SoulRock® ScriptSyntax

Anybody heard of this? It creates ScriptSyntax.txt in C: and C:\windows.
When I open it:
SoulRock® ScriptSyntax
Copyright © 2007 SoulRock Develop.
BinaryBit™
Product’s Technicality:
Enables your system’s registry editor.
-A counter attack for virus(es) w/c may have disabled your system’s registry editor.
Deletes autorun(s) from your hard drives.
-A counter attack for virus(es) w/c may have created autorun(s) on your hard drives.
-Autorun(s) are created by virus(es) to trigger their technicalities (w/c disables your hard drives).
-If your hard drives are still disabled please try to restart your computer.

Hadn’t noticed anything wrong yet. I don’t want to wait for anything to occur also. There is limited info when I search on google. Any ideas?

I scanned with the Comodo scanner and Spybot:Search and Destroy. Nothing came up.

Hi martin11ph

I’ve not heard of it before. And you are not kidding about a Google search… I found this actual topic (■■■■… that’s fast Google!) & one other reference. The poster thinks it’s a virus (got told off for double posting instead & asked to produce a HiJack log). It’s odd that the phrase “SoulRock ScriptSyntax” is so unique. Couldn’t get much on “BinaryBit” either. Did find this on “SoulRock Develop”. Rare maybe?

Is there an actual process you can identify with this Soul thing? Use SysInternals’ tools to investigate this (AutoRun, Process Explorer/Monitor, etc).

What is this SysInternals? I searched and came up with this website of Microsoft:

Don’t know which utility I should choose.

I downloaded autorun and didn’t seem to find anything odd in the list.

Edit: Here is an entry under the explorer tab:

Autorun Entry: 0 (no icon)
Description: blank
Publisher: blank
Image path: File not found: About:Home

There are many autorun entries also in the driver tab which have file not found: . . .
should I remove them?

Yes, that’s them. MS bought them & still offer the tools free! Almost unbelievable.

OK… Process Explorer is an extended Task Manager for watching processes in realtime. Process Monitor watches processes (and what they do) sequentially in a log-like listing. If this thing produces something on the desktop at any point, you can use Process Explorer to identify it & Process Monitor to track it. More importantly Process Explorer will also know what started it. AutoRun is useful for seeing what automatically starts up on your system (lots of tabs to explore). A HiJackThis log would probably be useful as well.

Sorry, you posted whilst I was typing…

"Autorun Entry: 0 (no icon) Description: blank Publisher: blank Image path: File not found: About:Home"

Don't worry, I think this is just a blank Homepage setting.

"There are many autorun entries also in the driver tab which have file not found: . . . should I remove them?"

No, you should not remove them unless you know they are redundant (old hardware device, software, etc..). You must be very cautious in the driver section, you can make your system non-bootable by stopping/disabling the wrong driver. Some drivers hide (like CFPs) and can cause AutoRun to produce this message.

With Process Monitor you should be able to see what writes ScriptSyntax.txt into C:\ and C:\Windows.

How do I find which one it is? There are hundreds of thousands of events appearing. The events just recur.

Here are some screenshots:

[attachment deleted by admin]

I was about to say that adding an include filter for “ScriptSyntax.txt”… but, I see you got that (unless that’s all that was happening!).

OK, use Process Explorer to find out (a) who started those WScript.exe & ekrn.exe processes & (b) what was the command line? (might need to add more columns to get these details). Also do you have .VBS files lying around your root level?

Hang on… ekrn.exe?.. isn’t that a NOD32 component? Do you have NOD32? If not, run it through Jotti.

BTW not terribly thrilled about WScript using wshom.ocx… that OCX is “ActiveX control used to create shortcuts, enumerate network drives, and so forth”.

Yes. I have NOD32. I don’t know what you mean about root level but I did search for .vbs files and there are some in c:\windows\system32

Here is the breakdown of the processes.

[attachment deleted by admin]

Sorry, by root level I meant C:. The screen shots you posted showed a file called ScriptSyntax.txt.dll.vbs being created in C:\ and what looked like the creation time being altered/set (not a good sign I’d say). Couldn’t see much more, the Detail column would need to be made wider.

OK. Back to process Explorer. Right Click on any column title - Select Columns - Process Image tab - check “Command Line”. OK. Now select/highlight wscript.exe in Process Explorer & see what the Command Line is.

Here is a screenshot with a larger detail tab.

[attachment deleted by admin]

Here is the command line:
“C:\WINDOWS\System32\WScript.exe” “C:\WINDOWS\ScriptSyntax.dll.vbs”

Hmm… and that previous shot you posted shows wscript.exe asking for things about C:\WINDOWS\ScriptSyntax.dll.vbs… does that file exist? If so, please email to me (zipped). Thanks. Also check NOD32s virus definitions are up to date, it is monitoring this activity.

I don’t see the file in the Windows folder. I guess it appears only when it creates the file again. Yes NOD32 is updated.

OK, it might still be a legitimate use. I assume you’re running CFPs Defense+? We could deny wscript.exe access to… well… everything actually. It would obviously break what was using it & that might yield some useful information… might not. But, it will certainly stop it.
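
Added example, not part of the original thread: when the live Process Monitor view is flooded with events, the capture can be exported to CSV and filtered offline to show which process wrote ScriptSyntax.txt and whether any script with a decoy double extension (like the .dll.vbs files seen above) was touched. The sample rows are constructed, and the function names and extension lists are assumptions chosen for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in the column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","WScript.exe","1234","CreateFile","C:\ScriptSyntax.txt","SUCCESS",""
"10:01:02.2","WScript.exe","1234","WriteFile","C:\ScriptSyntax.txt","SUCCESS","Length: 512"
"10:01:02.3","ekrn.exe","888","ReadFile","C:\ScriptSyntax.txt","SUCCESS","Length: 512"
"10:01:02.4","WScript.exe","1234","WriteFile","C:\WINDOWS\ScriptSyntax.txt","SUCCESS","Length: 512"
"10:01:02.5","WScript.exe","1234","SetBasicInformationFile","C:\ScriptSyntax.txt.dll.vbs","SUCCESS",""
"10:01:02.6","explorer.exe","456","QueryDirectory","C:\WINDOWS","SUCCESS",""
'''

# Operations that modify a file or its timestamps. CreateFile is left out
# because Process Monitor also logs it for plain opens and reads.
WRITE_OPS = {"WriteFile", "SetBasicInformationFile"}

# A script extension hidden behind a harmless-looking one, e.g. ".dll.vbs".
# Both extension lists are illustrative assumptions, not a complete set.
DOUBLE_EXT = re.compile(r"\.(txt|dll|doc|pdf|jpg|exe)\.(vbs|vbe|js|jse|wsf)$", re.I)

def load_rows(text):
    """Parse CSV text; for a real export, read the file with encoding='utf-8-sig'."""
    return list(csv.DictReader(io.StringIO(text)))

def writers_of(rows, name_fragment):
    """Map (process name, PID) to the matching paths that process modified."""
    hits = defaultdict(set)
    needle = name_fragment.lower()
    for row in rows:
        if (row["Operation"] in WRITE_OPS and row["Result"] == "SUCCESS"
                and needle in row["Path"].lower()):
            hits[(row["Process Name"], row["PID"])].add(row["Path"])
    return dict(hits)

def double_extension_scripts(rows):
    """Return every path in the capture that ends in a decoy double extension."""
    return sorted({r["Path"] for r in rows if DOUBLE_EXT.search(r["Path"])})

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for (name, pid), paths in writers_of(rows, "ScriptSyntax").items():
        print(f"{name} (PID {pid}) wrote: {sorted(paths)}")
    print("Double-extension scripts:", double_extension_scripts(rows))
```

In the sample, the antivirus process only reads the file, so it is not reported as a writer; the PID of the reported writer can then be looked up in Process Explorer to see its command line and parent.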