Identifying program attempting to install certificate on Windows

2014-07
  • R..

    I'm trying to help a friend using Windows (which I'm not an expert on by any means) who's experiencing malware-like behavior: a dialog box is repeatedly popping up reading:

    You are about to install a certificate from a certification authority (CA) claiming to represent:

    CE_UmbrellaCert

    Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "yes" you acknowledge this risk.

    AV and anti-malware scanners don't detect anything. My friend hasn't accepted installing the certificate, but whatever program is trying to install it keeps retrying, making the system unusable (constant interruptions). Is there any way to track down which program is making the attempt to install it so this program can be uninstalled/deleted?

  • Answers
  • Marc Antony

    I had the same experience. I downloaded and installed a Flash grabber program from Softonic and realized almost immediately from the sluggish behavior of my machine that I had picked up rogue software along with the program. I immediately uninstalled the program and rebooted, but then I started getting the relentless CE_UmbrellaCert warning pop-up window. As you mention, it makes the machine unusable. I rolled back as you did which got rid of the warning window, but I was still suspicious about what had been causing the relentless certificate warning pop-up even though the offending program had been uninstalled.

    I installed Malwarebytes Free (made sure I updated it with its latest definitions) and did a full system scan. It found 3 PUP (Probably Unwanted Program) items that I didn't have before.

    Registry Keys Detected: 1 HKCU\Software\Softonic\Universal Downloader (PUP.Optional.Softonic.A) -> No action taken

    Folders Detected: 1 C:\Documents and Settings\Margaret\Application Data\ContentExplorer (PUP.Optional.ContentExplorer.A) -> No action taken.

    Files Detected: 1 C:\Documents and Settings\Margaret\Application Data\ContentExplorer\RootCert.cer (PUP.Optional.ContentExplorer.A) -> No action taken.

    I checked the little boxes to get rid of the items, but first I had a look at the "RootCert.cer" file. It was a "DO_NOT_TRUST_FiddlerRoot" certificate.

    I wish I could help you directly identify which program was causing your CE_UmbrellaCert warning, but I suspect that you must have intentionally or unintentionally installed something or upgraded something just prior to your getting the warning pop-ups that altered your system. That would be the culprit program, add-on or update that you're trying to identify.

    Have you tried running a full system scan with the latest updated version of Malwarebytes? It would be interesting to see if you find a registry item and/or a RootCert.cer file on your system as I did.
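
    One way to follow up on the answer above, as an added example that is not part of the original thread: list certificate files sitting in application data folders, show whether each is already trusted as a root, and print autostart entries that mention the folder holding it. The search locations, the Run-key check and the folder-name match are assumptions of this sketch; the two name patterns are the certificate names quoted in the thread.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Name patterns are the two certificate names mentioned in this thread.
$namePatterns = 'CE_UmbrellaCert', 'DO_NOT_TRUST_FiddlerRoot'

# Thumbprints already in a root store, to show whether a prompt was accepted.
$trustedRoots = @{}
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        ForEach-Object { $trustedRoots[$_.Thumbprint] = $store }
}

# Assumed search locations: per-user and machine-wide application data folders.
$searchRoots = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData |
    Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $searchRoots -Recurse -File `
    -Include '*.cer', '*.crt', '*.der' -ErrorAction SilentlyContinue

$suspects = foreach ($file in $files) {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $file.FullName
    } catch { continue }   # file does not parse as a certificate
    $nameHit = [bool]($namePatterns | Where-Object { $cert.Subject -like "*$_*" })
    # Keep self-signed certificates (root candidates) and name matches only.
    if ($cert.Subject -ne $cert.Issuer -and -not $nameHit) { continue }
    [pscustomobject]@{
        Folder     = $file.DirectoryName
        File       = $file.Name
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        TrustedIn  = $trustedRoots[$cert.Thumbprint]   # empty if not installed
        Written    = $file.LastWriteTime
    }
}

# Heuristic: autostart values that mention the folder name holding the file.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($hit in $suspects) {
    $hit | Format-List
    $leaf = Split-Path -Path $hit.Folder -Leaf
    foreach ($key in $runKeys) {
        $entry = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $entry) { continue }
        $entry.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and
            "$($_.Value)".IndexOf($leaf, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            ForEach-Object { "Autostart in ${key}: $($_.Name) = $($_.Value)" }
    }
}
```

    An empty `TrustedIn` means the certificate file is present but has not been added to a root store; the `Written` timestamp can be compared against recent installs to narrow down the program that dropped it.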


  • Related Question

    iPhone application ad-hoc installation on Windows gives invalid certificate error
  • Lorenzo Boccaccia

    I've an application that needs to be deployed to some testers. Those with Windows machines are reporting that the certificate used for signing the application couldn't be installed because of an unknown critical extension (1.2.840.113635.100.6.1.4).

    Is there a way to make that critical extension known to Windows (Vista 64-bit specifically)?

    I'm guessing that all this system of extensions gives users the ability to register callbacks to interpret the various added extensions (it would be totally useless otherwise).

