ZHPDiag – Module O108 (SCMH).

ZHPDIAG, MODULE O108 (SCMH)

Module O108 of ZHPDiag searches for shortcut menu handlers (ContextMenuHandlers). They are also called context menu handlers or verb handlers, and they are one category of file type handler.

Like all such handlers, they are in-process COM (Component Object Model) objects implemented in dynamic-link libraries (DLLs): the shell (explorer.exe, or any other process that displays a shell context menu) loads the DLL into its own address space when it builds the menu for a matching object.
Some malware registers such a handler so that an infected DLL is loaded without the user noticing. The entry survives reboots and is triggered every time a file, folder or drive of the matching type is right-clicked, which makes the ContextMenuHandlers keys a persistence location worth checking.

The search is performed in the Registry under the Shell extension (ShellEx) keys named "ContextMenuHandlers", for example:

1 – HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\
2 – HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\
3 – HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\
4 – HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\
5 – HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\
6 – HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\
7 – HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\
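To reproduce what module O108 does outside of ZHPDiag, here is an added PowerShell example (it is not ZHPDiag's code). It walks the seven locations above in both the native and the WOW6432Node registry views, plus the per-user HKCU\Software\Classes tree that Explorer merges into HKCR, resolves each CLSID to its InProcServer32 DLL, marks entries whose DLL is not on disk the way the report marks them (Orphan), and reads the DLL's company name and Authenticode status. The function and variable names are my own.

```powershell
# Added example, not ZHPDiag's own code. Assumes a 64-bit Windows host and
# PowerShell 5.1 or later; run elevated so that every key can be read.

# The seven ShellEx locations listed above. Their position in this list is the
# CMHn number that ZHPDiag prints in front of each handler name.
$Locations = @('*', 'lnkfile', 'AllFileSystemObjects', 'Directory',
               'Directory\Background', 'Folder', 'Drive')

# Class roots to walk: native 64-bit view and the 32-bit (WOW6432Node) view.
$ClassRoots = @('HKLM:\Software\Classes', 'HKLM:\Software\WOW6432Node\Classes')

# Where a CLSID may be registered; its InProcServer32 default value is the DLL.
$ClsidRoots = @('HKLM:\Software\Classes\CLSID',
                'HKLM:\Software\Classes\WOW6432Node\CLSID',
                'HKCU:\Software\Classes\CLSID')

$ClsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-InProcServer {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = "$root\$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # The DLL path is the key's default value and may use %SystemRoot% etc.
        $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
    }
    return $null
}

function Get-ContextMenuHandler {
    [CmdletBinding()]
    param([switch]$IncludeUser)   # also walk HKCU\Software\Classes

    $roots = $ClassRoots
    if ($IncludeUser) { $roots += 'HKCU:\Software\Classes' }

    for ($i = 0; $i -lt $Locations.Count; $i++) {
        foreach ($root in $roots) {
            # -LiteralPath is required: the '*' class name is not a wildcard here.
            $key = "$root\$($Locations[$i])\ShellEx\ContextMenuHandlers"
            if (-not (Test-Path -LiteralPath $key)) { continue }

            foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
                # The CLSID is either the subkey's default value or the subkey name.
                $default = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
                $clsid = $null
                if ($default -match $ClsidPattern) { $clsid = $default }
                elseif ($sub.PSChildName -match $ClsidPattern) { $clsid = $sub.PSChildName }

                $dll = $null
                if ($clsid) { $dll = Resolve-InProcServer -Clsid $clsid }
                $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))

                $company = $null; $sigStatus = 'n/a'; $signer = $null
                if ($exists) {
                    $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
                    $sig       = Get-AuthenticodeSignature -FilePath $dll
                    $sigStatus = $sig.Status.ToString()
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                }

                [pscustomobject]@{
                    Module    = "CMH$($i + 1)"
                    Key       = $key
                    Name      = $sub.PSChildName
                    Clsid     = $clsid
                    Dll       = $dll
                    Orphan    = -not $exists      # what the report prints as (.Orphan.)
                    Company   = $company
                    SigStatus = $sigStatus        # Valid, NotSigned, HashMismatch, ...
                    Signer    = $signer
                }
            }
        }
    }
}

# Typical triage: show only what a reviewer needs to look at, i.e. orphans and
# handlers whose DLL does not carry a valid Authenticode signature.
Get-ContextMenuHandler -IncludeUser |
    Where-Object { $_.Orphan -or $_.SigStatus -ne 'Valid' } |
    Format-Table Module, Name, Clsid, Dll, SigStatus -AutoSize
```

An orphan is usually a leftover from an incomplete uninstall, but it is also what remains when a malicious DLL was deleted by an antivirus while its registration stayed behind, so it is worth clearing either way. The entry to investigate is the opposite case: a handler whose DLL exists, is unsigned or signed by an unknown publisher, and lives in a user-writable directory. The 32-bit view is not cosmetic: 32-bit programs that display a shell context menu (for example inside a common file dialog) load the 32-bit handler, so a registration present only under WOW6432Node still gets executed.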

OVERVIEW IN REPORTS

How to read a line: the CMHn index is the number, in the list above, of the key in which the handler was found (CMH1 for *, CMH5 for Directory\Background, and so on); [64Bits] is the registry view; the braces hold the handler's CLSID; the text between (. and .) is the company and file description read from the DLL's version resource, followed by the DLL path, and the trailing =>.Vendor is the publisher ZHPDiag attributes the file to. An entry whose CLSID does not resolve to a DLL present on disk is shown as (.Orphan.), and lines ending in =>.SUP.<reason> are flagged for removal.

—\\ Context menu handlers (SCMH) (3)
O108 – CMH1: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH1: ANotepad++64 [64Bits] – {B298D29A-A6ED-11DE-BA8C-A68E55D89593} . (.Copyright © 2010 – ShellHandler for Notepad++ (64 bit).) — C:\Program Files (x86)\Notepad++\NppShell_06.dll =>.Notepad++®
O108 – CMH1: DefragglerShellExtension [64Bits] – {4380C993-0C43-4E02-9A7A-0D40B6EA7590} . (.Piriform Ltd. – DefragglerShell.) — C:\Program Files\Defraggler\DefragglerShell64.dll =>.Piriform Ltd®

—\\ Context menu handlers (SCMH) (1)
O108 – CMH2: OpenContainingFolderMenu [64Bits] – {37ea3a21-7493-4208-a011-7f9ea79ce9f5} . (.Microsoft Corporation – DLL commune du shell Windows.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®

—\\ Context menu handlers (SCMH) (2)
O108 – CMH3: CopyAsPathMenu [64Bits] – {f3d06e7c-1e45-4a26-847e-f9fcdee59be0} . (.Microsoft Corporation – DLL commune du shell Windows.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH3: SendTo [64Bits] – {7BA4C740-9E81-11CF-99D3-00AA004AE837} . (.Microsoft Corporation – DLL commune du shell Windows.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®

—\\ Context menu handlers (SCMH) (3)
O108 – CMH4: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH4: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Extensions de l’interpréteur de commandes p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation
O108 – CMH4: WorkFolders [64Bits] – {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} . (.Microsoft Corporation – Extension d’environnement de Dossiers de tr.) — C:\Windows\System32\WorkfoldersShell.dll =>.Microsoft Corporation

—\\ Context menu handlers (SCMH) (5)
O108 – CMH5: Gadgets [64Bits] – {6B9228DA-9C15-419e-856C-19E768A13BDC} . (.Orphan.)
O108 – CMH5: New [64Bits] – {D969A300-E7FF-11d0-A93B-00A0C90F2719} . (.Microsoft Corporation – DLL commune du shell Windows.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH5: NvCplDesktopContext [64Bits] – {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} . (.NVIDIA Corporation – NVIDIA Display Shell Extension.) — C:\WINDOWS\System32\nvshext.dll =>.NVIDIA Corporation
O108 – CMH5: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Extensions de l’interpréteur de commandes p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation
O108 – CMH5: WorkFolders [64Bits] – {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} . (.Microsoft Corporation – Extension d’environnement de Dossiers de tr.) — C:\Windows\System32\WorkfoldersShell.dll =>.Microsoft Corporation

—\\ Context menu handlers (SCMH) (5)
O108 – CMH6: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH6: DefragglerShellExtension [64Bits] – {4380C993-0C43-4E02-9A7A-0D40B6EA7590} . (.Piriform Ltd. – DefragglerShell.) — C:\Program Files\Defraggler\DefragglerShell64.dll =>.Piriform Ltd®
O108 – CMH6: Library Location [64Bits] – {3dad6c5d-2167-4cae-9914-f99e41c12cfa} . (.Microsoft Corporation – DLL commune du shell Windows.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH6: PintoStartScreen [64Bits] – {470C0EBD-5D73-4d58-9CED-E91E22E23282} . (.Microsoft Corporation – Programme de résolution d’applications.) — C:\Windows\System32\appresolver.dll =>.Microsoft Windows®
O108 – CMH6: Shell Extension for Malware scanning [64Bits] – {45AC2688-0253-4ED8-97DE-B5370FA7D48A} . (.Avira Operations GmbH & Co. KG – AntiVirus context menu.) — C:\Program Files (x86)\Avira\AntiVir Desktop\shlext64.dll =>.Avira Operations GmbH & Co. KG®

—\\ Context menu handlers (SCMH) (2)
O108 – CMH7: EnhancedStorageShell [64Bits] – {2854F705-3548-414C-A113-93E27C808C85} . (.Microsoft Corporation – DLL d’extension d’environnement de stockage.) — C:\Windows\System32\EhStorShell.dll =>.Microsoft Corporation
O108 – CMH7: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Extensions de l’interpréteur de commandes p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation

—\\ Additional scan (11) – 0s
HKLM\Software\WOW6432Node\Classes\*\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} =>.SUP.Orphan
HKLM\Software\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000} =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan

DETECTION EXAMPLE

—\\ Search for context menu handlers (SCMH) (3)
O108 – CMH5: PCKeeperShell32 [64Bits] – . (.Orphan.) =>.SUP.Essentware
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell32 =>.SUP.Essentware
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell64 =>.SUP.Essentware

—\\ Additional scan (6) – 0s
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell64
HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell32
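As an added example (it is neither ZHPDiag's nor ZHPFix's code) of the clean-up the SUP lines above call for, this PowerShell function removes a handler, by key name, from every ContextMenuHandlers location module O108 scans, in the native, WOW6432Node and per-user class roots, and optionally deletes its CLSID key. The handler names PCKeeperShell32 and PCKeeperShell64 are taken from the report above; the function name is my own. It supports -WhatIf, so the first run only lists what would be deleted.

```powershell
# Added example, not ZHPDiag/ZHPFix code. Run from an elevated PowerShell.
# Export the affected keys first (reg.exe export) if you want a rollback point.

function Remove-ContextMenuHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Name,  # subkey names under ContextMenuHandlers
        [switch]$RemoveClsid                    # also delete the handler's CLSID key(s)
    )

    # Same seven locations as module O108, in the same order.
    $locations = @('*', 'lnkfile', 'AllFileSystemObjects', 'Directory',
                   'Directory\Background', 'Folder', 'Drive')
    $roots = @('HKLM:\Software\Classes', 'HKLM:\Software\WOW6432Node\Classes',
               'HKCU:\Software\Classes')
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $clsids = New-Object 'System.Collections.Generic.HashSet[string]'

    foreach ($handler in $Name) {
        foreach ($root in $roots) {
            foreach ($loc in $locations) {
                # -LiteralPath: '*' is a real key name here, not a wildcard.
                $key = "$root\$loc\ShellEx\ContextMenuHandlers\$handler"
                if (-not (Test-Path -LiteralPath $key)) { continue }

                # Remember the CLSID before the key disappears.
                $default = (Get-ItemProperty -LiteralPath $key).'(default)'
                if ($default -match $clsidPattern) { [void]$clsids.Add($default) }

                if ($PSCmdlet.ShouldProcess($key, 'Remove handler key')) {
                    Remove-Item -LiteralPath $key -Recurse -Force
                }
            }
        }
    }

    if ($RemoveClsid) {
        foreach ($clsid in $clsids) {
            $candidates = @("HKLM:\Software\Classes\CLSID\$clsid",
                            "HKLM:\Software\Classes\WOW6432Node\CLSID\$clsid",
                            "HKCU:\Software\Classes\CLSID\$clsid")
            foreach ($path in $candidates) {
                if ((Test-Path -LiteralPath $path) -and
                    $PSCmdlet.ShouldProcess($path, 'Remove CLSID key')) {
                    Remove-Item -LiteralPath $path -Recurse -Force
                }
            }
        }
    }
}

# Preview first, then repeat without -WhatIf once the list looks right.
Remove-ContextMenuHandler -Name 'PCKeeperShell32', 'PCKeeperShell64' -RemoveClsid -WhatIf
```

Only use -RemoveClsid when the product is really gone: the same CLSID may also be registered for other extension types of that product (icon overlays, property sheets), and deleting it breaks those too. Removing the keys only disarms the handler; the DLL stays on disk and, if Explorer already loaded it, stays in memory until explorer.exe is restarted, so delete the file afterwards and check the other autostart locations ZHPDiag reports for the same publisher.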

