Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Online_Sword

    Online_Sword Registered Member

    Hi, @Windows_Security . In the current version, the parent lists actually have the same priority as the normal lists, which means that, if I want to blacklist "C:\Windows\Fonts\*" while allowing "*\chrome.exe>C:\Windows\Fonts\*", then I should write the rules in the following manner (unrelated rules are ignored here):

    [WHITELIST]
    C:\Windows\*
    [BLACKLIST]
    [PARENTWHITELIST]
    !*\chrome.exe>C:\Windows\Fonts\*
    [PARENTBLACKLIST]
    ?:\*>C:\Windows\Fonts\*

    By contrast, if the priority sequence can be changed in the way described in #699, then we can rewrite the rules as:

    [WHITELIST]
    C:\Windows\*
    [BLACKLIST]

    C:\Windows\Fonts\*
    [PARENTWHITELIST]
    *\chrome.exe>C:\Windows\Fonts\*

    [PARENTBLACKLIST]

    Please note that here we no longer need "!".

    Well, both of these cases need two rules. But I think the latter rule set is easier to understand, because, when we want to blacklist a folder, I think it is more straightforward to directly blacklist it than to prevent processes from executing files in that folder.

    ==================================================================================

    Edit:

    Sorry, maybe I misunderstand your meaning...

    I agree that the changes in priority sequence might make some users confused...
     
    Last edited: Dec 8, 2015
  2. WildByDesign

    WildByDesign Registered Member

    Dealing with certain directories such as C:\Windows\Fonts or C:\Windows\Temp is tricky at the moment, but I am pretty excited about the upcoming ! priority rules since that will help to clean things up and make it easier.

    I have to admit, your suggestion of changing priority sequences confused me personally. I don't mean to say that it is a negative thing or a bad suggestion at all, but it was over the top of my head for now. You can always make that suggestion to the developer, Florian, and see if he thinks that it would be better as well.

    Currently, the config example below is how I am dealing with C:\Windows\Temp at least until the ! priority is available. The example below is condensed to only C:\Windows directories and removes anything not so relevant for this example. You could follow a similar method for dealing with the C:\Windows\Fonts directory if you want, but luckily that won't be necessary once the ! priority rules are implemented.

    Code:
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [WHITELIST]
    C:\Windows\AppPatch\*
    C:\Windows\assembly\*
    C:\Windows\Branding\*
    C:\Windows\ImmersiveControlPanel\*
    C:\Windows\Installer\*
    C:\Windows\Microsoft.NET\*
    C:\Windows\servicing\*
    C:\Windows\SoftwareDistribution\*
    C:\Windows\System32\*
    C:\Windows\SystemApps\*
    C:\Windows\SysWOW64\*
    C:\Windows\twain_32\*
    C:\Windows\WinStore\*
    C:\Windows\WinSxS\*
    C:\Windows\explorer.exe
    C:\Windows\notepad.exe
    C:\Windows\splwow64.exe
    C:\Windows\Temp\DPTF\*
    C:\Windows\Temp\MPGEAR.DLL
    C:\Windows\Temp\MPENGINE.DLL
    C:\Windows\Temp\???????.tmp\*.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    C:\????????????????????\mrtstub.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\MRT.exe
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\*.dll
    [PARENTBLACKLIST]
    C:\Users\*>C:\Windows\Microsoft.NET\Framework\*
    [EOF]
    From that example, I specifically leave C:\Windows\Temp\ and C:\Windows\Fonts\ out of the WHITELIST, and therefore they would be blocked by default.

    Your example:
    Code:
    [WHITELIST]
    C:\Windows\*
    [BLACKLIST]
    [PARENTWHITELIST]
    !*\chrome.exe>C:\Windows\Fonts\*
    [PARENTBLACKLIST]
    ?:\*>C:\Windows\Fonts\*
    You could remove the full WHITELIST privilege of C:\Windows\* and go more granular there. And with that method, you would not need the ! priority from *\chrome.exe>C:\Windows\Fonts\* in parent whitelist section. A little bit more work, no doubt. But more granular control. However, you could just keep everything the same for now and wait until the ! priority rules come out in Beta Camp build hopefully this weekend.
     
  3. Online_Sword

    Online_Sword Registered Member

    Thank you @WildByDesign for sharing your fine-grained rules for the Temp folder. :thumb:
    I would like to know how to participate in the beta test of Bouncer. Thanks. :)
     
    Last edited: Dec 10, 2015
  4. WildByDesign

    WildByDesign Registered Member

    @Online_Sword You're welcome. :)

    When the beta version of Bouncer is available, it will show up on the Beta Camp page (https://excubits.com/content/en/products_beta.html). Anyone is welcome to test any of the builds. Users need to always be careful with beta versions of kernel level software and test in VMs or test machines. If you need to report bugs or make suggestions, you can always feel free to send an email to Florian, you will find his email on the bottom of his blog (http://bitnuts.de/) or contact him through an encrypted web form here: https://excubits.com/content/en/contact.html
     
  5. EASTER

    EASTER Registered Member

    Just when you thought it couldn't get any better. Nice.

    Thanks for the new heads up @WildByDesign
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I think Florian is working on a feature that prevents vulnerable applications from writing to the System Space, and Program Files. He already has a driver that does that, but it is hard coded for something else. I think that's what he meant anyway. I don't know if he is going to offer it as a separate driver, or combine it with Bouncer. I hope he combines it with Bouncer. I actually made a request for this functionality in Bouncer.
     
  7. WildByDesign

    WildByDesign Registered Member

    Agreed, some nice surprises lately. It's nice to see it progress and I believe that Florian has several more surprises that will show up over time.

    You're very welcome, my pleasure. :)
    That sounds fantastic. I will send a quick note to Florian as well to second that request of yours. I remember that you had strongly recommended the parent process feature as well a while back, and thanks to you vouching for parent process feature, that became a reality in previous releases. So I am sure that Florian will value your feedback/request for preventing vulnerable applications from writing to system space and so on. :)
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Yes, I can't wait for functionality to prevent vulnerable applications from writing to System Space, and Program Files. I think the parent check feature already does this in some cases. I used a java portable application that bypassed the parent check feature though. It dropped an executable into Program Files, and then executed uncontested. It will bypass AppGuard also with default settings. AppGuard will block it if you Guard javaw.exe. I informed Florian he could add a section in the policy labeled [SANDBOXING], or [CONTAINMENT]. He could guard vulnerable applications against various different dangerous behaviors as he sees fit. I didn't want to make too many requests. I just wanted to give him an idea to work with. I honestly would like to see Florian, Blue Ridge Networks, and Andreas with NoVirusThanks working together. I think they would make a hell of a team.
     
  9. syrinx

    syrinx Registered Member

    /drool
    I wonder if crowd funding could make that possible? :p just no .net stuff plz =(
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I wonder if we could play match maker on here lol
     
  11. WildByDesign

    WildByDesign Registered Member

    I recall in recent weeks, one Bouncer user here was inquiring about adding comments to the Bouncer.ini config file to help organize and tidy up the rules. I don't remember which user had asked the question. But anyway, I was in contact with Florian earlier today and asked him about commenting in the Bouncer.ini config file, whether it was safe to do or even possible, or if it needed to be implemented into an updated Bouncer. Good news, he said that we can comment the current version of Bouncer.ini without any problems.

    Personally, I use Notepad++ for a lot of things, including editing Bouncer.ini config file. As suggested by Florian, you can use the # character to comment out certain lines within the config file. And when using Notepad++ in particular, it displays those lines in a different colour which makes it very nice and easy to keep your config files tidy.

    From one of my test machines, I will share my Bouncer.ini config with commented lines:

    Code:
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [WHITELIST]
    #PortableApps
    D:\PortableApps\*
    #Office 2010 Click-to-Run
    Q:\140066.enu\*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
    #Bouncer
    D:\Bouncer\*
    #Tools
    D:\Tools\*
    #Program Files and Program Files (x86)
    C:\Program Files\*
    C:\Program Files (x86)\*
    #ProgramData
    C:\ProgramData\CanonBJ\*
    C:\ProgramData\Leapfrog\*
    C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    #User Directory
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    #Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe
    #Flash Player
    C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
    #Google Chrome / Chromium
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    #Mozilla Firefox and Mozilla Thunderbird
    C:\Windows\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
    C:\Users\*\AppData\Local\Mozilla\updates\????????????????\updates\0\*
    C:\Users\*\AppData\Local\Thunderbird\updates\????????????????\updates\0\*
    *\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    #DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    #Windows Directory And Windows Temp
    C:\Windows\AppPatch\*
    C:\Windows\assembly\*
    C:\Windows\Branding\*
    C:\Windows\ImmersiveControlPanel\*
    C:\Windows\Installer\*
    C:\Windows\Microsoft.NET\*
    C:\Windows\servicing\*
    C:\Windows\SoftwareDistribution\*
    C:\Windows\System32\*
    C:\Windows\SystemApps\*
    C:\Windows\SysWOW64\*
    C:\Windows\twain_32\*
    C:\Windows\WinStore\*
    C:\Windows\WinSxS\*
    C:\Windows\explorer.exe
    C:\Windows\notepad.exe
    C:\Windows\splwow64.exe
    #Intel Dynamic Platform and Thermal Framework
    C:\Windows\Temp\DPTF\*
    #Malicious Software Removal Tool
    C:\Windows\Temp\MPGEAR.DLL
    C:\Windows\Temp\MPENGINE.DLL
    C:\????????????????????\mrtstub.exe
    [BLACKLIST]
    *iexplore.exe
    *powershell*.exe
    *regedit.exe
    *script.exe
    *vbc.exe
    *jsc.exe
    *ilasm.exe
    *csc.exe
    *bitsadmin.exe
    *hh.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *bcdedit.exe
    *regedit.exe
    *wordpad*.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    #Program Files and Program Files (x86)
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    #ProgramData
    C:\ProgramData\Microsoft\*>*
    #Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe>*
    #Adguard For Windows
    C:\ProgramData\Adguard\Temp\*>*
    C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>*
    #Tools
    D:\Tools\*>*
    #Office 2010 Click-to-Run
    Q:\140066.enu\*>*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\CVH.EXE>*
    #Flash Player - PPAPI Updater
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil*_??_?_?_???*.exe>C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    #Google Chrome
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe>C:\Windows\*
    #Mozilla Thunderbird
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    #DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    #PortableApps
    D:\PortableApps\*>*
    #Malicious Software Removal Tool
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\MRT.exe
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\*.dll
    [PARENTBLACKLIST]
    #Blocking user space from accessing .NET
    C:\Users\*>C:\Windows\Microsoft.NET\Framework\*
    [EOF]
    
    This is how the commented lines appear in Notepad++:

    [Screenshot: Notepad++.png]
     
  12. Online_Sword

    Online_Sword Registered Member

    @WildByDesign , thank you for this good news.:)

    I would like to know whether we could also put the comment at the end of a line, like this:
    Code:
    SHA256_Code#The name of the file corresponding to that hash code
    By the way, I found that even if I had whitelisted
    Code:
    C:\PROGRA~2\*
    and
    Code:
    C:\PROGRA~2\*>C:\PROGRA~?\*
    the following execution was still prevented:
    Code:
    *** excubits.com demo ***: C:\PROGRA~2\Symantec\SYMANT~1\121660~1.105\Bin\DWHWizrd.exe > C:\PROGRA~2\Symantec\SYMANT~1\121660~1.105\Bin\ccL120U.dll
    Have you ever had such a problem before?
     
  13. WildByDesign

    WildByDesign Registered Member

    This question I am not certain of. I would suggest being very careful about that. One possibility here would be to run Bouncer with logging on but with lethal mode off just to be on the safe side, and test with some non-critical paths. Please report back if you find out if this works or not. Otherwise, I may actually give this a try later on tonight and will report back as well if I find out anything worthwhile.
    Code:
    C:\PROGRA~2\*>C:\PROGRA~?\*
    Your code (above) looks perfect and should work. However, as we can see from your blocked code log, for whatever reason this rule failed.
    Yes, actually I have seen only one other situation myself where the rules failed and it also involved ? wildcards. Oddly, I also have dozens of rules that rely on ? wildcards that work perfectly. So I don't yet understand why these rare problems occur at the moment.
    Code:
    [WHITELIST]
    *\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    *\extensions\{????????-????-????-????-????????????}\components\calbasecomps.dll
    [PARENTWHITELIST]
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>*\extensions\{????????-????-????-????-????????????}\components\calbasecomps.dll
    From my code example above, the rules with ? wildcards were still being blocked. But when I just used the regular path without wildcards, it allowed the Lightning calendar extension to work perfectly without being blocked. I still don't understand why this failed yet. But with my example and your example, I can bring this odd/rare issue to Florian to see what is happening. Luckily, the path for the Lightning calendar never changes, despite the fact that it looks randomly generated. So in my case, I can work around this issue by just using the regular path without wildcards. So in your issue and my issue, both seem to involve ? wildcards and also both involve the parent checking feature.

    As a temporary workaround and also just to dig into this deeper, can you try this rule:
    Code:
    C:\PROGRA~2\*>C:\PROGRA~2\*
    Let me know if this works for you. Also, you could try various rules for curiosity:
    Code:
    C:\PROGRA~2\*>C:\PROGRA~2\*
    C:\PROGRA~1\*>C:\PROGRA~1\*
    C:\PROGRA~?\*>C:\PROGRA~?\*
    
    Or actually, in your particular case I am curious about trying to switch the ? wildcard to * wildcard just for testing purposes to rule this out:
    Code:
    C:\PROGRA~2\*>C:\PROGRA~*\*
    Hopefully we can narrow this down and I can report it to Florian. Thanks for sharing your feedback as well.
     
  14. Online_Sword

    Online_Sword Registered Member

    @WildByDesign , thank you for your reply.

    I have tested the comment at the end of a line. It does not work. So, the only way to use "#" is to put it at the beginning of a line.

    I cannot immediately confirm whether replacing "?" in the rules with actual characters/digits could solve my problem. This is because the following execution:
    Code:
    *** excubits.com demo ***: C:\PROGRA~2\Symantec\SYMANT~1\121660~1.105\Bin\DWHWizrd.exe > C:\PROGRA~2\Symantec\SYMANT~1\121660~1.105\Bin\ccL120U.dll
    is launched by Symantec Endpoint Protection automatically and silently in the background. I am not sure when this event will happen again. I have added the following rule to Bouncer.ini, and now all I can do is wait.
    Code:
    C:\PROGRA~2\*>C:\PROGRA~2\*
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I recently tried replacing the 5 [PARENTWHITELIST] rules below in black with option 1 in green, and it would not work. Am I doing something wrong? If that will not work then will option 2 in red work to replace the 5 [PARENTWHITELIST]? You can see I already have the needed rule in my [WHITELIST].

    Option 1
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe\*

    Option 2
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>I:\*

    [WHITELIST]
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe

    [PARENTWHITELIST]
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\Windows\*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\Program Files\*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\Program Files (x86)\*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\Users\achilles\AppData\Local\Temp\procexp64.exe
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>I:\*
     
  16. Online_Sword

    Online_Sword Registered Member

    The mistake here is the symbol "\" in blue.
    You need to replace it with ">". Then this rule will become:
    Code:
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>*
    I think this should work.:)
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Thank you Online_Sword! That worked. I thought I tried that, but I guess I didn't.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    There must be a bug in the latest build of Bouncer. I'm using the following rule below for [PARENTWHITELIST], but it is still blocking the following below. I just rolled back my computer using a full image backup, and I downloaded the latest build of Bouncer from the website. The rule below worked yesterday, and I did not get any blocked events. I think maybe I was using a different build. I just installed Bouncer. I will check to see if a reboot fixes the problem after I finish watching this video.

    [PARENTWHITELIST]
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>*

    BLOCKED EVENT
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json >
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I went ahead, and checked. A reboot did not help. I guess this will be one I will have to report to Florian. Well, I got to leave for the dentist.
     
  20. Online_Sword

    Online_Sword Registered Member

    @Cutting_Edgetech

    You also need to add
    Code:
    C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json
    to the WHITELIST.

    To see this, please consider the case that A.exe invokes B.exe. It will be allowed only when:
    1. A.exe is in WHITELIST
    2. B.exe is in WHITELIST
    3. A.exe>B.exe is in PARENTWHITELIST
    According to your post in #715, Conditions 1 and 3 have been satisfied in your rules. But I am afraid that you forgot Condition 2.
     
    Last edited: Dec 15, 2015
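    The three conditions in the post above, together with the whole-line-only "#" comments from posts #11 and #14 and the "!" priority parent rules from post #1, as an added example (not Bouncer's own code and not anyone's posted config): a small Python simulator that parses a Bouncer.ini-style rule file and decides whether a parent may execute a child. The precedence between the black and white lists is this example's assumption, and the sample config is constructed from the thread's scenarios, including the malformed "Option 1" rule from post #15.

```python
"""Toy simulator of Bouncer-style execution rules (added example, not Bouncer's code)."""
import re

SECTIONS = ("WHITELIST", "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST")


def matches(pattern, path):
    """'*' = any run of characters, '?' = exactly one char, all else literal; Windows
    paths compare case-insensitively and the whole path must match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path, re.IGNORECASE) is not None


def parse_ini(text):
    """Return (rules, warnings) for the four rule sections of a Bouncer.ini-style text.
    PARENT* entries become (parent_pattern, child_pattern, priority); priority is the
    '!' prefix from the thread. '#' opens a comment only at the start of a line
    (post #14: trailing comments do not work). Parent rules lacking '>' are reported."""
    rules = {name: [] for name in SECTIONS}
    warnings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].upper()
            section = name if name in SECTIONS else None  # [LETHAL], [EOF], ... hold no rules
            continue
        if section is None:
            continue
        if section.startswith("PARENT"):
            if ">" not in line:
                warnings.append(f"line {lineno}: parent rule has no '>' separator: {line}")
                continue
            parent_pat, child_pat = line.lstrip("!").split(">", 1)
            rules[section].append((parent_pat, child_pat, line.startswith("!")))
        elif ">" in line:
            warnings.append(f"line {lineno}: '>' only belongs in PARENT* sections: {line}")
        else:
            rules[section].append(line)
    return rules, warnings


def evaluate(rules, parent, child):
    """Decide whether `parent` may execute `child`; returns (allowed, reason).
    Precedence is this example's assumption, not Bouncer's documented algorithm:
    BLACKLIST beats WHITELIST, a '!' parent rule beats PARENTBLACKLIST, otherwise all
    three conditions from post #20 must hold (parent, child and parent>child listed)."""
    for pat in rules["BLACKLIST"]:
        if matches(pat, child):
            return False, f"child matches BLACKLIST rule {pat}"
    if not any(matches(p, parent) for p in rules["WHITELIST"]):
        return False, "condition 1 failed: parent is not in WHITELIST"
    if not any(matches(p, child) for p in rules["WHITELIST"]):
        return False, "condition 2 failed: child is not in WHITELIST"
    hits = [prio for pp, cp, prio in rules["PARENTWHITELIST"]
            if matches(pp, parent) and matches(cp, child)]
    if any(hits):
        return True, "allowed by a '!' priority PARENTWHITELIST rule"
    for pp, cp, _ in rules["PARENTBLACKLIST"]:
        if matches(pp, parent) and matches(cp, child):
            return False, f"blocked by PARENTBLACKLIST rule {pp}>{cp}"
    if hits:
        return True, "all three conditions satisfied"
    return False, "condition 3 failed: no PARENTWHITELIST rule covers parent>child"


# Constructed sample mixing the thread's scenarios; not anyone's real Bouncer.ini.
SAMPLE_INI = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files*\Google\Chrome\Application\chrome.exe
C:\Users\*\AppData\Local\Temp\procexp64.exe
#storage.json is deliberately NOT whitelisted here (the post #18 situation)
[BLACKLIST]
*powershell*.exe
[PARENTWHITELIST]
C:\Windows\*>*
!*\chrome.exe>C:\Windows\Fonts\*
C:\Users\*\AppData\Local\Temp\procexp64.exe>*
C:\Users\achilles\AppData\Local\Temp\procexp64.exe\*
[PARENTBLACKLIST]
?:\*>C:\Windows\Fonts\*
[EOF]
"""
RULES, WARNINGS = parse_ini(SAMPLE_INI)
PROCEXP = r"C:\Users\achilles\AppData\Local\Temp\procexp64.exe"
STORAGE = r"C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json"
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

if __name__ == "__main__":
    for w in WARNINGS:
        print("WARNING:", w)
    for p, c in [(PROCEXP, STORAGE), (CHROME, r"C:\Windows\Fonts\segoeui.ttf"),
                 (r"C:\Windows\explorer.exe", r"C:\Windows\Fonts\segoeui.ttf")]:
        print(evaluate(RULES, p, c), "for", p, ">", c)
```

    Appending the storage.json path under a second [WHITELIST] header is enough to turn the procexp64 > storage.json verdict from "condition 2 failed" into an allow, which is exactly the fix the post recommends.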
  21. WildByDesign

    WildByDesign Registered Member

    @Cutting_Edgetech I have a feeling that you mentioned this issue in this thread a few weeks back and I thought that we had a small bit of discussion about it. I don't recall hearing back from you whether or not it was successful in the end. I do have an idea for you to try with your current configuration. What it appears to me is, it looks as though the storage.json file is requesting execution itself, which seems very strange to me. I don't understand why that type of file would act similarly to an executable. That is something that you could potentially speak with the development team from that particular extension about, since I personally don't understand why it does that or how it does that. But anyway, from the Bouncer perspective, since it is requesting execution status, we need to give it that, since that is exactly what it would be doing and how it would be behaving if you did not have an anti-exec to control it. Here is my suggestion for you to try:

    Code:
    [WHITELIST]
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe
    C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json
    [PARENTWHITELIST]
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>*
    C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json>*
    After adding those rules, simply restart the Bouncer driver. No need to reboot. I hope that is successful for you. If that is successful, that's great, then we can look into shortening those rules if you want or making the rules more strict. I don't think that malware would try to utilize that storage.json in particular file to exploit a system.
     
  22. WildByDesign

    WildByDesign Registered Member

  23. Online_Sword

    Online_Sword Registered Member

    @WildByDesign

    Since you are also using EMET with Bouncer, I hope to know whether you have ever seen such block event:
    Code:
    *** excubits.com demo ***: C:\Program Files (x86)\EMET 5.2\EMET_GUI.exe > C:\Users\Online_Sword\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\Paths\000067.log
    After I installed Bouncer, such strange preventions often appear in the log. I say it is strange because of course a ".log" file cannot be executed.

    I don't mean that this problem is related to EMET. In fact, in such strange log events, the parent process can be many other applications, and the object at the right side of ">" can be log files, pdf files, png files (pictures! :confused:), ..., many kinds of files that should be just data, rather than executable. In the above I use EMET as an example only because I think you are familiar with EMET. Here is another example:
    Code:
    *** excubits.com demo ***: C:\Program Files (x86)\Internet Explorer\iexplore.exe > D:\Downloads\Vir\pack_15.zip
    This event happened today when I opened IE, but the zip file was downloaded in May. I forgot which browser was used to download this pack, but I am sure it is not in the download list of IE.

    I should say I cannot understand why data files could be "executed"...
    I am not sure whether this is a bug or not... The most interesting thing here is that preventing those data files from "execution" has not caused any problem yet. I mean, no program has broken down due to this issue. :confused:
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    It was a similar issue, but not the same. I was trying to use a different rule then. I decided to use one rule now to replace all my rules for procexp64.exe. Refer to post #715.
    Thank you! I will try adding the following to the whitelist as you guys have suggested:
    Code:
    C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json
    I think that will fix the problem. I will add
    Code:
    C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json>*
    to the [PARENTWHITELIST] if I have to.

    The fact that it is requesting execution status in memory is being caused by Superfetch. I believe it is a bug, or Florian needs to figure out a way to filter out Superfetch. Bouncer also constantly alerts to a bunch of installers, and .txt files I have on an external drive. I have the same results on 3 different machines, and 2 other users have reported the same issue in this thread. There's only a handful of members using Bouncer, and if 3 users in the thread have reported this then imagine how many users it would affect out of thousands, or even millions of users. See post #304 for an explanation of Superfetch. https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-13#post-2502528

    Edited 12/15 @1:39
    After looking back at the post it actually had to do with some different browser components than storage.json. I think I looked at the right post anyway. Bouncer is always blocking something to do with WOT, but WOT seems to work ok anyways. That may be because it's not actually blocking it. It may just be saying it's blocking it. It could be that it is being triggered by Superfetch opening it up in memory.
     
    Last edited: Dec 15, 2015
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Here is a sample of Superfetch in action just after installing Bouncer. I just ignore it, and it usually comes down after a while.

    Code:
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\mshta.exe > 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Program Files\Windows Journal\Journal.exe > a99e689468fde0f267ff1ab42ebf27912ca621311d65897bc3224b8259226f3a
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\mstsc.exe > a485d87caebe897bcca2b4ccdb9ca357e99bc8c85a37c3d6020c9920c0dac1a3
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\msiexec.exe > 72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Program Files\Internet Explorer\iexplore.exe > c4b7d97a1cbad209838dbfd7307db692d52b388182b77bb43a86f6f4702bd07b
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe > 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\ProgramData\Package Cache\{15134cb0-b767-4960-a911-f2d16ae54797}\vcredist_x64.exe > d969a8513eb67ae3f28f3a27ab8f490123948d1d4620a86543a930eda98a603d
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe > f2d60c0f8688f3036bdc48c37f93b204bed596b8707a5f96c9bc69e8cb6efeab
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\places.sqlite-shm > 8443fc8bb38ae6e33024d14954fc5f7aaaa535bc30fcc696edda9e0a8a7f4837
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Program Files\Windows Journal\Journal.exe > a99e689468fde0f267ff1ab42ebf27912ca621311d65897bc3224b8259226f3a
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\mstsc.exe > a485d87caebe897bcca2b4ccdb9ca357e99bc8c85a37c3d6020c9920c0dac1a3
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\msiexec.exe > 72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Program Files\Internet Explorer\iexplore.exe > c4b7d97a1cbad209838dbfd7307db692d52b388182b77bb43a86f6f4702bd07b
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe > 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe > f2d60c0f8688f3036bdc48c37f93b204bed596b8707a5f96c9bc69e8cb6efeab
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\ProgramData\Package Cache\{15134cb0-b767-4960-a911-f2d16ae54797}\vcredist_x64.exe > d969a8513eb67ae3f28f3a27ab8f490123948d1d4620a86543a930eda98a603d
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\places.sqlite-shm > 8443fc8bb38ae6e33024d14954fc5f7aaaa535bc30fcc696edda9e0a8a7f4837
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\msiexec.exe > 72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\msiexec.exe > 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60
    *** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\msiexec.exe > 72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02
     