# ZHPFix, Script Manager

ZHPFix Script Manager is a utility designed and developed by Nicolas Coolman that works from a script. It processes the detections found in ZHPDiag reports, but not only those!

ZHPFix has been completely rewritten in a new language. It is now portable, that is to say that it no longer requires installation.

ZHPFix does not delete the files and folders listed in the script; it moves them to quarantine folders. It cleans the registry while keeping an export of each key in a registry quarantine folder.

This software is usually used by helpers on disinfection forums. The script provided by the expert must be imported into the utility by clicking the import button. It is also possible to copy and paste your script into the editing area of the interface.

It is highly recommended that you get help from a security expert to write your ZHPFix script.

ATTENTION,
ZHPFix does not support a complete ZHPDiag report. As a safety precaution, each script must be preceded by the words "Script ZHPFix" or the string "Start::", as in the following example :

Start::
CreateRestorePoint
EmptyTemp
EmptyCLSID
EmptyPrefetch
EmptyTracing
DeleteValue: HKCUSOFTWARE2lhtRiaGXfCYRiaGXfCY
DeleteKey: HKCUSOFTWARE2lhtRiaGXfCY
HKLMSOFTWAREMicrosoftTracingKMDDSP
[MD5.339631DF934AFC2BE35E2B27A6F7DB06] [WIS][2016/11/03 09:25:06] (.Adobe Systems, Incorporated.) — C:\WINDOWSInstaller0000000.msp [1642496]
Ø90 – PUC: '0000669E3B673D1149B5000CF41B67A0 '. [HKCU] . (.WebAdSystem.) — C:\WindowsInstaller{A7039FE8-5B0F-4A15-8A76-8DDF0287C74E}\icon.ico
O69 – SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (Cassiopesa) – http://www.cassiopesa.com
O69 – SBI: prefs.js [Coolman2 – 5y4a68sg.default - 1512305234396] user_pref("app.update.lastUpdateTime.addon - background-update-timer.", 1434480329)
O61 – LFC: 11/06/2014 – 12:15:57 R–A- . (…) — C:\TempTest.com [2935928]
O53 – SMSR:HKLM…\startupregSkype [Key] . (…) — C:\Program Files (x86)\SkypePhoneSkype.exe
O53 – SMSR:HKLM…\startupregmsnmsgr (…) — C:\Program FilesMSNU MessengerMsnMsgr.Exe /background
End::

ZHPFix is available in English, German, Spanish, French, Dutch, Polish and Portuguese. The language is changed via the interface by clicking the "Languages" button and restarting the application.

# The end of treatment report

At the end of treatment, you can view the report in your default browser by clicking the "View the report" button. The report is also available in text format, which you can send to your helper. This report details all of the operations performed during processing. It is divided into the topics "Software", "Service", "Scheduled tasks", "Browsers", "Explorer", "Registry", "Order", "Not addressed" and "Balance sheet".

—\ SOFTWARE. (0)
Lists the software to uninstall via the "Applications and features" interface in Windows. This method is preferable because it can usually perform a complete uninstall of the product.

—\ SERVICE. (0)
Specifies the action performed on Windows services: stopped, disabled or removed. A whitelist check is applied to some system services and portions of the registry. This check can make it impossible to move files or delete keys.

—\\ SERVICE. (1)
REFUSED Service: HKLMSYSTEMCurrentControlSetServicesBonjour Service [mDNSResponder.exe]

—\\ EXPLORER ( Records, Files ). (1)
REFUSED Service file: C:\Program FilesBonjourmDNSResponder.exe

—\\ BALANCE SHEET. (2)
ATTENTION, This legitimate service cannot be deleted : Bonjour Service
ATTENTION, This legitimate file cannot be deleted : C:\Program FilesBonjourmDNSResponder.exe

Specifies the action performed on scheduled tasks that are launched automatically at system startup.

—\ INTERNET BROWSER. (0)
Specifies the action performed on internet browsers.

—\\ INTERNET BROWSER. (3)
DELETED data: Edge HomeButtonPage [HTTPS://www.CrossRider.fr]

—\ EXPLORER ( Records, Files ). (0)
Specifies the action performed on folders and files. A whitelist check is applied to certain generic system processes. This check may make it impossible to move files.

—\\ EXPLORER ( Records, Files ). (3)
MOVED file Shortcut: C:\UsersCoolmanDesktopChrome Web Store.lnk

MISSING file Shortcut: Chrome Web Store.lnk

—\ REGISTRY ( Key, Values, Data ). (0)
Specifies the action performed on registry keys, values and data. A whitelist check is applied to certain portions of the registry. This check may make it impossible to delete keys.

—\\ REGISTRY ( Key, Values, Data ). (7)
ABSENT key IFEO: HKLM64SOFTWAREWow6432NodeMicrosoftWindows NTCurrentVersionImage File Execution OptionsNS.exe
ABSENT value FirewallRules: {C1C428BF-7318-4868-8F0F-85CD61E889F8} [ C:\Program Files (x86)\AviraScoutApplicationscout.exe (.not give.) ]
DELETED Run value: Anti-Malware [C:\Tempdllhostwin.exe]
REPLACED data: %SystemRoot%System32control.exe «» %1 »,%*
REPLACED data: Default [HKCUSOFTWARE2lhtRiaGXfCY]
REMOVED value: RecordValeur [HKCUSOFTWARE2lhtRiaGXfCY]
REPLACED data: RzcordData [HKCUSOFTWARE2lhtRiaGXfCY\GXfCY]

—\ ORDER. (0)
Lists the special commands executed while the script runs.

—\\ ORDER. (5)
~ EmptyCLSID: Deleted empty CLSID folders (2)
~ EmptyPrefetch: Prefetcher files deleted (195)
~ EmptyRecycle: Trash emptied successfully.
~ EmptyTemp: Partially empty Local temp folder (165)
~ EmptyTracing: Tracing key removed (3)

—\ NO TREATY. (0)
Displays the script lines that the tool did not handle. The cause may be incorrect syntax.

—\ BALANCE SHEET. (0)
The balance sheet gives further information on the course of treatment.

—\ BALANCE SHEET. (2)
ACTION, Please change the General settings of the Chrome browser.
INFORMATION, This service is locked and cannot be deleted : DHCP.

# The results of the treatment

During processing, items are recorded and reported at the end of the report. They may require the intervention of the user or be purely informational. Here are a few display formats :

ATTENTION, This legitimate folder cannot be deleted : <FolderName>
ATTENTION, This legitimate file cannot be deleted : <FileName>
INFORMATION, This software must be deleted manually : <SoftwareName>
ATTENTION, This legitimate service cannot be deleted : <ServiceName>
INFORMATION, This service is locked and cannot be deleted : <ServiceName>
INFORMATION, This key is locked and cannot be deleted : <KeyName>
ACTION, Please change the General settings of the browser <BrowserName>

# The quarantine

A quarantine module makes it possible to recover the items that were moved or exported: files, folders and registry keys. These items are placed in specific quarantine folders (Leader, Folder, Register). The quarantine is restored through a dedicated interface. Each quarantined item keeps its name but is prefixed with 'File99__' for files, 'Folder99__' for folders and 'Key99__' for keys. In the case of a registry key, the item is an export to a file with the '.reg' extension.

For example :
File1__stvhosts.exe, for the stvhosts.exe file
Folder2__Crossrider, for the Crossrider folder
Key1__sys32_socket_updater.reg, for the sys32_socket_updater registry key

Under the "HKCUSoftwareZHPZHPFix" branch of the registry, keys, values and data are created in order to drive the restoration of the quarantine.

Restore procedure :

1. Click the 'Restore quarantine' button.
2. In the new interface, click the 'Restore' button.
3. Confirm the message 'You want to restore the quarantine'.
4. The restore is performed.
5. A restore report is displayed at the end of treatment.

The particular case of the module O39 :
It can happen that merging a registry key export is impossible, so the key cannot be restored. This situation occurs especially for automatically scheduled tasks (Ø38), for which the "Tasks" registry key is write-locked. If you attempt a restore from quarantine, the result will report a locked key; however, its corresponding registry file is kept in the registry quarantine.

Quarantine purging :
If you notice no particular malfunction a few days after applying your script, remember to empty the quarantine with the interface button provided for this purpose.

# Special script commands

You can include special commands in your script, chosen from the following :

• EmptyCLSID, moves empty folders named in CLSID format.
• EmptyFlash, empties the flash cookies folder.
• EmptyTemp, moves the user's temporary files to quarantine.
• EmptyTracing, treats all the Tracing registry keys.
• EmptyPrefetch, empties the Windows Prefetcher folder.
• EmptyProxy, sets the default configuration of a network without a proxy.
• EmptyRecycle, permanently empties the contents of the Windows Recycle Bin.
• ExportKey, exports a registry key to the Windows desktop.
• CMD, executes a Windows command (cmd).
• OPT, prevents the removal of a process.
• ShortcutFix, abandoned; the treatment is based on the O4GS script line.
• IEFOFix, abandoned; the treatment is based on the ø50 script line.
• WinsockFix, initializes all the Winsock settings.
• TestSigningFix, deletes the TestSigning value from the BCD boot configuration.
• IntegrityChecksFix, removes the IntegrityChecks value from the BCD boot configuration.
• FirewallRaz, abandoned because there is no longer an enumeration of allowed applications under W10 (key: AuthorizedApplications).
• CreateRestorePoint, creates a system restore point.
• ProxyFix, abandoned and replaced by EmptyProxy.
• DeleteKey, deletes a registry key.
• DeleteFile, moves the file to quarantine.
• DeleteFolder, moves the folder to quarantine.
• DeleteValue, deletes a value from a registry key.
• MaskSoftware, makes installed software invisible.
• UnMaskSoftware, makes installed software visible.
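
The script format and command list above, as an added example that is not part of ZHPFix: a small Python check that can be run over a script before it is imported. The command names come from this page; the findings it reports and the sample script are assumptions of this example.

```python
import re

# Command names as listed on this page.
BARE = {"CreateRestorePoint", "EmptyCLSID", "EmptyFlash", "EmptyTemp", "EmptyTracing",
        "EmptyPrefetch", "EmptyProxy", "EmptyRecycle", "WinsockFix",
        "TestSigningFix", "IntegrityChecksFix"}
WITH_ARG = {"ExportKey", "CMD", "OPT", "DeleteKey", "DeleteFile", "DeleteFolder",
            "DeleteValue", "MaskSoftware", "UnMaskSoftware"}
ABANDONED = {"ShortcutFix", "IEFOFix", "FirewallRaz", "ProxyFix"}
# Commands the page describes as having no quarantine (not restorable).
NO_QUARANTINE = {"EmptyCLSID", "EmptyFlash", "EmptyPrefetch", "EmptyTracing", "EmptyRecycle"}
CANON = {n.lower(): n for n in BARE | WITH_ARG | ABANDONED}
HEADERS = ("script zhpfix", "start::")

# Constructed sample script (paths and identifiers are made up for this example).
SAMPLE = r"""Start::
EmptyTemp
CreateRestorePoint
cmd: netsh winsock reset
ProxyFix
DeleteKey:
DeleteFile: C:\Temp\example.exe
O69 - SBI: SearchScopes [HKCU] {00000000-0000-0000-0000-000000000000}
End::
"""


def lint(script):
    """Return (commands, findings); each finding is (line number, message)."""
    lines = [(n, s.strip()) for n, s in enumerate(script.splitlines(), 1) if s.strip()]
    commands, findings = [], []
    if not lines or not lines[0][1].lower().startswith(HEADERS):
        findings.append((1, "missing 'Script ZHPFix' or 'Start::' header"))
    for no, line in lines:
        if line.lower().startswith(HEADERS) or line.lower() == "end::":
            continue
        m = re.match(r"(\w+)\s*(?::\s*(.*))?$", line)
        name = CANON.get(m.group(1).lower()) if m else None
        if name is None:  # anything else is treated as a ZHPDiag report line
            commands.append((no, "report-line", line))
            continue
        arg = (m.group(2) or "").strip()
        commands.append((no, name, arg))
        if name in ABANDONED:
            findings.append((no, f"{name} is abandoned"))
        if name in WITH_ARG and not arg:
            findings.append((no, f"{name} needs an argument"))
        if name in NO_QUARANTINE:
            findings.append((no, f"{name} cannot be restored from quarantine"))
        if name == "CMD" and arg:
            findings.append((no, f"CMD runs an arbitrary Windows command: {arg}"))
    if [c[1] for c in commands][:1] != ["CreateRestorePoint"]:
        findings.append((1, "CreateRestorePoint is not the first command"))
    return commands, findings


if __name__ == "__main__":
    for no, msg in lint(SAMPLE)[1]:
        print(f"line {no}: {msg}")
```
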

# The CreateRestorePoint command

The CreateRestorePoint command creates a system restore point. It is recommended to include this command at the beginning of your script.

Syntax : CreateRestorePoint

In the report preview :

—\\ ORDER. (1)
CreateRestorePoint: OK

—\\ ORDER. (1)
CreateRestorePoint: KO

# The EmptyCLSID command

The EmptyCLSID command moves empty folders named in CLSID format. The Windows operating system, and more precisely its registry, makes wide use of the class identifier format, more commonly known as CLSID.

CLSIDs take the form of a "GUID" (Globally Unique Identifier) and are stored in the Windows registry. They are used to identify "COM" (Component Object Model) class objects.

Even if empty folders pose no risk to the system, their presence and their number clutter your storage units. No quarantine is planned for these folders because they are re-created, if needed, when the corresponding software is launched. The number placed in parentheses is the number of deleted folders.

Syntax : EmptyCLSID

In the report preview :

—\\ EXPLORER ( Records, Files ). (2)
MOVE folder EmptyCLSID: C:\UsersCoolmanAppDataLocalTemp{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
MOVE folder EmptyCLSID: C:\UsersCoolmanAppDataLocalTemp{0733EE93-D776-472f-A0FF-E1416B8B2E3A}

—\\ ORDER. (1)
~ EmptyCLSID: Deleted empty CLSID folders (2)

# The EmptyFlash command

The EmptyFlash command moves Macromedia FlashPlayer flash cookie files.

No quarantine is planned for these files, as they are re-created when the corresponding software is launched. The number placed in parentheses is the number of deleted files.

Syntax : EmptyFlash

In the report preview :

—\\ ORDER. (1)
~ EmptyFlash: FlashPlayer empty folder.

# The EmptyPrefetch command

The EmptyPrefetch command empties the Windows Prefetcher folder.

The prefetcher is a component of Microsoft Windows that was introduced in Windows XP. It is a component of the memory manager that can speed up the Windows startup process and shorten the amount of time it takes to start programs.

No quarantine is planned for these files, as they are re-created when the corresponding software is launched. The number placed in parentheses is the number of deleted files.

Syntax : EmptyPrefetch

In the report preview :

—\\ ORDER. (1)
~ EmptyPrefetch: Prefetcher files deleted (195)

# The EmptyProxy command

The EmptyProxy command reconfigures your network without a proxy. This command turns off parasitic proxies, that is to say proxies set without the user's consent.

The treatment is applied to the registry values ProxyServer, ProxyEnable, MigrateProxy, EnableHttp1_1, ProxyHttp1.1, ProxyOverride,…

This command replaces ProxyFix from the old version of ZHPFix.

Syntax : EmptyProxy

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
~ EmptyProxy: No changes.

# The EmptyRecycle command

The EmptyRecycle command empties the Recycle Bin. The removal of the contents of the Recycle Bin is final. The number placed in brackets is the number of deleted files.

Syntax : EmptyRecycle

In the report preview :

—\\ ORDER. (1)
~ EmptyRecycle: Trash emptied successfully.

# The EmptyTemp command

The EmptyTemp command deletes temporary files. The search is made in many of the user's folders. Files are moved to the file quarantine of the ZHPFix directory. The number placed in brackets is the number of moved files. Each file is preceded by its mode of action: Moved, Absent or Locked, as the case may be.

Syntax : EmptyTemp

In the report preview :

—\\ EXPLORER ( Records, Files ). (165)
LOCKED file Temp.: C:\UsersCoolmanAppDataLocalTempIPVanish.log
MISSING file Temp: C:\UsersCoolmanAppDataLocalTemp161
MOVED file Temp: C:\UsersCoolmanAppDataLocalTemp ~ DF00300041886B7F94. TMP

—\\ ORDER. (1)
~ EmptyTemp: Partially empty Local temp folder (165)

# The EmptyTracing command

The EmptyTracing command removes the Tracing registry keys. No quarantine is planned for these keys, as they are re-created when the corresponding software is launched. The number placed in parentheses is the number of deleted keys.

Syntax : EmptyTracing

In the report preview :

—\\ ORDER. (1)
~ EmptyTracing: Tracing key removed (3)

# The ExportKey command

The ExportKey command exports a registry key to the Windows desktop. The key is exported to a registry file (.reg). The command can be used several times in the same script.

Syntax : ExportKey: <Name of the key>

Example :

ExportKey: HKCUSOFTWARE89htRiaGXfCZ
ExportKey: HKCUSOFTWARE99htRiaGXfCZ

In the report preview :

—\\ ORDER. (2)
ExportKey: C:\UsersJMLDesktopKey1__ExportZHPFix.reg
ExportKey: C:\UsersJMLDesktopKey2__ExportZHPFix.reg

# The DeleteKey command

The DeleteKey command removes a registry key. Beforehand, an export of the key with all its values and data is placed in the 'Register' quarantine folder of ZHPFix.

Syntax : DeleteKey: <Name of the key>

Example : DeleteKey: HKCUSOFTWARE2lhtRiaGXfCY

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
REMOVED key: HKCUSOFTWARE2lhtRiaGXfCY []

—\\ REGISTRY ( Key, Values, Data ).
RESTORED key: HKCUSOFTWARE2lhtRiaGXfCY

# The DeleteValue command

The DeleteValue command removes a value from a registry key. Beforehand, an export of the key with all its values and data is placed in the 'Register' quarantine folder of ZHPFix.

Syntax : DeleteValue: <Name of the key>\<Name of the key value>

Example : DeleteValue: HKCUSOFTWARE2lhtRiaGXfCYRiaGXfCY

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
REMOVED value: RiaGXfCY [HKCUSOFTWARE2lhtRiaGXfCY]

—\\ REGISTRY ( Key, Values, Data ).
RESTORED key: HKCUSOFTWARE2lhtRiaGXfCY

# The CMD command

The "CMD" command runs a Windows 'CMD' command.

Each command line must be preceded by the prefix "CMD:", as in the example below. The command is case-insensitive.

Syntax : CMD: <command>

Example :

CMD: Ipconfig /flushdns
cmd: netsh winsock reset
CMD: netsh advfirewall set allprofiles state on
CMD: Bootrec /FixMbr

In the report preview :

—\\ ORDER. (5)
~ Special command completed successfully: Ipconfig /flushdns
~ Special command completed successfully: netsh winsock reset
~ Special command completed successfully: netsh advfirewall reset
~ Special command completed successfully: netsh advfirewall set allprofiles state on
~ Special command completed successfully: Bootrec /FixMbr

# The OPT command

The OPT command restricts the action taken on a script line. When a script line concerns both Explorer and the registry, the OPT option treats only the registry part. Beforehand, an export of the key with all its values and data is placed in the 'Register' quarantine folder of ZHPFix.

In the particular case of the O4GS module, which deals with file shortcuts, the OPT command keeps the target file and moves the shortcut to the 'file' quarantine folder of ZHPFix.

The restriction information is recorded in the balance sheet.

Syntax : OPT:<script line>

Example : delete a 'Run' key and keep the process that it starts.

OPT:O4 – HKCU.. Run: [Anti-Malware] . (…) — C:\Tempdllhostwin.exe

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
DELETED Run value: Anti-Malware [HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun]

—\\ BALANCE SHEET. (1)
RESTRICTION on the line : O4 – HKCU.. Run: [Anti-Malware] . (…) — C:\Tempdllhostwin.exe

The UnMaskSoftware command makes a software key visible in the registry.

Some uninstall keys are made invisible in the registry so that they are not deleted by mistake. It can also happen that unwanted software installs itself and hides so as not to be found.

Example : make the "Task Killer" software key visible in the registry.

UnMaskSoftware: O42 – Logiciel: Task Killer (Remove only) – (.RSD Software.) [HKLM][64Bits] — Task Killer =>.RSD Software (Hidden)

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
REPLACED data Software: 1 [HKLMSOFTWAREWOW6432NodeMicrosoftWindowsCurrentVersionUninstallTask Killer\SystemComponent]

The MaskSoftware command makes a software key invisible in the registry.

Some uninstall keys are made invisible in the registry so that they are not deleted by mistake. It can also happen that unwanted software installs itself and hides so as not to be found.

Example : make the "Task Killer" software key invisible in the registry.

MaskSoftware: O42 – Logiciel: Task Killer (Remove only) – (.RSD Software.) [HKLM][64Bits] — Task Killer =>.RSD Software

In the report preview :

—\\ REGISTRY ( Key, Values, Data ). (1)
REPLACED data Software: 0 [HKLMSOFTWAREWOW6432NodeMicrosoftWindowsCurrentVersionUninstallTask Killer\SystemComponent]

# The DeleteFile command

The DeleteFile command moves a file. The file is moved to the 'leader' quarantine folder of ZHPFix.

Syntax : DeleteFile: <Full path of the file>

Example : DeleteFile: C:\Tempdllhostwin.exe

In the report preview :

—\\ EXPLORER ( Records, Files ). (1)
MOVED file : C:\Tempdllhostwin.exe

—\\ EXPLORER ( Records, Files ).
RESTORED file: C:\Tempdllhostwin.exe

# The DeleteFolder command

The DeleteFolder command moves a folder. The folder is moved to the 'Folder' quarantine folder of ZHPFix.

Syntax : DeleteFolder: <Full path of the folder>

Example : DeleteFolder: C:\Temp

In the report preview :

—\\ EXPLORER ( Records, Files ). (1)
MOVED file : C:\Temp

—\\ EXPLORER ( Records, Files ).
RESTORED file: C:\Temp

# The TestSigningFix command

The TestSigningFix command removes the "TestSigning" value from the BCD, the system boot configuration data. The testsigning boot configuration option determines whether Windows Vista and later versions of Windows load any type of test-signed kernel-mode code. This option is not set by default, which means that test-signed kernel-mode drivers will not be loaded by default on 64-bit versions of Windows Vista. Note that for 64-bit versions of Windows Vista, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. However, in most cases, an unsigned driver can be installed and loaded on 32-bit versions of Windows Vista. The testsigning boot configuration option is turned on or off using the bcdedit command. The TestSigningFix command launches 'bcdedit.exe' with the parameters 'deletevalue testsigning'.

Syntax : TestSigningFix

Example : TestSigningFix

In the report preview :

—\ ADDITIONAL SCAN (3) – 23s
TestSigning is enabled. Check with the command ZHPFix TestSigningFix if your drivers are signed. =>Riskware.unsigned.Drivers

—\\ ORDER. (1)
~ Special command completed successfully: TestSigningFix

# The IntegrityChecksFix command

The IntegrityChecksFix command removes a value from the BCD, the system boot configuration data. It relates to the following Windows error: Windows encountered a problem installing the driver software for your device. Windows found driver software for your device but encountered an error while attempting to install it. The hash for the file is not present in the specified catalog file. The file is likely corrupt or the victim of tampering. The NoIntegrityChecks boot configuration option is turned on or off using the bcdedit command. The IntegrityChecksFix command launches 'bcdedit.exe' with the parameters 'DeleteValue nointegritychecksfix'.

Syntax : IntegrityChecksFix

Example : IntegrityChecksFix

In the report preview :

—\ ADDITIONAL SCAN (3) – 23s
noIntegrityChecksFix is enabled. Check with the command ZHPFix IntegrityChecksFix If your drivers are signed. =>Riskware.unsigned.Drivers

—\\ ORDER. (1)
~ Special command completed successfully: WinsockFix
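
For the TestSigningFix and IntegrityChecksFix sections above, an added example (not part of ZHPFix) of checking which boot entries carry the weakened driver-signing options, before and after running the fix. It assumes English-locale `bcdedit /enum` output, in which the options appear as `testsigning` and `nointegritychecks` with the value `Yes`; the sample output is constructed.

```python
import re

# Boot options mapped to the ZHPFix command this page gives for removing them.
WEAKENING = {"testsigning": "TestSigningFix", "nointegritychecks": "IntegrityChecksFix"}

# Constructed sample of `bcdedit /enum` output (not captured from a real machine).
SAMPLE = r"""Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
displayorder            {current}
                        {00000000-0000-0000-0000-000000000001}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
testsigning             Yes
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {00000000-0000-0000-0000-000000000001}
device                  partition=C:
testsigning             No
"""


def parse_entries(text):
    """Split bcdedit output into one dict per boot entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # not a "title + dashed underline" entry block
        entry, last = {"_type": lines[0].strip()}, None
        for line in lines[2:]:
            if line[:1].isspace() and last:  # continuation of a multi-value option
                entry[last] += " " + line.strip()
                continue
            key, _, value = line.partition(" ")
            last = key.lower()
            entry[last] = value.strip()
        entries.append(entry)
    return entries


def weakened(entries):
    """Return (identifier, option, fix command) for each enabled weakening option."""
    return [(e.get("identifier"), opt, fix)
            for e in entries
            for opt, fix in WEAKENING.items()
            if e.get(opt, "").lower() == "yes"]


if __name__ == "__main__":
    for ident, opt, fix in weakened(parse_entries(SAMPLE)):
        print(f"{ident}: {opt} is enabled (see {fix})")
```
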

# The WinsockFix command

The WinsockFix command initializes all the Winsock parameters. Winsock (WINdows SOCKet) is a software library for Windows whose purpose is to implement a programming interface inspired by Berkeley sockets.

Syntax : WinsockFix

Example : WinsockFix

In the report preview :

—\\ ORDER. (1)
~ Special command completed successfully: WinsockFix