Multibooter Posted April 16 (edited)

UPDATE 20Apr2025: The 3 screenshots in this posting were deleted, to save posting space. The posting with the screenshots was archived at https://web.archive.org/web/20250420155134/https://msfn.org/board/topic/186770-vt-hash-check-xp-compatibility-restored/page/2/

In the screenshot below VT Hash Check displays the scan results of a rare little program which has worked OK and which is most likely OK (the mentioning of what it exactly does may not be appropriate in this forum), but the scan results by most AV programs, including Kaspersky, are displayed by VT Hash Check in red and are false flags.

I re-scanned this OK file with my ancient version of Kaspersky, near-current signature update of 12Apr2025. In contrast to the false flag displayed above by Virus Total for "Kaspersky, 22.0.1.28, UDS:DangerousObject.Multi.Generic", my ancient version of Kaspersky with a near-current signature update of 12Apr2025 displays "No threats detected". With old, non-current signatures, however, my ancient version of Kaspersky had also given a false flag for this OK file. Kaspersky must have corrected their false flag in the meantime.

Conclusions of this review:

1) The scan results displayed by Virus Total with TC Hash Check on 16Apr2025, the day before I initiated a re-analysis, were of 18Mar2022, 3 years old. Re-analysis is very easy with VT Hash Check, you just click on the "Full Scan" button in the VT Hash Check window, then the default browser opens up and then you click on "Reanalyze", without a need to resubmit/upload the file.

2) My ancient version of Kaspersky, with a near-current signature of 12Apr2025, gives a better result than the re-scan by Virus Total of 17Apr2025, at least for the results displayed in the table row "Kaspersky 22.0.1.28" of VT Hash Check.

3) Virus Total does NOT use a current signature for their Kaspersky scanner.

4) The test results of Virus Total seem to reflect the prohibition by the US government against Kaspersky updates (of course, Virus Total belongs to Google).

5) Virus scanners marked in red AND indicating a Trojan or something serious in the results table of VT Hash Check may not be that reliable, at least with respect to false flags.

6) In my preceding VT Hash Check on 16Apr2025 (in which Virus Total had last checked the file on 18Mar2022), 47 out of 68 scanners had generated false flags for this old, rare file of the year 2008. In the re-analysis of 17Apr2025, 50 out of 72 scanners had generated false flags.

7) VT Hash Check has a Setting "Save As Plain Text". This setting facilitates an easy comparison with Beyond Compare of scan results years apart, e.g. the scans by Virus Total of 18Mar2022 vs 17Apr2025, to see how various virus scanners evolved with their false flags, for example:
- Comodo is not in the current list of scanners anymore
- GData and Malwarebytes made their false flags even more severe, from "Malware" to "Trojan"
- Yandex removed their previous false flag, and indicates everything is OK with the file in the re-scan of 17Apr2025 (maybe they are using the Kaspersky engine with current signatures?)

8) It is amazing to see how many Chinese virus scanners did NOT generate a false flag.

9) One use of VT Hash Check is to quickly compare the quality of various virus scanners, specific to files actually used instead of relying on a huge theoretical "in the wild collection", without having to upload files.

Edited April 20 by Multibooter

AstroSkipper Posted April 17

9 hours ago, genieautravail said: At the command line, if VTHash.exe is in the path, you just need the following command: vthash --prefs

Thanks for this information! I made a shortcut with the command line option --prefs. This is indeed working. Clicking onto the VTHash.exe file does not work in my system.

genieautravail (Author) Posted April 17

17 hours ago, Multibooter said: You and AstroSkipper probably didn't get this message/de-selection of "Use SSL/TLS" because both of you probably have Internet Explorer 8 installed.

Yes, IE8 is installed on my computers running Windows XP.

18 hours ago, AstroSkipper said: Clicking onto the vthash.exe file as described in the readme file. And it doesn't matter whether doing that from an Explorer or Total Commander window. The window is always hidden and inaccessible. Process Hacker can see its process, the window item is disabled, though.

Do you have a program running in the background that catches and hides windows?

Regards

Multibooter Posted April 17 (edited)

I had the same issue under WinXP as AstroSkipper, no program running in the background that catches and hides windows, as far as I know.

