new version of ZA Security Suite, maybe you could upgrade to that version, using the free trial, and then uninstall it with the ZA uninstall tool.

Here are two links from ZA to remove ZA manually, they seem rather complicated and to finish the job you do need to edit the registry. If you are uncomfortable doing that, then don't do it. If you do it, then use erunt to back up your registry first or atleast make sure you have a new restore point made in system restore just before doing it. The info in the first link seems a bit easier than the second so I would try that first. Make sure you are in safe mode when you do the stuff in the instructions at the below links....

http://forums.zonelabs.org/zonelabs/board/...;message.id=103

http://server.iad.liveperson.net/hc/s-2846...amp;action=view


OOPS, I just found one more thing, when running that uninstall tool, you should set the clock back to the 15th, reinstall and then use it, then it should work, try that before doing the other stuff

This post has been edited by Stang777: 23 July 2009 - 06:31 AM