I’ve not heard of it before. And you are not kidding about a Google search… I found this actual topic (■■■■… that’s fast Google!) & one other reference. The poster thinks it’s a virus (got told off for double posting instead & asked to produce a HiJack log). It’s odd that the phrase “SoulRock ScriptSyntax” is so unique. Couldn’t get much on “BinaryBit” either. Did find this on “SoulRock Develop”. Rare maybe?
Is there an actual process you can identify with this Soul thing? Use SysInternals’ tools to investigate this (AutoRun, Process Explorer/Monitor, etc).
Yes, that’s them. MS bought them & still offer the tools free! Almost unbelievable.
OK… Process Explorer is an extended Task Manager for watching processes in realtime. Process Monitor watches processes (and what they do) sequentially in a log-like listing. If this thing produces something on the desktop at any point, you can use Process Explorer to identify it & Process Monitor to track it. More importantly, Process Explorer will also know what started it. AutoRun is useful for seeing what automatically starts up on your system (lots of tabs to explore). A HiJackThis log would probably be useful as well.
Sorry, you posted whilst I was typing…
Autorun Entry: 0 (no icon)
Description: blank
Publisher: blank
Image path: File not found: About:Home
Don't worry, I think this is just a blank Homepage setting.
There are many autorun entries also in the driver tab which have file not found: . . .
Should I remove them?
No, you should not remove them unless you know they are redundant (old hardware device, software, etc.). You must be very cautious in the driver section; you can make your system non-bootable by stopping/disabling the wrong driver. Some drivers hide (like CFP's) and can cause AutoRun to produce this message.
I was about to say that adding an include filter for “ScriptSyntax.txt”… but, I see you got that (unless that’s all that was happening!).
OK, use Process Explorer to find out (a) who started those WScript.exe & ekrn.exe processes & (b) what was the command line? (You might need to add more columns to get these details.) Also, do you have .VBS files lying around your root level?
Hang on… ekrn.exe? Isn’t that a NOD32 component? Do you have NOD32? If not, run it through Jotti.
BTW not terribly thrilled about WScript using wshom.ocx… that OCX is “ActiveX control used to create shortcuts, enumerate network drives, and so forth”.
Sorry, by root level I meant C:\. The screen shots you posted showed a file called ScriptSyntax.txt.dll.vbs being created in C:\ and what looked like the creation time being altered/set (not a good sign, I’d say). Couldn’t see much more; the Detail column would need to be made wider.
OK. Back to Process Explorer. Right-click on any column title - Select Columns - Process Image tab - check “Command Line”. OK. Now select/highlight wscript.exe in Process Explorer & see what the Command Line is.
Hmm… and that previous shot you posted shows wscript.exe asking for things about C:\WINDOWS\ScriptSyntax.dll.vbs… does that file exist? If so, please email it to me (zipped). Thanks. Also check NOD32’s virus definitions are up to date; it is monitoring this activity.
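The checks the thread walks through (which process started wscript.exe and with what command line, the wshom.ocx load, a .vbs being written into C:\ or C:\WINDOWS, and the creation time being altered) can be run over a Process Monitor CSV export. This is an added example, not code from the thread; the CSV rows are constructed to mirror the screenshots described above and the column names follow Process Monitor's default export.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (sample data, not the poster's actual log).
SAMPLE_PROCMON_CSV = r'''Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.001,explorer.exe,1234,Process Create,C:\WINDOWS\system32\wscript.exe,SUCCESS,"PID: 2048, Command line: wscript.exe C:\WINDOWS\ScriptSyntax.dll.vbs"
10:01:02.050,wscript.exe,2048,Load Image,C:\WINDOWS\system32\wshom.ocx,SUCCESS,Image Base: 0x10000000
10:01:02.100,wscript.exe,2048,CreateFile,C:\ScriptSyntax.txt.dll.vbs,SUCCESS,Desired Access: Generic Write
10:01:02.120,wscript.exe,2048,SetBasicInformationFile,C:\ScriptSyntax.txt.dll.vbs,SUCCESS,CreationTime: 1/1/2005 12:00:00 AM
10:01:03.000,notepad.exe,777,CreateFile,C:\Users\me\notes.txt,SUCCESS,Desired Access: Generic Write
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs sitting directly in C:\ or C:\WINDOWS is what the thread flags as odd.
SUSPICIOUS_VBS = re.compile(r"^C:\\(WINDOWS\\)?[^\\]+\.vbs$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_procmon(csv_text):
    """Return (kind, script-host PID, message) findings from a Process Monitor CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, op, path, detail = row["Process Name"].lower(), row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create" and basename(path) in SCRIPT_HOSTS:
            # The event's own process is the parent; child PID and command line are in Detail.
            m = re.search(r"PID: (\d+), Command line: (.*)", detail)
            if m:
                findings.append(("parent", int(m.group(1)),
                                 f"{proc} (PID {row['PID']}) started {basename(path)}: {m.group(2)}"))
        elif proc in SCRIPT_HOSTS and op == "Load Image" and basename(path) == "wshom.ocx":
            findings.append(("wshom", int(row["PID"]), "script host loaded wshom.ocx (shell/network objects)"))
        elif proc in SCRIPT_HOSTS and op == "CreateFile" and "Write" in detail and SUSPICIOUS_VBS.match(path):
            findings.append(("dropped_vbs", int(row["PID"]), f"script host wrote {path}"))
        elif proc in SCRIPT_HOSTS and op == "SetBasicInformationFile" and "CreationTime" in detail:
            findings.append(("timestomp", int(row["PID"]), f"creation time changed on {path}"))
    return findings


if __name__ == "__main__":
    for kind, pid, msg in triage_procmon(SAMPLE_PROCMON_CSV):
        print(f"[{kind}] PID {pid}: {msg}")
```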
OK, it might still be a legitimate use. I assume you’re running CFP’s Defense+? We could deny wscript.exe access to… well… everything, actually. It would obviously break what was using it & that might yield some useful information… might not. But it will certainly stop it.