SoulRock® ScriptSyntax

[Guest]

[martin11ph]

Here is a screenshot with a larger detail tab.

[martin11ph]

Here is the command line:
"C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\ScriptSyntax.dll.vbs"

[kail]

Hmm.. and that previous shot you posted shows wscript.exe asking for things about C:\WINDOWS\ScriptSyntax.dll.vbs.. does that file exists? If so, please email to me (zipped). Thanks. Also check NOD32s virus definitions are up to date, it is monitoring this activity.

[martin11ph]

I don't see the file in the Windows folder. I guess it appears only when it creates the file again. Yes NOD32 is updated.

[kail]

OK, it might still be a legitimate use. I assume you're running CFPs Defense+? We could deny wscript.exe access to.. well.. everything actually. It would obviously break what was using it & that might yield some useful information.. might not. But, it will certainly stop it.

[martin11ph]

Err. . .I register it as a New Blocked Application in the firewall or terminate and quarantine in the defense+?

[kail]

I guess adding wscript.exe to your Quarantined files is the easiest to do & undo. I'm uncertain if having existing rules impacts this (never considered testing that). But, I'm sure you'd find out fairly quickly.

[martin11ph]

I guess adding wscript.exe to your Quarantined files is the easiest to do & undo. I'm uncertain if having existing rules impacts this (never considered testing that). But, I'm sure you'd find out fairly quickly.

I don't quite get what you mean about the rules. Sorry.

[kail]

Sorry, nothing of importance. It will either work & block wscript.exe totally once its quarantined or it will not work.

[martin11ph]

Well, I quarantined wscript.exe but the files are still created.

[kail]

Anything in the Defense+ Log? Check Process Explorer again.. wscript.exe still running?

[martin11ph]

Defense + just shows the process monitor accessing the memory. wscript.exe is still in the process explorer but there is no more icon, description and company name.

[kail]

Yes, that's because Process Explorer cannot query it any more because CFP has quarantined it. I was going to suggest killing it, but I don't think CFP would let you do that! So, how about a reboot?

[martin11ph]

Will you look a that. Delete and it stays deleted. Thanks a lot kail for guiding me the whole time. Really appreciate it.

Off-topic: How are you all so good at this? Is it experience,profession or maybe both? Coz you know, I am currently a computer engineering student, no major subjects yet though. Will we learn about this stuff as well?

[kail]

Will you look a that. Delete and it stays deleted. Thanks a lot kail for guiding me the whole time. Really appreciate it.

Erm.. sorry, but we didn't actually fix it.. whatever it is. We merely broke it so it couldn't work anymore. You should check the Defense+ log now to see what tried to gain access to wscript.exe.

..
Off-topic: How are you all so good at this? Is it experience,profession or maybe both? Coz you know, I am currently a computer engineering student, no major subjects yet though. Will we learn about this stuff as well?

I'm sorry, I don't know. I'm way too old to know what they teach you, or not, these days.  Someone.. younger.. might know. I could call one of the younger Mods?

edit: Ooo sorry. Sort of both: Experience caused by Profession & a cat-like curiosity.

[Tags:]