Malware causing removal of all default Certificates?
2 replies to this topic

#1 netarc
Posted 16 March 2005 - 04:54 AM

Is anyone aware of any malware that specifically targets the default certificate store on a Win2K system?

Recently, an increasing number of our users have been experiencing the issue wherein, upon logon to the Win2K system, the computer presents the error message:

Windows File Protection error
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows 2000 Server CD-ROM now.

Inserting said CD seems to result in files being accessed (copied?) ... yet the error recurs upon subsequent logon. If, on the other hand, one "cancels" the above dialog, another short error is displayed, after which one can go on using the system as normal (again, though, the error recurs upon next logon).

An additional symptom for some users is that access of certain secure sites, such as Webex or a banking site, results in certificate errors where one wouldn't expect them. One user, upon connecting to the Webex site, continually sees the error “Revocation information for the security certificate for this site is not available. Do you want to proceed?” Clicking yes to continue, however, causes the browser to still hang up while trying to connect to a conference. (this, I suspect, is merely a symptom of the "no certificate" problem detailed below)

Microsoft KB articles we've found that seem relevant to this issue include Q293781 and Q296241.

The resolution detailed in the latter article (importing the No Liability and MS Root Authority certificates from a "clean" computer) is one that we've been using with limited success - sometimes this works around the "error message at logon" problem (though it doesn't seem a complete resolution), sometimes not.

What's most troubling, though, is that upon accessing the Certificates MMC on the afflicted system one sees that there are absolutely no certificates installed on the OS (as opposed to a fresh/clean system, which seems to have hundreds)!

The single common thread among most (all?) of the systems exhibiting this behaviour is that they've seen relatively heavy malware (adware/spyware/etc) affliction.
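A way to put numbers on the "absolutely no certificates" observation above and to do the KB Q296241 re-import in bulk rather than one certificate at a time. This is an added example, not code from the original thread, and it assumes a modern Windows host with the PKI module (Windows 8 / Server 2012 or later); Windows 2000 had neither PowerShell nor these cmdlets, so there the equivalent is the Certificates MMC or certutil.exe. The baseline file and export directory paths are hypothetical placeholders. Run Export-RootBaseline on a known-clean machine, then Compare-RootStore and, if needed, Restore-MissingRoots on an afflicted one.

```powershell
# Added example (not from the original post). Assumes the PKI module cmdlets
# Get-ChildItem Cert:\, Export-Certificate and Import-Certificate (Windows 8+).
# Paths below are hypothetical and should be replaced with your own.
param(
    [string]$BaselinePath = 'C:\baseline\root-thumbprints.txt',  # hypothetical: thumbprint list from a clean machine
    [string]$CleanCertDir = 'C:\baseline\rootcerts'              # hypothetical: .cer files exported from it
)

# 1. On the clean machine: record every Trusted Root thumbprint and export each
#    certificate as DER (.cer) so it can be re-imported elsewhere.
function Export-RootBaseline {
    param([string]$ThumbprintFile, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    $roots | ForEach-Object { $_.Thumbprint } | Set-Content -Path $ThumbprintFile
    foreach ($cert in $roots) {
        $file = Join-Path $OutDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    }
    "$($roots.Count) root certificates exported to $OutDir"
}

# 2. On a suspect machine: compare its Trusted Root store with the baseline.
#    A near-empty store matches the symptom in the thread; roots that are present
#    but NOT in the baseline are worth a look too, since adware has been known
#    to add its own.
function Compare-RootStore {
    param([string]$ThumbprintFile)
    $expected = @(Get-Content -Path $ThumbprintFile)
    $present  = @(Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    $missing  = @($expected | Where-Object { $present -notcontains $_ })
    $extra    = @($present  | Where-Object { $expected -notcontains $_ })
    [pscustomobject]@{
        Present    = $present.Count
        Missing    = $missing
        Unexpected = $extra
    }
}

# 3. Re-import whatever is missing from the clean-machine export. This is the
#    KB Q296241 workaround (import from a clean computer) applied to every root
#    at once instead of just the No Liability and MS Root Authority certificates.
function Restore-MissingRoots {
    param([string]$ThumbprintFile, [string]$CertDir)
    $report = Compare-RootStore -ThumbprintFile $ThumbprintFile
    foreach ($tp in $report.Missing) {
        $file = Join-Path $CertDir "$tp.cer"
        if (Test-Path $file) {
            Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
            "restored $tp"
        } else {
            "no exported copy for $tp"
        }
    }
}

# Usage on the afflicted machine (after copying the baseline files over):
#   Compare-RootStore -ThumbprintFile $BaselinePath
#   Restore-MissingRoots -ThumbprintFile $BaselinePath -CertDir $CleanCertDir
```

The Certificates MMC shows both the machine store and the logged-on user's store; to check the latter, substitute Cert:\CurrentUser\Root in the functions above. Restoring the roots only repairs the store; it does not tell you what emptied it, so the comparison should be repeated after a reboot and after the machine has been cleaned to see whether the certificates disappear again.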


#2 Talon
Posted 16 March 2005 - 02:37 PM

My first question would be: can you post a HijackThis log so we can see if there is anything showing there? Also, post a Start Up list.

There may not be anything showing there but it's a place to start if it's malware causing the issue.

It could also be a website they are hitting that is deleting the certs.

This could also be caused by a virus.

Don't know if this will help... you may have seen this already..

http://msdn.microsoft.com/library/default....icate_store.asp

This won't be easy to track down.

#3 netarc (Topic Starter)
Posted 21 March 2005 - 02:11 AM

I'll be obtaining/posting a HijackThis log from an afflicted system shortly ... also, we've opened a ticket with MS support, so if I receive any info from them I'll post to this thread.
