Author Topic: Defense+ Alerts: rundll32.exe is trying to execute different dll, exe files  (Read 4680 times)
Jags_FL
Newbie
*
Offline Offline

Posts: 5


« on: May 27, 2009, 11:03:03 PM »

On a fresh installation of Windows 7 RC I keep getting these Defense+ alerts that rundll32.exe is trying to execute one or another dll / exe file ONLY when the PC is idle.

Whenever I return to the PC after being away for 15/20 minutes, I see these alerts, and each time rundll32.exe is trying to execute different files. I've run Avira (installed), Kaspersky, F-secure (both online) and Malwarebytes' Anti-Malware many times and they've found nothing so far.

32-bit CIS Ver: 3.9.95478.509 (installed in Vista compatibility mode)

Many thanks in advance, any help is highly appreciated.
Logged
napsterz
Computer Security Testing Group
Comodo's Hero
*****
Offline Offline

Posts: 394


Machinez Rule The World...And I Rule The Machinez


WWW
« Reply #1 on: May 27, 2009, 11:55:36 PM »

The First File Is A Part of Microsoft Visual Studio .NET And No Idea About The Second One. However Both The Files Seem To Be Suspicious. I Would Suggest You To Submit The File For Analysis.

More Information On How To Submit A Suspicious File
Logged

In Life We All Have An Unspeakable Secret, An Irreversible Regret, An Unreachable Dream And Unforgettable Love...!!!
Jags_FL
Newbie
*
Offline Offline

Posts: 5


« Reply #2 on: May 28, 2009, 12:29:11 AM »

@napsterz

Many thanks for the reply.

My main concern is the behavior of rundll32.exe, why it tries to execute any file in the first place (is this normal?) and more importantly why only when the PC is idle? (the alert never pops up when I'm using the PC)

About submitting the file: each time the PC is idle for 15/20 minutes rundll32.exe tries to execute different .dll / .exe files, so how many should I submit?

Thanks again.
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Online Online

Posts: 1558


The only thing i ask for are eggs.


WWW
« Reply #3 on: May 28, 2009, 12:39:19 AM »

It may be for the screensaver! Just saying, not sure.
Logged

What you see isn’t what you always get!
napsterz
Computer Security Testing Group
Comodo's Hero
*****
Offline Offline

Posts: 394


Machinez Rule The World...And I Rule The Machinez


WWW
« Reply #4 on: May 28, 2009, 12:50:23 AM »

Hope You Know That Rundll32.exe Is Responsible For Running DLLs And Placing Its Libraries In The Memory.
So Rundll32.exe Executing A DLL File Is Normal. However The Issue Here Is Why It's Happening During/After The Idle Time. So We Can Conclude What's Happening Only By Recognizing The Properties Of The DLL File Executed By Rundll32.exe. Either It's A Kind Of Malicious File Trying To Load Or A Genuine Windows Process Trying To Load.
Logged

SiberLynx
Comodo's Hero
*****
Offline Offline

Posts: 662



« Reply #5 on: May 28, 2009, 12:59:41 AM »

Hi Jags_FL,

Definitely, if you are not sure, you have to check with Comodo as napsterz suggested.

Microsoft.stdformat.dll is a part of Microsoft .Net Framework (see assembly directory)
C:\WINDOWS\assembly\GAS\Microsoft.StdFormat\
This is a highly protected directory, so you cannot access and get files from there except in a special “command line way” ;)

QtCore4.dll is part of C++ application development framework

Basically it belongs to Trolltech but you may find names like Nokia Corporation and/or its subsidiary(-ies) for example under Properties.

This is actually a library for building graphical user interfaces.
Therefore you can have the file in question supplied by many companies as a part of their software.
There are GNU and commercial versions. You can read here:
http://doc.trolltech.com/4.1/index.html

I have 5 instances of the said DLL, belonging to LightScribe; LMMS audio sequencer; Stellarium (astronomy software), etc. Keep in mind that you may have different versions of QtCore4.dll belonging to each piece of software.

My regards
Logged

admin; XP Pro, SP3 (32); CIS 3.13.121240.574 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker
Jags_FL
Newbie
*
Offline Offline

Posts: 5


« Reply #6 on: May 28, 2009, 01:10:38 AM »

napsterz, SiberLynx thanks guys...

The screensaver is set at 40 min and turn display off is at 45 minutes, but these rundll32.exe alerts I get anywhere between around 15/20 min.

Here are some of the file names rundll32.exe tries to execute:
Microsoft.stdformat.dll, QtCore4.dll, QtNetwork4.dll, jpeg62.dll, sqlceca30.dll, CamMenuPlayer.exe, CamRecorder.exe (TechSmith Camtasia files) and many others I wasn't able to get name of.

Sometimes when I return to the PC and try to take a screenshot (or try to write down the name of the file) the Defense+ alert just disappears.

I'm going to submit the files (that I know of, mentioned above) to avlab [at] Comodo through the email.

Thanks a lot.
Logged
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2730


Follow the White Rabbit...


« Reply #7 on: June 04, 2009, 07:34:05 PM »

I have noticed that, every morning, my D+ logs are full of entries related to rundll32.exe. It seems to happen particularly if there has been some system change or new software installation. It is curious, I wonder if it's a Windows 7 thing...

I know this is not a malware/spyware/virus/add your own definition here... as it also occurs after a clean installation of Win 7 (from Microsoft not a torrent) and CIS. It looks like rundll32.exe is just catching up with 'changes' when system activity is low.

Here is a 'sample' of my log from last night.





Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2730


Follow the White Rabbit...


« Reply #8 on: June 21, 2009, 08:02:15 PM »

I want to revisit this as it's becoming a bit of a pain.

I get this every night, as soon as the system has been idle for a period of time. There are no tasks scheduled, no scans, defrags etc. This problem only happens on the Windows 7 PC. I have never seen anything like this on the XP PC. On occasion I wake to find CIS has crashed.

This problem is not a malware issue (maybe move this topic...), as it happens on a clean install of 7100, which came from MS.

So the question is, what the heck is rundll32 doing with all these processes/applications, and why are they appearing in the D+ log?
 
Attached another copy from last night.

sample:
Code:

Sun Jun 21 2:04:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\ATISetup.exe


Sun Jun 21 2:06:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\Setup.exe


Sun Jun 21 2:08:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\zh-Hant\system.resources.dll


Sun Jun 21 2:10:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\de\mscorrc.dll
 

« Last Edit: June 23, 2009, 06:16:04 AM by Toggie » Logged

wj32
Comodo Loves me
****
Offline Offline

Posts: 122



WWW
« Reply #9 on: June 23, 2009, 05:54:54 AM »

Unless ATISetup.exe and Setup.exe export any functions, rundll32 can't do anything with them. Similarly, I have Silverlight installed and I don't even have the 2.0.40115.0 folder in Microsoft Silverlight. System.Resources.dll is a .NET assembly anyway and doesn't export any native functions, so it can't be run by rundll32 either.

There may be a malware infection...

Logged
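
The check wj32 describes (does the target declare native exports, and is it a .NET assembly) can be done from the PE headers alone. This is an added example, not code from the thread or from Comodo; `pe_traits`, `rundll32_verdict` and `make_pe` are hypothetical names, and the sample images are constructed header-only byte strings. A declared export directory only shows the file could offer an entry point, not that one is usable.

```python
import struct

EXPORT_DIR, CLR_DIR = 0, 14   # data-directory indexes: export table, CLR (.NET) header

def pe_traits(data: bytes) -> dict:
    """Header-only triage: is it a PE image, does it declare exports, is it managed?"""
    traits = {"is_pe": False, "has_exports": False, "is_dotnet": False}
    try:
        if data[:2] != b"MZ":
            return traits
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return traits
        opt = pe_off + 24                                     # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
            return traits
        dirs = opt + (96 if magic == 0x10B else 112)          # start of data directories
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        traits["is_pe"] = True
        for key, idx in (("has_exports", EXPORT_DIR), ("is_dotnet", CLR_DIR)):
            if idx < count:
                rva, size = struct.unpack_from("<II", data, dirs + 8 * idx)
                traits[key] = rva != 0 and size != 0
    except struct.error:
        pass                                                  # truncated headers
    return traits

def rundll32_verdict(data: bytes) -> str:
    """Map the traits onto the cases discussed in the post above."""
    t = pe_traits(data)
    if not t["is_pe"]:
        return "not a PE image"
    if t["has_exports"]:
        return "declares exports"
    return "managed, no native exports" if t["is_dotnet"] else "PE, no exports"

def make_pe(exports=False, dotnet=False, pe32_plus=False) -> bytes:
    """Constructed sample: DOS stub, COFF and optional headers only, no sections."""
    opt = bytearray(112 if pe32_plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", opt, len(opt) - 4, 16)             # 16 data directories
    dirs = bytearray(16 * 8)
    if exports:
        struct.pack_into("<II", dirs, 8 * EXPORT_DIR, 0x2000, 0x80)
    if dotnet:
        struct.pack_into("<II", dirs, 8 * CLR_DIR, 0x2008, 0x48)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + bytes(dirs)
```

On a real system, pass the bytes of each file named in the Defense+ log to `rundll32_verdict`; the .xml and .htm targets reported later in the thread would come back as "not a PE image".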
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2730


Follow the White Rabbit...


« Reply #10 on: June 23, 2009, 06:14:45 AM »

Thanks!

Quote
There may be a malware infection...

There is not. Please read my post and please see the attached.
Logged

Logos
Guest
« Reply #11 on: August 04, 2009, 12:45:50 PM »

Yeah, just got this a few minutes ago for the first time, in Win7/7100 as well. Haven't got a clue what this is about. I had an alert for most of those events in the pic and blocked (without remembering), just in case, although I don't think either that any malware is involved.

« Last Edit: August 04, 2009, 12:48:28 PM by Logos » Logged
Ieke
Newbie
*
Offline Offline

Posts: 3


« Reply #12 on: September 13, 2009, 09:12:12 AM »

I'm having the same problem on my laptop and desktop. I'm running Windows 7 64 RTM on both. The thing I can't figure out is it doesn't happen all the time. If I reboot the problem goes away; it normally happens after the PC has been on for a while and NOT in use. Why is it trying to run freaky things? It's trying to open crysis.exe, ati apps, everything, and why does it only do it after the PC has been idle? Finally, why does a reboot temporarily fix it?

Thank you
Logged
Scam
Newbie
*
Offline Offline

Posts: 7


« Reply #13 on: September 21, 2009, 05:14:24 AM »

The same issue on Windows 7 (32bit). Fresh installation, no viruses/trojans. Seems that it is a Comodo Defense+ issue. As it officially does not support Windows 7, we just should wait I think. :)
Logged
troubada
Newbie
*
Offline Offline

Posts: 6


« Reply #14 on: October 01, 2009, 07:40:33 AM »

I am having this issue as well with Windows 7 32-bit Final/updated. It does happen when I'm away from the PC about 15 minutes, and my screensaver had come on the times that it happened. Mine says something about rundll32.exe trying to execute http_...

When I just checked my Defense+ events in COMODO, it became clear that in my case this is caused by VLC Media Player and also by Microsoft Games for Windows LIVE:

Quote
C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\VideoLAN\VLC\http\requests\browse.xml

Quote
C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Microsoft Games for Windows - LIVE\Client\Help\Http_error_es-es.htm

Logged
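
For anyone comparing their own Defense+ log against the ones posted in this thread, the four-line records can be parsed and summarised as below. This is an added example, not code from the thread or from Comodo: the sample is the first three records of the log excerpt quoted earlier, the function names are hypothetical, and the year (absent from the log) is an assumption taken from the post date.

```python
import re
from collections import Counter
from datetime import datetime
from ntpath import basename, splitext

# First three records of the log excerpt posted in the thread
SAMPLE = r"""Sun Jun 21 2:04:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\ATISetup.exe

Sun Jun 21 2:06:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\Setup.exe

Sun Jun 21 2:08:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\zh-Hant\system.resources.dll"""

def parse_events(text, year=2009):
    """Split the log into records of four non-empty lines: time, parent, action, target."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            continue                      # skip incomplete records
        when = datetime.strptime(f"{lines[0]} {year}", "%a %b %d %I:%M:%S %p %Y")
        events.append({"time": when, "parent": lines[1],
                       "action": lines[2], "target": lines[3]})
    return events

def gaps_seconds(events):
    """Seconds between consecutive events, in time order."""
    times = sorted(e["time"] for e in events)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def evenly_spaced(gaps, tolerance=5):
    """True when every gap is within `tolerance` seconds of the others."""
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance

def targets_by_extension(events, parent="rundll32.exe"):
    """Count target file types for events raised by the given parent image."""
    return Counter(splitext(e["target"])[1].lower() for e in events
                   if basename(e["parent"]).lower() == parent)
```

Even spacing and a mix of target file types are what the posted excerpt shows; the summary describes the pattern and does not by itself say what triggers it.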