ZHPDiag – O18 add-on (Additional protocols)

Installing a protocol handler involves copying the DLL to an appropriate location, then registering the protocol in the registry.

The installer can also add a search root and scope rules to the default crawl scope of the Shell data source.

The O18 module of ZHPDiag lists the additional protocols in order to check for malicious dynamic libraries loaded when applications start.

It searches certain registry keys, for example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\deflate]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\gzip] (from Vista onward)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim]

ZHPDiag overview

—\\ Additional Protocol and Protocol hacking (O18)
O18 – Filter: text/html – {950238FB-C706-4791-8674-4D429F85897E} – (no file)
O18 – Protocol: MSNIM – {008030A1-22C1-4009-854F-8E305202313F} – "C:\PROGRA~1\MSNMES~1\msgrapp.dll"

—\\ Additional Protocol and Protocol hacking (O18) v1.23
O18 – Filter: deflate – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll
O18 – Filter: gzip – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll

—\\ Additional Protocol and Protocol hacking (O18) v1.25.02
O18 – Handler: CDL – {3dd53d40-7b8b-11D0-b013-00aa0059ce02} . (.Microsoft Corporation – Extensions for Win32 OLE32.) — C:\Windows\system32\urlmon.dll

OTL equivalent

O18 – Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} – C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 – Protocol\Handler\ms-help {314111C7-a502-11d2-bbca-00c04f8ec294} – C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

ZHPFix action

O18 – {SubKey}: {ValueKey} – {KeyCLSID} . (…) — {FileName}

{Key} : the system registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS]
{SubKey} : a subkey of {Key}, for example "Handler" or "Filter"
{ValueKey} : the name of the protocol key under {SubKey}, for example "msnim"
{KeyCLSID} : the data of the "CLSID" value in the key {SubKey}
{FileName} : the default value of the key [HKLM\SOFTWARE\Classes\CLSID\{KeyCLSID}\InprocServer32]

1) The tool deletes {KeyCLSID}
2) The tool deletes the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{KeyCLSID}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{KeyCLSID}]
4) The tool deletes the file {FileName}
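The following PowerShell script is an added audit example, not code from ZHPDiag or ZHPFix. It walks the registry locations listed at the top of the page (PROTOCOLS\Filter and PROTOCOLS\Handler), follows the {KeyCLSID} -> InprocServer32 -> {FileName} chain defined above, and prints each entry in a layout approximating the O18 report lines, marking "(no file)" where the DLL is absent. It only reports; it does not perform the ZHPFix deletion steps. Assumptions: it runs elevated on Windows with PowerShell 5.1 or later, the "[32Bits]" tag for entries resolved through Wow6432Node is this example's own convention (ZHPDiag's tag is "[64Bits]"), and the "Suspect" heuristic (missing file, or unsigned DLL outside %WINDIR%) is a triage aid chosen here, not a ZHPDiag rule.

```powershell
# Added audit example (not ZHPDiag/ZHPFix code). Assumes an elevated Windows
# PowerShell 5.1+ session. Report layout only approximates ZHPDiag's O18 lines.

$ProtocolsRoot = 'HKLM:\SOFTWARE\Classes\PROTOCOLS'

# CLSID hives to consult: the native view first, then the 32-bit (Wow6432Node)
# view. The "[32Bits]" tag is this example's own convention.
$ClsidRoots = @(
    @{ Tag = '';          Path = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Tag = ' [32Bits]'; Path = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

function Resolve-O18Server {
    # {KeyCLSID} -> default value of CLSID\{KeyCLSID}\InprocServer32 ({FileName}).
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = "$($root.Path)\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($dll) {
            return [pscustomobject]@{
                Tag  = $root.Tag
                Path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

function Get-O18Entries {
    # Enumerate {SubKey}\{ValueKey} under PROTOCOLS and resolve each CLSID.
    foreach ($subKey in 'Filter', 'Handler') {
        $base = "$ProtocolsRoot\$subKey"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $base) {
            $clsid = (Get-ItemProperty -LiteralPath $item.PSPath).CLSID
            if (-not $clsid) { continue }
            $server = Resolve-O18Server -Clsid $clsid
            $file   = if ($server) { $server.Path } else { $null }
            $exists = [bool]($file -and (Test-Path -LiteralPath $file))
            $info   = if ($exists) { (Get-Item -LiteralPath $file).VersionInfo } else { $null }
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'NoFile' }
            [pscustomobject]@{
                SubKey      = $subKey
                Name        = $item.PSChildName
                Clsid       = $clsid
                Tag         = if ($server) { $server.Tag } else { '' }
                File        = $file
                FileExists  = $exists
                Company     = if ($info) { $info.CompanyName } else { '' }
                Description = if ($info) { $info.FileDescription } else { '' }
                Signature   = $sig
                # Triage heuristic chosen for this example: a protocol whose CLSID
                # resolves to no file, or to an unsigned DLL outside the Windows
                # directory, is what a reviewer looks at first.
                Suspect     = (-not $exists) -or ($sig -ne 'Valid' -and $file -notlike "$env:WINDIR\*")
            }
        }
    }
}

function Format-O18Line {
    # Render one entry in a layout close to the report excerpts on this page.
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        $fileField = if ($Entry.FileExists) {
            ". (.$($Entry.Company) - $($Entry.Description).) -- $($Entry.File)"
        } else {
            '- (no file)'
        }
        "O18 - $($Entry.SubKey): $($Entry.Name)$($Entry.Tag) - $($Entry.Clsid) $fileField"
    }
}

$entries = Get-O18Entries
$entries | Format-O18Line
''
'Suspect entries (missing file or unsigned DLL outside %WINDIR%):'
$entries | Where-Object Suspect | Format-O18Line
```

The signature and version-info fields correspond to the "(.Company – Description.)" block ZHPDiag prints; an entry such as the text/html filter in the overview above, whose CLSID no longer resolves to a file, comes out as "(no file)" and is listed in the suspect section, which is the same condition the ZHPFix steps remediate.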

Example of detection

O18 – Handler: base64 – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
O18 – Handler: chrome – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
O18 – Handler: prox – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
O18 – Handler: base64 [64Bits] – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files (x86)\GinyasBrowserCompanion\tdataprotocol.dll
O18 – Handler: chrome [64Bits] – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files (x86)\GinyasBrowserCompanion\tdataprotocol.dll
O18 – Handler: prox [64Bits] – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files (x86)\GinyasBrowserCompanion\tdataprotocol.dll
O18 – Handler: vsharechrome – {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} . (…) — C:\Program Files\vShare\vshare_toolbar.dll