Origin:

Since many of you have been asking about the new ZHPDiag module O106, this article explains the background to this development.
In recent weeks, some malware processes have infiltrated a particular registry key, “ShellIconOverlayIdentifiers”. This key usually contains several subkeys, which ZHPDiag now lists. Of course, the keys listed are not necessarily malware; you will find, for example, OneDrive, Acronis or Dropbox there. The search is performed in the registry branch “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer” (32- and 64-bit).

Principle:

For the moment, I have no further information on the actions taken by the malware processes that install themselves under the “ShellIconOverlayIdentifiers” key, or on how they make use of this feature. All I can say is that it is related to the icon overlay manager (Icon Overlay Handler), which displays an overlay icon on an object to provide additional information. For example, Dropbox uses this overlay to show whether or not files are synchronized. (See the screenshot at the link given in the documentation.)
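As an added example (not ZHPDiag's own code), the following PowerShell script performs the same enumeration the O106 module does: it walks the 64-bit and 32-bit “ShellIconOverlayIdentifiers” branches, resolves each handler's CLSID to its InprocServer32 DLL, and flags entries whose DLL is missing, unsigned or loaded from a user-writable folder so they can be reviewed first. It assumes a 64-bit Windows host where the 32-bit view lives under WOW6432Node and that the script runs with rights to read HKLM and HKCR.

```powershell
# Added example, not part of ZHPDiag. Assumes 64-bit Windows (32-bit view under WOW6432Node).
$branches = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
)
# CLSID roots to consult when resolving a handler to its DLL (64-bit view first, then 32-bit).
$clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID')

function Get-OverlayHandlers {
    foreach ($branch in $branches) {
        if (-not (Test-Path $branch)) { continue }
        foreach ($sub in Get-ChildItem $branch) {
            # The default value of each subkey holds the handler's CLSID.
            $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            if (-not $clsid) { continue }
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = (Get-ItemProperty -Path $srv).'(default)'
                    break
                }
            }
            # Expand %SystemRoot%-style references and strip surrounding quotes.
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'N/A' }
            # Handlers loaded from per-user, temp or ProgramData folders deserve a closer look.
            $userPath = [bool]($dll -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\')
            [pscustomobject]@{
                Branch    = if ($branch -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                Name      = $sub.PSChildName
                CLSID     = $clsid
                DLL       = $dll
                Exists    = $exists
                Signature = $sig
                # Suspect = review first: missing DLL, user-writable path, or not validly signed.
                Suspect   = (-not $exists) -or $userPath -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-OverlayHandlers | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A “Suspect” entry is a triage hint, not a verdict: legitimate handlers such as the Dropbox one in the sample below live under the user profile, so compare the DLL, publisher and CLSID against what the installed product is expected to register.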

Sample:

—\\ ShellIconOverlayIdentifiers (SIOI) (8) – 0s
O106 – SIOI: Acronis True Image Shell Sync Error Icon Overlay Extension [AcronisSyncError] – {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}. (.Acronis – Acronis True Image Shell Extensions.) — C:\Program Files\Acronis\TrueImageHome\tishell.dll ©
O106 – SIOI: Acronis True Image Shell Sync In Progress Icon Overlay Extension [AcronisSyncInProgress] – {00F848DC-B1D4-4892-9C25-CAADC86A215D}. (.Acronis – Acronis True Image Shell Extensions.) — C:\Program Files\Acronis\TrueImageHome\tishell.dll ©
O106 – SIOI: Acronis True Image Shell Sync Ok Icon Overlay Extension [AcronisSyncOk] – {71573297-552E-46fc-BE3D-3DFAF88D47B7}. (.Acronis – Acronis True Image Shell Extensions.) — C:\Program Files\Acronis\TrueImageHome\tishell.dll ©
O106 – SIOI: Enhanced Storage Icon Overlay Handler Class [EnhancedStorageShell] – {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}. (.Microsoft Corporation – DLL d’extension d’environnement de stockage.) — C:\Windows\System32\EhStorShell.dll ©
O106 – SIOI: Sharing Overlay (Private) [SharingPrivate] – {08244EE6-92F0-47f2-9FC9-929BAA2E7235}. (.Microsoft Corporation – Extensions de l’interpréteur de commandes p.) — C:\Windows\System32\ntshrui.dll ©
O106 – SIOI: avast [00avast] – {472083B0-C522-11CF-8763-00608CC02F24}. (.AVAST Software – avast! Shell Extension.) — C:\Program Files\AVAST Software\Avast\ashShell.dll
O106 – SIOI: DropboxExt1 Class [DropboxExt1] – {FB314ED9-A251-47B7-93E1-CDD82E34AF8B}. (.Dropbox, Inc. – Dropbox Shell Extension.) — C:\Users\van den Berg\AppData\Roaming\Dropbox\bin\DropboxExt.27.dll
O106 – SIOI: Groove Explorer Icon Overlay 4 (GFS Unread Mark) [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] – {2916C86E-86A6-43FE-8112-43ABE6BF8DCC}. (.Microsoft Corporation – Microsoft SharePoint Workspace Extensions.) — C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

Feedback:

As usual with each new module, it takes some time for ZHPDiag or ZHP to qualify these lines on the basis of feedback from users and helpers.

Documentation:

Microsoft How to Register Icon Overlay Handlers
.NET Shell Extensions – Shell Icon Overlay Handlers – Dropbox

ZHPDiag, New module O106. Published 2015-09-28T07:48:21+00:00. Categories: News