- This topic contains 88 replies, 11 participants, and was last updated by Nicholas Coolman, 1 year and 7 months ago.
-
April 11 2020 to 16 12 h min #24638Electrician 69Regular
Hello Nicolas,
I hope you're well.
I can't find anywhere to post feedback. Do you have a link to get them back to you?
Edit:
Microsoft OneDrive line in orange:
O4 – GS\Programs [RJ]: OneDrive.lnk. (…) C:\Users\RJ\AppData\Local\Microsoft\OneDrive\OneDrive.exe [Unsigned]
O4 – GS\Programs [Public]: OneDrive.lnk. (…) C:\Users\RJ\AppData\Local\Microsoft\OneDrive\OneDrive.exe [Unsigned]
Sonic II line: Asrog motherboard sound card interface:
O90 – PUC: "7B781A6E9490EAA4FBB675F93D6F5ED5" [HKLM]. (.Sonic Studio Plugin.)
O90 – PUC: "F4AFD0F222A6726439289FF81077FB05" [HKLM] . (.Sonic Radar II.) — C:\WINDOWS\Installer\{2F0DFA4F-6A22-4627-9382-F98F0177BF50}\icon.ico
Thank you
-
April 11 2020 to 21 26 h min #24639Nicholas CoolmanKey Master
Hello Electrician,
I'm pinning your topic which may be useful for others.
This will be taken into account with the next version.
Regards
Free support forum
Nicholas Coolman -
April 12 2020 to 10 06 h min #24651Electrician 69Regular
Super,
I posted this link on a few sites. We'll see the feedback.
-
April 13 2020 to 9 57 h min #24669Electrician 69Regular
Hello,
Zhpsuite gets caught by antiviruses and Windows firewall!
I think you can report it so that we can modify the FP. I reported it on my own.
So, I have this, from the FRST report
Chromium:
C:\Users\Claude\AppData\Local\chromium\Application\chrome.exe
Nvidia:
HKLM\…\Run: [ShadowPlay] => C:\WINDOWS\system32\nvspcap64.dll [1767712 2016-11-14] (NVIDIA Corporation PE Sign v2016 -> NVIDIA Corporation) [Unsigned file]
Booking that is embedded on all browsers:
(bookingDesktopApp.) [Unsigned file] C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe
Task: {87FEC231-8D1E-4A39-AF6A-0908EF07F3D7} – System32\Tasks\bookingDesktopAppUpdateTaskMachineCore => C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [ Unsigned file]
Task: {F4836D14-E702-455F-890D-497B98F3FD55} – System32\Tasks\bookingDesktopAppUpdateTaskMachineUA => C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [ Unsigned file]
FF Plugin-x32: @bookingdesktopapp.com/bookingDesktopApp Update;version=3 -> C:\Program Files (x86)\bookingDesktopApp\Update\1.3.99.0\npbookingDesktopAppUpdate3.dll [2020-03-30] (bookingDesktopApp.) [ Unsigned file]
FF Plugin-x32: @bookingdesktopapp.com/bookingDesktopApp Update;version=9 -> C:\Program Files (x86)\bookingDesktopApp\Update\1.3.99.0\npbookingDesktopAppUpdate3.dll [2020-03-30] (bookingDesktopApp.) [ Unsigned file]
S2 bookingdesktopapp; C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [Unsigned file]
S3 bookingdesktopappm; C:\Program Files (x86)\bookingDesktopApp\Update\bookingDesktopAppUpdate.exe [102400 2020-03-30] (bookingDesktopApp.) [Unsigned file]
Thank you
-
April 13 2020 to 14 28 h min #24676Nicholas CoolmanKey Master
Hello,
Thank you for the info !
I made a submission to Microsoft.
Cdt
Free support forum
Nicholas Coolman -
July 23 2020 to 10 04 h min #25265jipidModerator
Good evening Nicolas,
I am following up on your response email.
First of all, I hope to find you in good health, with the end of confinement, you can go breathe the sea air on the quays of Joliette or, at the edge of the creeks.
Good.
After some research it turns out that the line
043-CFD-15/05/2020 …..C:\User\joipid\AppData\LocalLow\lgDump, which appeared on the screen copy that I had previously communicated, came from the Firefox conf.
It's fixed and has nothing to do with any infection.
On the other hand, O43 – CFD: 15/05/2020 – [0] D — C:\Program Files\ModifiableWindowsApps is, it seems, related to a PB of downloading version 1909 of Windows 10, therefore a bug. (To be seen?)
As for the about lines it would worry me more,
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] CheckedValue: Modified
From what I found it would be related to an infection which would have modified my settings.
Obviously, I don't have any known dirt on my computer.
Having just installed it, I would be surprised, DISM and scannow are clean.
I am attaching my Diag story so you know more...
https://www.cjoint.com/c/JErtgrMeRyo
The other lines (about) relate to shortcuts.
Either way, the 2004 version arrives with its share of surprises!
Obviously, if I have a PB on my computer, I would see the details with Gérard for example.
Thanking you in advance and apologizing for the inconvenience.
I wish you a good evening.
Kind regards, JP
-
July 23 2020 to 15 32 h min #26476Nicholas CoolmanKey Master
Hello JP,
No worries about these 2 lines, they fall into the informational category:
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] CheckedValue: Modified
Cdt
Free support forum
Nicholas Coolman -
August 21 2020 to 10 20 h min #26967GriffonRegular
Hello Nicolas,
I don't know if I'm in the right forum but I have the following question.
After carrying out the analysis and diagnosis phases, I arrive at the cleaning stage.
When I want to start the cleaning script, a warning appears indicating that the script must be validated by a security expert.
However, I am not an expert and I do not know how to validate the script. So I don't continue cleaning...
I find it a shame not to complete the process but I don't want to make damaging deletions...
How can I go about it?
Thank you
Griffin.
-
August 21 2020 to 13 37 h min #26971Nicholas CoolmanKey Master
Hello Griffin,
Send me your ZHPDiag report so that I can validate your cleaning.
Go to the CJoint website and provide the hosting link obtained.
https://www.cjoint.com/
Regards
Nicholas Coolman
Free support forum
Nicholas Coolman -
August 21 2020 to 23 13 h min #26976GriffonRegular
Hello,
Here it is:
https://www.cjoint.com/c/JHvpwht2pOo
Thank you
Griffin -
August 21 2020 to 23 28 h min #26977Nicholas CoolmanKey Master
Hello,
OK for the ZHPDiag report, you can do the cleaning with the script offered by ZHPSuite.
A+
Free support forum
Nicholas Coolman -
August 24 2020 to 10 19 h min #27003GriffonRegular
Thanks Nicolas!
I have another question: a dialog box tells me that the version of the ZHPSuite software is older than 30 days but I downloaded the latest version 3 days ago (that of 30/07/2020). Looks like it didn't update properly?
Thank you for your advice.
Griffin.
-
August 24 2020 to 11 10 h min #27004Nicholas CoolmanKey Master
Hello,
The latest version of ZHPsuite dates from August 23, 2020.
It must be a shortcut target file problem.
Do this :
1) Remove the desktop shortcut.
2) Download the latest version from the site:
3) Launch the new version, a new shortcut will be created.
The next updates will be done normally!
Nicolas
Free support forum
Nicholas Coolman -
September 30 2020 to 22 39 h min #27532g3nRegular
Re, Nicholas
something else :
In the —\\ SERIAL NUMBERS part of ZHPSuite at the end, all the files of each program have the same MD5, which is impossible; there must be an error in your MD5 reading loop or a forgotten reset of the value.
c/f full report:
https://up.security-x.fr/file.php?h=R6fae235b168cb3ecec7d7c21be23a1e1
Topic:
-
September 30 2020 to 22 53 h min #27534g3nRegular
Re, the messages have difficulty getting through; 3rd time I rephrase it, it must remain stuck in moderation, I don't know why
(sorry for the duplicate)
-
September 30 2020 to 23 28 h min #27535jipidModerator
Good evening g3n.
Having had similar concerns in the past, a message that is difficult to get across,
I connected using Internet Protocol version 6 (TCP/IPv6)
Kind regards, J.P
-
October 1 2020 to 8 55 h min #27537g3nRegular
Hello
no I had to put a link not accepted by the NC.eu server
maybe the one from cnet or textup……….
-
October 1 2020 to 9 04 h min #27539g3nRegular
no I tried again nothing to do it won't work you have to wait for nicolas to unblock it
certainly for new registrants or re-registered people, a post is only limited to one link
-
October 1 2020 to 9 25 h min #27538g3nRegular
I'm trying again
So I told Nicolas that it is possible that he made an error in the MD5 reading loop of the files or forgot to reset the value because all the files in the same program have the same MD5 in the part:
—\\ SERIAL NUMBERS
at the end of the report
c/f full report:
https://up.security-x.fr/file.php?h=R6fae235b168cb3ecec7d7c21be23a1e1
topic:
-
October 1 2020 to 9 33 h min #27540Nicholas CoolmanKey Master
Hello Gen,
In the "Serial number" module, it is not the MD5 of the file that is displayed, but rather the "Serial number" of the file owner.
Example for nVidia
62E745E92165213C971F5C490AEA12A5
C=US, S=California, L=Santa Clara, O=NVIDIA Corporation, OU=IT-MIS, CN=NVIDIA Corporation
Serial: 62e745e92165213c971f5c490aea12a5
Free support forum
Nicholas Coolman -
October 1 2020 to 15 39 h min #27549g3nRegular
ah ok I understand my mistake better :)
thanks to you :)
another thing, in a report I saw one of my tools (Segurazo Killer) that I had made to destroy segurazo and yet signed g3n-h@ckm@n classified as a Segurazo infection ^^
-
October 1 2020 to 16 55 h min #27551Nicholas CoolmanKey Master
Hello Gen,
Give me the detected report line so I can raise the FP.
Free support forum
Nicholas Coolman -
October 1 2020 to 17 51 h min #27552g3nRegular
oops it's not from yesterday lol but if I come across it again I won't miss it otherwise base yourself on my digital signature it's the same on all the tools
stamped from an online symantec dll
https://timestamp.verisign.com/scripts/timestamp.dll
more info on this page virustotal details tab middle of page
-
October 1 2020 to 18 54 h min #27554g3nRegular
And I add:
you can also contact malwarebytes about this:
-
October 6 2020 to 10 02 h min #27599g3nRegular
Hi Nicolas
and for the rest, obviously some infections manage to change their startup path and manage to restart from the tools quarantine (an additional extension must be added to the files):
———- | Processes closed
8980 | [Owner: System | Parent: 5708 ()] – (. – .) – (1.0.0.1) = C:\Users\thiba\AppData\Roaming\ZHP\Quarantine\ZHPCleaner\csrss.exe
———- | Tasks
Delete: csrss
-
October 14 2020 to 15 34 h min #27802AnonymousInactive
Hello Nicolas
why in ZHPSuite, the search is only done over 30 days? why not 20 or 40, it’s very random, right? is there a specific reason?
-
October 14 2020 to 18 28 h min #27804Nicholas CoolmanKey Master
Hello Ernesto,
Why in ZHPSuite is the search only done over 30 days? why not 20 or 40, it’s very random, right? is there a specific reason?
No, no particular reason, it's just a time limit that seems reasonable to me to list the latest files created on a station.
Free support forum
Nicholas Coolman -
October 17 2020 to 10 35 h min #27842AnonymousInactive
Hello
let's admit that we created an infected file, 32 days ago, it will not be taken into account
-
October 17 2020 to 10 42 h min #27843Nicholas CoolmanKey Master
Hello Ernesto,
Hence the importance of regularly analyzing your system!
Free support forum
Nicholas Coolman -
October 17 2020 to 11 01 h min #27844AnonymousInactive
I have doubts (once again), but justified ones; you know very well that the majority of users very rarely do a regular analysis of their system. You will rightly answer me that it is their problem and not yours. But when they come, by force of circumstances, to be disinfected, the 30-day deadline must have long since passed.
-
October 17 2020 to 11 37 h min #27846Nicholas CoolmanKey Master
In the event of a serious infection with a system malfunction, on the one hand I doubt that the resident antivirus will let it pass,
on the other hand I doubt that the user will come forward in more than 30 days.
Normally he requests assistance the same day, or even the few days that follow.Free support forum
Nicholas Coolman -
October 17 2020 to 12 00 h min #27847AnonymousInactive
I find you very optimistic, but in absolute terms you are right. I have a friend who does great nonsense with his PC, P2P, streaming, wild downloading, and so on, and he had been complaining for a long time about serious problems on his PC, but that didn't worry him more than that; his PC took a quarter of an hour to open, but he didn't care. I made him understand that an analysis of his PC could not be more judicious, which he decided to do after I insisted. I won't tell you the result... there were more infected lines than legitimate lines. All this to say that while some are rightly worried about a malfunction in their system, many others don't really care, and are not even aware of the potential dangers that their PC can represent.
-
October 17 2020 to 13 10 h min #27848Nicholas CoolmanKey Master
Yes, there can always be exceptions, there are even users who disable Windows Defender and who do not have any antivirus installed.
Free support forum
Nicholas Coolman -
October 17 2020 to 14 24 h min #27849AnonymousInactive
yes, but there, it is no longer common sense or computer science, but rather psychological support to the extent that this way of acting suggests suicidal thoughts
-
October 20 2020 to 7 46 h min #27891g3nRegular
Hi Nicolas, people using OSArmor as protection (like me, who only has that; I prefer prevention to cure) do not think of deactivating it like an AV.
In short, following the ZHPSuite test, it is possible that there are blockages on ZHP with OSArmor (NoVirusThanks)
Log:
Date/Time: 01/10/2020 18:57:42
Process: [6544]C:\Windows\SysWOW64\cscript.exe
Process MD5 Hash: 13783FF4A2B614D7FBD58F5EEBDEDEF6
Parent: [9120]C:\Windows\System32\cmd.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\slmgr.vbs" /dlv
Signer:
Parent Sign:
User/Domain: gen-hackman/DESKTOP-2FADNO8
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
-
October 20 2020 to 14 02 h min #27906Nicholas CoolmanKey Master
Hello,
OSArmor (NoVirusThanks) is already authenticated as legitimate in my tables.
Free support forum
Nicholas Coolman -
October 20 2020 to 14 08 h min #27907g3nRegular
Re,
that's absolutely not what I was talking about, sorry but you are mistaken
I was simply saying that OSArmor could block certain ZHP actions, notably the execution of .vbs scripts or execution of system files by unknown parent processes ^^
-
October 20 2020 to 14 29 h min #27908Nicholas CoolmanKey Master
Indeed certain ZHPDiag modules may be impacted by the operation of OSArmor.
Free support forum
Nicholas Coolman -
October 20 2020 to 14 34 h min #27909g3nRegular
Reason why I do not use .vbs file execution or any third party executable……
-
October 20 2020 to 14 53 h min #27910Nicholas CoolmanKey Master
I just checked, I only use it to collect Windows license information. So it’s not very disruptive for the report.
Free support forum
Nicholas Coolman -
October 20 2020 to 14 54 h min #27911g3nRegular
yes that’s what I thought afterwards :)
Is it still Delphi?
-
October 20 2020 to 15 10 h min #27912Nicholas CoolmanKey Master
No, it's Autoscript with the Run function.
; Run slmgr.vbs /dlv through cscript.exe (via cmd.exe) and redirect its output to Licence.txt
Local $sScriptEngine = @SystemDir & '\cscript.exe'
Local $sLicenseFile = @SystemDir & '\slmgr.vbs'
Local $sFile = $sDirZHP & '\Licence.txt'   ; $sDirZHP: ZHP working folder (assumed to be defined elsewhere in the program)
; The output path is quoted so that a folder containing spaces still redirects correctly
Local $iPID = Run(@ComSpec & ' /c ' & $sScriptEngine & ' "' & $sLicenseFile & '" /dlv > "' & $sFile & '"', "", @SW_HIDE)
Free support forum
Nicholas Coolman -
October 20 2020 to 15 22 h min #27913g3nRegular
ok, maybe this can give you ideas; it's more object oriented than using slmgr, you do with it what you want, it's just to show you how I check the license status of windows :)
; _ServiceRunning: helper UDF (not built in); '' = local machine. Only query WMI when the winmgmt service is up.
If _ServiceRunning('', 'winmgmt') Then
    Global $ActiveCheck, $result
    Local $oWMIService = ObjGet("winmgmts:\\.\root\cimv2")
    If IsObj($oWMIService) Then
        ; Only products with a partial key installed are relevant to the activation state
        Local $oCollection = $oWMIService.ExecQuery("SELECT Description, LicenseStatus, GracePeriodRemaining FROM SoftwareLicensingProduct WHERE PartialProductKey <> null")
        If IsObj($oCollection) Then
            For $oItem In $oCollection
                Switch $oItem.LicenseStatus
                    Case 0, 2 To 4, 6
                        $result = "Windows NOT Activated"
                    Case 1
                        $result = "Windows Activated"
                    Case 5
                        $result = "Possible Fixed Windows"
                EndSwitch
                FileWriteLine($txt, $result & @CRLF)   ; $txt: report file (assumed to be opened elsewhere)
            Next
        EndIf
    EndIf
EndIf
PS: too bad there is no code tag because it doesn't look good lol
-
October 20 2020 to 15 34 h min #27914Nicholas CoolmanKey Master
Yes, passing through the object gives you indications but it is not as complete as the content of the license file.
#cs
Microsoft(R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Software Licensing Service Version: 6.3.9600.16497

Name: Windows(R), Core edition
Description: Windows(R) Operating System, OEM_DM channel
ID d’activation: c7c00280-b24d-4e82-89ca-4f1288eb1d9e
ID d’application: 55c92734-d682-4d71-983e-d6ec3f16059f
PID étendu: 06401-02586-185-984756-02-1036-9600.0000-0842015
Product Key Channel: OEM:DM
Facility ID: 403880XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
User license URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=DM
Validation URL: https://validation-v2.sls.microsoft.com/SLWGA/slwga.asmx
Partial product key: M4FWQ
License Status: With License
Number of Windows resets remaining: 998
Number of SKU resets remaining: 1000
Approved time: 02/06/2015 13:19:51
#ce
Free support forum
Nicholas Coolman -
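A parser for the slmgr.vbs /dlv text that ZHPDiag redirects into Licence.txt, as an added example that is not ZHPDiag's own code: it turns the "Label: value" lines into a dict, answers the activation question, and masks the identifiers that should not end up in a public report. Labels follow the English slmgr output; the sample below is constructed and every identifier in it is made up.

```python
"""Parse slmgr.vbs /dlv output and redact machine identifiers before publishing."""

# Constructed sample in the shape of the license file quoted above; all values are made up
# except the well-known Windows Application ID.
SAMPLE_DLV = """\
Microsoft(R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Software Licensing Service Version: 6.3.9600.16497

Name: Windows(R), Core edition
Description: Windows(R) Operating System, OEM_DM channel
Activation ID: 11111111-2222-3333-4444-555555555555
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00000-00000-000-000000-00-0000-9600.0000-0000000
Product Key Channel: OEM:DM
Installation ID: 000000000000000000000000000000000000000000000
Use License URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=DM
Validation URL: https://validation-v2.sls.microsoft.com/SLWGA/slwga.asmx
Partial Product Key: ABCDE
License Status: Licensed
Remaining Windows rearm count: 998
Remaining SKU rearm count: 1000
Trusted time: 02/06/2015 13:19:51
"""

# Labels whose values identify the machine or the product key and must not be published.
SENSITIVE_LABELS = {"installation id", "extended pid", "partial product key"}


def parse_dlv(text):
    """Return a dict of 'Label: value' pairs; the WSH banner and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue  # banner, copyright line or blank line
        label, value = line.split(": ", 1)
        fields[label.strip()] = value.strip()
    return fields


def is_activated(fields):
    """True when slmgr reports the licensed state (the 'Windows Activated' case above)."""
    return fields.get("License Status", "").lower() == "licensed"


def redact(fields):
    """Copy of fields with sensitive identifiers masked, keeping the first 4 characters as a hint."""
    out = {}
    for label, value in fields.items():
        if label.lower() in SENSITIVE_LABELS:
            out[label] = value[:4] + "X" * max(len(value) - 4, 0)
        else:
            out[label] = value
    return out


def render(fields):
    """Re-serialise the dict in the same 'Label: value' shape for inclusion in a report."""
    return "\n".join(f"{k}: {v}" for k, v in fields.items())


if __name__ == "__main__":
    parsed = parse_dlv(SAMPLE_DLV)
    print("activated:", is_activated(parsed))
    print(render(redact(parsed)))
```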
October 20 2020 to 16 46 h min #27916g3nRegular
I know this well, but the problem is that I have never managed to get the contents of the slmgr window out into a txt. If I had succeeded, the rest would be child's play to transcribe everything and prevent certain sensitive information from being public; I tried by all means, but the output result: blank sheet lol
PS:
this morning I'm looking at a report on a topic and while reading this one, I was particularly surprised by the difference in signature detection and the signature indicated:
SR – Boot [07/12/2019] [166712] (vsmraid). (.VIA Technologies Inc.,Ltd.) – C:\WINDOWS\System32\drivers\vsmraid.sys =>.Microsoft®
SR – Boot [07/12/2019] [412176] Intel RAID Controller Wi (iaStorV) . (.Intel Corporation.) – C:\WINDOWS\System32\drivers\iaStorV.sys =>.Microsoft®
-
October 23 2020 to 18 13 h min #27971ZorKasRegular
Hello Nicolas,
I have just tested your latest version: ZHPDiag v2020.10.21.246 By Nicolas Coolman (2020/10/21) so I will provide you with the information:
When analyzing, the report shows 2 Hijacker.Hosts below:
—\ STUDY OF THE HOSTS FILE (3) – 0s
O1 – Hosts: 178.255.86.194 download.comodo.com =>Hijacker.Hosts
O1 – Hosts: 178.255.86.194 http://www.download.comodo.com =>Hijacker.Hosts
~ Number of diverted or corrupted lines 2/24 (Hosts file redirected or corrupted)
In fact, these are legitimate Comodo servers for downloading CIS (Comodo Internet Security) antiviral databases. FYI, in Beta versions the hosts file must be modified manually before installation.
This ZHPSuite version is really good, good work, thank you!
cordially
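A hosts-file check in the spirit of the "O1 – Hosts" lines above, as an added example that is not ZHPDiag's own code: any entry that maps a name to an address other than loopback/unspecified is reported, unless the (address, host) pair is on an allowlist of known legitimate redirections, which is where the Comodo entries from the report belong. The hosts text is constructed; the 203.0.113.10 entry is a made-up hijack.

```python
"""Flag hosts-file entries that divert a name to a real address, with an allowlist for known-good cases."""
import ipaddress

# Constructed sample shaped like a Windows hosts file; the Comodo lines mirror the report above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
178.255.86.194  download.comodo.com
178.255.86.194  www.download.comodo.com
0.0.0.0         ads.tracker.test            # blocklist-style entry: sinkholes a name, harmless
203.0.113.10    www.update.microsoft.com    # constructed hijack: update domain redirected
"""

# (address, host) pairs known to be legitimate; the Comodo pair is the false positive from the report.
ALLOWLIST = {
    ("178.255.86.194", "download.comodo.com"),
    ("178.255.86.194", "www.download.comodo.com"),
}


def parse_hosts(text):
    """Return (address, host) pairs, one per host name; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_blocking_entry(addr):
    """Loopback or unspecified targets only sinkhole a name; they cannot divert traffic elsewhere."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, allowlist=frozenset(ALLOWLIST)):
    """Return the entries that send a name to a real address and are not on the allowlist."""
    return [(a, h) for a, h in parse_hosts(text)
            if not is_blocking_entry(a) and (a, h) not in allowlist]


def summary(text, allowlist=frozenset(ALLOWLIST)):
    """'diverted/total' count in the style of the report's closing line."""
    return f"{len(find_hijacks(text, allowlist))}/{len(parse_hosts(text))}"


if __name__ == "__main__":
    for addr, host in find_hijacks(SAMPLE_HOSTS):
        print(f"O1 - Hosts: {addr} {host} =>Hijacker.Hosts")
    print("Number of diverted lines", summary(SAMPLE_HOSTS))
```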
-
October 23 2020 to 23 17 h min #27973Nicholas CoolmanKey Master
Hello Patrick,
OK, I will take into account the IP address of comodo.
https://whois.domaintools.com/178.255.86.194
Free support forum
Nicholas Coolman -
October 29 2020 to 18 01 h min #28081g3nRegular
hello, obviously my message relating the erroneous detection of capicom.dll as adware did not go through; it must have remained stuck in the WordPress approval.
C:\Windows\Capicom.dll
if you want to study the file
https://gen-hackman.serveftp.com/Temp/CapiCom.dll
-
October 29 2020 to 18 03 h min #28083g3nRegular
ah I understood, it's the link to my server which is blocking, that's why my message is not getting through; I'm sending it to you by joint then
Detection:
C:\Windows\capicom.dll => Adware
Virustotal:
If you want to study the file
-
October 29 2020 to 18 05 h min #28075g3nRegular
Hi Nicolas
I'm notifying you of a bad detection:
C:\WINDOWS\capicom.dll =>Adware.Suspect
if you want to study the file:
-
October 29 2020 to 18 05 h min #28067FirebirdRegular
Hello Nicolas,
Firefox, although installed, is not listed in the ZHPDiag report.
Extract from the ZHPDiag report
---\\ INTERNET BROWSERS (2) - 0s
~ MSIE: Internet Explorer v11.572.19041.0
~ OBIE: Microsoft Edge v86.0.622.51
Extract from the FRST report
Default browser: FF
Wondershare is listed by ZHPSuite, but not listed as a PUP by ZHPSuite.
https://www.pcsansvirus.com/pages/supprimer-wondershare.html
Extract from the ZHPDiag Report
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]:Wondershare Helper Compact.exe =>.Wondershare
---\\ SUMMARY OF ELEMENTS FOUND (4) - 0s
https://nicolascoolman.eu/2017/09/12/origine-lignes-orphanes/ =>.SUP.Orphan
https://nicolascoolman.eu/wp-content/uploads/2017/12/26/sup-advancedsystemcare/ =>SUP.Optional.AdvancedSystemCare
https://nicolascoolman.eu/forum/Topic/warning-eventlogapp-evenement-dapplication/ =>Warning.EventLogApp
https://nicolascoolman.eu/forum/Topic/warning-eventlogsys-evenement-systeme/ =>Warning.EventLogSys
Reports
- ZHPDiag: https://www.cjoint.com/doc/20_10/JJCvXGLq2n7_ZHPDiag.txt
- FRST: https://www.cjoint.com/doc/20_10/JJCvYv8a5F7_FRST.txt
- Addition: https://www.cjoint.com/doc/20_10/JJCvWS3J867_Addition.txt
@+
Patricia -
October 29 2020 to 18 06 h min #28068FirebirdRegular
Hello Nicolas,
I sent a message to ZHPSuite, but it does not appear, perhaps time for moderation.
I pointed out that WonderShare is listed in the ZHPDiag report but not listed as a PUP in the summary elements.
In addition, FF, the default browser is not listed by ZHPDiag, verified in several reports.
Reports
https://cjoint.com/doc/20_10/JJCwn1t0r47_ZHPDiag.txt
https://cjoint.com/doc/20_10/JJCwox6lDb7_FRST.txt
https://cjoint.com/doc/20_10/JJCwnyHSry7_Addition.txt
@+
Patricia -
October 29 2020 to 18 12 h min #28084Nicholas CoolmanKey Master
Hello g3n,
There is a suspicious detection of this dynamic resource because it is not installed in its default folder "System32":
C:\WINDOWS\capicom.dll =>Adware.Suspect
Since the resource is healthy, you can ignore the detection, but I prefer to keep the warning...
Free support forum
Nicholas Coolman -
October 29 2020 to 20 37 h min #28085g3nRegular
Understood :)
Personally I don't have it in system32; it's a DLL which is used to sign a file digitally because it works with signtool.exe
-
October 30 2020 to 8 49 h min #28087Nicholas CoolmanKey Master
Hello g3n,
Personally I don't have it in system32, it's a dll which is used to sign a file digitally because it works with signtool.exe
I also use signtool.exe, and this DLL is not present in the root of Windows but in system32.
Free support forum
Nicholas Coolman -
October 30 2020 to 8 51 h min #28086FirebirdRegular
Hello Nicolas
Did you see the two messages I posted yesterday?
@+
Patricia -
October 30 2020 to 9 27 h min #28088Nicholas CoolmanKey Master
Hello Firebird,
Yes, I read your messages!
For Firefox,
Check if you now have Firefox with v248 that I just put online.
For Wondershare,
Wondershare is not adware, so it remains classified as legitimate and is not listed in the items found.
Free support forum
Nicholas Coolman -
October 30 2020 to 23 40 h min #28101FirebirdRegular
Legitimacy of WonderShare
Hello Nicolas
OK for the legitimacy of WonderShare.
However, installed Firefox remains absent from the ZHPDiag report, with ZHPSuite latest version downloaded just now.
Example: Extract from a ZHPDiag report carried out just now.
https://www.cjoint.com/doc/20_10/JJEwNkCIFq7_ZHPDiag.txt
@+
Patricia -
October 31 2020 to 11 22 h min #28106Nicholas CoolmanKey Master
Hello Nicolas
OK for the legitimacy of WonderShare.
However, installed Firefox remains absent from the ZHPDiag report, with ZHPSuite latest version downloaded just now.
Example: Extract from a ZHPDiag report carried out just now.
https://www.cjoint.com/doc/20_10/JJEwNkCIFq7_ZHPDiag.txt
Free support forum
Nicholas Coolman -
October 31 2020 to 11 32 h min #28107Nicholas CoolmanKey Master
Hello Firebird,
You would need to tell me if you have a registry key under "Uninstall" that refers to "Mozilla":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
If so, make a key export.
Free support forum
Nicholas Coolman -
October 31 2020 to 22 38 h min #28115FirebirdRegular
Hello Nicolas
Yes, I have a Registry Key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
https://cjoint.com/doc/20_10/JJFvLPDkIN7_Mozilla-clé.txt
@+
Patricia -
November 1 2020 to 8 42 h min #28116Nicholas CoolmanKey Master
Hello Firebird,
Thank you for the export, I will work on it, I will let you know as soon as I have a result.
Free support forum
Nicholas Coolman -
November 2 2020 to 8 19 h min #28124FirebirdRegular
Hello Nicolas,
Thank you for coming back.
The ZHPSuite scan that I performed on a test machine is just an example, but I see the same anomaly on other ZHPDiag reports that I analyze in disinfection, regardless of the OS.
I can't ask the DA for a key export. :)
https://www.cjoint.com/doc/20_11/JKbvGy72HX7_ZHPDiag-pas-FF.txt
In the following report, Firefox is well listed among browsers.
https://www.cjoint.com/doc/20_11/JKbvGkI0iH7_ZHPDiag-FF.txt
Does ZHPDiag only detect 32-bit FF?
---\\ INTERNET BROWSERS (4) - 1s
~ GCIE: Google Chrome v86.0.4240.111
~ MFIE: Mozilla Firefox 82.0.2 (x86 fr)
~ MSIE: Internet Explorer v11.1139.18362.0
~ OBIE: Microsoft Edge v86.0.622.51
@+
Patricia -
November 2 2020 to 8 20 h min #28126FirebirdRegular
Re Nicolas
Another example of a ZHPDiag report with FF listed in browsers, and again, this is the 32-bit FF version.
https://www.cjoint.com/doc/20_11/JKbv0ZKdt57_ZHPDiag-FF2.txt
@+
Patricia -
November 2 2020 to 8 20 h min #28127FirebirdRegular
Hello Nicolas,
An example which contradicts my suggestion of the 32 bit/64 bit architecture, example unearthed just now.
https://www.cjoint.com/doc/20_11/JKbw21W0vL7_ZHPDiag-ff3.txt
---\\ INTERNET BROWSERS (3) - 0s
~ GCIE: Google Chrome v86.0.4240.111
~ MFIE: Mozilla Firefox v79.0.0.7506
~ MSIE: Internet Explorer v11.0.10240.17443
@+
Patricia -
November 2 2020 to 8 53 h min #28130Nicholas CoolmanKey Master
Hello Firebird,
This was indeed linked to a 64bit redirection with a 32bit compilation. Mozilla Firefox and other browsers like Waterfox and Slimbrowser were affected.
—\ INTERNET BROWSERS (10) – 0s
~GCIE: Google Chrome v86.0.4240.111
~ MFIE: Mozilla Firefox 82.0.2 (x64 fr)
~ MFIE: Waterfox Classic 56.3 (x64 en-US)
~ OBIE: SlimBrowser v11.0.7.0
~ MSIE: Internet Explorer v11.572.19041.0
~ OBIE: BraveSoftware Brave-Browser v86.1.16.68
~ OBIE: Slimjet v20.0.4.0
~ OBIE: Vivaldi v2.5.1525.48
~ OBIE: Microsoft Edge v86.0.622.56
~ OBIE: Comodo Dragon v83.0.4103.116
v249 should resolve this display case.
Free support forum
Nicholas Coolman -
November 2 2020 to 21 56 h min #28147FirebirdRegular
Hello Nicolas,
Thank you for your research and your quick response.
This was indeed linked to a 64bit redirection with a 32bit compilation.
If I understood correctly, this error concerned Firefox installed in 32-bit on a 64-bit OS, which is validated by my reports above.
@+
Patricia -
December 26 2020 to 4 44 h min #29055FirebirdRegular
Hello Nicolas
I sent a message a few minutes ago, but it is not showing up on the forum.
@+
Patricia -
December 26 2020 to 9 18 h min #29056FirebirdRegular
Hello Nicolas,
I am resending my message, since it seems lost.
1- ZHPDiag.txt report
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose
HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB =>Trojan.Bifrose
2- My FRST script
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB
3- Fixlog.txt report
"HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB" => non trouvé(e)
"HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Features\0BAB99B394BE1DD4080E99CBBEE9E3DB" => non trouvé(e)
4- ZHPCleaner-R-.txt report
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB [Bifrost Extension 2.0.5.1 for Maya 2019] =>Trojan.Bifrose
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bifrost Extension 2.0.5.1 for Maya 2019 [] =>Trojan.Bifrose
Full reports
https://www.cjoint.com/doc/20_12/JLAdgqOX8r7_ZHPDiag.txt
https://www.cjoint.com/doc/20_12/JLzwq6Byof7_Fixlog.txt
https://www.cjoint.com/doc/20_12/JLAdfOIDOS7_ZHPCleaner-R-.txt
=> Do you know why
- keys detected in Trojan.Bifrose by ZHPDiag are not found by the FRST script
- ZHPCleaner deletes one and only one of the two keys detected by ZHPDiag?
Thanks for your help.
@+
Patricia -
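The report lines above name two different physical paths for the same product code: ZHPDiag and the FRST script refer to `HKLM\SOFTWARE\Wow6432Node\Classes\Installer\Products\...`, while the ZHPCleaner line tagged `[X64]` refers to `HKLM\SOFTWARE\Classes\Installer\Products\...`. Which of those a tool sees depends on whether it reads the registry through the 32-bit or the 64-bit view. The PowerShell below is an added, read-only check, not code from the thread or from ZHPDiag, ZHPCleaner or FRST: it opens the two key paths quoted in the report through each registry view explicitly and reports where each one exists, so the "not found" of one tool can be compared with the "deleted" of another. The key paths are the ones quoted above; `ProductName` is the usual value stored under a Windows Installer product key and is only read if the key is present.

```powershell
# Added example, not part of the thread: compare the 32-bit and 64-bit registry
# views for the two Installer product key paths quoted in the reports above.
# Nothing is modified; every key is opened read-only.
$paths = @(
    'SOFTWARE\Wow6432Node\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB',
    'SOFTWARE\Classes\Installer\Products\0BAB99B394BE1DD4080E99CBBEE9E3DB'
)

$views = @(
    [Microsoft.Win32.RegistryView]::Registry32,
    [Microsoft.Win32.RegistryView]::Registry64
)

foreach ($view in $views) {
    # OpenBaseKey selects the view explicitly, regardless of whether this
    # PowerShell process is itself 32-bit or 64-bit.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    foreach ($path in $paths) {
        $key = $hklm.OpenSubKey($path)   # read-only open; $null if absent in this view
        if ($null -ne $key) {
            # Installer product keys normally carry a ProductName string value
            $name = $key.GetValue('ProductName')
            '{0,-10} present  HKLM\{1}  (ProductName: {2})' -f $view, $path, $name
            $key.Close()
        } else {
            '{0,-10} absent   HKLM\{1}' -f $view, $path
        }
    }
    $hklm.Close()
}
```

Run it from an elevated PowerShell on the machine that produced the reports. A key reported `present` under `Registry64` but `absent` under `Registry32` (or the reverse) is the usual reason a 32-bit and a 64-bit tool disagree about the same entry, independent of whether the detection itself is a true or a false positive.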
December 26 2020 at 9:28 #29057 Nicholas Coolman (Key Master)
Hello Firebird,
This is a false detection of Bifrost Extension 2.0.5.1 for Maya 2019, I am doing what is necessary for the next versions
Thank you for the info!
Free support forum
Nicholas Coolman -
December 26 2020 at 21:48 #29074 Firebird (Regular)
Hello Nicolas,
This is a false detection of Bifrost Extension 2.0.5.1 for Maya 2019, I am doing what is necessary for the next versions
Can you be more specific?
In which tool is there a false detection, ZHPDiag or ZHPCleaner?
ZHPDiag detects keys, I script them, but FRST can't find them.
Then ZHPCleaner deletes key*: [X64] HKLM\…
I don't understand the differences in results between these three tools.
@+
Patricia -
December 26 2020 at 22:37 #29075 Nicholas Coolman (Key Master)
In fact ZHPDiag and ZHPCleaner work on the same databases.
Free support forum
Nicholas Coolman -
December 26 2020 at 23:04 #29076 Firebird (Regular)
Hi,
In fact ZHPDiag and ZHPCleaner work on the same databases.
Okay, but in the example cited above, ZHPDiag and ZHPCleaner do not detect the same lines.
And FRST cannot find the lines detected by ZHPDiag, which is what alerted me.
@+
Patricia -
December 26 2020 at 23:43 #29077 Nicholas Coolman (Key Master)
To be able to study this case exactly I would need to be able to put myself in a real situation with this Bifrost version installed on a machine. But since it's a false detection, I don't think it's very useful to spend time on it.
Otherwise for FRST, I have no idea because I don’t use it!
Free support forum
Nicholas Coolman -
December 26 2020 at 23:54 #29078 Firebird (Regular)
Hello Nicolas,
Indeed, as it is a false detection, which you are going to correct, there is no point in dwelling on it.
Thank you for your quick response.
@+
Patricia -
March 27 2021 at 16:30 #31968 Vincent_l17 (Regular)
Hello,
I came to you to ask for a little help, I don't know if this section is appropriate for my request, I would obviously move it if this is not the case!
Here it is: I downloaded and used the ZHPSuite software, followed the online tutorial and proceeded with the cleaning with ZHPFix. My problem is simple: I accidentally deleted the generated reports, and was not able to go to the quarantine management tool to “completely” delete files.
I wanted to know if there is a way to fix this and/or if it is important or not!
Thank you in advance for your time!
Vincent
-
March 27 2021 at 16:56 #31969 Nicholas Coolman (Key Master)
Hello,
You can view the reports in the folder:
C:\Users\<your user name>\AppData\Roaming\ZHP\
All items quarantined by ZHPFix can be found here:
C:\Users\<your user name>\AppData\Roaming\ZHP\Quarantine\ZHPFix\
If the “File”, “Folder” and “Registry” folders are empty, this means that all items in the quarantine have been deleted.
Free support forum
Nicholas Coolman -
March 27 2021 at 17:22 #31971 Vincent_l17 (Regular)
Thank you for your response Nicolas!
Indeed they are empty! Thank you so much!
I was also wondering if using the System Restore Point tool would bring back everything that was deleted by ZHPFix?
I must admit that I am not very informed on the subject, and it was after having done all these manipulations that I read on various forums that it was better not to erase everything alone without knowledge, and to ask for the advice of an expert on the reports...
Would returning to a previous point correct the situation in order to do a guided cleaning which would be cleaner?
thanks again
-
March 27 2021 at 17:52 #31973 Alain Mas (Moderator)
I confirm that we must maintain the quarantine, that is why it was created. You must also validate the creation of the system restore point.
If a system malfunction occurs after deleting items, you must first restore the ZHPFix quarantine. This will put all moved files/folders back in their place and recreate the corresponding registry keys.
If, despite this, the system does not regain its stability, then the restore point will return your system to stable operation as it was before your cleaning operation.
-
March 27 2021 at 17:57 #31974 Nicholas Coolman (Key Master)
Hello,
I would add that a support forum is available to help you read reports and write cleaning scripts with different utilities.
Free support forum
Nicholas Coolman -
March 27 2021 at 18:00 #31975 Vincent_l17 (Regular)
Hello Alain, and thank you both for your advice!
I'm thinking of using the system restore tool. At first glance, nothing serious or unstable, but I have various small problems like a 13 GB application now indicated at over 700 GB, as well as various small things like that.
In any case I will go through the restoration and probably try ZHPSuite again in the company of experts thanks to your link Nicolas.
Thanks again and have a nice day!
-
January 29 2022 at 11:48 #38507 Eliot (Regular)
Hello everyone,
Hello Nicolas,
Why does ZHPDiag not report Windows 11, but Windows 10 instead?
Thank you and good day -
January 29 2022 at 13:59 #38508 Nicholas Coolman (Key Master)
-
January 29 2022 at 15:41 #38512
-
January 29 2022 at 17:36 #38514 Nicholas Coolman (Key Master)
22000.469
OK, I'm taking this build of Windows 11 into account for the next version.
Free support forum
Nicholas Coolman -
January 29 2022 at 17:53 #38515 Eliot (Regular)
Thank you and good luck
-
April 1 2022 at 16:04 #38511 Eliot (Regular)
-
September 20 2022 at 9:43 #40062 Nicholas Coolman (Key Master)
Hello,
For security reasons, the direct link to my software server is no longer accessible.
Updates will therefore no longer be possible with your old version.
1) Remove the software shortcut from your Desktop
2) Download the software again to get a new desktop shortcut.
ZHPCleaner: https://nicolascoolman.eu/download/telechargez-zhpcleaner-gratuit/
ZHPSuite: https://nicolascoolman.eu/download/telechargez-zhpsuite-gratuit/
ZHPFix: https://nicolascoolman.eu/download/zhpfix-script-manager/
ZHPDiag: https://nicolascoolman.eu/download/zhpdiag/
3) Launch the software from the new shortcut.
Free support forum
Nicholas Coolman
-