
ZHPDiag – Module O108 (SCMH).


ZHPDiag module O108 searches for shortcut menu handlers (ContextMenuHandlers), also called context menu handlers or verb handlers: the shell extension handlers that add entries to the menu Explorer shows on a right-click. They are a category of file type handler.

Like all shell extension handlers, they are in-process COM (Component Object Model) objects implemented in DLLs. Each ContextMenuHandlers subkey names a CLSID, and that CLSID's InprocServer32 value names the DLL which Explorer (and any other process that displays a shell context menu) loads into its own address space. Some malware registers a handler of this kind so that its DLL is loaded without the user's knowledge.

The search is carried out in the Registry under the ShellEx\ContextMenuHandlers subkeys of the shell object classes that receive a context menu, in both the native and the WOW6432Node (32-bit) views of HKLM\Software\Classes, for example:

1 – HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\
2 – HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\
3 – HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\
4 – HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\
5 – HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\
6 – HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\
7 – HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\
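To check these keys directly on a machine, the following PowerShell script is an added example written for this page, not ZHPDiag's own code. It walks the seven keys above in both registry views, resolves each handler's CLSID through InprocServer32 to a DLL and checks the DLL's Authenticode signature, which is essentially what the Orphan and publisher fields of the report summarise. The function names, the "trusted directory" heuristic and the handling of DLL names given without a path are the example's own assumptions; HKCU\Software\Classes is not scanned.

```powershell
# Added example (not ZHPDiag code). Walks the ContextMenuHandlers keys that
# module O108 reads, resolves each handler's CLSID to the DLL named by its
# InprocServer32 value, and reports orphans and unsigned or oddly located DLLs.
# Assumes an elevated 64-bit Windows PowerShell 5.1 or PowerShell 7 session.

# The seven shell object classes from the list above, in the same order (CMH1..CMH7).
$ShellExClasses = @('*', 'lnkfile', 'AllFileSystemObjects', 'Directory',
                    'Directory\Background', 'Folder', 'Drive')
# Native (64-bit) and WOW6432Node (32-bit) views of HKLM\Software\Classes.
$ClassesRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\WOW6432Node\Classes')

function Get-HandlerClsid {
    param($HandlerKey)
    # The key's default value normally holds the CLSID; some vendors name the
    # key itself after the CLSID and leave the value empty.
    $value = $HandlerKey.GetValue('')
    if ([string]::IsNullOrWhiteSpace($value)) { $value = $HandlerKey.PSChildName }
    if ($value -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { return $value }
    return $null
}

function Resolve-InprocServer {
    param([string]$Clsid)
    # A 32-bit handler's CLSID is registered under WOW6432Node\Classes\CLSID,
    # a 64-bit one under Classes\CLSID; try both views.
    foreach ($root in $ClassesRoots) {
        $inproc = Join-Path $root "CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                # Assumption: a bare file name (e.g. shell32.dll) resolves from System32.
                if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
                return $dll
            }
        }
    }
    return $null
}

function Get-ContextMenuHandlerReport {
    foreach ($root in $ClassesRoots) {
        foreach ($class in $ShellExClasses) {
            $base = Join-Path $root "$class\ShellEx\ContextMenuHandlers"
            if (-not (Test-Path -LiteralPath $base)) { continue }
            foreach ($handler in Get-ChildItem -LiteralPath $base) {
                $clsid = Get-HandlerClsid $handler
                $dll   = if ($clsid) { Resolve-InprocServer $clsid } else { $null }
                $status = if (-not $clsid) { 'No CLSID' }
                          elseif (-not $dll) { 'Orphan: CLSID not registered' }
                          elseif (-not (Test-Path -LiteralPath $dll)) { 'Orphan: DLL missing' }
                          else {
                              $sig = Get-AuthenticodeSignature -FilePath $dll
                              if ($sig.Status -eq 'Valid') { 'Signed: ' + $sig.SignerCertificate.Subject }
                              else { "Unsigned or invalid ($($sig.Status))" }
                          }
                [pscustomobject]@{
                    View    = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                    Class   = $class
                    Handler = $handler.PSChildName
                    CLSID   = $clsid
                    DLL     = $dll
                    Status  = $status
                }
            }
        }
    }
}

# Triage view: anything not validly signed, or loaded from outside the Windows and
# Program Files directories, deserves a second look. The directory heuristic is
# the example's own, not a rule of the tool.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ContextMenuHandlerReport |
    Where-Object {
        $entry = $_
        $entry.Status -notlike 'Signed:*' -or
        -not ($trusted | Where-Object { $entry.DLL -like "$_\*" })
    } |
    Format-Table -AutoSize
```

Drop the final Where-Object to see every handler, including the Microsoft ones that fill most of the report above. A handler that shows as an orphan here corresponds to a (.Orphan.) entry in ZHPDiag; a DLL that is signed but lives under a user-writable directory is the case worth examining first.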

OVERVIEW IN REPORTS

Each block below corresponds to one of the seven keys listed above, numbered CMH1 to CMH7 in the same order (CMH1 = *, CMH2 = lnkfile, CMH3 = AllFileSystemObjects, CMH4 = Directory, CMH5 = Directory\Background, CMH6 = Folder, CMH7 = Drive). A line gives the handler's key name, the bitness, its CLSID, then the version information of the DLL that the CLSID resolves to (company and description), the DLL path, and the publisher the tool attributes the file to. (.Orphan.) with no DLL path means the CLSID could not be resolved to an existing DLL, typically a leftover from an uninstalled program; the Additional Scan that follows lists the registry keys concerned, and =>.SUP. marks those the tool proposes for removal.

—\\ Context Menu Handlers (SCMH) (3)
O108 – CMH1: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH1: ANotepad++64 [64Bits] – {B298D29A-A6ED-11DE-BA8C-A68E55D89593} . (.Copyright © 2010 – ShellHandler for Notepad++ (64 bit).) — C:\Program Files (x86)\Notepad++\NppShell_06.dll =>.Notepad++®
O108 – CMH1: DefragglerShellExtension [64Bits] – {4380C993-0C43-4E02-9A7A-0D40B6EA7590} . (.Piriform Ltd – DefragglerShell.) — C:\Program Files\Defraggler\DefragglerShell64.dll =>.Piriform Ltd®

—\\ Context Menu Handlers (SCMH) (1)
O108 – CMH2: OpenContainingFolderMenu [64Bits] – {37ea3a21-7493-4208-a011-7f9ea79ce9f5} . (.Microsoft Corporation – Common Windows Shell DLL.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®

—\\ Context Menu Handlers (SCMH) (2)
O108 – CMH3: CopyAsPathMenu [64Bits] – {f3d06e7c-1e45-4a26-847e-f9fcdee59be0} . (.Microsoft Corporation – Common Windows Shell DLL.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH3: SendTo [64Bits] – {7BA4C740-9E81-11CF-99D3-00AA004AE837} . (.Microsoft Corporation – Common Windows Shell DLL.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®

—\\ Context Menu Handlers (SCMH) (3)
O108 – CMH4: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH4: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Shell Extensions p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation
O108 – CMH4: WorkFolders [64Bits] – {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} . (.Microsoft Corporation – Workfolders Environment Extension) — C:\Windows\System32\WorkfoldersShell.dll =>.Microsoft Corporation

—\\ Context Menu Handlers (SCMH) (5)
O108 – CMH5: Gadgets [64Bits] – {6B9228DA-9C15-419e-856C-19E768A13BDC} . (.Orphan.)
O108 – CMH5: New [64Bits] – {D969A300-E7FF-11d0-A93B-00A0C90F2719} . (.Microsoft Corporation – Common Windows Shell DLL.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH5: NvCplDesktopContext [64Bits] – {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} . (.NVIDIA Corporation – NVIDIA Display Shell Extension.) — C:\WINDOWS\System32\nvshext.dll =>.NVIDIA Corporation
O108 – CMH5: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Shell Extensions p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation
O108 – CMH5: WorkFolders [64Bits] – {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} . (.Microsoft Corporation – Workfolders Environment Extension) — C:\Windows\System32\WorkfoldersShell.dll =>.Microsoft Corporation

—\\ Context Menu Handlers (SCMH) (5)
O108 – CMH6: 7-Zip [64Bits] – {23170F69-40C1-278A-1000-000100020000} . (.Orphan.)
O108 – CMH6: DefragglerShellExtension [64Bits] – {4380C993-0C43-4E02-9A7A-0D40B6EA7590} . (.Piriform Ltd – DefragglerShell.) — C:\Program Files\Defraggler\DefragglerShell64.dll =>.Piriform Ltd®
O108 – CMH6: Library Location [64Bits] – {3dad6c5d-2167-4cae-9914-f99e41c12cfa} . (.Microsoft Corporation – Common Windows Shell DLL.) — C:\Windows\System32\shell32.dll =>.Microsoft Windows®
O108 – CMH6: PintoStartScreen [64Bits] – {470C0EBD-5D73-4d58-9CED-E91E22E23282} . (.Microsoft Corporation – Application Resolver.) — C:\Windows\System32\appresolver.dll =>.Microsoft Windows®
O108 – CMH6: Shell Extension for Malware scanning [64Bits] – {45AC2688-0253-4ED8-97DE-B5370FA7D48A} . (.Avira Operations GmbH & Co. KG – AntiVirus context menu.) — C:\Program Files (x86)\Avira\AntiVir Desktop\shlext64.dll =>.Avira Operations GmbH & Co. KG®

—\\ Context Menu Handlers (SCMH) (2)
O108 – CMH7: EnhancedStorageShell [64Bits] – {2854F705-3548-414C-A113-93E27C808C85} . (.Microsoft Corporation – Storage Environment Extension DLL.) — C:\Windows\System32\EhStorShell.dll =>.Microsoft Corporation
O108 – CMH7: Sharing [64Bits] – {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} . (.Microsoft Corporation – Shell Extensions p.) — C:\Windows\System32\ntshrui.dll =>.Microsoft Corporation

—\\ Additional Scan (11) – 0s
HKLM\Software\WOW6432Node\Classes\*\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} =>.SUP.Orphan
HKLM\Software\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000} =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets =>.SUP.Orphan
HKLM\Software\WOW6432Node\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip =>.SUP.Orphan

DETECTION EXAMPLE

Here the handler keys PCKeeperShell32 and PCKeeperShell64 (PCKeeper, published by Essentware) carry no CLSID at all, so the entry appears as an orphan with an empty CLSID field, and every key under which the handler is registered, in both registry views and across the classes listed above, is flagged =>.SUP.Essentware for removal.

—\\ Context Menu Handler Search (SCMH) (3)
O108 – CMH5: PCKeeperShell32 [64Bits] – . (.Orphan.) =>.SUP.Essentware
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell32 =>.SUP.Essentware
HKLM\Software\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell64 =>.SUP.Essentware

—\\ Additional Scan (6) – 0s
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell64
HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell32
HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell32
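Removing the keys the tool flags is straightforward, but it should be reversible and should not rely on the key name alone. The following PowerShell function is an added example for this page, not ZHPDiag's own code: it exports each key with reg.exe before deleting it, prints the CLSID the key points at so a still-valid handler is not removed by mistake, and honours -WhatIf. The key list is taken verbatim from the detection example above; the function name and backup directory are the example's own choices.

```powershell
# Added example, not ZHPDiag's own code: back up and then delete the handler
# keys a report marks "=>.SUP." (here the PCKeeper keys listed above), so the
# change can be reverted with "reg import". Requires an elevated session.

# The eight keys from the detection example above.
$KeysToRemove = @(
    'HKLM\SOFTWARE\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell32',
    'HKLM\SOFTWARE\WOW6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers\PCKeeperShell64',
    'HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell32',
    'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell32',
    'HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell32',
    'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell64',
    'HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell32',
    'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell32'
)

function Remove-OrphanHandlerKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$RegPath,
        [string]$BackupDir = (Join-Path $env:TEMP 'O108-backup')
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $n = 0
    foreach ($path in $RegPath) {
        # reg.exe wants "HKLM\...", the PowerShell registry provider wants "HKLM:\...".
        $psPath = $path -replace '^HKLM\\', 'HKLM:\'
        if (-not (Test-Path -LiteralPath $psPath)) {
            Write-Warning "Not present, skipping: $path"
            continue
        }
        # Show what the key points at before deleting it, so a handler that still
        # resolves to a legitimate CLSID is not removed on the strength of its name alone.
        $clsid = (Get-Item -LiteralPath $psPath).GetValue('')
        Write-Host ("{0}`n    default = '{1}'" -f $path, $clsid)

        # Numbered backups, since several keys share the leaf name PCKeeperShell32.
        $n++
        $backup = Join-Path $BackupDir ('{0:d2}-{1}.reg' -f $n, (Split-Path -Leaf $path))
        & reg.exe export $path $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $path" }

        if ($PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
            Remove-Item -LiteralPath $psPath -Recurse
        }
    }
    Write-Host "Backups written to $BackupDir"
}

# Dry run first; drop -WhatIf to delete. Restart explorer.exe afterwards so the
# shell re-reads the handler keys.
Remove-OrphanHandlerKey -RegPath $KeysToRemove -WhatIf
```

If a key turns out to hold a CLSID that still resolves to a signed, present DLL, leave it and investigate why the tool flagged it before deleting anything.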
