Yes, Malwarebytes is whitelisted.
Since this problem, I've run numerous time the scan by MB and that particular message didn't return. Even if a open the registry of VoodooShield, I only found that particular entry listed two times, when the popup first occured.
I deleted the block setting and the registry to see if the message come back, but to this moment that particulat "script" didn't run.
I believe that the MB trigger was only a coincidence. In that particular moment something runs rundll with that option and at the same moment I was trying the scan from MB. I try again immediatly after and the blocked script popup again.
I don't know if a need to open another thread becuase now this seems uncorrelated.
I tried searching online and "rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie" seems used by malware, buti n my case the host is note an IP, but the name of my PC... It seems like davsetcookie accessed /root/subscription:nteventlogeventconsumer.name:d"scm event log consumer" (I cleaned the previous script which contains many %).
I don't know how this nteventlogeventconsumer work. From my basic understanding davsetcookie in related to WebDav, a client to access remote documents. But I do not use remote document and I don't know if it's normal that the scm event log consumer was accessed via http or like a webpage, instead that normally written locally like a normal file.
Please see my upper quote. At this moment I believe the strange behaviour with MB was only a coincidence, and VoodooShiled only alerted the execution of the previous code, which I don't know if is maliciuos or not...