
Are these ZHPCleaner results mostly FPs (or inactive remnants of an infection)?


11 replies to this topic

#1 midimusicman79

  • Members
  • 616 posts
  • Gender:Male
  • Location:Norway

Posted 27 August 2015 - 09:04 AM

Hi all!
 
I just discovered the French anti-malware tool ZHPCleaner by Nicolas Coolman, and decided to give it a try; so I downloaded and ran it, and here are the results, which IMO are mostly FPs (or inactive remnants of an infection)?

I have run all the files through VirusTotal, and here are the results:
 
https://www.virustotal.com/en/file/a33f29745e298299b1547f3c40a91d920bf35e2a6d6909dec8295f3ef9097537/analysis/1300305925/
 
https://www.virustotal.com/en/file/f1acbc2d7b7b38f6df383109fb7a3ecaff716a6780e16a0b38b845e8cf7bed37/analysis/1416435340/
 
https://www.virustotal.com/en/file/408abd71f43fe0f64d1327f6d1c9c01e9e473fe01bb7fcc780190d1cd17b0bed/analysis/1440597226/
 
https://www.virustotal.com/en/file/49aa48eba0894082aec51c7bb16061b799bef4f50a08895ba50681bc9b136134/analysis/1434866210/
 
Should any of these entries be removed (please note that several of them, in bold, actually belong to WinPatrol (Paid))?
 
Thank you very much in advance for the help!
 
Regards,
midimusicman79
 
 
ZHPCleaner log:
 
~ ZHPCleaner v2015.8.26.332 by Nicolas Coolman (2015/08/26)
~ Run by Torbjoern Martin (Administrator)  (26/08/2015 15:11:38)
~ Site : http://www.nicolascoolman.fr
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Scan
~ Report : C:\Documents and Settings\Torbjoern Martin\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Documents and Settings\Torbjoern Martin\Program Data\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Deactivate
~ Boot Mode : Normal (Normal boot)
Windows XP, 32-bit Service Pack 3 (Build 2600)


---\\  Services (0)
~ No malicious or unnecessary items found.


---\\  Browser internet (0)
~ No malicious or unnecessary items found.


---\\  Hosts file (1)
~ The hosts file is legitimate (19)


---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\  Explorer ( File, Folder) (6)
FOUND file: C:\WINDOWS\Temp\ESUSUninstaller.exe [Telenor Norway - Telenor Software Update Service]  =>Heuristique.Suspect
FOUND file: C:\WINDOWS\Temp\Uninst.exe [LPL - Uninstaller]  =>Heuristique.Suspect
FOUND file: C:\Documents and Settings\All Users\Desktop\Musicsoft Downloader.lnk    =>PUP.Optional.Downware
FOUND file: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>PUP.Optional.Tarma
FOUND folder: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}  =>PUP.Optional.Tarma
FOUND folder: C:\Documents and Settings\All Users\Program Data\InstallMate  =>PUP.Optional.Tarma



---\\  Registry ( Key, Value, Data) (6)
FOUND key: HKLM\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC [SearchAssistantOC]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1 [SearchAssistantOC]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\SrchUI.SearchAssistant [Search Assistant Control]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\SrchUI.SearchAssistant.1 [Search Assistant Control]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\CLSID\{2E71FD0F-AAB1-42c0-9146-6D2C4EDCF07D} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89} [SearchAssistantOC]  =>PUP.Optional.SearchAssist


---\\ Result of repair
~ Any repair made
~ Browser not found (Google Chrome)
~ Browser not found (Opera Software)


---\\ Statistics
~ Items scanned : 53558
~ Items found : 12
~ Items cancelled : 0
~ Items repaired : 0


~ End of search in 20 minutes
===================
ZHPCleaner-[s]-26082015-15_32_24.txt

Edited by Queen-Evie, 27 August 2015 - 10:23 AM.
Moved from AV/AM Software

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free and Unchecky, WFW, FFQ with uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.




#2 Jaycan

  • Members
  • 445 posts
  • Gender:Male

Posted 27 August 2015 - 08:25 PM

A PUP detection doesn't mean it is malware. PUP means: Potentially Unwanted Program.

If you did install Tarma willingly, then you can ignore this detection. Highly unlikely, as it is installed as a 3rd-party hanger-on to many legit programs.
Otherwise it is regarded as a P.U.P. (Potentially Unwanted Program) by Malwarebytes and others.

Looking also shows that the second item is detected by Malwarebytes Anti-Malware as PUP.Optional.SearchAssist.

So both are detected as P.U.P.s by anti-malware programs... The ZHPCleaner did what it was meant to do. I would now hit Repair, and these should be gone.



#3 Jaycan

  • Members
  • 445 posts
  • Gender:Male

Posted 27 August 2015 - 08:54 PM

You may note that the program has a constant (almost daily) updater, and if you use Search first you are given the option to take these off the list.

This is the same as AdwCleaner and any detection made by that program.

However JRT has no such option, and as it is a batch file, it simply removes whatever has been added to its list.

Always use a program where the option to Quarantine and re-install, or not remove, is offered.

This is typical of the use of programs when not directed by correctly trained people (Combofix being the main one). You seem to know what is good / bad, and so it becomes hard to advise you, outside of the Malware Removal Forum area.

I personally have nothing to do with that program, but my reply has been to always use a program that gives you (or a helper) options in deletions.

That program is installed, updated, and used on 2 of my computers, but each system is individual in its needs.

You can always email the developer at their Official site (he runs a small forum), or choose not to use it, and ignore your problems.

EDIT: English version of the Program

Edited by Jaycan, 27 August 2015 - 09:02 PM.


#4 midimusicman79 (Topic Starter)

  • Members
  • 616 posts
  • Gender:Male
  • Location:Norway

Posted 29 August 2015 - 09:20 AM

Hi, Jaycan!

Thank you for the prompt and helpful replies! :)

Sorry for not replying back sooner, but yesterday I had to pay some bills, and then I reran ZHPCleaner in order to choose to repair the only entries which I deemed safe, which were five registry entries. It is 'funny' though, that MBAM (Free) does in fact not pick up these PUPs (Tarma and SearchAssist).

However, as I hit the Repair button, something unexpected happened: ZHPCleaner moved and deleted almost everything, thereby leaving intact only one out of 12 entries. I had to run System Restore in order to reverse the changes, but two of the files that were located in C:\WINDOWS\Temp were gone, obviously because System Restore does not monitor this folder... :(

Hence I do not trust ZHPCleaner anymore, and would therefore encourage the developer to fix this IMO serious bug, and until then I would not recommend the tool to anyone.

Thank you very much for the help! :) The issue has been successfully resolved!

Regards,

midimusicman79

ZHPCleaner Repair log:

 

~ ZHPCleaner v2015.8.29.335 by Nicolas Coolman (2015/08/29)
~ Run by Torbjoern Martin (Administrator)  (29/08/2015 14:49:01)
~ Site : http://www.nicolascoolman.fr
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Documents and Settings\Torbjoern Martin\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Documents and Settings\Torbjoern Martin\Program Data\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Deactivate
~ Boot Mode : Normal (Normal boot)
Windows XP, 32-bit Service Pack 3 (Build 2600)


---\\  Services (0)
~ No malicious or unnecessary items found.


---\\  Browser internet (0)
~ No malicious or unnecessary items found.


---\\  Hosts file (1)
~ The hosts file is legitimate (19)


---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\  Explorer ( File, Folder) (5)
MOVED file: C:\WINDOWS\Temp\ESUSUninstaller.exe [Telenor Norway - Telenor Software Update Service]  =>Heuristique.Suspect
MOVED file: C:\WINDOWS\Temp\Uninst.exe [LPL - Uninstaller]  =>Heuristique.Suspect
MOVED file: C:\Documents and Settings\All Users\Desktop\Musicsoft Downloader.lnk    =>PUP.Optional.Downware
MOVED file: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>PUP.Optional.Tarma
MOVED folder: C:\Documents and Settings\All Users\Program Data\InstallMate  =>PUP.Optional.Tarma


---\\  Registry ( Key, Value, Data) (6)
DELETED key*: HKLM\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC [SearchAssistantOC]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1 [SearchAssistantOC]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\SrchUI.SearchAssistant [Search Assistant Control]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\SrchUI.SearchAssistant.1 [Search Assistant Control]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\CLSID\{2E71FD0F-AAB1-42c0-9146-6D2C4EDCF07D} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89} [SearchAssistantOC]  =>PUP.Optional.SearchAssist


Edited by midimusicman79, 29 August 2015 - 09:25 AM.

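The Scan and Repair reports quoted in this thread share one line format, so the gap between what the poster intended to validate and what the Repair run actually did can be checked mechanically. The Python below is an added example, not part of the thread or of ZHPCleaner: the item regex is inferred from the quoted report lines, the embedded logs are a constructed excerpt of the two reports above, and treating C:\WINDOWS\Temp as outside System Restore's coverage is taken from the poster's own observation.

```python
import re

# Constructed excerpts of the two ZHPCleaner reports quoted in this thread:
# the Scan of 26/08/2015 and the Repair of 29/08/2015 (item lines only).
SCAN_LOG = r"""
FOUND file: C:\WINDOWS\Temp\ESUSUninstaller.exe [Telenor Norway - Telenor Software Update Service]  =>Heuristique.Suspect
FOUND file: C:\WINDOWS\Temp\Uninst.exe [LPL - Uninstaller]  =>Heuristique.Suspect
FOUND file: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>PUP.Optional.Tarma
FOUND folder: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}  =>PUP.Optional.Tarma
FOUND folder: C:\Documents and Settings\All Users\Program Data\InstallMate  =>PUP.Optional.Tarma
FOUND key: HKLM\SOFTWARE\Classes\CLSID\{2E71FD0F-AAB1-42c0-9146-6D2C4EDCF07D} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
FOUND key: HKLM\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
"""

REPAIR_LOG = r"""
MOVED file: C:\WINDOWS\Temp\ESUSUninstaller.exe [Telenor Norway - Telenor Software Update Service]  =>Heuristique.Suspect
MOVED file: C:\WINDOWS\Temp\Uninst.exe [LPL - Uninstaller]  =>Heuristique.Suspect
MOVED file: C:\Documents and Settings\All Users\Program Data\InstallMate\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>PUP.Optional.Tarma
MOVED folder: C:\Documents and Settings\All Users\Program Data\InstallMate  =>PUP.Optional.Tarma
DELETED key*: HKLM\SOFTWARE\Classes\CLSID\{2E71FD0F-AAB1-42c0-9146-6D2C4EDCF07D} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
DELETED key*: HKLM\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89} [SearchAssistantOC]  =>PUP.Optional.SearchAssist
"""

# One report item: "<ACTION> <kind>[*]: <target> [<publisher/label>]  =><detection>".
# The bracketed label is optional (the .lnk entry in the thread has none).
ITEM_RE = re.compile(
    r"^(?P<action>FOUND|MOVED|DELETED)\s+(?P<kind>file|folder|key)\*?:\s+"
    r"(?P<target>.*?)(?:\s+\[(?P<label>[^\]]*)\])?\s+=>(?P<detection>\S+)$"
)

# Assumption taken from the poster's observation: files under the Windows Temp
# folder are not rolled back by System Restore, so an action there is unrecoverable.
NOT_RESTORED = ("c:\\windows\\temp\\",)


def parse_report(text):
    """Return one dict per FOUND/MOVED/DELETED line; '~' and header lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def reconcile(scan_text, repair_text):
    """Compare a Scan report with the Repair report that followed it: which scan
    targets were acted on, which were left alone, and which acted-on targets
    System Restore would not bring back. Matching is case-insensitive, as Windows is."""
    found = {i["target"].lower(): i["target"] for i in parse_report(scan_text)}
    acted = {i["target"].lower(): i["target"]
             for i in parse_report(repair_text) if i["action"] != "FOUND"}
    return {
        "acted_on": [p for k, p in found.items() if k in acted],
        "left_alone": [p for k, p in found.items() if k not in acted],
        "not_restorable": [p for k, p in acted.items() if k.startswith(NOT_RESTORED)],
    }
```

On the excerpt above, the only scan item the repair left alone is the InstallMate GUID subfolder, and the two items under C:\WINDOWS\Temp are the ones a System Restore would not recover, which matches what the poster reported.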


#5 Jaycan

  • Members
  • 445 posts
  • Gender:Male

Posted 29 August 2015 - 08:02 PM

Hello again.

As stated above, I am in no way linked to this program, nor do I promote it for use outside of Malware Removal Forum Areas!

This is typical of the use of programs when not directed by correctly trained people (Combofix being the main one). You seem to know what is good / bad, and so it becomes hard to advise you, outside of the Malware Removal Forum area.

I personally have nothing to do with that program, but my reply has been to always use a program that gives you (or a helper) options in deletions.

I simply decided to reply to your post, as no other person had.

As said, I would advise you to contact the program writer, as this is their script, and I have nothing to do with it.

Always set a Restore Point, or run ERUNT (or similar), if you are not sure of any program that you run at any time.

I can only re-quote that PUP.Optional.SearchAssist and PUP.Optional.Tarma are quarantined by Malwarebytes as Potentially Unwanted Programs, so it may be an idea to stay with known programs. When running unknown programs you are the one who takes responsibility for the results. I know that the 2 listed items are Quarantined, because Malwarebytes did it on my system when I had the Malwarebytes Malware Removal Forum check my system for an infection. Please contact the developer for more details, as I only know what is written about it.

Finally, 2 things: you set "~ UAC : Deactivate", which meant you were open to outside forces, and it lists "~ Quarantine : C:\Documents and Settings\Torbjoern Martin\Program Data\ZHP\ZHPCleaner_Quarantine.txt", so these items were only Quarantined, and not removed fully as you thought!



#6 midimusicman79 (Topic Starter)

  • Members
  • 616 posts
  • Gender:Male
  • Location:Norway

Posted 30 August 2015 - 08:47 AM

Hi again, Jaycan!

...you set ~ UAC : Deactivate which meant you were open to outside forces...

Windows XP, 32-bit Service Pack 3 (Build 2600)

I have never heard of any UAC (User Account Control) in Windows XP...

And furthermore, I would assume ZHPCleaner to be similar in functionality to AdwCleaner and JRT, both of which are not restricted to use in the Malware Removal Forum Area...

So, once again:

Thank you very much for the help! :) The issue has been successfully resolved!

Regards,

midimusicman79

Edited by midimusicman79, 30 August 2015 - 08:51 AM.



#7 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 31 August 2015 - 07:53 AM

Hi,

In the most recent version of ZHPCleaner you have the possibility to uncheck what you think shouldn't be moved or deleted, like AdwCleaner does.

Regards,

Georgi




#8 midimusicman79 (Topic Starter)

  • Members
  • 616 posts
  • Gender:Male
  • Location:Norway

Posted 31 August 2015 - 08:08 AM

Hi, Georgi!

Yeah, I know, that is exactly what I did; the only trouble is: ZHPCleaner actually ignores my 'unchecking' and goes beyond its territory...

Regards,

midimusicman79

Edited by midimusicman79, 01 September 2015 - 06:02 AM.



#9 Nicolas Coolman

  • Security Developer
  • 2 posts
  • Gender:Male

Posted 02 September 2015 - 01:56 AM

Hi, Georgi!

When you uncheck, you must click on 'Validate' to confirm your new selection.

Regards,

Kind regards, Nicolas Coolman

#10 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 September 2015 - 03:13 AM

Hi Nicolas,

Thank you for your input, but I am not the author of the topic and don't have any concerns when using ZHPCleaner.

Please reply to midimusicman79 instead. :)

Thank you!

Regards,

Georgi




#11 midimusicman79 (Topic Starter)

  • Members
  • 616 posts
  • Gender:Male
  • Location:Norway

Posted 03 September 2015 - 08:13 AM

Hi, Nicolas & Georgi!

Thanks to both of you for the insightful replies! :)

I would like to apologize for not having taken the time to read the Tutorial for ZHPCleaner, which clearly states, and I quote:

In the repair interface, validate the lines and / or click on "Clean".

Now I would recommend the tool to anyone who may be interested, and I can confirm that the 'Validate' button actually works as intended.

So, once again and for the last time:

Thank you very much for the help! :) The issue has been successfully resolved! B)

Regards,
midimusicman79




#12 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 September 2015 - 03:47 AM

Thank you for your feedback! :)

Glad to hear you sorted this out.

Cheers,

Georgi






