Hi, I have a popup from Defense+ every time I am away from the keyboard. It is located in the Windows directory/system32. The popup displays that rundll32.exe is trying to create process, execute image for C:\Program Files(x84)\Steam\Bin\Steamservice.exe. I had always tried to run steamservice.exe whenever I am idle. It will also sometimes try to run atdcm64.sys, steam.exe, as well as any other files I have on my computer. Is this normal? I have Windows 7 64bit and I have scanned my computer multiple times and it came up clean.
Assuming it is a legitimate Steam file, next time you get the alert you can tell rundll32.exe to allow and remember that action.
I have the same problem with Seven 64bits.
I saw in older release notes (184.108.40.2065) that rundll32.exe is no longer treated as trusted by default, as it has execution capabilities:
IMPROVED! Handling of known code executing applications: - Defense+ has been modified such that some known code executing programs such as rundll32.exe or windows scripting host are not automatically trusted anymore.
But on my system it seems like it wants to “Create Process, Load Image” for almost all .exe, .dll and .lnk on my System drive.
The Defense+ log is full of these alerts (one every 2 minutes) and it looks like all my files are tried one after another alphabetically (However, some show “00008002” instead of the “Create Process, Load Image” label).
I’m not sure this is the right behavior for rundll32.exe, as I thought it was only used to load and register DLLs in the registry. I don’t understand what it is trying to do on all files that are runnable.
Maybe the Windows Application Experience is active. That was active by default with the Win 7 test builds and there is a choice to enable it when installing Win 7; it will ask something like if you want to send information to Microsoft for them to learn about user behaviour.
Read rundll32.dll active when system idle!! for reference.
What version of CIS are you using?
Oops, now I find this:
Ah, all those useless functions in windows…
You found the same topic as to which I pointed. Good proactive searching on your end. :-TU
Yes I just posted after reading the first hit… 88)
I was too suspicious about this…
But now, those who find this hit will see the answer. It seems to work fine now.