AstroSkipper's trick to create a desktop shortcut with Target: "H:\Virus Total Hash Check\VTHash.exe" --prefs has resolved the issue for me. I subsequently renamed the shortcut to "Virus Total Settings".

Maybe it's best to create such a shortcut immediately after the installation if Internet Explorer 8 is not installed under WinXP, so that you can manually select "Use SSL/TLS" in Settings, in order to avoid getting blocked with the message "Your virus total account is not allowed to perform that action".

Edited April 17 by Multibooter

AstroSkipper Posted April 17 (edited)

10 hours ago, AstroSkipper said: I made a shortcut with the command line option --prefs. This is indeed working

Since this shortcut works perfectly, it is very unlikely that a background programme could be the cause. I have even closed Min2Tray from my ProxHTTPSProxy programme, but this has had no effect. Apart from that, it only minimises windows and does not hide them. Otherwise, no other window manager is running in the background here.

If I understand you correctly, then calling VTHash.exe by double-clicking works for you under Windows XP. Is that correct?

Edited April 17 by AstroSkipper

AstroSkipper Posted April 17

@genieautravail The behaviour of your compiled VTHash.exe file reminds me of executables I have compiled in the past with the "invisible on startup" option. Perhaps, you can check your chosen options for compilation. Just an idea.

genieautravail (Author) Posted April 17

1 hour ago, AstroSkipper said: If I understand you correctly, then calling VTHash.exe by double-clicking works for you under Windows XP. Is that correct?

Yes, tested on 3 computers, the window of the settings is always opened and visible.

1 hour ago, AstroSkipper said: The behaviour of your compiled VTHash.exe file reminds me of executables I have compiled in the past with the "invisible on startup" option. Perhaps, you can check your chosen options for compilation. Just an idea.

Nothing like this in the options of Xojo IDE. I can't reproduce this. Your configuration must have something special. I'm waiting for more feedback.

Regards

Multibooter Posted April 17 (edited)

When VTHash.exe is displayed via a shortcut on my SSE2 desktop under WinXP, TWO instances of VTHash.exe are displayed by Task Manager Alt-Ctl-Del. When I close the VTHash.exe Settings window, both instances are gone.

Edited April 17 by Multibooter

genieautravail (Author) Posted April 17

16 minutes ago, Multibooter said: When VTHash.exe is displayed via a shortcut on my SSE2 desktop under WinXP, TWO instances of VTHash.exe are displayed by Task Manager Alt-Ctl-Del. When I close the VTHash.exe Settings window, both instances are gone.

In Process Explorer, I have only one process.

genieautravail (Author) Posted April 17

I have updated the first post of the topic by adding how to use VT Hash Check with 3proxy or ProxHTTPSProxyMII.

Regards

Multibooter Posted April 17 (edited)

Process Explorer v11.11 (still from the days of Win98) on this old desktop also displays under WinXP only ONE instance of VTHash.exe, while Task Manager displays TWO. When I exit Task Manager, while VT Hash Check is loaded, and then restart Task Manager, only ONE instance is displayed by Task Manager.

Edited April 17 by Multibooter: UPDATE

genieautravail (Author) Posted April 17

8 minutes ago, Multibooter said: Process Explorer v11.11 (still from the days of Win98) on this old desktop also displays under WinXP only ONE instance of VTHash.exe, while Task Manager displays TWO.

Thank you for the feedback, but what can I do about that? I haven't used the default task manager for at least 15 years.

Regards

genieautravail (Author) Posted April 17

@Multibooter In Process Explorer, if you click on properties in the contextual menu, you will see 2 threads (in the Threads tab). For the default task manager, 2 threads = 2 instances.

Regards

Multibooter Posted April 17 (edited)

2 instances just looked unusual.

Does the big file triddefs.trd in the install-to have any special use? It's a RIFF file, and contains the text "Marco PontelloRURLF.https://en.wikipedia.org/wiki/List_of_video_game_emulators" near the top.

Added: Seems to identify file types to be checked, https://www.mark0.net/soft-trid-e.html

Edited April 17 by Multibooter: UPDATE

AstroSkipper Posted April 17 (edited)

I have used Process Hacker for many years. It shows only one VTHash.exe process whose window entry is disabled though. I also sometimes had two processes in Process Hacker if I forgot to close the previously opened one.

Edited April 17 by AstroSkipper: Update of content