Hidden.ADS - explorer.exe:$CmdTcID / Right-Click Menu is gone!

[CoolOliver]

Operating System: Windows 10 (10.0.10240) 64 bits version
Program used: RogueKillerX64
Anti-Virus: Bitdefender Anti-Virus Plus 2016

Hello,

I tried today your software on my computer because I have two really strange issues: The Right-Click menu when I try to Run as an Administrator on the Task-bar icons is literally empty. I can see the "menu" box but there is no more commands in it... just an empty box, expect Open or Run but that's all. And when I click on a picture, it says something like "photoviewer.dll is not a valid win32 application."

Your Software find some issues but if I click on the Delete button, at the end it says:
No replacement found | [Hidden.ADS][[[ADS]]] C:\Windows\explorer.exe:$CmdTcID
Honestly, I was like: Wait, what?... The heck?! ...  um, are you kidding me? Hmm...

I did of course some research on the Internet before that but I'm still literally stuck with this "Hidden.ADS" crap. I can't do anything to remove this stuff anymore. I also tried Malwarebyte, HerdProtect and many other programs out there, I mean MANY other programs, even Windows Repair (as an administrator, indeed). What can I do now and most importantly; how can I recover my Right-Click menu when I click on icons, on the task-bar and how to fix the PhotoViewer.dll too because I tried the regsrv32 command and tried also the SFC/SCANNOW command... no nothing, no corrupted files, no issues or anything like that. Well, according to Windows 10 anyway. This is really weird, isn't?...

OK, here is the report:

************************************

RogueKiller V11.0.5.0 (x64) [Dec 28 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Started from : C:\Users\bob\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 01/02/2016 20:35:10

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][[[ADS]]] C:\Windows\explorer.exe:$CmdTcID -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 38 (Driver: Loaded) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ user32.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ole32.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ shlwapi.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ msctf.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ shell32.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ uxtheme.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ dwmapi.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ comctl32.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ explorerframe.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ twinui.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ApplicationFrame.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ ntshrui.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ NetworkExplorer.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ GdiPlus.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ stobject.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ batmeter.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ InputSwitch.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ prnfldr.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ authui.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ hgcpl.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ duser.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ werconcpl.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ Windows.Internal.Shell.Broker.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ CoreSync_x64.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ DropboxExt64.28.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ bdshellext.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ fshredctx.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ RarExt.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ WDContextMenuHandler.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ comdlg32.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ cavshell.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ syncui.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ nvapi64.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ dui70.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ UIRibbon.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ Mp3tagShell64.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000
[IAT:Addr(Hook.IEAT)] (explorer.exe @ NppShell_06.dll) gdi32!DeleteDC : Unknown @ 0x7ff9d9a80000

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SiImage  SCSI Disk Device +++++
--- User ---
[MBR] 925393a67b854881010d785b3b10133a
[BSP] ce319fb6e48e010e77555d689865ec78 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 686809 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Fonction incorrecte. )

+++++ PhysicalDrive1: WDC WD10EADS-00M2B0 +++++
--- User ---
[MBR] f3c4f4e4206427766d62e2997f5d46f4
[BSP] 78766fa964bb992566fb2a6d7431ab8a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: SAMSUNG HD103UJ +++++
--- User ---
[MBR] 998dcfb892c750f736f4286512afafe8
[BSP] 33b5e3cd6006c1550d745345851f5d42 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953859 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: KINGSTON SV300S37A240G SCSI Disk Device +++++
--- User ---
[MBR] 371158cd48cfe19cd47b2d455f7b07e6
[BSP] cff4b84e072c9c9773d0b0bdddd5b409 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 228935 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive4: INTEL SSDSA2M160G2GC +++++
--- User ---
[MBR] 9c42c00b6f4eb62782cbbb7fc96776c0
[BSP] c2e1dc03f373daf4482a2591c847ae4e : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive5: WDC WD20EZRX-00D8PB0 +++++
--- User ---
[MBR] dd0f6844155e5daa73be52440e546055
[BSP] 1357a024c95c3b5816bbf738c798c2e8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive6: WDC WD20EZRX-00D8PB0 +++++
--- User ---
[MBR] 416e1fe56091204aef411557c5b6531b
[BSP] 05b893730d48b75d3922b2b68422782c : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
************************************

Thank you in advance for your help and I wish you an Happy New Year 2016!
CoolOliver.

[Curson]

Hi CoolOliver,

Welcome to Adlice.com Forum.

Your Software find some issues but if I click on the Delete button, at the end it says:
No replacement found | [Hidden.ADS][[[ADS]]] C:\Windows\explorer.exe:$CmdTcID
Honestly, I was like: Wait, what?... The heck?! ...  um, are you kidding me? Hmm...

This ADS is harmless and is believed to be created by Comodo antivirus / firewall.
Did you install any Comodo product before ?

