Defense+ Alerts: rundll32.exe is trying to execute different dll, exe files

[Guest]

[CoPy Cat]

I have a win7 32-bit RC1 machine, and every time it goes idle the Application-Experience service kicks in.
All its actions are logged in the event viewer (App and Services Logs > Microsoft > Windows > Application- Experience) and look like this:

Compatibility fix applied to C:\Windows\system32\rundll32.exe.
Fix information: Win2000/WinXP/WinVista, {random hash}, <random address>.

for every suched logged event I find a matching event in CIS logs 'rundll32.exe is attempting to execute program X or Y'.

So I'm guessing this is normal activity, eh?

[DragonAlong]

happening on a fresh install windows 7 64bit retail fully patched... installed some new software... when i came back to the machine after several hours had several comodo dialogs waiting for me...

10/29/2009 1:18:52 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\sv.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:20:53 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Tools\VistaEssentials.dll
10/29/2009 1:22:54 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\fi.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:24:56 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\es.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:26:57 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Steam\bin\SteamService.exe
10/29/2009 1:28:58 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\de.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:30:58 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\it.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:33:01 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Common Files\Apple\Mobile Device Support\NetDrivers\netaapl64.sys
10/29/2009 1:35:01 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\GameSpy\Comrade\156\fr-FR\ComradeLib.resources.dll
10/29/2009 1:37:02 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\ko.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:39:03 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\nl.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:41:04 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\zh_TW.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:43:05 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AOSUtils.dll
10/29/2009 1:45:07 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\nb.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:47:08 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\da.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:49:08 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Bonjour\PrinterWizard.Resources\da.lproj\PrinterWizardLocalized.dll
10/29/2009 1:51:09 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\nb.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:53:10 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\ExplorerPluginResources.dll
10/29/2009 1:55:11 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers\usbaapl64.sys
10/29/2009 1:57:18 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\AirPort\APAgent.exe
10/29/2009 1:59:19 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\de.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:01:19 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\ru.lproj\SoftwareUpdateLocalized.dll
10/29/2009 2:03:20 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\zh_CN.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:05:21 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Steam\Steam.exe
10/29/2009 2:07:23 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\ja.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:09:23 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\sv.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:11:25 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\sv.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:13:25 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\de.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:15:26 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\fr.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:17:27 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\en.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:19:28 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\fr.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:21:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files\Bonjour\ExplorerPlugin.Resources\zh_CN.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:23:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Benchmark_CPU.bat
10/29/2009 2:25:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Benchmark_GPU.bat
10/29/2009 2:27:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Cry3DEngine.dll
10/29/2009 2:29:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAISystem.dll
10/29/2009 2:31:30 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAction.dll
10/29/2009 2:33:31 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAnimation.dll
10/29/2009 2:35:31 PM   C:\Windows\System32\rundll32.exe   Create Process, Execute Image   C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryEntitySystem.dll
... and more and more and more....

pretty much for ever file that was installed....

anyone found a way to keep it from happening? should i report it to comodo?

wonder if it would be possible for comodo to list which process actually called rundll32...

[Leon]

Same here, clean install win 7 etc, these rundll have been appearing when machine is idle, i just put it down to defense incompatibility with win 7.

There is an event viewer entry that may be related to this, it is in system log and event id is 11 a warning relating to guard32.dll ( comodo file), source wininit, as follows:

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

[jahadu]

Same problem here, thats why I came here hoping for a solution.

Everytime I come back to my computer Comodo tells me that rundll32 is trying to execute a random DLL file and they aren't malware. How can I stop Comodo from asking this all the frigging time?

I'm on Win 7 Ultimate btw.

[Matty_R]

Try this folks it may help, at least it did for me.

Control Panel->Administrative Tools->Computer Management->Task Scheduler->Task Schedular Library->Microsoft->Windows->

Highlight "Application Experience" you should have AIT Agent and ProgramDataUpdater at the top. Right click on ProgramDataUpdater and select Disable

Matt

Credit to Quill for finding this little nugget 

[jahadu]

Hey Matty, thanks man. Worked fine, no more retarded alerts over here 

[Tags:]