Defense+ Alerts: rundll32.exe is trying to execute different dll, exe files

On a fresh installation of Windows 7 RC I keep getting these Defense+ alerts that rundll32.exe is trying to execute one or another dll / exe file, ONLY when the PC is idle.

Whenever I return to the PC after being away for 15/20 minutes, I see these alerts, and each time rundll32.exe is trying to execute different files. I’ve run Avira (installed), Kaspersky, F-Secure (both online) and Malwarebytes’ Anti-Malware many times and they’ve found nothing so far.

32-bit CIS Ver: 3.9.95478.509 (installed in Vista compatibility mode)

Many thanks in advance, any help is highly appreciated.

[attachment deleted by admin]

The First File Is A Part Of Microsoft Visual Studio .NET And I Have No Idea About The Second One. However, Both The Files Seem To Be Suspicious. I Would Suggest You Submit The Files For Analysis.

More Information On How To Submit A Suspicious File

@ napsterz

Many thanks for the reply.

My main concern is the behavior of rundll32.exe: why it tries to execute any file in the first place (is this normal?) and, more importantly, why only when the PC is idle? (The alert never pops up when I’m using the PC.)

About submitting the file: as each time the PC is idle for 15/20 minutes rundll32.exe tries to execute different .dll / .exe files, how many should I submit?

Thanks again.

It may be for the screensaver! Just saying, not sure.

Hope You Know That Rundll32.exe Is Responsible For Running DLLs And Placing Its Libraries In Memory.
So Rundll32.exe Executing A DLL File Is Normal. However, The Issue Here Is Why It’s Happening During/After The Idle Time. So We Can Conclude What’s Happening Only By Recognizing The Properties Of The DLL File Executed By Rundll32.exe: Either It’s A Kind Of Malicious File Trying To Load Or A Genuine Windows Process Trying To Load.

Hi Jags_FL,

Definitely, if you are not sure, you have to check with Comodo as napsterz suggested.

Microsoft.stdformat.dll is a part of the Microsoft .NET Framework (see the assembly directory)
C:\WINDOWS\assembly\GAS\Microsoft.StdFormat
This is a highly protected directory, so you cannot access and get files from there except via a special “command line way” :wink:

QtCore4.dll is part of a C++ application development framework.

Basically it belongs to Trolltech, but you may find names like Nokia Corporation and/or its subsidiary(-ies), for example under Properties.

This is actually a library for building graphical user interfaces.
Therefore you can have the file in question supplied by many companies as a part of their software.
There are GNU and commercial versions. You can read here:
http://doc.trolltech.com/4.1/index.html

I have 5 instances of the said DLL, belonging to LightScribe; LMMS audio sequencer; Stellarium (astronomy software), etc. Keep in mind that you may have different versions of QtCore4.dll belonging to each piece of software.

My regards

napsterz, SiberLynx thanks guys…

The screensaver is set at 40 min and turn display off is at 45 minutes, but these rundll32.exe alerts I get anywhere around 15/20 min.

Here are some of the file names rundll32.exe tries to execute:
Microsoft.stdformat.dll, QtCore4.dll, QtNetwork4.dll, jpeg62.dll, sqlceca30.dll, CamMenuPlayer.exe, CamRecorder.exe (TechSmith Camtasia files) and many others I wasn’t able to get the name of.

Sometimes when I return to the PC and try to take a screenshot (or try to write down the name of the file), the Defense+ alert just disappears.

I’m going to submit the files (that I know of, mentioned above) to avlab @ Comodo through email.

Thanks a lot.

I have noticed that, every morning, my D+ logs are full of entries related to rundll32.exe. It seems to happen particularly if there has been some system change or new software installation. It is curious, I wonder if it’s a Windows 7 thing…

I know this is not a malware/spyware/virus/add your own definition here… as it also occurs after a clean installation of Win 7 (from Microsoft not a torrent) and CIS. It looks like rundll32.exe is just catching up with ‘changes’ when system activity is low.

Here is a ‘sample’ of my log from last night.

[attachment deleted by admin]

I want to revisit this as it’s becoming a bit of a pain.

I get this every night, as soon as the system has been idle for a period of time. There are no tasks scheduled, no scans, defrags etc. This problem only happens on the Windows 7 PC. I have never seen anything like this on the XP PC. On occasion I wake to find CIS has crashed.

This problem is not a malware issue (maybe move this topic…), as it happens on a clean install of 7100, which came from MS.

So the question is, what the heck is rundll32 doing with all these processes/applications, and why are they appearing in the D+ log?

Attached another copy from last night.

sample:

Sun Jun 21 2:04:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\ATISetup.exe

Sun Jun 21 2:06:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\Setup.exe

Sun Jun 21 2:08:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\zh-Hant\system.resources.dll

Sun Jun 21 2:10:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\de\mscorrc.dll

[attachment deleted by admin]

Unless ATISetup.exe and Setup.exe export any functions, rundll32 can’t do anything with them. Similarly, I have Silverlight installed and I don’t even have the 2.0.40115.0 folder in Microsoft Silverlight. System.Resources.dll is a .NET assembly anyway and doesn’t export any native functions, so it can’t be run by rundll32 either.

There may be a malware infection…

Thanks!
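The reply above rests on one checkable fact: rundll32 works by calling a named export, so a file with no export table (or a pure .NET assembly, which carries a CLR header and normally no native exports) gives it nothing to call. As an added example, not code from this thread or from Comodo, here is a small Python parser that reads the PE export directory directly so an analyst can confirm that for any file Defense+ names. The two images it inspects are built in memory by build_pe() and are constructed test input, not real DLLs; the export names and the module name "fake.dll" are made up, and the "managed" check only looks for a non-empty CLR (COM descriptor) data directory.

```python
import struct

SECT_OFF, SECT_RVA, SECT_SIZE = 0x200, 0x1000, 0x200


def build_pe(export_names=None, managed=False):
    """Build a minimal PE32 image in memory. Constructed test input only, not a real DLL."""
    body = bytearray(SECT_SIZE)
    export_rva = export_size = 0
    if export_names:
        n = len(export_names)
        # Section layout: export directory (40 bytes) | address table | name pointers | ordinals | strings
        eat, npt, ot = 40, 40 + 4 * n, 40 + 8 * n
        cur = ot + 2 * n
        name_rvas = []
        for name in export_names:
            raw = name.encode("ascii") + b"\0"
            body[cur:cur + len(raw)] = raw
            name_rvas.append(SECT_RVA + cur)
            cur += len(raw)
        dll_name_rva = SECT_RVA + cur
        body[cur:cur + 9] = b"fake.dll\0"          # made-up module name
        cur += 9
        struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                         SECT_RVA + eat, SECT_RVA + npt, SECT_RVA + ot)
        for i, rva in enumerate(name_rvas):
            struct.pack_into("<I", body, eat + 4 * i, SECT_RVA + 0x1F0)   # dummy code RVA
            struct.pack_into("<I", body, npt + 4 * i, rva)
            struct.pack_into("<H", body, ot + 2 * i, i)
        export_rva, export_size = SECT_RVA, cur
    dirs = [(0, 0)] * 16
    dirs[0] = (export_rva, export_size)
    if managed:
        dirs[14] = (SECT_RVA + 0x180, 72)    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)        # i386, 1 section, DLL
    opt_hdr = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
               + b"".join(struct.pack("<II", r, s) for r, s in dirs))         # PE32, 16 directories
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", SECT_SIZE, SECT_RVA, SECT_SIZE, SECT_OFF,
                           0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + opt_hdr + sect_hdr
    return bytes(hdr + b"\0" * (SECT_OFF - len(hdr)) + body)


def pe_exports(data):
    """Return (has_clr_header, [exported names]) for a PE image; raises ValueError if it is not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)        # data directory offset: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]

    def directory(i):
        return struct.unpack_from("<II", data, dd + 8 * i) if i < ndirs else (0, 0)

    sections = []
    for i in range(nsect):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def rva2off(rva):
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} outside every section")

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    managed = directory(14)[0] != 0
    exp_rva, _ = directory(0)
    if exp_rva == 0:
        return managed, []
    e = rva2off(exp_rva)
    nnames, _eat, npt, _ot = struct.unpack_from("<IIII", data, e + 24)
    names_off = rva2off(npt)
    names = [cstr(struct.unpack_from("<I", data, names_off + 4 * i)[0]) for i in range(nnames)]
    return managed, names


def rundll32_verdict(data):
    """Whether a 'rundll32 -> file' event could be a real native DLL load of this image."""
    managed, names = pe_exports(data)
    if names:
        return "native exports: " + ", ".join(names)
    if managed:
        return "managed .NET assembly without native exports"
    return "no exported functions"


if __name__ == "__main__":
    for label, img in [("exports", build_pe(["Control_RunDLL", "CPlApplet"])),
                       ("plain", build_pe()), ("managed", build_pe(managed=True))]:
        print(f"{label}: {rundll32_verdict(img)}")
```

Against a real file, read it with open(path, "rb").read() and pass the bytes to rundll32_verdict(); an EXE such as ATISetup.exe normally comes back as "no exported functions", which is the reply's point.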

There may be a malware infection...

There is not. Please read my post and please see the attached.

Yeah, just got this a few minutes ago for the first time, in Win7/7100 as well. Haven’t got a clue what this is about. I had an alert for most of those events in the pic and blocked them (without remembering), just in case, although I don’t think any malware is involved either.

[attachment deleted by admin]

I’m having the same problem on my laptop and desktop. I’m running Windows 7 64 RTM on both. The thing I can’t figure out is that it doesn’t happen all the time. If I reboot, the problem goes away; it normally happens after the PC has been on for a while and NOT in use. Why is it trying to run freaky things (it’s trying to open crysis.exe, ATI apps, everything), and why does it only do it after the PC has been idle? Finally, why does a reboot temporarily fix it?

Thank you

The same issue on Windows 7 (32-bit). Fresh installation, no viruses/trojans. Seems that it is a Comodo Defense+ issue. As it officially does not support Windows 7, we just should wait, I think. :slight_smile:

I am having this issue as well with Windows 7 32-bit Final/updated. It does happen when I’m away from the PC about 15 minutes, and my screensaver had come on the times that it happened. Mine says something about rundll32.exe trying to execute http_…

When I just checked my Defense+ events in COMODO, it became clear that in my case this is caused by VLC Media Player and also by Microsoft Games for Windows LIVE:

C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\VideoLAN\VLC\http\requests\browse.xml
C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Microsoft Games for Windows - LIVE\Client\Help\Http_error_es-es.htm

I have a Win7 32-bit RC1 machine, and every time it goes idle the Application-Experience service kicks in.
All its actions are logged in the Event Viewer (App and Services Logs > Microsoft > Windows > Application-Experience) and look like this:

Compatibility fix applied to C:\Windows\system32\rundll32.exe. Fix information: Win2000/WinXP/WinVista, {random hash}, .

For every such logged event I find a matching event in the CIS logs: ‘rundll32.exe is attempting to execute program X or Y’.

So I’m guessing this is normal activity, eh?

Happening on a fresh install of Windows 7 64-bit retail, fully patched… installed some new software… when I came back to the machine after several hours I had several Comodo dialogs waiting for me…

10/29/2009 1:18:52 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\sv.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:20:53 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Tools\VistaEssentials.dll
10/29/2009 1:22:54 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\fi.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:24:56 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\es.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:26:57 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Steam\bin\SteamService.exe
10/29/2009 1:28:58 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\de.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:30:58 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\it.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:33:01 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Common Files\Apple\Mobile Device Support\NetDrivers\netaapl64.sys
10/29/2009 1:35:01 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\GameSpy\Comrade\156\fr-FR\ComradeLib.resources.dll
10/29/2009 1:37:02 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\ko.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:39:03 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\nl.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:41:04 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\zh_TW.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:43:05 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AOSUtils.dll
10/29/2009 1:45:07 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\nb.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:47:08 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\da.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:49:08 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Bonjour\PrinterWizard.Resources\da.lproj\PrinterWizardLocalized.dll
10/29/2009 1:51:09 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\nb.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:53:10 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\ExplorerPluginResources.dll
10/29/2009 1:55:11 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers\usbaapl64.sys
10/29/2009 1:57:18 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\AirPort\APAgent.exe
10/29/2009 1:59:19 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\de.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:01:19 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\ru.lproj\SoftwareUpdateLocalized.dll
10/29/2009 2:03:20 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\zh_CN.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:05:21 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Steam\Steam.exe
10/29/2009 2:07:23 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\ja.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:09:23 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\sv.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:11:25 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\sv.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:13:25 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\de.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:15:26 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdateFiles.Resources\fr.lproj\SoftwareUpdateFilesLocalized.dll
10/29/2009 2:17:27 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\en.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:19:28 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\fr.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:21:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files\Bonjour\ExplorerPlugin.Resources\zh_CN.lproj\ExplorerPluginLocalized.dll
10/29/2009 2:23:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Benchmark_CPU.bat
10/29/2009 2:25:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Benchmark_GPU.bat
10/29/2009 2:27:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Cry3DEngine.dll
10/29/2009 2:29:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAISystem.dll
10/29/2009 2:31:30 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAction.dll
10/29/2009 2:33:31 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryAnimation.dll
10/29/2009 2:35:31 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\CryEntitySystem.dll
… and more and more and more…

Pretty much for every file that was installed…

Anyone found a way to keep it from happening? Should I report it to Comodo?

Wonder if it would be possible for Comodo to list which process actually called rundll32…
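Two observations in this thread make the log above easier to triage: the post a few replies up that found a matching Application-Experience "Compatibility fix applied to ... rundll32.exe" event for every Defense+ entry, and the roughly two-minute spacing visible in the timestamps here. As an added example, not code from the thread or from Comodo, the Python below parses Defense+ lines in the layout quoted above, pairs each one with an Application-Experience event on the same parent within a few seconds, and reports the spacing of what remains paired. The first four Defense+ lines are copied from the posted log; the fifth Defense+ line, the Application-Experience events and the all-zero GUID inside them are constructed placeholders.

```python
import re
from datetime import datetime

TS_FMT = "%m/%d/%Y %I:%M:%S %p"
CIS_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.+?) Create Process, Execute Image (.+)$")

# Defense+ lines in the layout quoted in the thread. The first four are copied from the posted
# log; the fifth is a constructed, unrelated event so the filter has something to keep.
CIS_LOG = r"""
10/29/2009 1:18:52 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.Resources\sv.lproj\SoftwareUpdateLocalized.dll
10/29/2009 1:20:53 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Tools\VistaEssentials.dll
10/29/2009 1:22:54 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Bonjour\ExplorerPlugin.Resources\fi.lproj\ExplorerPluginLocalized.dll
10/29/2009 1:26:57 PM C:\Windows\System32\rundll32.exe Create Process, Execute Image C:\Program Files (x86)\Steam\bin\SteamService.exe
10/29/2009 3:10:00 PM C:\Users\alice\AppData\Local\Temp\setup_tmp.exe Create Process, Execute Image C:\Users\alice\AppData\Local\Temp\helper.dll
"""

# Constructed Application-Experience events in the wording quoted in the thread; the braces hold
# a placeholder GUID, not a real compatibility-fix id.
APPEXP_MSG = (r"Compatibility fix applied to C:\Windows\system32\rundll32.exe. Fix information: "
              r"Win2000/WinXP/WinVista, {00000000-0000-0000-0000-000000000000}, .")
APPEXP_EVENTS = [(ts, APPEXP_MSG) for ts in ("10/29/2009 1:18:51 PM", "10/29/2009 1:20:52 PM",
                                             "10/29/2009 1:22:53 PM", "10/29/2009 1:26:56 PM")]


def parse_cis(text):
    """Turn Defense+ 'Create Process, Execute Image' lines into dicts; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = CIS_RE.match(line.strip())
        if not m:
            continue
        events.append({"time": datetime.strptime(m.group(1), TS_FMT),
                       "parent": m.group(2), "target": m.group(3)})
    return events


def correlate(cis_events, appexp_events, window=5):
    """Split Defense+ events into those explained by an Application-Experience fix applied to the
    same parent image within `window` seconds, and those with no such match."""
    fixes = [(datetime.strptime(ts, TS_FMT), msg) for ts, msg in appexp_events]
    explained, unexplained = [], []
    for ev in cis_events:
        hit = any(abs((ev["time"] - t).total_seconds()) <= window
                  and ev["parent"].lower() in msg.lower() for t, msg in fixes)
        (explained if hit else unexplained).append(ev)
    return explained, unexplained


def intervals(events):
    """Seconds between consecutive events; a near-constant spacing points at a timer, not a user."""
    ts = sorted(e["time"] for e in events)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    explained, unexplained = correlate(parse_cis(CIS_LOG), APPEXP_EVENTS)
    print(f"{len(explained)} event(s) matched an Application-Experience fix; spacing {intervals(explained)}s")
    for ev in unexplained:
        print("review:", ev["time"], ev["parent"], "->", ev["target"])
```

The matching is deliberately conservative: the parent path must appear in the Application-Experience message and the two timestamps must sit within the window, so an Execute Image record from any other parent, or one that fires at a time with no compatibility-fix event beside it, stays in the list to review.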

Same here, clean install of Win 7 etc. These rundll32 alerts have been appearing when the machine is idle; I just put it down to Defense+ incompatibility with Win 7.

There is an Event Viewer entry that may be related to this. It is in the System log, event ID 11, a warning relating to guard32.dll (a Comodo file), source Wininit, as follows:

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Same problem here, that’s why I came here hoping for a solution.

Every time I come back to my computer Comodo tells me that rundll32 is trying to execute a random DLL file, and they aren’t malware. How can I stop Comodo from asking this all the frigging time?

I’m on Win 7 Ultimate btw.

Try this, folks; it may help, at least it did for me.

Control Panel -> Administrative Tools -> Computer Management -> Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows ->

Highlight “Application Experience”; you should have AIT Agent and ProgramDataUpdater at the top. Right-click on ProgramDataUpdater and select Disable.

Matt

Credit to Quill for finding this little nugget :-TU