    • #24638

      Hello Nicolas,

      I hope you're well.

      I can't find anywhere to post feedback. Do you have a link to get them back to you?

      Edit:

      Microsoft One Drive line in Onage:

      O4 – GS\Programs [RJ]: OneDrive.lnk. (…) C:\Users\RJ\AppData\Local\Microsoft\OneDrive\OneDrive.exe [Unsigned]
      O4 – GS\Programs [Public]: OneDrive.lnk. (…) C:\Users\RJ\AppData\Local\Microsoft\OneDrive\OneDrive.exe [Unsigned]

      Sonic II line: Asrog motherboard sound card interface:

      O90 – PUC: “7B781A6E9490EAA4FBB675F93D6F5ED5” [HKLM]. (.Sonic Studio Plugin.)
      O90 – PUC: “F4AFD0F222A6726439289FF81077FB05” [HKLM] . (.Sonic Radar II.) — C:\WINDOWS\Installer\{2F0DFA4F-6A22-4627-9382-F98F0177BF50}\icon.ico

      Thank you

    • #24639
      Nicholas Coolman
      Key Master

      Hello Electrician,

      I'm pinning your topic which may be useful for others.

      This will be taken into account with the next version.

      Regards

      Free support forum
      Nicholas Coolman

    • #24651

      Super,

      I posted this link on a few sites. We'll see the feedback.

    • #24669

      Hello,

      Zhpsuite gets caught by antiviruses and Windows firewall!

      I think you can report it so that we can modify the FP. I reported it on my own.

      So, I have this, from the FRST report

      Chromium:

      C:\Users\Claude\AppData\Local\chromium\Application\chrome.exe

      Nvidia:

      HKLM\…\Run: [ShadowPlay] => C:\WINDOWS\system32\nvspcap64.dll [1767712 2016-11-14] (NVIDIA Corporation PE Sign v2016 -> NVIDIA Corporation) [Unsigned file]

      Booking that is embedded on all browsers:

      (bookingDesktopApp.) [Unsigned file] C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe
      Task: {87FEC231-8D1E-4A39-AF6A-0908EF07F3D7} – System32\Tasks\bookingDesktopAppUpdateTaskMachineCore => C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [ Unsigned file]
      Task: {F4836D14-E702-455F-890D-497B98F3FD55} – System32\Tasks\bookingDesktopAppUpdateTaskMachineUA => C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [ Unsigned file]
      FF Plugin-x32: @bookingdesktopapp.com/bookingDesktopApp Update;version=3 -> C:\Program Files (x86)\bookingDesktopApp\Update\1.3.99.0\npbookingDesktopAppUpdate3.dll [2020-03-30] (bookingDesktopApp.) [ Unsigned file]
      FF Plugin-x32: @bookingdesktopapp.com/bookingDesktopApp Update;version=9 -> C:\Program Files (x86)\bookingDesktopApp\Update\1.3.99.0\npbookingDesktopAppUpdate3.dll [2020-03-30] (bookingDesktopApp.) [ Unsigned file]
      S2 bookingdesktopapp; C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [Unsigned file]
      S3 bookingdesktopappm; C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [Unsigned file]

      Thank you

    • #24676
      Nicholas Coolman
      Key Master

      Hello,

      Thank you for the info !

      I made a submission to Microsoft.

      Cdt

      Free support forum
      Nicholas Coolman

    • #25265
      jipid
      Moderator

      Good evening Nicolas,

      I am following up on your response email.

      First of all, I hope to find you in good health, with the end of confinement, you can go breathe the sea air on the quays of Joliette or, at the edge of the creeks.

      Good.

      After some research, it turns out that the line

      O43 – CFD: 15/05/2020 ….. C:\User\joipid\AppData\LocalLow\lgDump, which appeared on the screenshot I had previously sent you, came from the Firefox configuration.

      It's fixed and has nothing to do with any infection.

      On the other hand, O43 – CFD: 15/05/2020 – [0] D — C:\Program Files\ModifiableWindowsApps is, it seems, related to a problem downloading version 1909 of Windows 10, therefore a bug. (To be seen?)

      As for the about lines it would worry me more,

      [HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified

      [HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] CheckedValue: Modified

      From what I found it would be related to an infection which would have modified my settings.

      Obviously, I don't have any known dirt on my computer.

      Having just installed it, I would be surprised, DISM and scannow are clean.

      I am attaching my Diag story so you know more...

      https://www.cjoint.com/c/JErtgrMeRyo

      The other lines (about) relate to shortcuts.

      Either way, the 2004 version arrives with its share of surprises!

      Obviously, if I have a PB on my computer, I would see the details with Gérard for example.

      Thanking you in advance and apologizing for the inconvenience.

      I wish you a good evening.

      Kind regards, JP

    • #26476
      Nicholas Coolman
      Key Master

      Hello JP,

      No worries about these 2 lines, they fall into the information category:
      [HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
      [HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] CheckedValue: Modified

      Cdt

      Free support forum
      Nicholas Coolman

    • #26967
      Griffon
      Regular

      Hello Nicolas,

      I don't know if I'm in the right forum but I have the following question.

      After carrying out the analysis and diagnosis phases, I arrive at the cleaning stage.

      When I want to start the cleaning script, a warning appears indicating that the script must be validated by a security expert.

      However, I am not an expert and I do not know how to validate the script. So I don't continue cleaning...

      I find it a shame not to complete the process but I don't want to make damaging deletions...

      How can I go about it?

      Thank you

      Griffin.

    • #26971
      Nicholas Coolman
      Key Master

      Hello Griffin,

      Send me your ZHPDiag report so that I can validate your cleaning.

      Go to the CJoint website and provide the hosting link obtained.
      https://www.cjoint.com/

      Regards
      Nicholas Coolman

      Free support forum
      Nicholas Coolman

    • #26976
      Griffon
      Regular

      Hello,

      Here it is:
      https://www.cjoint.com/c/JHvpwht2pOo

      Thank you
      Griffin

    • #26977
      Nicholas Coolman
      Key Master

      Hello,

      OK for the ZHPDiag report, you can do the cleaning with the script offered by ZHPSuite.

      A+

      Free support forum
      Nicholas Coolman

    • #27003
      Griffon
      Regular

      Thanks Nicolas!

      I have another question: a dialog box tells me that the version of the ZHPSuite software is older than 30 days but I downloaded the latest version 3 days ago (that of 30/07/2020). Looks like it didn't update properly?

      Thank you for your advice.

      Griffin.

    • #27004
      Nicholas Coolman
      Key Master

      Hello,

      The latest version of ZHPsuite dates from August 23, 2020.

      It must be a shortcut target file problem.

      Do this:

      1) Remove the desktop shortcut.
      2) Download the latest version from the site.
      3) Launch the new version; a new shortcut will be created.

      The next updates will be done normally!

      Nicolas

      Free support forum
      Nicholas Coolman

    • #27532
      g3n
      Regular

      Re, Nicholas

      something else :

      In the —\\ SERIAL NUMBERS part of ZHPSuite at the end, all the files of each program have the same MD5, which is impossible; there must be an error in your MD5 reading loop or a forgotten reset of the value.

      c/f full report:

      https://up.security-x.fr/file.php?h=R6fae235b168cb3ecec7d7c21be23a1e1

      Topic:

      https://forums.cnetfrance.fr/desinfection-pc-virus-malwares-et-logiciels-indesirables/6600341-point-d-entree-introuvable

    • #27534
      g3n
      Regular

      Re, the messages have difficulty getting through; this is the 3rd time I rephrase it, it must remain stuck in moderation, I don't know why.

      (sorry for the duplicate)

    • #27535
      jipid
      Moderator

      Good evening g3n.

      Having had similar concerns in the past, a message that is difficult to get across,

      I connected using Internet Protocol version 6 (TCP/IPv6)

      Kind regards, J.P : Wacko:

    • #27537
      g3n
      Regular

      Hello

      No, I must have put a link not accepted by the NC.eu server,

      maybe the one from cnet or textup……….

    • #27539
      g3n
      Regular

      No, I tried again, nothing to do, it won't work; you have to wait for Nicolas to unblock it.

      Certainly for new registrants or re-registered people, a post is limited to only one link.

    • #27538
      g3n
      Regular

      I'm trying again

      So I told Nicolas that it is possible that he made an error in the MD5 reading loop of the files or forgot to reset the value, because all the files in the same program have the same MD5 in the part:

      —\\ SERIAL NUMBERS

      at the end of the report

      c/f full report:

      https://up.security-x.fr/file.php?h=R6fae235b168cb3ecec7d7c21be23a1e1

      topic:

      https://forums.cnetfrance.fr/desinfection-pc-virus-malwares-et-logiciels-indesirables/6600341-point-d-entree-introuvable

    • #27540
      Nicholas Coolman
      Key Master

      Hello Gen,

      In the module "Serial number", it is not the MD5 of the file that is displayed, but rather the "Serial number" of the file owner.

      Example for nVidia
      62E745E92165213C971F5C490AEA12A5

      C=US, S=California, L=Santa Clara, O=NVIDIA Corporation, OU=IT-MIS, CN=NVIDIA Corporation
      Serial: 62e745e92165213c971f5c490aea12a5

      Free support forum
      Nicholas Coolman
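      To see the distinction Nicolas describes, the following PowerShell, added here and not part of the thread or of ZHPDiag, walks a program folder and prints each file's MD5 next to the serial number of the certificate that signed it: the hashes differ per file, while every file signed by the same certificate shares one serial. The folder path is an assumption.

```powershell
# Added example (not ZHPDiag code): contrast per-file MD5 with the signer's certificate serial.
# $Folder is an assumed path; point it at any program directory containing signed binaries.
function Get-SignerSerialReport {
    param(
        [Parameter(Mandatory)] [string] $Folder
    )
    Get-ChildItem -Path $Folder -File -Include *.exe, *.dll, *.sys -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # SignerCertificate is $null for unsigned files.
            $serial  = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '(unsigned)' }
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File         = $_.Name
                MD5          = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
                SignerSerial = $serial
                Signer       = $subject
                Status       = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            }
        }
}

$report = Get-SignerSerialReport -Folder 'C:\Program Files\ExampleVendor'   # assumed path
$report | Format-Table -AutoSize

# Sanity check of the point made in the thread: files sharing one signer serial must still
# have distinct MD5 values; a single MD5 for the whole group would point to a hashing bug.
$report | Group-Object SignerSerial | Where-Object { $_.Name -ne '(unsigned)' } | ForEach-Object {
    $distinctHashes = @($_.Group.MD5 | Sort-Object -Unique).Count
    '{0} file(s) signed with serial {1}: {2} distinct MD5 value(s)' -f $_.Count, $_.Name, $distinctHashes
}
```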

    • #27549
      g3n
      Regular

      ah ok I understand my mistake better :)

      thanks to you :)

      Another thing: in a report I saw one of my tools (Segurazo Killer), which I made to destroy Segurazo and which is signed g3n-h@ckm@n, classified as a Segurazo infection ^^

      https://www.aht.li/3515489/SegurazoKiller.exe

    • #27551
      Nicholas Coolman
      Key Master

      Hello Gen,

      Give me the detected report line so I can raise the FP.

      Free support forum
      Nicholas Coolman

    • #27552
      g3n
      Regular

      Oops, it's not from yesterday lol, but if I come across it again I won't miss it. Otherwise, base yourself on my digital signature, it's the same on all the tools,

      timestamped by an online Symantec DLL:

      https://timestamp.verisign.com/scripts/timestamp.dll

      More info on this page, VirusTotal "details" tab, middle of the page:

      https://www.virustotal.com/gui/file/0e82c1c079a2f7b09fb14833ca01a04ed27f27af9ef6698d9e3f7fa947cdc0e9/details

    • #27554
      g3n
      Regular

      And I add:

      you can also contact malwarebytes about this:

    • #27599
      g3n
      Regular

      Hi Nicolas

      and for the rest, obviously some infections manage to change their startup path and manage to restart from the tools quarantine (an additional extension must be added to the files):

      ———- | Processes closed

      8980 | [Owner: System | Parent: 5708 ()] – (. – .) – (1.0.0.1) = C:\Users\thiba\AppData\Roaming\ZHP\Quarantine\ZHPCleaner\csrss.exe

      ———- | Tasks

      Delete: csrss

    • #27802
      Anonymous
      Inactive

      Hello Nicolas

      why in ZHPSuite, the search is only done over 30 days? why not 20 or 40, it’s very random, right? is there a specific reason?

    • #27804
      Nicholas Coolman
      Key Master

      Hello Ernesto,

      Why in ZHPSuite is the search only done over 30 days? why not 20 or 40, it’s very random, right? is there a specific reason?

      No, no particular reason, it's just a time limit that seems reasonable to me to list the latest files created on a station.

      Free support forum
      Nicholas Coolman

    • #27842
      Anonymous
      Inactive

      Hello

      Let's say an infected file was created 32 days ago; it will not be taken into account.

    • #27843
      Nicholas Coolman
      Key Master

      Hello Ernesto,

      Hence the importance of regularly analyzing your system!

      Free support forum
      Nicholas Coolman

    • #27844
      Anonymous
      Inactive

      I have doubts (once again) but justified   : Whistle: , you know very well that the majority of users very rarely do a regular analysis of their system. You will rightly answer me that it is their problem and not yours. But when they come by force of circumstances to be disinfected, the 30-day deadline must have long since passed.

    • #27846
      Nicholas Coolman
      Key Master

      In the event of a serious infection with a system malfunction, on the one hand I doubt that the resident antivirus will let it pass,
      on the other hand I doubt that the user will come forward in more than 30 days.
      Normally he requests assistance the same day, or even the few days that follow.

      Free support forum
      Nicholas Coolman

    • #27847
      Anonymous
      Inactive

      I find you very optimistic, but in absolute terms you are right. I have a friend who does great nonsense with his PC (P2P, streaming, wild downloading, and so on), and he had been complaining for a long time about serious problems on his PC, but that didn't worry him more than that: his PC took a quarter of an hour to boot, but he didn't care. I made him understand that an analysis of his PC could not be more judicious, which he decided to do after I insisted. I won't tell you the result……..there were more infected lines than legitimate lines. All this to say that while some are rightly worried about a malfunction in their system, many others don't really care, and are not even aware of the potential dangers that their PC can represent.

    • #27848
      Nicholas Coolman
      Key Master

      Yes, there can always be exceptions, there are even users who disable Windows Defender and who do not have any antivirus installed.

      Free support forum
      Nicholas Coolman

    • #27849
      Anonymous
      Inactive

      yes, but there, it is no longer common sense or computer science, but rather psychological support to the extent that this way of acting suggests suicidal thoughts

    • #27891
      g3n
      Regular

      Hi Nicolas, people using OSArmor as protection (like me, who only have that; I prefer prevention to cure) will not think of deactivating it as they would an AV.

      In short, following the ZHPSuite test, it is possible that OSArmor (NoVirusThanks) blocks some ZHP actions.

      Log:

      Date/Time: 01/10/2020 18:57:42
      Process: [6544]C:\Windows\SysWOW64\cscript.exe
      Process MD5 Hash: 13783FF4A2B614D7FBD58F5EEBDEDEF6
      Parent: [9120]C:\Windows\System32\cmd.exe
      Rule: BlockVbsScripts
      Rule Name: Block execution of .vbs scripts
      Command Line: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\slmgr.vbs" /dlv
      Signer:
      Parent Sign:
      User/Domain: gen-hackman/DESKTOP-2FADNO8
      System File: True
      Parent System File: True
      Integrity Level: High
      Parent Integrity Level: High

    • #27906
      Nicholas Coolman
      Key Master

      Hello,

      OSArmor (NoVirusThanks) is already authenticated as legitimate in my tables.

      Free support forum
      Nicholas Coolman

    • #27907
      g3n
      Regular

      Re,

      that's absolutely not what I was talking about, sorry but you are mistaken

      I was simply saying that OSArmor could block certain ZHP actions, notably the execution of .vbs scripts or execution of system files by unknown parent processes ^^

    • #27908
      Nicholas Coolman
      Key Master

      Indeed certain ZHPDiag modules may be impacted by the operation of OSArmor.

      Free support forum
      Nicholas Coolman

    • #27909
      g3n
      Regular

      Reason why I do not use .vbs file execution or any third party executable……

    • #27910
      Nicholas Coolman
      Key Master

      I just checked, I only use it to collect Windows license information. So it’s not very disruptive for the report.

      Free support forum
      Nicholas Coolman

    • #27911
      g3n
      Regular

      yes that’s what I thought afterwards :)

      Is it still Delphi?

    • #27912
      Nicholas Coolman
      Key Master

      No, it's Autoscript with the Run function.

      ; AutoIt: run slmgr.vbs through cscript.exe and redirect its output to a text file.
      ; $sDirZHP is the report directory; it is set here so the snippet runs on its own.
      Local $sDirZHP = @ScriptDir
      Local $sScriptEngine = @SystemDir & '\cscript.exe'
      Local $sLicenseFile = @SystemDir & '\slmgr.vbs'
      Local $sFile = $sDirZHP & '\Licence.txt'
      ; A hidden cmd.exe is needed so the shell handles the ">" redirection; paths are quoted for spaces.
      Local $iPID = Run(@ComSpec & ' /c ' & $sScriptEngine & ' "' & $sLicenseFile & '" /dlv > "' & $sFile & '"', "", @SW_HIDE)

      Free support forum
      Nicholas Coolman

    • #27913
      g3n
      Regular

      OK, maybe this can give you ideas. It's more object-oriented than using slmgr; you do with it what you want, it's just to show you how I check the license status of Windows :)

      ; AutoIt: read the license status through WMI (SoftwareLicensingProduct) instead of slmgr.vbs.
      ; $txt is the output file; the post did not define it, so it is set here.
      Global $ActiveCheck, $result
      Global $txt = @ScriptDir & '\Licence.txt'

      If _ServiceRunning('', 'winmgmt') Then
          Local $oWMIService = ObjGet("winmgmts:\\.\root\cimv2")
          If IsObj($oWMIService) Then
              ; Only products with a partial product key, i.e. the installed Windows edition.
              Local $oCollection = $oWMIService.ExecQuery("SELECT Description, LicenseStatus, GracePeriodRemaining FROM SoftwareLicensingProduct WHERE PartialProductKey <> null")
              If IsObj($oCollection) Then
                  For $oItem In $oCollection
                      Switch $oItem.LicenseStatus
                          Case 0, 2 To 4, 6   ; unlicensed or in a grace period
                              $result = "Windows NOT Activated"
                          Case 1
                              $result = "Windows Activated"
                          Case 5              ; notification mode
                              $result = "Possible Fixed Windows"
                      EndSwitch
                      FileWriteLine($txt, $result & @CRLF)
                  Next
              EndIf
          EndIf
      EndIf

      ; Helper the post relies on but does not show; this minimal version checks the
      ; service state through WMI on the local machine ('' means the local computer).
      Func _ServiceRunning($sComputer, $sService)
          If $sComputer = '' Then $sComputer = '.'
          Local $oWMI = ObjGet("winmgmts:\\" & $sComputer & "\root\cimv2")
          If Not IsObj($oWMI) Then Return False
          Local $oSvc = $oWMI.ExecQuery("SELECT State FROM Win32_Service WHERE Name = '" & $sService & "'")
          If Not IsObj($oSvc) Then Return False
          For $oS In $oSvc
              If $oS.State = "Running" Then Return True
          Next
          Return False
      EndFunc

      PS: too bad there is no code tag because it doesn’t look good lol

    • #27914
      Nicholas Coolman
      Key Master

      Yes, passing through the object gives you indications but it is not as complete as the content of the license file.

      #cs
      Microsoft(R) Windows Script Host Version 5.8
      Copyright (C) Microsoft Corporation. All rights reserved.

      Software Licensing Service Version: 6.3.9600.16497

      Name: Windows(R), Core edition
      Description: Windows(R) Operating System, OEM_DM channel
      ID d'activation: c7c00280-b24d-4e82-89ca-4f1288eb1d9e
      ID d'application: 55c92734-d682-4d71-983e-d6ec3f16059f
      PID étendu: 06401-02586-185-984756-02-1036-9600.0000-0842015
      Product Key Channel: OEM:DM
      Facility ID: 403880XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      User license URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=DM
      Validation URL: https://validation-v2.sls.microsoft.com/SLWGA/slwga.asmx
      Partial product key: M4FWQ
      License Status: With License
      Number of Windows resets remaining: 998
      Number of SKU resets remaining: 1000
      Approved time: 02/06/2015 13:19:51
      #ce

      Free support forum
      Nicholas Coolman

    • #27916
      g3n
      Regular

      I know this well, but the problem is that I have never managed to get the contents of the slmgr window out into a txt. If I had succeeded, the rest would be child's play to transcribe everything and prevent certain sensitive information from being public. I tried by all means, but the output result: blank sheet lol

      PS:

      this morning I'm looking at a report on a topic and while reading this one, I was particularly surprised by the difference in signature detection and the signature indicated:

      SR – Boot [07/12/2019] [166712] (vsmraid). (.VIA Technologies Inc.,Ltd.) – C:\WINDOWS\System32\drivers\vsmraid.sys =>.Microsoft®
      SR – Boot [07/12/2019] [412176] Intel RAID Controller Wi (iaStorV) . (.Intel Corporation.) – C:\WINDOWS\System32\drivers\iaStorV.sys =>.Microsoft®
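      The license fields from the #cs block above can also be read without launching cscript.exe at all, which sidesteps the OSArmor BlockVbsScripts rule shown earlier in the thread. The PowerShell below is an added example (neither Nicolas's nor g3n's code): it queries SoftwareLicensingProduct with the same partial-product-key filter as the AutoIt snippet, maps the full 0 to 6 LicenseStatus range instead of only the three cases, and writes the result to a text file whose path is an assumption.

```powershell
# Added example, not code from the thread: query the Software Licensing service through CIM/WMI
# instead of running "cscript slmgr.vbs /dlv", so no .vbs execution is involved.
function Get-WindowsLicenseSummary {
    # LicenseStatus values of the SoftwareLicensingProduct class (0..6).
    $statusNames = @{
        0 = 'Unlicensed'
        1 = 'Licensed'
        2 = 'Out-of-box grace period'
        3 = 'Out-of-tolerance grace period'
        4 = 'Non-genuine grace period'
        5 = 'Notification'
        6 = 'Extended grace period'
    }
    # Same filter as the AutoIt query in the thread: only products with a partial product key.
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        ForEach-Object {
            $code = [int]$_.LicenseStatus
            # Same three verdicts as the AutoIt Switch: 1 = activated, 5 = notification, rest = not activated.
            $verdict = switch ($code) {
                1       { 'Windows Activated' }
                5       { 'Windows in notification mode (activation required)' }
                default { 'Windows NOT Activated' }
            }
            [pscustomobject]@{
                Name               = $_.Name            # "Name:" line of slmgr /dlv
                Description        = $_.Description     # "Description:" line
                ApplicationID      = $_.ApplicationID   # "ID d'application:" line
                ActivationID       = $_.ID              # "ID d'activation:" line
                PartialProductKey  = $_.PartialProductKey
                LicenseStatusCode  = $code
                LicenseStatus      = $statusNames[$code]
                GracePeriodMinutes = $_.GracePeriodRemaining
                Verdict            = $verdict
            }
        }
}

# Assumed output path, mirroring the Licence.txt file written by the AutoIt snippet.
$outFile = Join-Path $env:TEMP 'Licence.txt'
Get-WindowsLicenseSummary | Format-List | Out-File -FilePath $outFile -Encoding UTF8
Get-Content $outFile
```

      The Installation ID (the masked "Facility ID" line) is deliberately not read here, so the file can be shared as-is.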

    • #27971
      ZorKas
      Regular

      Hello Nicolas,

      I have just tested your latest version: ZHPDiag v2020.10.21.246 By Nicolas Coolman (2020/10/21) so I will provide you with the information:

      When analyzing, the report shows 2 Hijacker.Hosts, below:

      —\ STUDY OF THE HOSTS FILE (3) – 0s
      O1 – Hosts: 178.255.86.194 download.comodo.com =>Hijacker.Hosts
      O1 – Hosts: 178.255.86.194 http://www.download.comodo.com =>Hijacker.Hosts
      ~ Number of diverted or corrupted lines 2/24 (Hosts file redirected or corrupted)

      zhpsuite report

      In fact, these are legitimate Comodo servers for downloading CIS (Comodo Internet Security) antiviral databases. FYI in Beta versions the hosts file must be modified manually before installation.

      This ZHPSuite version is really good, good work, thank you! :good:

      Cordially
    • #27973
      Nicholas Coolman
      Key Master

      Hello Patrick,

      OK, I will take into account the IP address of comodo.

      https://whois.domaintools.com/178.255.86.194

      Free support forum
      Nicholas Coolman

    • #28081
      g3n
      Regular

      Hello, obviously my message reporting the erroneous detection of capicom.dll as adware did not go through; it must have remained stuck in the WordPress approval queue.

      C:\Windows\Capicom.dll

      https://www.virustotal.com/gui/file/a95c379fc9755d2f814423d416efffa2351814925f0285f077955e572bef35da/detection

      if you want to study the file

      https://gen-hackman.serveftp.com/Temp/CapiCom.dll

    • #28083
      g3n
      Regular

      Ah, I understood, it's the link to my server that is blocking, that's why my message is not getting through. I'm sending it to you via cjoint then.

      Detection:

      C:\Windows\capicom.dll => Adware

      Virustotal:

      https://www.virustotal.com/gui/file/a95c379fc9755d2f814423d416efffa2351814925f0285f077955e572bef35da/detection

      If you want to study the file

      https://www.cjoint.com/doc/20_10/JJDrhcX2vsA_CapiCom.zip

    • #28075
      g3n
      Regular

      Hi Nicolas

      I'm notifying you of a bad detection:

      C:\WINDOWS\capicom.dll =>Adware.Suspect

      https://www.virustotal.com/gui/file/a95c379fc9755d2f814423d416efffa2351814925f0285f077955e572bef35da/detection

      if you want to study the file:

      https://gen-hackman.serveftp.com/Temp/CapiCom.dll

    • #28067
      Firebird
      Regular

      Hello Nicolas,

      Firefox, although installed, is not listed in the ZHPDiag report.

      Extract from the ZHPDiag report
      ---\\ INTERNET BROWSERS (2) - 0s
      ~ MSIE: Internet Explorer v11.572.19041.0
      ~ OBIE: Microsoft Edge v86.0.622.51
      
      Extract from the FRST report
      Default browser: FF
      
      

      Wondershare is listed by ZHPSuite, but not listed as a PUP by ZHPSuite.
      https://www.pcsansvirus.com/pages/supprimer-wondershare.html

      Extract from the ZHPDiag Report
      [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]:Wondershare Helper Compact.exe =>.Wondershare

      ---\\ SUMMARY OF ELEMENTS FOUND (4) - 0s
      https://nicolascoolman.eu/2017/09/12/origine-lignes-orphanes/ =>.SUP.Orphan
      https://nicolascoolman.eu/wp-content/uploads/2017/12/26/sup-advancedsystemcare/ =>SUP.Optional.AdvancedSystemCare
      https://nicolascoolman.eu/forum/Topic/warning-eventlogapp-evenement-dapplication/ =>Warning.EventLogApp
      https://nicolascoolman.eu/forum/Topic/warning-eventlogsys-evenement-systeme/ =>Warning.EventLogSys
      
      

      Reports

      :bye:

      @+
      Patricia

    • #28068
      Firebird
      Regular

      Hello Nicolas,

      I sent a message to ZHPSuite, but it does not appear, perhaps time for moderation.

      I pointed out that WonderShare is listed in the ZHPDiag report but not listed as a PUP in the summary elements.

      In addition, FF, the default browser is not listed by ZHPDiag, verified in several reports.

      Reports
      https://cjoint.com/doc/20_10/JJCwn1t0r47_ZHPDiag.txt
      https://cjoint.com/doc/20_10/JJCwox6lDb7_FRST.txt
      https://cjoint.com/doc/20_10/JJCwnyHSry7_Addition.txt

      :bye:

      @+
      Patricia

    • #28084
      Nicholas Coolman
      Key Master

      Hello g3n,

      There is a suspicious detection of this dynamic resource because it is not installed in its default folder “System32”
      C:\WINDOWS\capicom.dll =>Adware.Suspect

      Since the resource is healthy, you can ignore the detection, but I prefer to keep the warning...

      Free support forum
      Nicholas Coolman

    • #28085
      g3n
      Regular

      heard :)

      Personally I don't have it in system32, it's a dll which is used to sign a file digitally because it works with signtool.exe

    • #28087
      Nicholas Coolman
      Key Master

      Hello g3n,

      Personally I don't have it in system32, it's a dll which is used to sign a file digitally because it works with signtool.exe

      I also use signtool.exe, and this DLL is not present in the root of Windows but in system32.

      Free support forum
      Nicholas Coolman

    • #28086
      Firebird
      Regular

      Hello Nicolas

      Did you see the two messages I posted yesterday?

      Question about ZHPsuite

      Question about ZHPsuite

      :bye:

      @+
      Patricia

    • #28088
      Nicholas Coolman
      Key Master

      Hello Firebird,

      Yes, I read your messages!

      For Firefox,
      Check if you now have Firefox with v248 that I just put online.

      For Wondershare,
      Wondershare is not adware, so it remains classified as legitimate and is not listed in the items found.

      Free support forum
      Nicholas Coolman

    • #28101
      Firebird
      Regular

      Legitimacy of WonderShare

      Hello Nicolas

      OK for the legitimacy of WonderShare.

      However, installed Firefox remains absent from the ZHPDiag report, with ZHPSuite latest version downloaded just now.

      Example: Extract from a ZHPDiag report carried out just now.
      https://www.cjoint.com/doc/20_10/JJEwNkCIFq7_ZHPDiag.txt

      :bye:

      @+
      Patricia

    • #28106
      Nicholas Coolman
      Key Master

      Hello Nicolas

      OK for the legitimacy of WonderShare.

      However, installed Firefox remains absent from the ZHPDiag report, with ZHPSuite latest version downloaded just now.

      Example: Extract from a ZHPDiag report carried out just now.
      https://www.cjoint.com/doc/20_10/JJEwNkCIFq7_ZHPDiag.txt

      :bye:

      Free support forum
      Nicholas Coolman

    • #28107
      Nicholas Coolman
      Key Master

      Hello Firebird,
      You would need to tell me if you have a registry key under “Uninstall” that refers to “Mozilla”:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

      If so, make a key export.

      Free support forum
      Nicholas Coolman

    • #28115
      Firebird
      Regular

      Hello Nicolas

      Yes, I have a Registry Key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

      https://cjoint.com/doc/20_10/JJFvLPDkIN7_Mozilla-clé.txt

      :bye:

      @+
      Patricia

    • #28116
      Nicholas Coolman
      Key Master

      Hello Firebird,

      Thank you for the export, I will work on it, I will let you know as soon as I have a result.

      Free support forum
      Nicholas Coolman

    • #28124
      Firebird
      Regular

      Hello Nicolas,

      Thank you for coming back.

      The ZHPSuite scan that I performed on a test machine is just an example, but I see the same anomaly on other ZHPDiag reports that I analyze in disinfection, regardless of the OS.

      I can't ask the DA for a key export. :)

      https://www.cjoint.com/doc/20_11/JKbvGy72HX7_ZHPDiag-pas-FF.txt

      In the following report, Firefox is well listed among browsers.

      https://www.cjoint.com/doc/20_11/JKbvGkI0iH7_ZHPDiag-FF.txt
      Does ZHPDiag only detect 32-bit FF?
      ---\\ INTERNET BROWSERS (4) - 1s
      ~GCIE: Google Chrome v86.0.4240.111
      ~ MFIE: Mozilla Firefox 82.0.2 (x86 fr)
      ~ MSIE: Internet Explorer v11.1139.18362.0
      ~ OBIE: Microsoft Edge v86.0.622.51
      
        :bye: 

      @+
      Patricia

    • #28126
      Firebird
      Regular

      Re Nicolas

      Another example of a ZHPDiag report with FF listed in browsers, and again, this is the 32-bit FF version. :-)
      https://www.cjoint.com/doc/20_11/JKbv0ZKdt57_ZHPDiag-FF2.txt

      @+
      Patricia

    • #28127
      Firebird
      Regular

      Hello Nicolas,

      An example which contradicts my suggestion of the 32 bit/64 bit architecture, example unearthed just now.

      https://www.cjoint.com/doc/20_11/JKbw21W0vL7_ZHPDiag-ff3.txt

---\\ INTERNET BROWSERS (3) - 0s
~GCIE: Google Chrome v86.0.4240.111
~MFIE: Mozilla Firefox v79.0.0.7506
~MSIE: Internet Explorer v11.0.10240.17443
        :bye: 

      @+
      Patricia

    • #28130
      Nicholas Coolman
      Key Master

      Hello Firebird,

      This was indeed linked to a 64bit redirection with a 32bit compilation. Mozilla Firefox and other browsers like Waterfox and Slimbrowser were affected.

---\\ INTERNET BROWSERS (10) - 0s
~GCIE: Google Chrome v86.0.4240.111
~MFIE: Mozilla Firefox 82.0.2 (x64 fr)
~MFIE: Waterfox Classic 56.3 (x64 en-US)
~OBIE: SlimBrowser v11.0.7.0
~MSIE: Internet Explorer v11.572.19041.0
~OBIE: BraveSoftware Brave-Browser v86.1.16.68
~OBIE: Slimjet v20.0.4.0
~OBIE: Vivaldi v2.5.1525.48
~OBIE: Microsoft Edge v86.0.622.56
~OBIE: Comodo Dragon v83.0.4103.116

      v249 should resolve this display case.

      Free support forum
      Nicholas Coolman

    • #28147
      Firebird
      Regular

      Hello Nicolas,

      Thank you for your research and your quick response. :good:

      This was indeed linked to a 64bit redirection with a 32bit compilation.

      If I understood correctly, this error concerned Firefox installed in 32-bit on a 64-bit OS, which is validated by my reports above. :bye:

      @+
      Patricia

    • #29055
      Firebird
      Regular

      Hello Nicolas

      I sent a message a few minutes ago, but it is not showing up on the forum. :bye:

      @+
      Patricia

    • #29056
      Firebird
      Regular

      Hello Nicolas,

      I am resending my message, since it seems lost.

      1- ZHPDiag.txt report
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose

      2- My FRST script
      DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB
      DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB

      3- Fixlog.txt report
"HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB" => not found
"HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB" => not found

      4- ZHPCleaner-R-.txt report
      DELETED key*: [X64] HKLM\SOFTWARE\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB [Bifrost Extension 2.0.5.1 for Maya 2019] =>Trojan.Bifrose
      DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bifrost Extension 2.0.5.1 for Maya 2019 [] =>Trojan.Bifrose

      Full reports
      https://www.cjoint.com/doc/20_12/JLAdgqOX8r7_ZHPDiag.txt
      https://www.cjoint.com/doc/20_12/JLzwq6Byof7_Fixlog.txt
      https://www.cjoint.com/doc/20_12/JLAdfOIDOS7_ZHPCleaner-R-.txt

=> Do you know why:

• the keys detected as Trojan.Bifrose by ZHPDiag are not found by the FRST script?
• ZHPCleaner deletes one, and only one, of the two keys detected by ZHPDiag?

      Thanks for your help. :bye:

      @+
      Patricia

    • #29057
      Nicholas Coolman
      Key Master

      Hello Firebird,

This is a false detection of Bifrost Extension 2.0.5.1 for Maya 2019. I am doing what is necessary for the next versions.

      Thank you for the info !

      Free support forum
      Nicholas Coolman

    • #29074
      Firebird
      Regular

      Hello Nicolas,

This is a false detection of Bifrost Extension 2.0.5.1 for Maya 2019. I am doing what is necessary for the next versions.

      Can you be more specific ?
      In which tool is there false detection, ZHPDiag or ZHPCleaner?

ZHPDiag detects the keys, I script them, but FRST can't find them.
Then ZHPCleaner deletes a key: [X64] HKLM\…

      I don't understand the differences in results in these three tools. :bye:

      @+
      Patricia

    • #29075
      Nicholas Coolman
      Key Master

      In fact ZHPDiag and ZHPCleaner work on the same databases.

      Free support forum
      Nicholas Coolman

    • #29076
      Firebird
      Regular

      Hi,

      In fact ZHPDiag and ZHPCleaner work on the same databases.

      Okay, but in the example cited above, ZHPDiag and ZHPCleaner do not detect the same lines.

      And FRST cannot find the lines detected by ZHPDiag, which is what alerted me. :bye:

      @+
      Patricia

    • #29077
      Nicholas Coolman
      Key Master

      To be able to study this case exactly I would need to be able to put myself in a real situation with this Bifrost version installed on a machine. But since it's a false detection, I don't think it's very useful to spend time on it.

      Otherwise for FRST, I have no idea because I don’t use it!

      Free support forum
      Nicholas Coolman

    • #29078
      Firebird
      Regular

      Hello Nicolas,

      Indeed, as it is a false detection, which you are going to correct, there is no point in dwelling on it.
      Thank you for your quick response. :bye:

      @+
      Patricia
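Added example, not code from ZHPDiag, ZHPCleaner or FRST: the three tools disagreed above because ZHPDiag reported the keys under Wow6432Node (the redirected view a 32-bit process gets for HKLM\SOFTWARE, the same "64-bit redirection with a 32-bit compilation" Nicolas described for the Firefox listing), while ZHPCleaner deleted the key in the native 64-bit view and ZHPDiag's Wow6432Node path was what the FRST script was given. The script below parses the two ZHPDiag lines quoted in the post (used here as sample input), converts the 32-hex-digit "compressed" GUID that Windows Installer uses under Classes\Installer\Products into the ordinary product code used under ...\Uninstall\{GUID}, and prints the candidate keys in both registry views so an analyst can check each one with a 64-bit tool before scripting a deletion. The compressed-GUID transform (first three groups reversed, remaining bytes pair-swapped) is the documented Windows Installer convention; the product code it prints for the Bifrost key is computed here, not stated anywhere on the page, and the function names are this example's own.

```python
# Added example (not ZHP's or FRST's code): map a Windows Installer
# "compressed" product GUID, as found under
#   HKLM\SOFTWARE\Classes\Installer\Products\<32 hex digits>
# to the product code used under ...\Uninstall\{GUID}, parse the
# ZHPDiag detection lines from the post, and list the registry keys
# to check in BOTH the native view and the Wow6432Node view.
import re
from typing import Dict, List, Tuple

# Group lengths of a GUID written as 8-4-4-4-12 hex digits.
_GROUPS = (8, 4, 4, 4, 12)


def _squish_group(index: int, chunk: str) -> str:
    """Windows Installer transform for one GUID group: the first three
    groups are reversed whole, the last two have each byte (hex pair)
    swapped. The transform is its own inverse, so it serves both
    directions (compress and decompress)."""
    if index < 3:
        return chunk[::-1]
    return "".join(chunk[j + 1] + chunk[j] for j in range(0, len(chunk), 2))


def decompress_installer_guid(squished: str) -> str:
    """'0BAB99B394BE...' -> '{3B99BAB0-EB49-...}' (raises on bad input)."""
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a 32-hex-digit compressed GUID: {squished!r}")
    groups, pos = [], 0
    for i, n in enumerate(_GROUPS):
        groups.append(_squish_group(i, s[pos:pos + n]))
        pos += n
    return "{" + "-".join(groups) + "}"


def compress_installer_guid(guid: str) -> str:
    """'{3B99BAB0-EB49-...}' -> '0BAB99B394BE...' (raises on bad input)."""
    parts = guid.strip().strip("{}").upper().split("-")
    if [len(p) for p in parts] != list(_GROUPS) or not all(
        re.fullmatch(r"[0-9A-F]+", p) for p in parts
    ):
        raise ValueError(f"not a GUID in 8-4-4-4-12 form: {guid!r}")
    return "".join(_squish_group(i, p) for i, p in enumerate(parts))


# Matches ZHPDiag lines of the form
#   HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\<hex> =>Trojan.Bifrose
_ZHP_LINE = re.compile(
    r"(HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Classes\\Installer\\"
    r"(?:Products|Features)\\([0-9A-Fa-f]{32}))\s*=>\s*(\S+)"
)


def parse_zhpdiag_installer_lines(text: str) -> List[Tuple[str, str, str]]:
    """Return (key path, compressed GUID, detection name) for every
    Installer Products/Features detection line in a ZHPDiag report."""
    return [(m.group(1), m.group(2).upper(), m.group(3))
            for m in _ZHP_LINE.finditer(text)]


def _key(*parts: str) -> str:
    return "\\".join(parts)


def registry_paths_to_check(squished: str) -> Dict[str, List[str]]:
    """For one compressed GUID, the keys a 64-bit tool (regedit, FRST)
    should look at: Installer Products/Features in both registry views,
    plus the Uninstall entry keyed by the decompressed product code."""
    guid = decompress_installer_guid(squished)
    paths: Dict[str, List[str]] = {"native": [], "wow6432node": []}
    for view, prefix in (("native", r"HKLM\SOFTWARE"),
                         ("wow6432node", r"HKLM\SOFTWARE\Wow6432Node")):
        for sub in ("Products", "Features"):
            paths[view].append(_key(prefix, "Classes", "Installer", sub, squished.upper()))
        paths[view].append(_key(prefix, "Microsoft", "Windows", "CurrentVersion",
                                "Uninstall", guid))
    return paths


# Sample input: the two ZHPDiag detection lines quoted in the post above.
SAMPLE_ZHPDIAG = r"""
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose
"""

if __name__ == "__main__":
    for key, squished, name in parse_zhpdiag_installer_lines(SAMPLE_ZHPDIAG):
        print(f"{name}: {key}")
        print("  product code:", decompress_installer_guid(squished))
        for view, keys in registry_paths_to_check(squished).items():
            for k in keys:
                print(f"  [{view}] {k}")
```

Usage note: run it as-is to see the native and Wow6432Node candidates for the Bifrost key; when scripting a deletion for a 64-bit tool, confirm which of the printed keys actually exists (for example with `reg query` from a 64-bit command prompt) rather than copying the path a 32-bit scanner printed. The same conversion works in reverse (compress_installer_guid) when you start from an Uninstall\{GUID} entry and want to locate its Installer\Products data.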

    • #31968
      Vincent_l17
      Regular

      Hello,

I have come to ask for a little help. I don't know if this section is appropriate for my request; I will of course move it if it is not.

Here it is: I downloaded and used the ZHPSuite software, followed the online tutorial and carried out the cleaning with ZHPFix. My problem is simple: I accidentally deleted the generated reports, and I was not able to go to the quarantine management tool to "completely" delete the files.
I would like to know whether there is a way to fix this and/or whether it matters or not.

      Thank you in advance for your time!

      Vincent

    • #31969
      Nicholas Coolman
      Key Master

      Hello,

You can view the reports in the folder:
C:\Users\Your user name\AppData\Roaming\ZHP\

All items quarantined by ZHPFix can be found here:
C:\Users\Your user name\AppData\Roaming\ZHP\Quarantine\ZHPFix\

If the "File", "Folder" and "Registry" folders are empty, this means that all items in the quarantine have been deleted.

      Free support forum
      Nicholas Coolman

    • #31971
      Vincent_l17
      Regular

      Thank you for your response Nicolas!

      Indeed they are empty! Thank you so much !

I was also wondering whether using the System Restore Point tool would bring back everything that was deleted by ZHPFix?
I must admit that I am not very well informed on the subject, and it was only after having done all these manipulations that I read on various forums that it was better not to delete everything on one's own without knowledge, and to ask an expert for advice on the reports...

Would returning to a previous restore point correct the situation, so that I can do a guided cleaning which would be cleaner?

      thanks again

    • #31973
      Alain Mas
      Moderator

I confirm that the quarantine must be kept; that is why it was created. You must also accept the creation of the system restore point.

      If a system malfunction occurs after deleting items, you must first restore the ZHPFix quarantine. This will put all moved files/folders back in their place and recreate the corresponding registry keys.

      If, despite this, the system does not regain its stability, then the restore point will return your system to stable operation as it was before your cleaning operation.

    • #31974
      Nicholas Coolman
      Key Master

      Hello,

      I would add that a support forum is available to help you read reports and write cleaning scripts with different utilities.

      Support Forum

      Free support forum
      Nicholas Coolman

    • #31975
      Vincent_l17
      Regular

      Hello Alain, and thank you both for your advice!

I'm thinking of using the system restore tool. At first glance nothing serious or unstable, but I have various small problems, such as a 13 GB application now shown as over 700 GB, and various small things like that.

      In any case I will go through the restoration and probably try ZHPSuite again in the company of experts thanks to your link Nicolas.

      Thanks again and have a nice day !

    • #38507
      Eliot
      Regular

      Hello everyone,
      Hello Nicolas,
Why does ZHPDiag not report Windows 11, but Windows 10 instead?
      Thank you and good day

    • #38508
      Nicholas Coolman
      Key Master

      Hello eliot,

      What build of Windows 11 is it?

      Free support forum
      Nicholas Coolman

    • #38512
      Eliot
      Regular

      Hello Nicolas,

      22000.469

      Thank you

    • #38514
      Nicholas Coolman
      Key Master

      22000.469

      OK, I'm taking this build of Windows 11 into account for the next version.

      Free support forum
      Nicholas Coolman

    • #38515
      Eliot
      Regular

      Thank you and good luck

    • #38511
      Eliot
      Regular

      Hello,

      Here:

    • #40062
      Nicholas Coolman
      Key Master

      Hello,

      For security reasons, the direct link to my software server is no longer accessible.

      Updates will therefore no longer be possible with your old version.

      1) Remove the software shortcut from your Desktop
      2) Download the software again to get a new desktop shortcut.

      ZHPCleaner: https://nicolascoolman.eu/download/telechargez-zhpcleaner-gratuit/
ZHPSuite: https://nicolascoolman.eu/download/telechargez-zhpsuite-gratuit/
      ZHPFix: https://nicolascoolman.eu/download/zhpfix-script-manager/
      ZHPDiag: https://nicolascoolman.eu/download/zhpdiag/

      3) Launch the software from the new shortcut.

      Free support forum
      Nicholas Coolman
