
ZHPFix, Script Manager

ZHPFix Script Manager is a script-driven utility designed and developed by Nicolas Coolman. It processes the elements detected in ZHPDiag reports, but not only those.

ZHPFix has been completely rewritten in a new language and is now portable, meaning it no longer requires installation.

ZHPFix does not delete the files and folders listed in the script; it moves them to quarantine folders. It cleans the Registry while keeping an export of each key in a registry quarantine folder.

This software is generally used by helpers on disinfection forums. The script provided by the helper must be imported into the utility by clicking the Import button. It is also possible to copy/paste your script into the editing area of the interface.

It is strongly recommended to seek assistance from a security expert to write your ZHPFix script.

WARNING,
ZHPFix does not support a full ZHPDiag report. For security reasons, each script must be preceded by the words “ZHPFix Script” or by the string “Start::”, as in the following example.

Please include the “CreateRestorePoint” command at the start of each script so that you can return to your previous configuration in the event of a malfunction.

Start::
CreateRestorePoint
EmptyTemp
EmptyCLSID
EmptyPrefetch
EmptyTracing
DeleteValue: HKCU\SOFTWARE\2lhtRiaGXfCY\RiaGXfCY
DeleteKey: HKCU\SOFTWARE\2lhtRiaGXfCY
HKLM\SOFTWARE\Microsoft\Tracing\KMDDSP
[MD5.339631DF934AFC2BE35E2B27A6F7DB06] [WIS][2016/11/03 09:25:06] (.Adobe Systems, Incorporated.) — C:\WINDOWS\Installer\00000000.msp [1642496]
O90 – PUC: “0000669E3B673D1149B5000CF41B67A0” [HKCU] . (.WebAdSystem.) — C:\Windows\Installer\{A7039FE8-5B0F-4A15-8A76-8DDF0287C74E}\icon.ico
O69 – SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (Cassiopesa) – https://www.cassiopesa.com
O69 – SBI: prefs.js [Coolman2 – 5y4a68sg.default-1512305234396] user_pref(“app.update.lastUpdateTime.addon-background-update-timer”, 1434480329)
O61 – LFC: 11/06/2014 – 12:15:57 R–A- . (…) — C:\Temp\Test.com [2935928]
O53 – SMSR:HKLM\…\startupreg\Skype [Key] . (…) — C:\Program Files (x86)\Skype\Phone\Skype.exe
O53 – SMSR:HKLM\…\startupreg\msnmsgr (…) — C:\Program Files\MSNU Messenger\MsnMsgr.Exe /background
End::

ZHPFix is available in English, German, Spanish, French, Dutch, Polish and Portuguese. The language is changed via the interface by clicking the “Languages” button and restarting the application.

The end-of-processing report

At the end of processing, you can view the report in your default browser by clicking the “View report” button. The report is also saved on your Desktop in text format, so that you can send it to your helper. This report details all the operations carried out during processing. It is divided into the sections “Software”, “Service”, “Scheduled Task”, “Web Browser”, “Explorer”, “Registry”, “Command”, “Untreated” and “Assessment”.

---\\ SOFTWARE. (0)
Lists software to uninstall via the Windows “Apps & Features” interface. This method is preferable because it generally allows you to uninstall the product completely.

---\\ SERVICE. (0)
Specifies the action performed on Windows services (stopped, deactivated or deleted). A whitelist check is carried out on certain system services and on certain portions of the registry. This check may result in an inability to move files or delete keys.

---\\ SERVICE. (1)
DENIED Service: HKLM\SYSTEM\CurrentControlSet\Services\Bonjour Service [mDNSResponder.exe]

---\\ EXPLORER (Folders, Files). (1)
DENIED Service File: C:\Program Files\Bonjour\mDNSResponder.exe

---\\ ASSESSMENT. (2)
PLEASE NOTE, This legitimate service cannot be deleted: Bonjour Service
WARNING, This legitimate file cannot be deleted: C:\Program Files\Bonjour\mDNSResponder.exe

---\\ SCHEDULED TASK. (0)
Specifies the action performed on scheduled tasks launched automatically at system startup.

---\\ WEB BROWSER. (0)
Specifies the action performed on internet browsers.

---\\ WEB BROWSER. (3)
DELETED Data: Edge HomeButtonPage [https://www.CrossRider.fr]
DELETED Data: Edge Favorites [https://www.ask.com]
MOVED Chrome folder: C:\Users\Coolman2\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbibfnkfgecaoohegoiggbodnpaefoli

---\\ EXPLORER (Folders, Files). (0)
Specifies the action performed on folders and files. A whitelist check is carried out on certain generic system processes. This check may result in an inability to move files.

---\\ EXPLORER (Folders, Files). (3)
MOVED Shortcut File: C:\Users\Coolman\Desktop\Chrome Web Store.lnk
ABSENT Shortcut file: Chrome Web Store.lnk
DENIED Shortcut File: C:\Users\Coolman\AppData\Local\Google\Chrome\Application\chrome.exe

---\\ REGISTRY (Keys, Values, Data). (0)
Specifies the action performed on the keys, values and data of the Registry. A whitelist check is carried out on certain portions of the registry. This check may result in an inability to delete keys.

---\\ REGISTRY (Keys, Values, Data). (7)
ABSENT IFEO key: HKLM64\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe
ABSENT FirewallRules value: {C1C428BF-7318-4868-8F0F-85CD61E889F8} [ C:\Program Files (x86)\Avira\Scout\Application\scout.exe (.not file.) ]
DELETED Run Value: Anti-Malware [C:\Temp\dllhostwin.exe]
REPLACED Data: %SystemRoot%\System32\control.exe "%1",%*
REPLACED Data: Default [HKCU\SOFTWARE\2lhtRiaGXfCY]
DELETED Value: RecordValue [HKCU\SOFTWARE\2lhtRiaGXfCY]
REPLACED Data: RzcordData [HKCU\SOFTWARE\2lhtRiaGXfCY\\GXfCY]

---\\ COMMAND. (0)
Indicates the special commands executed during the script.

---\\ COMMAND. (5)
~ EmptyCLSID: Empty CLSID folders deleted (2)
~EmptyPrefetch: Prefetcher files deleted (195)
~EmptyRecycle: Trash emptied successfully.
~ EmptyTemp: Local temp folder partially emptied (165)
~ EmptyTracing: Tracing keys deleted (3)

---\\ UNTREATED. (0)
Lists the script lines that are not supported by the tool; this is usually due to incorrect syntax.

---\\ ASSESSMENT. (0)
The assessment provides additional information on the progress of processing.

---\\ ASSESSMENT. (2)
“ACTION, Please change the general Chrome browser settings”
“INFORMATION, This service is locked and cannot be deleted: dhcp”

The outcome of processing

During processing, elements are recorded and reported at the end of the report. They may require user intervention or be purely informative. Here are some display formats:

“WARNING, This legitimate folder cannot be deleted: “
“WARNING, This legitimate file cannot be deleted: “
“INFORMATION, This software must be removed manually: “
“ATTENTION, This legitimate service cannot be deleted: “
“INFORMATION, This service is locked and cannot be deleted: “
“INFORMATION, This key is locked and cannot be deleted: “
“ACTION, Please change the general browser settings”
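The following is an added example, not part of the original page or of ZHPFix itself: a small Python parser for the end-of-processing report format shown above. It reads the section headers and the MOVED/DELETED/DENIED/ABSENT/LOCKED item lines, collects the assessment messages, and extracts what a helper would triage first: items the tool could not process and messages that ask the user to act. It also checks that each section's announced count matches the number of lines listed under it, which catches a truncated copy of a report. The report text embedded in it is constructed from the samples on this page; the header form `---\\ SECTION. (n)` and the action vocabulary are assumptions taken from those samples.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Section header, e.g. "---\\ EXPLORER (Folders, Files). (3)": name plus announced item count.
HEADER_RE = re.compile(r"^-+\\+\s*(?P<name>.+?)\.\s*\((?P<count>\d+)\)\s*$")
# Item line: capitalised action verb, object label, then the path / key / data.
ITEM_RE = re.compile(r"^(?P<action>[A-Z]+)\s+(?P<label>[^:]+):\s*(?P<target>.+)$")
# Outcome message: optional quotes, a level, a comma, the message.
ASSESS_RE = re.compile(
    r'^[“"]?(?P<level>WARNING|ATTENTION|PLEASE NOTE|INFORMATION|ACTION),\s*(?P<msg>.+?)[”"]?$'
)


@dataclass
class Section:
    name: str
    announced: int
    items: list = field(default_factory=list)     # (action, label, target)
    commands: list = field(default_factory=list)  # results of special commands
    messages: list = field(default_factory=list)  # (level, message)

    def line_count(self):
        return len(self.items) + len(self.commands) + len(self.messages)


def parse_report(text):
    """Split a ZHPFix end-of-processing report into its sections."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Section(m.group("name").strip(), int(m.group("count")))
            sections.append(current)
            continue
        if current is None:          # title/date lines before the first header
            continue
        m = ASSESS_RE.match(line)
        if m:
            current.messages.append((m.group("level"), m.group("msg").strip()))
            continue
        m = ITEM_RE.match(line)
        if m:
            current.items.append((m.group("action"), m.group("label").strip(),
                                  m.group("target").strip()))
            continue
        if line.startswith("~") or current.name.startswith("COMMAND"):
            current.commands.append(line.lstrip("~ ").strip())
    return sections


def triage(sections):
    """What a helper reads first: action counts, items the tool could not process,
    requests for user action, and sections whose announced count does not match."""
    actions = Counter(a for s in sections for a, _, _ in s.items)
    blocked = [(s.name, a, t) for s in sections for a, _, t in s.items
               if a in ("DENIED", "LOCKED")]
    user_actions = [msg for s in sections for lvl, msg in s.messages if lvl == "ACTION"]
    mismatched = [(s.name, s.announced, s.line_count()) for s in sections
                  if s.announced != s.line_count()]
    return {"actions": dict(actions), "blocked": blocked,
            "user_actions": user_actions, "mismatched": mismatched}


# Constructed sample, assembled from the report excerpts on this page.
SAMPLE_REPORT = r"""
---\\ SERVICE. (1)
DENIED Service: HKLM\SYSTEM\CurrentControlSet\Services\Bonjour Service [mDNSResponder.exe]

---\\ WEB BROWSER. (3)
DELETED Data: Edge HomeButtonPage [https://www.CrossRider.fr]
DELETED Data: Edge Favorites [https://www.ask.com]
MOVED Chrome folder: C:\Users\Coolman2\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbibfnkfgecaoohegoiggbodnpaefoli

---\\ EXPLORER (Folders, Files). (3)
MOVED Temp File: C:\Users\Coolman\AppData\Local\Temp\AdobeARM.log
LOCKED Temp File: C:\Users\Coolman\AppData\Local\Temp\IPVanish.log
ABSENT Temp File: C:\Users\Coolman\AppData\Local\Temp\161

---\\ COMMAND. (2)
~ EmptyTemp: Local temp folder partially emptied (165)
CreateRestorePoint: OK

---\\ ASSESSMENT. (2)
“ACTION, Please change the general Chrome browser settings”
“INFORMATION, This service is locked and cannot be deleted: dhcp”
"""

if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```

The count check matters in practice: a report pasted into a forum post is often cut short, and a section announcing more lines than it shows is the quickest sign that the helper is not looking at the whole result.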

Quarantine

A quarantine module allows you to recover moved or exported items such as files, folders and registry keys. These items are placed in specific quarantine folders (File, Folder, Registry). Quarantine restoration is done via a dedicated interface. Each element retains its name but is prefixed with 'File99__' for files, 'Folder99__' for folders and 'Key99__' for keys, where 99 stands for a number. In the case of a registry key, the item is an export file with the '.reg' extension.

For example:
File1__stvhosts.exe, for the stvhosts.exe file
Folder2__Crossrider, for the Crossrider folder
Key1__sys32_socket_updater.reg, for the sys32_socket_updater registry key

In the “HKCU\Software\ZHP\ZHPFix” branch of the Registry, keys, values and data are created in order to control the restoration of the quarantine.

Restoration procedure:

  1. Click on the 'Restore Quarantine' button.
  2. In the new interface, click on the 'Restore' button.
  3. Confirm the message 'Do you want to restore quarantine'.
  4. The restoration is carried out.
  5. A restoration report is displayed at the end of processing.

The particular case of module O39:
It may happen that merging a registry key export is impossible, so the key cannot be restored. This occurs in particular for automatically scheduled tasks (O38), for which the “Tasks” key in the Registry is locked for writing. If a quarantine restore is attempted, the result will be a locked key; however, its corresponding registry file will be retained in the registry quarantine.

Emptying the quarantine:
If you notice no particular malfunction a few days after applying your script, consider emptying the quarantine using the interface button provided for this purpose.

Special script commands

You can include special commands in your script; the list is as follows:

  • EmptyCLSID, moves empty folders whose name is in CLSID format.
  • EmptyFlash, empties the Flash cookies folder.
  • EmptyTemp, moves the user's temporary folders to quarantine.
  • EmptyTracing, deletes all Tracing registry keys.
  • EmptyPrefetch, empties the Windows Prefetcher folder.
  • EmptyProxy, restores the default network configuration without a proxy.
  • EmptyRecycle, permanently empties the contents of the Windows Recycle Bin.
  • ExportKey, exports a registry key to the Windows Desktop.
  • CMD, executes a Windows command (cmd).
  • OPT, prevents the deletion of a process.
  • ShortcutFix, abandoned; processing is done according to the O4GS line of the script.
  • IEFOFix, abandoned; processing is done according to the O50 line of the script.
  • WinsockFix, initializes all Winsock settings.
  • TestSigningFix, removes the TestSigning value from the BCD startup configuration.
  • IntegrityChecksFix, removes the IntegrityChecks value from the BCD startup configuration.
  • FirewallRaz, abandoned because under Windows 10 there is no longer a list of authorized applications (key: AuthorizedApplications).
  • CreateRestorePoint, creates a system restore point.
  • ProxyFix, abandoned and replaced by EmptyProxy.
  • DeleteKey, deletes a registry key.
  • DeleteFile, moves the file to quarantine.
  • DeleteFolder, moves the folder to quarantine.
  • DeleteValue, deletes a registry key value.
  • MaskSoftware, makes installed software invisible.
  • UnMaskSoftware, makes installed software visible.
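As an added example (not ZHPFix code), here is a Python checker for a script before it is imported. It enforces the rules stated on this page (the script must begin with “Start::” or “ZHPFix Script”, and CreateRestorePoint should come first), recognizes the special commands listed above, flags the abandoned ones and any CMD line for review, lets ZHPDiag report lines through, and reports lines that would end up in the “Untreated” section. The requirement that a script closes with “End::” is taken from the page's example script and is an assumption; the command name CMD is used, as in the page's own CMD section, rather than the DCM spelling that appears in some copies of the list. Both sample scripts are constructed, the first from the example script on this page.

```python
import re

# Special commands from the list on this page.
SIMPLE_COMMANDS = {"CreateRestorePoint", "EmptyCLSID", "EmptyFlash", "EmptyTemp", "EmptyTracing",
                   "EmptyPrefetch", "EmptyProxy", "EmptyRecycle", "WinsockFix",
                   "TestSigningFix", "IntegrityChecksFix"}
ARG_COMMANDS = {"ExportKey", "CMD", "OPT", "DeleteKey", "DeleteFile", "DeleteFolder",
                "DeleteValue", "MaskSoftware", "UnMaskSoftware"}
ABANDONED = {"ShortcutFix", "IEFOFix", "FirewallRaz", "ProxyFix"}
# Command names are matched case-insensitively (the page shows both "CMD:" and "cmd:").
LOOKUP = {c.lower(): c for c in SIMPLE_COMMANDS | ARG_COMMANDS | ABANDONED}
# ZHPDiag report lines that ZHPFix processes directly: "O90 – PUC: ...", "[MD5.xxx] ...",
# or a bare registry key such as "HKLM\SOFTWARE\...".
DIAG_LINE_RE = re.compile(r"^(O\d+\s*[–-]\s*|\[MD5\.|HK(LM|CU|CR|U|CC)(64)?\\)")


def check_script(text):
    """Return (findings, entries) for a ZHPFix script. Each entry is
    (line number, kind, command, argument), kind in command/abandoned/diag/untreated."""
    findings, entries, commands_seen = [], [], []
    lines = text.splitlines()
    body = [l.strip() for l in lines if l.strip()]
    if not body:
        return ["empty script"], entries
    if not (body[0] == "Start::" or body[0].lower().startswith("zhpfix script")):
        findings.append("script must begin with 'Start::' or 'ZHPFix Script'")
    if body[-1] != "End::":   # assumed from the page's example script
        findings.append("script does not end with 'End::'")
    for n, raw in enumerate(lines, 1):
        s = raw.strip()
        if not s or s in ("Start::", "End::") or s.lower().startswith("zhpfix script"):
            continue
        name, sep, arg = s.partition(":")
        canonical = LOOKUP.get(name.strip().lower())
        arg = arg.strip()
        if canonical in SIMPLE_COMMANDS and not sep:
            entries.append((n, "command", canonical, ""))
            commands_seen.append(canonical)
        elif canonical in ARG_COMMANDS and arg:
            entries.append((n, "command", canonical, arg))
            commands_seen.append(canonical)
            if canonical == "CMD":   # executes a Windows command: a helper should review it
                findings.append(f"line {n}: CMD executes a Windows command, review before applying: {arg}")
        elif canonical in ABANDONED:
            entries.append((n, "abandoned", canonical, arg))
            findings.append(f"line {n}: {canonical} is abandoned and is no longer processed as such")
        elif DIAG_LINE_RE.match(s):
            entries.append((n, "diag", "", s))
        else:
            entries.append((n, "untreated", "", s))
            findings.append(f"line {n}: unrecognized syntax, would appear under UNTREATED: {s}")
    if "CreateRestorePoint" not in commands_seen:
        findings.append("CreateRestorePoint is missing; put it at the start of the script")
    elif commands_seen[0] != "CreateRestorePoint":
        findings.append("CreateRestorePoint should be the first command")
    return findings, entries


# Constructed from the example script on this page.
GOOD_SCRIPT = r"""Start::
CreateRestorePoint
EmptyTemp
EmptyCLSID
DeleteValue: HKCU\SOFTWARE\2lhtRiaGXfCY\RiaGXfCY
DeleteKey: HKCU\SOFTWARE\2lhtRiaGXfCY
HKLM\SOFTWARE\Microsoft\Tracing\KMDDSP
O90 – PUC: “0000669E3B673D1149B5000CF41B67A0” [HKCU] . (.WebAdSystem.) — C:\Windows\Installer\{A7039FE8-5B0F-4A15-8A76-8DDF0287C74E}\icon.ico
O53 – SMSR:HKLM\…\startupreg\Skype [Key] . (…) — C:\Program Files (x86)\Skype\Phone\Skype.exe
End::
"""

# Constructed script containing the mistakes the checker is meant to catch.
BAD_SCRIPT = r"""EmptyTemp
CreateRestorePoint
cmd: netsh winsock reset
ProxyFix
Delete: C:\Temp\dllhostwin.exe
End::
"""

if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        findings, _ = check_script(script)
        print(label, findings or "no findings")
```

The checker classifies rather than rejects: a ZHPDiag line is passed through unchanged, and only lines matching no known shape are reported as untreated, which mirrors how the tool itself lists unsupported lines in its report.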

The CreateRestorePoint command

The CreateRestorePoint command creates a system restore point. It is recommended to include this command at the beginning of your script.

Syntax: CreateRestorePoint

Preview in the report (OK when the restore point was created, KO when it was not):

---\\ COMMAND. (1)
CreateRestorePoint: OK

---\\ COMMAND. (1)
CreateRestorePoint:KO

The EmptyCLSID command

The EmptyCLSID command moves empty folders whose name is in CLSID format. The Windows operating system, and more precisely its registry, makes wide use of the Class Identifier format, more commonly called CLSID.

CLSIDs take the form of a GUID (Globally Unique IDentifier) and are stored in the Windows Registry. They are used to identify COM (Component Object Model) class objects.

Even though empty folders pose no risk to the system, their presence and number clutter your storage. No quarantine is provided for these folders because they are recreated, if necessary, when the corresponding software is launched. The number in parentheses is the number of deleted folders.

Syntax: EmptyCLSID

Preview in the report:

---\\ EXPLORER (Folders, Files). (2)
DEPLACÉ Dossier EmptyCLSID: C:\Users\Coolman\AppData\Local\Temp\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
DEPLACÉ Dossier EmptyCLSID: C:\Users\Coolman\AppData\Local\Temp\{0733EE93-D776-472f-A0FF-E1416B8B2E3A}

---\\ COMMAND. (1)
~ EmptyCLSID: Empty CLSID folders deleted (2)

The EmptyFlash command

The EmptyFlash command moves the Flash cookie files of Macromedia Flash Player.

No quarantine is provided for these files because they are recreated when the corresponding software is launched. The number in parentheses is the number of deleted files.

Syntax: EmptyFlash

Preview in the report:

---\\ COMMAND. (1)
~ EmptyFlash: Empty FlashPlayer folder.

The EmptyPrefetch command

The EmptyPrefetch command allows you to empty the Windows Prefetcher folder.

The Prefetcher is a component of Microsoft Windows introduced in Windows XP. It is a memory manager component that can speed up the Windows startup process and shorten the time it takes to start programs.

No quarantine is provided for these files because they are recreated when the corresponding software is launched. The number in parentheses is the number of deleted files.

Syntax: EmptyPrefetch

Preview in the report:

---\\ COMMAND. (1)
~EmptyPrefetch: Prefetcher files deleted (195)

The EmptyProxy command

The EmptyProxy command allows you to reconfigure your network without a proxy. It deactivates parasitic proxies, i.e. proxies configured without the user's consent.

The processing applies to the registry values ProxyServer, ProxyEnable, MigrateProxy, EnableHttp1_1, ProxyHttp1.1, ProxyOverride, …

This command replaces ProxyFix from the old version of ZHPFix.

Syntax: EmptyProxy

Preview in the report:

---\\ REGISTRY (Keys, Values, Data). (1)
~EmptyProxy: No changes.

The EmptyRecycle command

The EmptyRecycle command allows you to empty the recycle bin. Deleting the contents of the recycle bin is permanent. The number in parentheses corresponds to the number of deleted files.

Syntax: EmptyRecycle

Preview in the report:

---\\ COMMAND. (1)
~EmptyRecycle: Trash emptied successfully.

The EmptyTemp command

The EmptyTemp command allows you to delete temporary files. The search covers many user folders. The files are moved to the ZHPFix file quarantine directory. The number in parentheses is the number of files moved. Each file is preceded by its action mode: Moved, Absent or Locked, depending on the case encountered.

Syntax: EmptyTemp

Preview in the report:

---\\ EXPLORER (Folders, Files). (165)
MOVED Temp File: C:\Users\Coolman\AppData\Local\Temp\AdobeARM.log
LOCKED Temp File: C:\Users\Coolman\AppData\Local\Temp\IPVanish.log
ABSENT Temp File: C:\Users\Coolman\AppData\Local\Temp\161
MOVED Temp File: C:\Users\Coolman\AppData\Local\Temp\~DF00300041886B7F94.TMP

---\\ COMMAND. (1)
~ EmptyTemp: Local temp folder partially emptied (165)

The EmptyTracing command

The EmptyTracing command allows you to delete Tracing registry keys. No quarantine is provided for these keys because they are recreated when the corresponding software is launched. The number in parentheses is the number of deleted keys.

Syntax: EmptyTracing

Preview in the report:

---\\ COMMAND. (1)
~ EmptyTracing: Tracing keys deleted (3)

The ExportKey command

The ExportKey command allows you to export a registry key to the Windows Desktop. The key is exported to a registry file (.reg). It is possible to use the command several times in the same script.

Syntax: ExportKey:

Example:

ExportKey: HKCU\SOFTWARE\89htRiaGXfCZ
ExportKey: HKCU\SOFTWARE\99htRiaGXfCZ

Preview in the report:

---\\ COMMAND. (2)
ExportKey: C:\Users\JML\Desktop\Key1__ExportZHPFix.reg
ExportKey: C:\Users\JML\Desktop\Key2__ExportZHPFix.reg

The DeleteKey command

The DeleteKey command allows you to delete a Registry key. Beforehand, an export of the key with all its values and data is placed in the ZHPFix 'Registry' quarantine folder.

Syntax: DeleteKey:

Example: DeleteKey: HKCU\SOFTWARE\2lhtRiaGXfCY

Preview in the processing report, then in the restoration report:

---\\ REGISTRY (Keys, Values, Data). (1)
DELETED Key: HKCU\SOFTWARE\2lhtRiaGXfCY []

---\\ REGISTRY (Keys, Values, Data).
RESTORED Key: HKCU\SOFTWARE\2lhtRiaGXfCY

The DeleteValue command

The DeleteValue command allows you to delete a Registry key value. Beforehand, an export of the key with all its values and data is placed in the ZHPFix 'Registry' quarantine folder.

Syntax: DeleteValue:\

Example: DeleteValue: HKCU\SOFTWARE\2lhtRiaGXfCY\RiaGXfCY

Preview in the processing report, then in the restoration report:

---\\ REGISTRY (Keys, Values, Data). (1)
DELETED Value: RiaGXfCY [HKCU\SOFTWARE\2lhtRiaGXfCY]

---\\ REGISTRY (Keys, Values, Data).
RESTORED Key: HKCU\SOFTWARE\2lhtRiaGXfCY

The CMD command

The “CMD” command allows you to execute a Windows “CMD” command.

Each command line must be preceded by the prefix “CMD: ”, as in the example below. The prefix is case-insensitive (note “cmd:” in the example).

Syntax: CMD:

Example:

CMD: Ipconfig /flushdns
cmd: netsh winsock reset
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD:bootrec /FixMbr

Preview in the report:

---\\ COMMAND. (5)
~ Special command executed successfully: Ipconfig /flushdns
~ Special command executed successfully: netsh winsock reset
~ Special command executed successfully: netsh advfirewall reset
~ Special command executed successfully: netsh advfirewall set allprofiles state on
~ Special command executed successfully: bootrec /FixMbr

The OPT command

The OPT command allows you to restrict the action taken on a script line. When a script line involves both the Explorer and the Registry, the OPT option processes only the Registry part. Beforehand, an export of the key with all its values and data is placed in the ZHPFix “Registry” quarantine folder.

In the particular case of the O4GS module, which deals with file shortcuts, the OPT command keeps the target file and moves the shortcut to the ZHPFix 'File' quarantine folder.

The restriction is recorded in the assessment section of the report.

Syntax: OPT:

Example: delete a “Run” value and keep the process it starts.

OPT:O4 – HKCU\..\Run: [Anti-Malware] . (…) — C:\Temp\dllhostwin.exe

Preview in the report:

---\\ REGISTRY (Keys, Values, Data). (1)
DELETED Run Value: Anti-Malware [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]

---\\ ASSESSMENT. (1)
RESTRICTION on the line: O4 – HKCU\..\Run: [Anti-Malware] . (…) — C:\Temp\dllhostwin.exe

The UnMaskSoftware command

The UnMaskSoftware command makes an installed software key visible in the Registry.

Some uninstall keys are made invisible in the Registry so that they are not deleted by mistake. It can also happen that unwanted software installs itself and hides so as not to be found.

Syntax: UnMaskSoftware:

Example: make the “Task Killer” software key visible in the Registry.

UnMaskSoftware: O42 – Software: Task Killer (remove only) – (.RSD Software.) [HKLM][64Bits] — Task Killer =>.RSD Software (Hidden)

Preview in the report:

---\\ REGISTRY (Keys, Values, Data). (1)
REPLACED Software Data: 1 [HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Task Killer\\SystemComponent]

The MaskSoftware command

The MaskSoftware command makes an installed software key invisible in the Registry.

Some uninstall keys are made invisible in the Registry so that they are not deleted by mistake. It can also happen that unwanted software installs itself and hides so as not to be found.

Syntax: MaskSoftware:

Example: make the “Task Killer” software key invisible in the Registry.

MaskSoftware: O42 – Software: Task Killer (remove only) – (.RSD Software.) [HKLM][64Bits] — Task Killer =>.RSD Software

Preview in the report:

---\\ REGISTRY (Keys, Values, Data). (1)
REPLACED Software Data: 0 [HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Task Killer\\SystemComponent]

The DeleteFile command

The DeleteFile command allows you to move a file. The file is moved to the ZHPFix 'File' quarantine folder.

Syntax: DeleteFile:

Example: DeleteFile: C:\Temp\dllhostwin.exe

Preview in the processing report, then in the restoration report:

---\\ EXPLORER (Folders, Files). (1)
MOVED File: C:\Temp\dllhostwin.exe

---\\ EXPLORER (Folders, Files).
RESTORED File: C:\Temp\dllhostwin.exe

The DeleteFolder command

The DeleteFolder command allows you to move a folder. The folder is moved to the ZHPFix 'Folder' quarantine folder.

Syntax: DeleteFolder:

Example: DeleteFolder: C:\Temp

Preview in the processing report, then in the restoration report:

---\\ EXPLORER (Folders, Files). (1)
MOVED File: C:\Temp

---\\ EXPLORER (Folders, Files).
RESTORED File: C:\Temp

The TestSigningFix command

The TestSigningFix command allows you to delete the “TestSigning” value from the BCD (Boot Configuration Data), the system startup configuration. The testsigning boot configuration option determines whether Windows Vista and later versions of Windows load any type of test-signed kernel-mode code. This option is not set by default, which means that test-signed kernel-mode drivers are not loaded by default on 64-bit versions of Windows since Vista. Note: on 64-bit versions since Windows Vista, the kernel-mode code signing policy requires all kernel-mode code to have a digital signature; however, in most cases an unsigned driver can still be installed and loaded on 32-bit versions since Windows Vista. The testsigning boot configuration option is enabled or disabled via the bcdedit command. The TestSigningFix command launches “bcdedit.exe” with the parameters “deletevalue testsigning”.

Syntax: TestSigningFix

Example: TestSigningFix

Preview in the reports (ZHPDiag detection line, then the ZHPFix result):

---\\ ADDITIONAL SCAN (3) – 23s
TestSigning is enabled. Check with the ZHPFix TestSigningFix command if your drivers are signed. =>Riskware.unsigned.Drivers

---\\ COMMAND. (1)
~ Special command executed successfully: TestSigningFix

The IntegrityChecksFix command

The IntegrityChecksFix command allows you to delete the “noIntegrityChecks” value from the BCD (Boot Configuration Data), the system startup configuration. This value is associated with the driver installation error “Windows encountered a problem installing the driver software for your device. Windows found the driver software for your device but encountered an error while trying to install it. The file hash is not present in the specified catalog file. The file is probably corrupted or the victim of tampering.” The noIntegrityChecks boot configuration option is enabled or disabled via the bcdedit command. The IntegrityChecksFix command launches “bcdedit.exe” with the parameters “deletevalue nointegritychecks”.

Syntax: IntegrityChecksFix

Example: IntegrityChecksFix

Preview in the reports (ZHPDiag detection line, then the ZHPFix result):

---\\ ADDITIONAL SCAN (3) – 23s
noIntegrityChecksFix is activated. Check with the ZHPFix command IntegrityChecksFix if your drivers are signed. =>Riskware.unsigned.Drivers

---\\ COMMAND. (1)
~ Special command executed successfully: IntegrityChecksFix
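The two boot options handled by TestSigningFix and IntegrityChecksFix can be checked without ZHPFix. The added Python example below (not ZHPFix code) parses the text output of `bcdedit /enum`, flags every Windows Boot Loader entry where testsigning or nointegritychecks is set to Yes, and names both the ZHPFix command and the equivalent `bcdedit /deletevalue` invocation that removes the value; nothing is executed. The bcdedit output embedded in it is constructed, and the second loader's identifier is a made-up placeholder.

```python
import re

# Boot options that weaken kernel-mode code-signing enforcement, mapped to the ZHPFix
# command that removes them (the page: "bcdedit.exe deletevalue <option>").
RISKY_OPTIONS = {"testsigning": "TestSigningFix", "nointegritychecks": "IntegrityChecksFix"}
UNDERLINE_RE = re.compile(r"-{5,}")   # the dashes under an entry title in bcdedit output


def parse_bcdedit(output):
    """Parse the text of `bcdedit /enum` into one dict per entry: the entry title under
    "_title", then every "key   value" line of the entry with the key lower-cased."""
    entries, current = [], None
    lines = output.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if not s:
            continue
        # A title is a line followed by a line of dashes, e.g. "Windows Boot Loader".
        if i + 1 < len(lines) and UNDERLINE_RE.fullmatch(lines[i + 1].strip()):
            current = {"_title": s}
            entries.append(current)
            continue
        if UNDERLINE_RE.fullmatch(s) or current is None:
            continue
        key, _, value = s.partition(" ")
        current[key.lower()] = value.strip()
    return entries


def audit_boot_entries(entries):
    """Return (identifier, option, zhpfix_command) for each loader entry that has a
    risky option set to Yes. Entries without the option are treated as 'No'."""
    findings = []
    for entry in entries:
        if entry.get("_title") != "Windows Boot Loader":
            continue
        for option, fix in RISKY_OPTIONS.items():
            if entry.get(option, "No").lower() == "yes":
                findings.append((entry.get("identifier", "?"), option, fix))
    return findings


def remediation(findings):
    """The bcdedit invocation equivalent to the ZHPFix command, one per finding.
    Returned as strings for review, not executed."""
    return [f"bcdedit /deletevalue {ident} {option}" for ident, option, _ in findings]


# Constructed sample of `bcdedit /enum` output: one boot manager and two loaders,
# the current one with both risky options set.
SAMPLE_BCDEDIT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
locale                  en-US
osdevice                partition=C:
systemroot              \WINDOWS
testsigning             Yes
nointegritychecks       Yes
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {0b1a2c3d-constructed-example}
device                  partition=D:
path                    \WINDOWS\system32\winload.efi
description             Windows 10 (second disk)
osdevice                partition=D:
systemroot              \WINDOWS
nx                      OptIn
"""

if __name__ == "__main__":
    found = audit_boot_entries(parse_bcdedit(SAMPLE_BCDEDIT))
    for (ident, option, fix), cmd in zip(found, remediation(found)):
        print(f"{ident}: {option}=Yes  ->  ZHPFix {fix}  (or: {cmd})")
```

Auditing every loader entry rather than only {current} matters on dual-boot machines: a second entry with testsigning set is just as much a signal that something expected unsigned kernel-mode code to load.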

The WinsockFix command

The WinsockFix command allows you to initialize all Winsock parameters. Winsock (WINdows SOCKet) is a software library for Windows that implements a programming interface inspired by Berkeley sockets.

Syntax: WinsockFix

Example: WinsockFix

Preview in the report:

---\\ COMMAND. (1)
~ Special command executed successfully: WinsockFix
