Defense+ and *.doc files

I have two HDDs, and the second HDD has my pics, videos, and backup files stored on it.

When I opened it up I got a Defense+ notice asking me if rundll32.exe wants to access Contact.doc, a file of mine, which is not on the second HDD. The odd thing about it is that rundll32.exe even wants to access this file.

Another note: This happened after I set Defense+ to “Safe Mode” after having it in “Clean PC mode” for a long time.

It doesn’t look reassuring.

It could prove useful to track that rundll32.exe and its related DLL, find any possible related startup entry, confirm that rundll32.exe is a legitimate Microsoft app and eventually submit that rundll32.exe and the related file to an online virus scan service like VirusTotal.

The result of this preliminary analysis could provide some clues for taking additional steps.

rundll32.exe is usually a Microsoft stub executable whose purpose is to launch other functions provided in separate DLL files.

Even if rundll32.exe is legit and it is placed in the \WINDOWS\system32 folder, the related DLL may or may not be legit.

If the rundll32.exe path does not belong to WINDOWS\system32 it could be a suspicious file.

MS sigverif is able to report if the rundll32.exe in the Windows subfolder is a legit MS executable.

On a specific PC there may be many different rundll32.exe instances running at the same time, and Task Manager is unable to list the DLL each rundll32.exe launched.

Using Process Explorer (treat it as a Trusted app) it is possible both to confirm the path of each rundll32.exe and to check the loaded DLLs (right-click each rundll32.exe > Properties > Image tab for the command line and path; Process Explorer menu View > Lower Pane View > DLLs).

AutoRuns for Windows provides an easy way to find the related startup entry (e.g. in the Logon tab) and to disable it.
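
The path and DLL checks from the reply above can also be done in one pass from PowerShell. This is an added example, not part of the original thread; it assumes an elevated prompt and the usual `rundll32.exe <dll>,<entrypoint>` command-line shape, and the helper name `Get-SigStatus` is made up for illustration.

```powershell
# Added example: list every running rundll32.exe with its image path, the DLL
# named on its command line, and the Authenticode status of both files.
$sys32    = Join-Path $env:SystemRoot 'System32'
# SysWOW64 holds the 32-bit rundll32.exe on 64-bit Windows, so it is also expected.
$expected = @($sys32, (Join-Path $env:SystemRoot 'SysWOW64'))

# Assumed shape: <rundll32 path> <dll>,<entrypoint> [args]; the DLL may be quoted.
$pattern = '^\s*(?:"[^"]+"|\S+)\s+(?:"(?<dll>[^"]+)"|(?<dll>[^,\s]+))'

# Hypothetical helper: signature status plus signer subject, or a note if missing.
function Get-SigStatus([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    } else {
        'file not found'
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $exe = $_.ExecutablePath      # empty when the caller lacks rights to query it
    $dll = $null
    if ($_.CommandLine -match $pattern) {
        $dll = $Matches['dll']
        # A bare name such as shell32.dll is looked up in System32 only; a DLL
        # loaded from elsewhere on the search path stays unresolved.
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $candidate = Join-Path $sys32 $dll
            if (Test-Path -LiteralPath $candidate) { $dll = $candidate }
        }
    }
    [pscustomobject]@{
        ProcessId      = $_.ProcessId
        ImagePath      = $exe
        PathIsExpected = [bool]($exe -and ($expected -contains (Split-Path $exe -Parent)))
        ImageSignature = Get-SigStatus $exe
        Dll            = $dll
        DllSignature   = Get-SigStatus $dll
        CommandLine    = $_.CommandLine
    }
} | Format-List
```

Any row where `PathIsExpected` is False, or where either signature is not `Valid`, is the one to look at more closely and to submit for scanning. On older Windows and PowerShell versions, catalog-signed system files may be reported as `NotSigned`, in which case sigverif remains the check to rely on.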

I used Process Explorer and have been able to verify both running instances of rundll32.exe. I looked at all the related DLLs for each rundll32.exe instance and I couldn’t find anything unusual.

Another note: When I renamed the Contact.doc file, I stopped receiving Defense+ alerts for rundll32.exe.

What vendor/software do those DLLs in the rundll32.exe command line refer to?
Can you post a screenshot of that alert?