I did of course some research on the Internet before that but I'm still literally stuck with this "Hidden.ADS" crap. I can't do anything to remove this stuff anymore. I also tried Malwarebyte, HerdProtect and many other programs out there, I mean MANY other programs, even Windows Repair (as an administrator, indeed). What can I do now and most importantly; how can I recover my Right-Click menu when I click on icons, on the task-bar and how to fix the PhotoViewer.dll too because I tried the regsrv32 command and tried also the SFC/SCANNOW command... no nothing, no corrupted files, no issues or anything like that. Well, according to Windows 10 anyway. This is really weird, isn't?...

Right click issues seems to be common with Windows 10. I suggest you to try this solution.
If the issue is still not solved, creating a new user profile might help.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.

[CoolOliver]

Hello, Curson.

Thank you very much for your response and your help!

Yes, I do have COMODO FIREWALL (only) installed on my computer. I am not really sure about your solution because your suggestion was to use ShellMenuView or RegDllView? I used RegDllView, just in case and as you can see, there is four missing files on my Windows/System32 folder which is of course, really annoying and strange... What do you think about it? (By the way, I have still no right-click menu if I click on icons, on the Windows task-bar).



Again, I really thank you in advance, Curson.

[Curson]

Hi CoolOliver,

Those missing entries are not critical.
The tool to use is ShellExView. I will copy/paste the full solution below :

If re-copying the WinX folder doesn't solve the problem, there is probably an obsolete registry entry pointing to a shell extension. You can track it down with this little jewel: http://www.nirsoft.net/utils/shexview.html

Sort by manufacturer and then disable all the non-Microsoft entries. Restart Windows Explorer (ctrl-e in the program) and see if your right-click works on something like Control Panel.

Then just re-enable them one at a time (or in small groups) and ctrl-e to restart Windows Explorer each time. Test each time to be sure your links are still working. Eventually you'll find the culprit. You can then use the program to locate the CLSID in the registry and delete or disable it. Done and done! Good luck -- hope it works for you!

Here is an article about the issue : Right-click is slow or weird behavior caused by context menu handlers.

Regards.

[Tigzy]

Hello,
Just to clarify the thing about ADS.
This is fixed and will be in the next version.

The right click issue is a different thing, very often caused by buggy/badly coded shell extensions. Just one of such extension is enough to break or slow down the whole context menu. Quite a pain to diagnose though, good luck!

[CoolOliver]

Hello, guys.

Thank you very much for your responses and thank you for the information, Tigzy!
Unfortunately, nothing work. So just in case, I opened regedit.exe and exported the "runas" section... what do you guys think about this?

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\CmdLineExt]
@="{F0407C3D-349C-42B9-B83E-821E31623DF9}"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\NvAppShExt]
@="{A929C4CE-FD36-4270-B4F5-34ECAC5BD63C}"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\OpenGLShExt]
@="{E97DEC16-A50D-49bb-AE24-CF682282E08D}"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\PintoStartScreen]
@="{470C0EBD-5D73-4d58-9CED-E91E22E23282}"

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}]
@=""

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@=""

Once again, thank you very much for your help,  I really appreciate it! 
CoolOliver

[Curson]

Hi CoolOliver,

Let's try an alternative.
- Go to C:\Users\Default\AppData\Local\Microsoft\Windows\WinX, and copy all folders to C:\Users\bob\AppData\Local\Microsoft\Windows\WinX.
- Restart Explorer.

Regards.

[CoolOliver]

Hello, Curson!

I did it already few days ago but... it doesn't work... sorry. 
So again, just in case, here is my problem:


As you can see, if I right-click on an icon, on the Windows 10 Taskbar... there is an empty box and um, yeah... that's it, really.
I really don't know what's going on... I'm lost to be honest with you. BUT... I have absolutely NO problem or whatsoever if I right-click
on the Windows Desktop or for example on folders, programs... everything is fine. The right-click menu works fine and there is no delay,
no nothing and of course, I can run a program with "Run as administrator" --- I have this problem with the Windows 10 Taskbar, only.

(I don't know why we can't see my mouse cursor on this Screen Capture for some strange reason but you get the idea anyway, I think...)

Any idea, guys?... 

Once again, thanks a lot for your help, guys... really!
CoolOliver

[Curson]

Hi CoolOliver,

I'm sorry, but I run out of ideas.
I suggest you to open a new thread on the Windows 10 Microsoft Community Forum. They will be more qualified than me to help you with this particular issue.

Regards.

[CoolOliver]

Hi Curson and Tigzy!

I did a lot of research on the Internet, installed and used a bunch of Anti-Malware (yes, some files were suspicious and some real malware but not really dangerous.)
I finally used your tool, called "TasksRun". Please, take a look at this screen capture, guys. Do you see something suspicious here?

Again guys, I really appreciate your help!

[Curson]

Hi CoolOliver,

All the item displayed here are legit.

Regards.