rundll32.exe trying to execute .js file(s) on Firefox.

That is the same problem as this topic:

https://forums.comodo.com/empty-t38107.0.html

I wanted to reply to it, but I saw this: “Warning: this topic has not been posted in for at least 120 days.
Unless you’re sure you want to reply, please consider starting a new topic.” So I came here and started this topic.

In the old topic the file is sessionstore.js, but in my Defense+ alert the file is WebContentConverter.js. However, I see alerts at random times. Yesterday I allowed it without Remember My Answer, then today it came again; I didn’t do anything and Comodo blocked it automatically. After that I restarted my computer, then it came again. This time I checked Remember My Answer and Allow this Request.

sessionstore.js and WebContentConverter.js are both components of Mozilla Firefox. But I don’t know whether they are safe or unsafe. What the heck is with this rundll32.exe module? And what I’d like to understand is this: why did this alert start to come these days, and not in past days?

One more thing. I used CCleaner also. Day by day or power off to power off. Thanks a lot.

I got another alert several minutes ago. It was like this:

Rundll32.exe trying to execute sessionstore.js. The same as the old topic.

I blocked both with Remember My Answer unchecked. I’m waiting for a response before putting these files in my Computer Security Policy as allowed or blocked.

Firefox running sessionstore.js each time you quit seems to me, as its name suggests, normal behaviour.

I do not have such alerts.

The question therefore is what are your personal settings for firefox and rundll32 in defense+ (access rights and settings); can you tell us about them?

Rundll32 and Firefox are both like this: Run an executable (ask), Protected Registry Keys (ask), Protected Files/Folders (ask); the others are allow. Comodo did this, I didn’t touch anything.

If you want, I can give you the Firewall policies too.

As for sessionstore.js and WebContentConverter.js, I should point out that whether or not I use CCleaner, they still come up as Defense+ alerts. I blocked them until I get an answer here about these things, block or allow.

Is that during “idle” on a Win Vista/Win7 system?

None.

I’ve used this computer for three or four months, Windows 7. It is a clean system; I first installed my modem, then Comodo. Everything was OK. But after a few months, my connection went down. I tried everything but it didn’t come back. I uninstalled Comodo and saw it come back; after that I quickly installed Comodo again. That is all I did. I hadn’t had any problems like these before.

Just this week. I only did this: I turned on my computer and connected to the internet. After that I started Firefox, then in about one or two minutes these alerts came. Only this.


I apologize for spelling errors because of my limited English.

Do you happen to have Windows Defender and/or Microsoft Security Essentials active?

I happen to notice this behavior also, but only in system “idle” situations, but that’s because I changed some settings for Windows Defender…

Do you also have rundll32 creating other alerts?

I have Windows Defender active.

None. I noticed this behavior after running Firefox, not when the system is idle. I didn’t get any alerts except these from rundll32. I gave my policies too. My Firewall and Defense+ settings follow Kyle’s suggestion in the Guides forum section.

About Windows Defender. Should I check something?

Thanks.

My own Firefox (3.6 for xp sp3 pro) firewall policy is default web browser, its defense+ policy has every item at ask, HKLM\SYSTEM\ControlSet???\Services* is allowed in registry keys.

rundll32.exe has no firewall specific rule, and does not have to have one, as it is part of system as it lies under \system32; system is set as custom, with LAN specific rules, but no one is set at less than “ask”, and I am never asked anything for js.

I have a specific defense+ rule for %windir%\system32\rundll32.exe, set to custom, although I don’t remember having created it myself and I am not sure it’s such a good idea, and stipulating in “access rights” that items 1, 8 and 9 are “ask”, all others “allow”; permission for item 1 is %windir%*, HKLM\SYSTEM\ControlSet???\Services* for item 8.
“settings” are not active.

rundll32 can be a real security threat: no one cares for it running standard firefox js, but what about a malicious javascript in another location?

Some firefox settings themselves could be responsible for the related behaviour (I run a no script addon?, maybe checking the “clear history” box clears the session.js file and asks for modification?), but I also would like to know the general policy of Comodo towards javascript.

Take a look here at the functions of sessionstore.js:
http://kb.mozillazine.org/Session_Restore
WebContentConverter.js also is a legit firefox file, but remains a script, and as such vulnerable, see:
http://www.pc1news.com/files/99456-webcontentconverter-js.html

That is right. It is JavaScript. That is why I flutter here to know what is going on.

rundll32 is crucial because it is a system processor. My Defense+ rules are like yours. But I have no rule for 8.

My Firewall rule was appointed by Comodo after re-install (I mentioned it in my post). Should I remove it?

I looked up both sessionstore.js and WebContentConverter.js; there is limited information about them. My Firefox doesn’t hold any cookies. They are all gone after I close it, and yes, I do clear history every time I close my Firefox.

rundll32 is also used on Vista/Win7 if there are some things run under UAC or admin level instead of standard user… could that have anything to do with it?

Have you installed any add-ons lately?

What happens if you write the same 8 rule that Comodo wrote for me?
What happens if you choose not to clear history when you close Firefox?

Again, sessionstore and webcontentconverter are perfectly legit and innocuous: the first one registers information to restore from a crash (and is thus rewritten each time you quit Firefox) and the second one what to do in the firefox “applications” menu, not to be changed so often, but only when you install a new concerned software.

Nothing to worry about and, at least concerning sessionstore, it is under the xxxxx.slt folder; xxxxx is random precisely to keep whatever software (including Comodo?) from reaching it. You can disable it in about:config (session restore). Or allow them.

No, the REAL question is the behaviour of Comodo with a js file downloaded in a temp file or wherever else from a malicious software.

Did you put your Firefox profile on the “My protected files” maybe?

I’m running D+ in paranoid and can’t remember having seen these ever…

Comodo did change the behavior of script handling in V4: it now also alerts on, for example, a perl script that chains other commands or tools, which is now added to the security policy as the script name and path, and not just as an action caused by perl.exe. This way you have more granular control over scripts…

But that should not be the case here.

UAC is enabled on my computer.

My Firefox has only one add-on: AdBlock Plus. There is nothing except this. But I remember that I installed McAfee SiteAdvisor and it caused problems. My Firefox was working too slowly and I uninstalled it. I installed and uninstalled it on 24 February. And these alerts started to come on that day or on 25 February. So I think there is something associated with SiteAdvisor and these alerts. How can I clear SiteAdvisor’s history from my computer? If you say use CSC (Comodo System Cleaner), I can say I’m afraid of it because it found many things and I don’t know what they are. So I can’t use it. But if you say I have to use it, I can try. :)

brucine, I think there is no need to write a ControlSet rule for rundll32, because it is for services.

Ronny, Firefox is not in My Protected Files.

Thanks.

Try this tool if Add/Remove Programs fails:

http://service.mcafee.com/FAQDocument.aspx?id=TS100507&lc=1033

brucine, I think there is no need to write a ControlSet rule for rundll32, because it is for services.

And why not?

It can be set to forbid/allow a specific executable or, for what we are concerned with, to allow specific files (i.e. firefox concerned js files).

None. McAfee’s CleanUp Tool doesn’t work. It cleaned a lot of things but the alert came back again. Right now only sessionstore.js. McAfee’s CleanUp Tool also said “Incomplete CleanUp”.

brucine, ControlSet is primarily for services.exe, that is what I think. Maybe you are right; it is my fault for thinking wrongly.

Can you please verify whether your rundll32.exe is signed by Microsoft? There seem to be infected versions around…
http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

Maybe also upload rundll32.exe to http://www.virustotal.com to see if it’s detected…

One other thing: do you have .js active to check for Image Execution in Defense+?
(Image Execution, Files to check)…
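
The signature check suggested in the post above, as an added example that is not part of the original thread: a read-only PowerShell triage that verifies the on-disk rundll32.exe copies and lists what each running instance was asked to load. The function names are hypothetical, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: read-only triage of rundll32.exe on the local machine.
# Assumes Windows PowerShell 5.1 or later; function names are hypothetical.

# The only locations where the genuine binary is expected to live.
$expected = @(
    (Join-Path $env:windir 'System32\rundll32.exe'),
    (Join-Path $env:windir 'SysWOW64\rundll32.exe')
) | Where-Object { Test-Path -LiteralPath $_ }

# 1. Signature status and SHA-256 of each on-disk copy.
function Get-Rundll32FileReport {
    foreach ($path in $expected) {
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path     = $path
            Status   = $sig.Status   # 'Valid' = file hash and certificate chain verified
            Signer   = $subject
            # The subject text alone proves nothing; it only counts with Status = Valid.
            MsSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
            SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# 2. Running instances: image path, parent process, and full command line
#    (the command line shows which file rundll32 was pointed at).
function Get-Rundll32ProcessReport {
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId    = $_.ProcessId
            Image        = $_.ExecutablePath
            Parent       = $parent.Name
            CommandLine  = $_.CommandLine
            # An empty path (access denied) counts as unexpected so it gets a second look.
            ExpectedPath = $expected -contains $_.ExecutablePath
        }
    }
}

Get-Rundll32FileReport    | Format-List
Get-Rundll32ProcessReport | Format-List
```

The SHA256 value can be searched on VirusTotal instead of uploading the file. Earlier PowerShell versions may report catalog-signed system files as NotSigned, in which case the Sysinternals tool linked above is the better check.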

I ran McAfee’s CleanUp Tool in Safe Mode. But it gave an error. There is limited permission for this clean up. I think it is Comodo again.

rundll32.exe is signed by Microsoft. Comodo said so. And I checked: yes, it is signed by Microsoft.

About Image Execution, .js is not active. Right now I’m gonna use CSC. I will send logs here.