+  Welcome to the Comodo Forum
|-+  Learn about Computer Security and Interact with Security Experts
| |-+  Virus/Malware Removal Assistance
| | |-+  SoulRock® ScriptSyntax
Author Topic: SoulRock® ScriptSyntax  (Read 20159 times)
kail
Autonomous
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 5364


I'm not a complete idiot, some bits are missing.


« Reply #45 on: May 25, 2008, 10:52:13 AM »

That sounds OK. Right, we cannot really leave wscript.exe quarantined because it breaks a part of Windows functionality & it may cause unexpected problems later. Unfortunately, we didn't really discover what created "ScriptSyntax.dll.vbs" or its AutoRun entry in the first place either.

So, this is what I recommend.. open CFP - Defense+ - My Quarantined Files. Select the "wscript.exe" entry & hit "Remove". Now, select Add - Browse.. a second window should appear. In the top line (Add new item) enter..

      C:\Windows\ScriptSyntax.dll.vbs

.. press the little + symbol (far right) and the entry should appear in the "Selected items" pane. Hit Apply & Apply again. So, even if it does come back.. you've now created a quarantine block within CFP to stop it (a virus worth anything should really try a different name). You should also remember that using the "Purge" function with CFP's My Quarantined Files will remove this entry because the actual file doesn't exist. So, reboot.. check both AutoRun & CFP to check that nothing has come back (using a different name maybe).. and if not, we're done.

Windows 7 Ultimate x32 with CIS 3.14 & Firefox 3.6 & Becky! 2.54
__
A positive and polite attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
martin11ph
Comodo Family Member
***
Offline Offline

Posts: 96



« Reply #46 on: May 25, 2008, 10:56:58 AM »

Thanks. Am now going to reboot. Hope this finishes it.
martin11ph
« Reply #47 on: May 25, 2008, 11:07:20 AM »

Defense+ shows that svchost.exe has blocked scriptsyntax.dll.vbs. MSConfig remains unchecked in autorun. Nothing seems to have come back. I think the problem is solved. Am I right?
kail
« Reply #48 on: May 25, 2008, 11:17:57 AM »

Stopped maybe, resolved.. not so sure. Sorry.

svchost.exe? I'm trying to think of a reason why SVCHOST would need to access any VBS file, let alone the one we quarantined.. and I can't think of one at the moment. There are Trojans & malware that impact SVCHOST. What's the directory location of svchost.exe?

In any event, I think you should update both NOD32's & Avast's Virus Definitions and perform a full (over-night) scan just to be sure. If you have any other scanners, you should do the same for them as well.
martin11ph
« Reply #49 on: May 25, 2008, 11:21:20 AM »

svchost is in C:\windows\system32. Both Avast and NOD32 are updated. I'll scan later. Whenever I run autorun, it also appears in defense+ as a block file action. Might be because we unchecked MSConfig?
kail
« Reply #50 on: May 25, 2008, 11:40:56 AM »

The location of svchost.exe is fine. The attempted access to the quarantined VBS file still concerns me. It might be doing that because of a registry entry (uncertain). Let's see what your full scans reveal, if anything.

Yes, AutoRun will generate a Log entry in CFP. It tries to check that the entries (both disabled & enabled) are valid and, in your case, CFP now prevents that check.

At least you know you stopped it actually running.
martin11ph
« Reply #51 on: May 25, 2008, 11:44:40 AM »

I guess that's it for me now. Will be posting later if the scans found anything. Thanks for everything kail.
kail
« Reply #52 on: May 25, 2008, 11:49:03 AM »

No problem, glad I could help.
martin11ph
« Reply #53 on: May 27, 2008, 04:37:46 AM »

Been busy. I will be able to scan in about 14hrs from now.
martin11ph
« Reply #54 on: May 28, 2008, 12:59:05 PM »

My ISP was down the whole day. Just got connected. Scanned with ESET, Avast and Spybot.
ESET and Spybot didn't find anything. Here are some screenshots and also a HJT log. I'm wondering about all those damaged CAB and OLE files.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:02 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = SoulRock® ScriptSyntax Copyright © 2007 SoulRock Develop. BinaryBit™
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: FLV Getter - C:\Program Files\FlvGetter\FlvGetter.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7036 bytes
« Last Edit: May 28, 2008, 01:02:46 PM by martin11ph »
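A small triage pass over HijackThis log lines of the kind posted above, added here as an example; it is not code from the thread or from HijackThis. The sample lines are constructed, and the O4 entry launching ScriptSyntax.dll.vbs is hypothetical, standing in for the AutoRun entry the thread never actually captured.

```python
import re

# Constructed sample, modelled on the HijackThis v2.0.2 log posted in this
# thread. The O4 line with the .vbs is a hypothetical entry of the kind kail
# suspected, not a line from the poster's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = SoulRock ScriptSyntax
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ScriptSyntax] wscript.exe C:\WINDOWS\ScriptSyntax.dll.vbs
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# Every HJT entry line starts with a section code (R0, O4, O23, ...) then " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Script file extensions and the Windows Script Host interpreters.
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta)\b|\b[wc]script(\.exe)?\b", re.I)


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Apply the checks this thread turned on; returns (section, reason, body) tuples."""
    findings = []
    for section, body in entries:
        if section == "R1" and ",Window Title = " in body:
            findings.append((section, "IE title bar customised (registry value set)", body))
        elif section == "O4" and SCRIPT_RE.search(body):
            findings.append((section, "script interpreter or script file in a Run key", body))
        elif section == "O20" and body.startswith("AppInit_DLLs"):
            findings.append((section, "AppInit_DLLs set; confirm the DLL belongs to a known product", body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points at a missing file", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

On the sample, the R0 start page and the Comodo Run entry pass, while the title bar value, the .vbs Run entry, the AppInit_DLLs value and the orphaned Kodak service are reported for review.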
kail
« Reply #55 on: May 29, 2008, 06:33:45 AM »

Yes, the CAB files worry me too.. mostly driver.cab in i386. I'm fairly sure that either Avast or NOD32 should be able to decompress & scan driver.cab. In explorer.exe, can you right click on driver.cab & perform a successful scan with either Avast or NOD32 that way?

The other corruptions, in places like SoftwareDistribution\Download (Windows Updates) & \Desktop (Limewire?), might be due to the update failing or, in Limewire's case, the containing file not being completely downloaded as yet; this often shows up as an apparent corruption on scans like this.

Side note: There is a MS How To on removing/changing the MSIE title bar, which I believe is also relevant to MSIE 7.
martin11ph
« Reply #56 on: May 29, 2008, 12:19:28 PM »

I can successfully finish a scan with NOD32. The Avast on-access scanner, I think, did finish because it just disappears after scanning. I did scan it again with Avast antivirus and here is the screenshot.

As to the MSIE, I haven't tried it yet because I don't have a registry editor. Can you recommend one? Thanks.
kail
« Reply #57 on: May 29, 2008, 12:38:06 PM »

Avast says it's bad (I'll find someone with Avast to confirm/deny this). I think NOD32 probably has the results of the scan logged somewhere.

Registry Editor: Yes, you do. It came with XP. Start button - Run & then type "regedit" (no quotes).
martin11ph
« Reply #58 on: May 30, 2008, 01:18:06 AM »

Oh yeah. I forgot about that.
Done.
« Last Edit: May 30, 2008, 01:22:14 AM by martin11ph »
kail
« Reply #59 on: May 30, 2008, 05:06:52 AM »

It's venerable & not exactly feature rich, but it still does the job. Well done.

No good news on the AV scanning of driver.cab as yet. It seems that other Avast users on XP can scan driver.cab without issue, whereas someone recalls NOD32 not being able to scan driver.cab without errors. So, don't know what's going on here.. yet.