ZHPCleaner, adware removal tool - use with caution

Discussion in 'other anti-malware software' started by roger_m, Nov 15, 2016.

  1. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    ZHPCleaner is a tool for removing adware and PUPs, which is similar to ADWCleaner. I ran it tonight, and it deleted everything it found, even though I wanted nothing to be deleted. So it should be used with extreme caution.

    ZHP.png
    ZHP2.png

    At least I know now how to use it properly and get it to keep anything you don't want to be deleted. I ran a scan and then clicked on the Repair button to review what had been found. A number of files and registry keys were detected, but I wanted to keep almost all of these, as they belong to PUPs that I installed myself and want to keep. The results are divided into a number of categories, as you can see in the above screenshot. I clicked on the tab for each category, and clicked on Uncheck to uncheck everything in the category. With nothing selected, I was going to go back and review the results in each category and select the few files and registry keys that I did want to be removed. However, I decided not to worry about it for now, so I just clicked on the close button. As soon as the repair window closed, ZHPCleaner deleted everything it had detected. It turns out that the close button works the same as clicking on Repair, and there is a Validate button you need to click on after making any changes to save the change, or ZHPCleaner will not take note of anything you've unchecked. I have no idea why the developer thought having the close button work the same as the repair button, or that you actually need to click on Validate to get it to remember what you've unchecked. It's not something that would be an issue, if you always delete everything found, but for the rest of us it's not good.

    Not all of the programs ZHPCleaner tried to delete were gone, but they wouldn't run as the needed registry entries for them had been deleted. There is a cancel button which is supposed to restore everything from quarantine, but in my case at least, it did nothing. Fortunately, it's only two nights since I last did a full system backup, so I was able to restore my system from the image and get everything back.

    There is one positive thing I can say about it. Unlike AdwCleaner it actually lists the threat next to every file and registry key. So, at least you can actually see what threat a seemingly random registry key belongs to.
     
  2. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,500
    Location:
    .
  3. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Hmm. I ran it a couple of weeks ago and saw that most of the items flagged were items that I needed to keep although they were mostly "non standard" registry entries that I had added to the registry for my own purposes. I don't remember if I clicked "Cancel" or just X'ed out of the program but nothing got automatically deleted. I also ran ZHP Diag (a similar program) this week to scan and view the report to see what it found but again it did not auto clean anything. I really do not remember which method I used for exiting the program.

    https://www.nicolascoolman.com/download/zhpdiag/
     
  4. plat1098

    plat1098 Guest

    Callender:

    I see that you've also suggested UltraAdwareKiller. I'm still deciding whether to add an adware detection software as an on-demand, and it's nice to see ZHPCleaner and the one you previously described. Do you suggest one over the other?
     
  5. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    360 total security ID this as containing a trojan and removed it.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    cylance says NO

    ~ Removed VirusTotal Results as per Policy ~
     
    Last edited by a moderator: Nov 16, 2016
  7. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    They both seem to work differently. Personally I will keep using both. UAK requires the user to whitelist items manually. ZHP Cleaner has no whitelist but the user must uncheck items to be kept and also detects any installed proxy and asks user to approve. Note: Also scans hosts file so if using a large hosts file it's best to switch to default hosts file to decrease scan times.

    EDIT: ZHP Cleaner and ZHP Diag are not the same.
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    When I first ran it a few weeks ago, also nothing was deleted. I'm guessing I clicked on the close button. When I ran it again, it crashed before finishing a scan, as did the next update that was released. As it's been updated several times in the last few weeks, I thought I'd try it again. Which turned out to be a mistake, as it deleted everything.

    @taleblou @boredog Both ZHPCleaner and ZHPDiag get detected by the same three antiviruses when scanned at VirusTotal. The detection clearly is a false positive.
     
  9. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Well I just ran it again and this time it did in fact delete everything. However I just restored the deleted items by comparing quarantined items with a system image backup.

    It does crash if you have a large hosts file:

    ZHP HostsMan.jpg


    ZHP 1.jpg

    ZHP 2.jpg

    Leaving these items checked and closing the "Repair" window results in auto remediation but it can be cancelled if you are quick.

    ZHP 3.jpg

    ZHP 4.jpg

    If you leave the "Repair" button/ window alone and click on "Report" you see what was found:

    FOUND file: C:\Users\Chris\AppData\Roaming\SwiftSearch.exe =>PUP.Optional.Pirrit
    FOUND file: C:\Users\Chris\AppData\Roaming\SwiftSearch.exe =>Adware.Suspect
    FOUND file: C:\Users\Chris\AppData\Roaming\SwiftSearch.exe =>Adware.GenericTask
    FOUND file: C:\Users\Chris\Desktop\No_OpenCandy.bat =>PUP.Optional.OpenCandy
    FOUND file: C:\Users\Chris\Desktop\SwiftSearch.lnk =>.Superfluous.SwiftSearch
    FOUND file: C:\Users\Chris\AppData\Roaming\SwiftSearch.exe =>.Superfluous.SwiftSearch
    FOUND folder: C:\Program Files (x86)\MSECACHE Win Installer Cleanup\WICU3 =>PUP.Optional.CrossRider
    FOUND folder: C:\Program Files (x86)\MSECACHE Win Installer Cleanup =>PUP.Optional.CrossRider
    FOUND folder: C:\ProgramData\WildBit Viewer =>.Superfluous.Privoxy
    FOUND file: C:\Users\Chris\AppData\Roaming\WildBit Viewer\Viewer.ini =>.Superfluous.Privoxy
    FOUND file: C:\Users\Chris\AppData\Roaming\WildBit Viewer\ViewerMRU.cfg =>.Superfluous.Privoxy
    FOUND file: C:\Users\Chris\AppData\Roaming\WildBit Viewer\ViewerToolBarSettings.cfg =>.Superfluous.Privoxy
    FOUND file: C:\Users\Chris\AppData\Roaming\WildBit Viewer\ViewerWindowColumnStates.ini =>.Superfluous.Privoxy
    FOUND folder: C:\Users\Chris\AppData\Roaming\WildBit Viewer =>.Superfluous.Privoxy
    FOUND folder: C:\Users\Chris\AppData\Local\SlimWare Utilities Inc\SlimCleaner =>.Superfluous.SlimWareUtilities
    FOUND folder: C:\Users\Chris\AppData\Local\SlimWare Utilities Inc\SlimDrivers =>.Superfluous.SlimWareUtilities
    FOUND folder: C:\Users\Chris\AppData\Local\SlimWare Utilities Inc =>.Superfluous.SlimWareUtilities
    FOUND folder: C:\Users\Chris\AppData\Local\WildBit Viewer =>.Superfluous.Privoxy

    I'm going to run it again and see if I can figure out how to avoid auto remediation other than using the "Cancel" button.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    If you select Uncheck on every tab, followed by Validate (I'm not sure if you have to validate every tab, or you can just do this at the end), the repair will start, but nothing will get deleted. This is a hassle of course.

    Perhaps in earlier versions, pressing the close button did just that, and it's a bug in the current version which causes it to start the cleanup.
     
  11. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Okay I figured it out. Once the scan is complete if you open the repair window then close it - detected files will be removed. If you just view the report (text file) and exit the program no repairs are carried out.

    If you open the repair window you must inspect each tab and uncheck items that you want to keep. On each tab you must then Validate your choices.
    ZHPCleaner Réparation.jpg

    Once Validated those files will not be removed. Closing the repair window initiates "Scan and repair" but only checked items will be removed.

    If there are no checked items you strangely still get a "repairs carried out" message


    ZHPCleaner Réparation 2.jpg

    As far as I can work out Validated items are added to an exclusion list for next time which would explain why there were no registry detections which I had expected to see after I saw them a couple of weeks ago.

    EDIT: Actually there's no exclusion list that is remembered for subsequent scans.

    So I agree - use with caution and have a backup first time.
     
    Last edited: Nov 16, 2016
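
The report-first workflow described in the posts above (read the text report, decide what to keep, and only then open the Repair window) can be scripted. This is an added example, not code from any thread participant or from ZHPCleaner; it assumes the report lines have the `FOUND <kind>: <path> =><label>` shape quoted in the thread, and the sample lines, the `Example` user name and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the "FOUND <kind>: <path> =><label>" shape quoted in the thread.
SAMPLE_REPORT = r"""
some header line that is not a finding
FOUND file: C:\Users\Example\AppData\Roaming\SwiftSearch.exe =>PUP.Optional.Pirrit
FOUND file: C:\Users\Example\AppData\Roaming\SwiftSearch.exe =>Adware.Suspect
FOUND folder: C:\ProgramData\WildBit Viewer =>.Superfluous.Privoxy
FOUND file: C:\Users\Example\AppData\Roaming\WildBit Viewer\Viewer.ini =>.Superfluous.Privoxy
FOUND folder: C:\Users\Example\AppData\Local\SlimWare Utilities Inc =>.Superfluous.SlimWareUtilities
"""

# Assumed line format; anything that does not match is ignored.
LINE_RE = re.compile(r"^FOUND\s+(?P<kind>\w+):\s+(?P<path>.+?)\s*=>(?P<label>\S+)\s*$")

def parse_report(text):
    """Return {path: {"kind": ..., "labels": [...]}}, merging repeated paths."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = findings.setdefault(m["path"], {"kind": m["kind"], "labels": []})
        if m["label"] not in entry["labels"]:
            entry["labels"].append(m["label"])
    return findings

def is_under(path, root):
    """True if path is root or lies below it (Windows rules, case-insensitive)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def triage(findings, keep_roots):
    """Split detected paths into those to uncheck (keep) and those to review."""
    keep, review = [], []
    for path in findings:
        target = keep if any(is_under(path, r) for r in keep_roots) else review
        target.append(path)
    return sorted(keep), sorted(review)

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    keep, review = triage(found, [r"C:\ProgramData\WildBit Viewer"])
    for path in keep:
        print("UNCHECK + VALIDATE:", path, found[path]["labels"])
    for path in review:
        print("REVIEW:", path, found[path]["labels"])
```
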
  12. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Posted at the same time. :)
     
  13. plat1098

    plat1098 Guest

    OK, thanks Callender, this was helpful. I d/l it from roger_m's link. It's a rapid scan and gave a report revealing a whopping 7 empty temp folders, but then appeared to freeze. It wouldn't respond to "repair," "close" or minimize, so I don't know. I had to end it in task manager. Anyway, it's in Downloads, so as an on-demand, it seems to be OK, keeping in mind the caveats outlined in this thread.

    Edit: a normal Hosts file. It's not a big deal, I'll try to figure it out. It should be W10 compatible so it must be something else. I also have VoodooShield, HitmanPro Alert and Windows stuff. It's probably something minor, no worries.

    ZHP freeze.PNG
     
    Last edited by a moderator: Nov 16, 2016
  14. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    I wonder why it freezes for you but not for me. As I said if I keep a large hosts file enabled then it does freeze. I wonder if other onboard security could hamper it?

    I have realtime:
    Comodo CIS
    VoodooShield
    Threatfire
    EMET
    Zemana AM Pro

    All were left enabled.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    On my system, it didn't add anything to an ignore list, and everything was detected again the next time I did a scan.
     
  16. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Okay I will try another scan.
     
  17. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Okay so it does indeed add previously "validated" false positive detections to new scan results so there can't be an exclusion list.
     
  18. plat1098

    plat1098 Guest

    HitmanPro Alert makes ZHPCleaner hang. Disabling "exploit mitigations" makes it function completely. I added it to "exclusions" so that's that.
     
  19. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    I see you are running the application directly from your downloads folder. On my machine (Windows 7) it runs from:

    "C:\Users\Chris\ZHPCleaner.exe"

    "C:\Users\Chris\Desktop\ZHPCleaner.lnk" = desktop shortcut

    Although there is also a copy here:

    "C:\Users\Chris\AppData\Roaming\ZHP\ZHPCleaner.exe"

    Maybe try downloading to your desktop then launch from there?
     
  20. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Well figured out!
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    it was cylance that did not like the file as per their use of VT
     
  22. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    did a scan with 2021 version, it crashed when doing repairs, spawns lots of web pages when it finishes scanning

    to be used with caution since it tends to find too many malwares
     
    Last edited: May 7, 2021
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's pretty lame. Thanks for the heads up on a new form of coolwebsearch. Remember that one?
     
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @EASTER fortunately I don't, I used to like ZHP cleaner but it tends to exaggerate, also that window spawn is not necessary
    that said, the programme is safe, but it doesn't work on my host, pretty much like Zemana antimalware now
     
    Last edited: May 7, 2021