Hi Eddy, all, :slight_smile:

I was asked to post a reply here.

The detected item is actually a file that Zoek.exe uses (nircmd) in its work, as that file acts like some unknown malware. All malware removal tools act like some unknown malware. You all should know the ComboFix example; why would zoek be so different? That's why we remove all used tools, as they drop some files into the system in an attempt to beat the active malware file itself.

Here, the user Diddy didn't execute DelFix after the removal (to perform the removal of the used tools, including zoek and zoek's related files/folders). As you can see, the date when zoek-delete.exe was created is 2014/01/17.

Why would so many anti-malware applications/vendors flag it?
It is not a problem to report zoek.exe as an FP to some AV company. In that case the file shall be whitelisted.

The problem occurs when Smeenk uploads a new update for zoek.exe. A new version has a new MD5 hash, and then the AV vendor, without any peek into the file itself, just allows the generic detection. We had this same problem for years with MCShield. And after each upload of a new version, most AV companies just slam a generic detection on it without checking the file first. RogueKiller has the same problem as well;
http://www.adlice.com/dear-avs-dont-love/
...etc., etc.

In zoek's case, Smeenk got tired of persistently explaining that Zoek is legit and not for any use. Each valid helper knows what Zoek is, what it can and cannot do, and its behavior.

  • Conclusion, and to stop the off-topic discussion on this:

Again, the file zoek-delete.exe is not an active file (i.e. the file is not loaded, and you can delete the file manually [if the file were active, you would not be able to delete it without using force, and then the file would be truly suspicious]). The file is created by zoek when the tool starts the forced cleaning (and only then will it be called), and it shall be removed by DelFix (a tool that performs the removal of all malware removal tools and related components). By eliminating (uninstalling) the used tools here, there will be no detection.

Zoek itself comes from a known source. The info on zoek usage is only on the ASAP/UNITE forums, plus a few additional forums where the zoek developer originally comes from, and the information is not available to the public.

Cheers,