HTTPS redirect bad certification

  • demonmaestro

Post July 20th, 2012, 8:58 am

Okay, here is an issue from a friend's computer.

When going to an HTTPS website, it changes the security certification. Here are a few screenshots.

picture11.jpg is what it needs to be.

Picture1.jpg is what it's showing on this computer I am working on.
Picture12.jpg is the IP address of the secure server that it is trying to go through.

I need to figure out how to fix this ASAP.

Thanks
Attachments: Picture12.jpg, picture11.jpg, Picture1.jpg

Thanks, Josh --DemonMaestro
www.LilNetwork.com
Fun Website www.ShoutsCloud.com
  • Bigwebmaster

Post July 20th, 2012, 11:57 am

Looks like he is using Windows XP? Has he installed all of the latest updates, including any optional updates regarding certification paths?

Does he have any trojans, worms, or viruses on his computer -- sometimes that could cause problems like this too. I would also suggest running Malwarebytes.
Ozzu Hosting - Want your website on a fast server like Ozzu?
  • demonmaestro

Post July 20th, 2012, 12:37 pm

That's been run and it did find and clean. But I also installed Avast and it keeps popping back saying it's originating from schost, I believe it's called. There was a trojan but Avast cleaned it. Yes, it is Windows XP. Also, it is fully updated in Windows.
  • ATNO/TW

Post July 23rd, 2012, 3:32 pm

This is caused by your original CSR request being signed by a weak MD5 hash. These certificates are no longer supported by modern browsers. You need to talk to GoDaddy and see if they will let you regenerate a new CSR with a stronger MD5 hash and see if they will re-issue it for you.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • demonmaestro

Post July 23rd, 2012, 10:47 pm

That was not an issue. It was a virus, and after much more googling the owner of the computer and I figured out how to fix it.

Thanks for all your help! :)
  • Bigwebmaster

Post July 31st, 2012, 1:22 pm

If you remember, I am curious what virus caused it in case we have someone else with this issue down the road?

Glad you got it fixed!
  • ATNO/TW

Post August 6th, 2012, 1:42 pm

Interestingly enough I caught this rather nasty little virus on July 13th, but it didn't start manifesting itself until after I had rebooted the computer yesterday.

It's called Trojan Horse Dropper.Generic_c.MMI or possibly Trojan.Patchep!sys.

It infects services.exe, which is a valid Windows operating system file and needs to be there. It disabled and corrupted Microsoft Security Essentials; AVG finds it but won't touch it because doing so would bugger up the operating system. One of the symptoms was the bogus security cert as noted in this post. (My first clue was this morning when I opened my browser to Google and had that message instead of Google's search.) I also had browser redirects, popups, etc.

One of the things about it is that it can allow remote access and harvesting of credentials.

Malwarebytes did not find anything related to this. Combofix would get as far as extracting the files, and then this virus would cause it to stop running.

Knowing that it was a Windows system file, I decided to stop wasting time on antivirus and just ran an sfc /scannow (System File Checker utility). It found the corrupted file and replaced it with the original, hence effectively nixing the virus (reboot was required).

The method I used is detailed in the reply in this post
http://forums.avg.com/us-en/avg-forums? ... &id=212180

Another alternative method is detailed in this link, but it's a little more complicated
http://123seminarsonly.com/Blog/trojan- ... -infection

Good luck. It took me three hours of scans to get to where I could actually identify the virus. After that it was a 5-minute fix to run SFC.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
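
Added example (not part of any poster's reply): the comparison this thread makes with screenshots, the certificate shown on the affected computer against the one expected, done on SHA-256 fingerprints in Python. Function names, host names and the placeholder certificate bytes are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER cert this machine is shown; unvalidated on purpose."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # capture a bogus cert instead of aborting
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', spaced or plain hex; return 64 lowercase hex digits."""
    hexed = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexed


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def find_substituted(observed, reference):
    """Hosts whose observed cert differs from the clean-machine reference."""
    # observed: host -> DER bytes; reference: host -> fingerprint text
    return sorted(
        host for host, der in observed.items()
        if host in reference
        and sha256_fingerprint(der) != normalize_fingerprint(reference[host])
    )


def shared_certificates(observed):
    """Groups of hosts shown the identical cert (a sign of interception)."""
    groups = {}
    for host, der in observed.items():
        groups.setdefault(sha256_fingerprint(der), []).append(host)
    return [sorted(hosts) for hosts in groups.values() if len(hosts) > 1]


# Constructed sample: placeholder bytes stand in for real DER certificates.
CLEAN = {"shop.example": b"cert-shop", "mail.example": b"cert-mail"}
REFERENCE = {h: sha256_fingerprint(d).upper() for h, d in CLEAN.items()}
SUSPECT = {"shop.example": b"cert-bogus", "mail.example": b"cert-bogus"}
```

A mismatch can also come from a legitimate certificate renewal or a server farm that uses several certificates, so treat it as a lead to investigate rather than proof.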
  • Bigwebmaster

Post August 6th, 2012, 3:23 pm

Wow, sounds like a nasty little virus.

Thanks for posting this Mark, I am sure this will help someone down the road. Easy fix, just hard to figure what you had needed to do.