Trust No Program
This topic is locked: you cannot edit posts or make replies.
Lingering process rundll32.exe
Guest


This process does not end, even though all other processes are closed already. Does anybody have the same problem?

This is the lingering process.

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

Any idea what could solve this issue?
Brummelchen


Joined: 13 Oct 2008
Posts: 274
Google told me that your system is infected with a trojan... --> SHCreateLocalServerRunDll

Get the Avira rescue CD - burn the ISO as an image and boot.
http://www.avira.de/en/support/support_downloads.html

That won't delete malware, but it is a secure action to determine malware.
If something is found - rescue important data, then format and install Windows from scratch. After that, change every password.
Guest10


Joined: 27 Apr 2008
Posts: 4401
Location: Ohio, USA
Rundll32 is a commonly used command line utility that is used to invoke a function from a 32 bit DLL file.
In this case, from the normal Windows Shell.dll file, using the entry point called "SHCreateLocalServerRunDll".

I wouldn't assume that there's anything wrong here. The question though, is what is utilizing this utility.
It sounds kind of like a program wants to work as a server, on your PC. That's certainly not unknown. I have a number of programs on my computer that my Zone Alarm firewall pre-configures to allow them to work as a server in the Trusted Zone, as well as some of them in the Internet Zone. I'm not real crazy about that, since only some Windows programs should really have that permission, but it hasn't created any known problems for me.

Have you narrowed it down to one particular program that causes this utility to run in the sandbox?
Possibly the argument {3eef301f-b596-4c0b-bd92-013beafce793} might shed a clue, if you can use the Registry Editor to search your Registry for it.

When you see that listed in Control's window, after other processes have ended, have you tried right-clicking on it?
Then Program Settings > check "Stop this program if it lingers in the sandbox..." ?

If there's any question at all about whether your computer has a malware infection, download and run the free version of MalwareBytes.

_________________
Paul
XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17
Guest


Thanks for the help!

I scanned the system with various tools (S&D, Malwarebytes, Comodo and so on). No malware detected.

I have checked two Vista systems, both have the entry in the registry. Unfortunately I couldn't find anything meaningful there. Two entries are linked to {3eef301f-b596-4c0b-bd92-013beafce793} and contain:
Default = Destkop Undo Manager (yes, including the typo!!!)
Run As = Interactive user

That's all I could find. Yes, I can set up Sandboxie to stop this lingering process, but of course I am wondering why this process runs in the first place (seemingly only in Sandboxie).
Brummelchen


Joined: 13 Oct 2008
Posts: 274
Quote:
I scanned the system with various tools (S&D, Malwarebytes, Comodo and so on). No malware detected.

That's rubbish - I didn't write without purpose to use a rescue CD - it's a clean system!
And you are not sure if a rootkit was installed - those tools can NOT detect that.

And Google ain't really helpful
http://www.google.com/search?q=3eef301f-b596-4c0b-bd92-013beafce793
and nothing on "Destkop Undo Manager".

Either an internal undocumented function or otherwise malware.
Guest


I agree, and I actually had used the VistaPE Avira plugin, but no malware was detected.

I could not find any information about this function either, but it would be nice to know what it does.

One other interesting question is why the process is only visible in a sandbox and why it lingers.
Guest10


Joined: 27 Apr 2008
Posts: 4401
Location: Ohio, USA
To me, the most troubling aspect is the misspelling:
Default = Destkop Undo Manager

Misspelling has often been associated with malware, scams, etc.
I wonder if any others also have this item in their Registry.
MitchE323


Joined: 02 Nov 2006
Posts: 2268
Do you have anything like 3D Desktop installed? Notice the spelling in the first sentence (but not in the title). http://freshmeat.net/projects/3ddesktop/
Since it involves shell32.dll and desktop undo - just a guess .......

Also, if it does turn out to be malware and you have it on two different setups - there may be something on a USB stick if you are going back and forth between the two setups.
Hank52


Joined: 08 Apr 2007
Posts: 193
Location: Canada
Download this program from Sysinternals and see if it's running in the list of running processes. Just create a folder called Process Explorer and put the executable in it. Then make a shortcut on the desktop. Nothing gets installed.

Run the program to see who it's registered to. It's a very handy program.

Process Explorer v11.33

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Ken:
wraithdu


Joined: 29 Jun 2007
Posts: 1410
Hmm, I have the registry entry as well, except without the '-Embedding' part. However I've never seen the process actually running on my computer, either with Process Explorer or Autoruns. Google is really no help here either.

Vista SP1
Guest


It says "Microsoft" (signed). I guess because the actual process is rundll32.

No, I did not install 3D Desktop.

I am almost tempted to say that this is a legitimate Microsoft function. But then again, the typo is kind of strange, as somebody pointed out already.
Cadillakin


Joined: 22 Jan 2009
Posts: 261
I've got a variation on that rundll32 command in my registry. It seems to be connected to Microsoft's DCOM Server Process Launcher.

_________________
XP-Pro SP3, Buffalo Router w/ NAT & SPI Firewall, Sandboxie 3.44
rundll and desktop undo
me
Guest

Anonymous wrote:
It says "Microsoft" (signed). I guess because the actual process is rundll32.

Exactly. The host process (rundll) is the process (just like svchost for hosting services). If you ask for processes, generally you get processes, not DLLs. There are tools to see DLLs, including one mentioned above, sysinternals.com's procexp. NirSoft has a few, too. And don't forget the MS Task Manager, though it doesn't do DLLs.

About the desktop undo thing, I have a guess (just a guess). If you try, you'll notice that the undo function is available on the Windows desktop. Example: click to select an icon. Drag it to the trash. Then pretend (this is important) to have lost it and need it back. Type Control-Z (the universal key for undo, just like Ctrl-X, C, and V). The icon pops back onto the desktop. A timesaver at times.

So, my guess is that this process implements that desktop undo feature. I don't think Windows has an undo feature itself; it seems to be written into applications. But, despite the lack of menus from which to choose it, undo is there. A process might be a reasonable way to implement it. Don't know how much asynch it needs.
Guest


I think you are right. Actually, when I do drag an item to the Recycle Bin (within a sandboxed Explorer), three things happen:
1. I get an error message "Item not found" (but the item was moved)
2. The rundll32 process as described above appears in the Sandboxie Control window
3. The process lingers after all processes (in my example: Explorer) are closed

Maybe somebody else is able to reproduce this?
nick s


Joined: 20 Dec 2008
Posts: 331
Anonymous wrote:
Maybe somebody else is able to reproduce this?
I can reproduce it on Vista SP1. In fact, my HIPS app (Malware Defender) logged the following when I first right-clicked on a sandboxed Desktop icon...

4/28/2009 21:35:20 c:\program files\sandboxie\sandboxiedcomlaunch.exe Create new process c:\windows\system32\rundll32.exe Permitted [App]* Cmd line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

_________________
Nick
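The thread leaves two pieces of manual work to the reader: pulling the DLL, entry point and CLSID out of a rundll32 command line like the one in the HIPS log above, and looking the CLSID up in the Registry as Guest10 and the original poster did. The script below is an added example written for this page, not code from Sandboxie, Malware Defender or Sysinternals. The log lines it parses are constructed to match the layout of the Malware Defender entry quoted above (the second line is invented for contrast); the regex, the triage notes and the `resolve_clsid` helper are this example's own. The helper assumes the standard COM registration layout (server paths under `HKCR\CLSID\{clsid}\LocalServer32` or `InprocServer32`, the `RunAs` value under `HKCR\AppID\{appid}`) and simply returns nothing off Windows.

```python
"""Triage rundll32 process-creation events from a HIPS log and, on Windows,
resolve the COM CLSID passed to SHCreateLocalServerRunDll via the Registry."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines (not real telemetry) in the layout of the Malware
# Defender entry quoted in the thread: timestamp, parent, action, child,
# verdict, command line. The second line is invented to show a contrasting case.
SAMPLE_LOG = (
    "4/28/2009 21:35:20 c:\\program files\\sandboxie\\sandboxiedcomlaunch.exe "
    "Create new process c:\\windows\\system32\\rundll32.exe Permitted [App]* "
    "Cmd line: C:\\Windows\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll "
    "{3eef301f-b596-4c0b-bd92-013beafce793} -Embedding\n"
    "4/28/2009 21:40:02 c:\\users\\me\\appdata\\local\\temp\\setup.exe "
    "Create new process c:\\windows\\system32\\rundll32.exe Permitted [App]* "
    "Cmd line: rundll32.exe C:\\Users\\me\\AppData\\Local\\Temp\\helper.dll,Start\n"
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<parent>.+?) Create new process (?P<child>.+?) "
    r"(?P<verdict>Permitted|Blocked) .*?Cmd line: (?P<cmdline>.+)$"
)
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass
class Rundll32Event:
    timestamp: str
    parent: str
    cmdline: str
    dll: str = ""
    entry: str = ""
    args: str = ""
    clsid: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_rundll32_cmdline(cmdline: str):
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry, args).

    rundll32 treats the text before the first comma as the DLL and the text
    after it as the entry point; everything after the next space is handed to
    the entry point as its argument string.
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return "", "", ""
    target, _, args = parts[1].partition(" ")
    dll, _, entry = target.partition(",")
    return dll, entry, args.strip()


def triage(event: Rundll32Event) -> Rundll32Event:
    """Attach the observations a defender checks first for a rundll32 launch."""
    event.dll, event.entry, event.args = parse_rundll32_cmdline(event.cmdline)
    m = CLSID_RE.search(event.args)
    event.clsid = m.group(0).lower() if m else None
    if "\\" not in event.dll:
        # A bare name goes through the loader's DLL search order, so which
        # module is actually loaded depends on the working directory and PATH.
        event.notes.append("dll given as bare name; resolved via search order")
    elif not event.dll.lower().startswith("c:\\windows\\"):
        event.notes.append("dll outside the Windows directory")
    if "-embedding" in event.args.lower():
        event.notes.append("COM activation (-Embedding): check the CLSID's server")
    return event


def parse_log(text: str) -> List[Rundll32Event]:
    """Return one triaged event per rundll32 process-creation line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "rundll32.exe" not in m.group("child").lower():
            continue
        events.append(triage(Rundll32Event(m.group("ts"), m.group("parent"), m.group("cmdline"))))
    return events


def resolve_clsid(clsid: str) -> dict:
    """On Windows, read what HKCR says about the COM class and its AppID.
    Returns an empty dict on other platforms or when no key exists."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}

    def read(subkey: str, value_names) -> None:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as key:
                for name in value_names:
                    try:  # "" reads the (Default) value of the key
                        found[f"{subkey}\\{name or '(Default)'}"] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        pass
        except OSError:
            pass

    read(f"CLSID\\{clsid}", ["", "AppID"])
    read(f"CLSID\\{clsid}\\LocalServer32", [""])
    read(f"CLSID\\{clsid}\\InprocServer32", [""])
    appid = found.get(f"CLSID\\{clsid}\\AppID", clsid)  # AppID may differ from the CLSID
    read(f"AppID\\{appid}", ["RunAs"])
    return found


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(f"{ev.timestamp}  parent={ev.parent}")
        print(f"  dll={ev.dll} entry={ev.entry} clsid={ev.clsid}")
        for note in ev.notes:
            print(f"  note: {note}")
        if ev.clsid:
            for k, v in resolve_clsid(ev.clsid).items():
                print(f"  registry: {k} = {v}")
```

Run on a Windows machine, the Registry section prints the class name (the "Destkop Undo Manager" default value the thread reports), the server path and the `RunAs` value, which answers the "who is it registered to" question without a third-party tool; the parent-process field is the other thing worth reading, since in the thread's case the launcher is Sandboxie's own DCOM launcher rather than an arbitrary program.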