MRUBlaster runs script on boot?

Discussion in 'MRU Blaster Forum' started by jon123, Aug 22, 2005.

Thread Status:
Not open for further replies.
  1. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Seems like the cleaning MRUBlaster does on startup is being blocked by ScriptDefender. This is my block list:

    .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB,.CSS,.PIF,.CHM,.WSC,.SCT,.EML,.WMD,.ASF,
    .CPL,.CRT,.ADE,.ADP,.BAS,.BAT,.OCX,.COM,.SYS,.DLL,.CMD,.MSC,.MSI,.EML,.MSG,.MSG,.SCR,.INF,.INS,.ISP,.LNK,.REG,.HTM,.HTML

    First time I noticed was when Search and Destroy caught a reg change on the first reboot from running MRUBlaster, identified as being done by Script Defender, I allowed it.
    Am I correct? (Is MRUBlaster running a script?)

    Here's Search and Destroy's log.

    8/20/05 6:32:42 PM Allowed value "MRUBlaster" (new data: "C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC") added in System Startup global entry!
    8/21/05 3:59:09 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/21/05 11:34:08 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/21/05 2:28:15 PM Allowed value "MRUBlaster" (new data: "C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC") added in System Startup global entry!
    8/21/05 2:31:11 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/21/05 6:10:37 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/21/05 11:21:25 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 7:55:23 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 11:37:24 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 11:57:21 AM Allowed value "" (new data: ""%1" %*") changed in Extension handler!
    8/22/05 11:57:53 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 11:57:54 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 11:57:55 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 12:47:38 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 12:47:39 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
    8/22/05 12:47:40 PM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!

    This one occurs twice.
    http://cdupload.com/files/234/Script%20Defender%20prob%203.bmp

    This one, once.
    http://cdupload.com/files/234/Script%20Defender%20prob%202.bmp

    WTF?
     
    Last edited by a moderator: Aug 23, 2005
  2. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    To the mods, I've posted this in the Privacy Problems forum as well, not sure where to put it really...
     
  3. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    If you have the IE Plugin enabled, MRU Blaster will run a script at bootup to delete the index.dat files. This is the only way they can be cleaned, as they are locked once Windows starts.

    If you want to see what's in index.dat, d/l the free viewer at the foot of this page; http://www.acesoft.net/delete_index.dat_files.htm Note that some security apps will flag the viewer, @Winspy, as a security risk because it is collecting information on your system.
     
  4. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Ty Togg, any idea what type of script it is, so that I can allow it?
    Strange though, I thought that Script Defender was supposed to prompt me, the only prompt I've gotten from it is when I ran the test script that came with it.
     
  5. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    I don't know the nature or content of the script, but I do know that you can create your own in DOS and put it in win.ini or system.ini (or somewhere like that) so that the job gets done before bootup.

    A Google search should produce the necessary details (if you want to try the DIY approach). I just let my commercial cleaning program (Window Washer) get rid of all the junk! It occasionally triggers an alert if I don't remember to turn my Registry monitoring tools off first.
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Having now downloaded ScriptDefender and checked a few things yesterday....what other than Spybot's log are you going by in regards to MRUblaster is running a script ?

    There appears to be nothing contained inside of the executable(indexcleaner.exe) that should cause ScriptDefender to pop up a warning.

    What I do see in your Spybot log is where MRUblaster was Allowed to place a global startup entry in the registry....but I do not see that ScriptDefender played a part. :doubt:
     
  7. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Only Spybot's log, and that I only saw the warning (after Windows loads up and Spybot does its reg checking thing) after having installed Script Defender and run MRU Blaster with the plugins.
    So, given that this new install has seen little other than Windows Update (I went to analogx, diamond, grc, Jason's Toolbox, all the while having extreme restrictions on Internet Zone, no ActiveX in trusted but for prompt and only allowed that at microsoft, and everything but mime type blocked by ZA (and that only allowed when necessary to dl)), I figured it was probably MRU Blaster.

    I installed diamond's WSH Anti-Polymorphism Patch, WNetEnumCachedPasswords Lock Patch, grc's dcombob.
    Other than those, winupdate had two issues:
    (Edited for reasons of Paranoia, or as someone once said, "having all the facts" lol, nothing to do with Wilders or this thread, btw) Thanks for the help Bubba :)
    Perhaps one of the other MS patches is running a script?
    I'm considering uninstalling Script Defender and trying Jason's Script Sentry, 'cause this will show what the script is/is doing, but the uninstall of Script Defender has to be done properly so... check here first to ask if MRU is responsible.
     
    Last edited: Aug 23, 2005
  8. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    PS The three warnings persist without running MRU Blaster.
     
  9. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Of course this is all working from the assumption that Script Defender's actions in the reg are due to a script, perhaps it has nothing at all to do with a script, after all I get no popup warning from Script Defender, just Search and Destroy's warning of its reg changes.

    I did also come here before installing script defender.

    My procedure for installing:

    Terminate protection apps.
    Clean boot, followed by install.
    Clean boot whether required or not by install prog.
    Then run prog, possibly followed by Shredder, Check For Problems; MRU Blaster.

    There is a possibility I neglected to terminate Tea Timer, which raises the question: would Script Defender write to the reg., as indicated by Search and Destroy, as part of its install? And Tea Timer then fubar the install so that Script Defender repeatedly makes its reg changes without realizing they've been done?

    If this is now in the wrong forum, please move to "noob or bonehead mistakes" thread. :)
     
    Last edited: Aug 23, 2005
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    IMHO it has nothing to do with script. As you may know Spybot's TeaTimer monitors numerous registry entries and some of these entries are the same values ScriptDefender is attempting to change so it can now be in control of certain file extensions when they are opened.

    These TeaTimer related entries:
    HKCR\batfile\shell\open\command\
    HKCR\comfile\shell\open\command\
    HKCR\exefile\shell\open\command\
    HKCR\piffile\shell\open\command\
    HKCR\scrfile\shell\open\command\
    HKCR\scrfile\shell\config\command\
    HKCR\regfile\shell\open\command\
    HKCR\cmdfile\shell\open\command\


    If you are not wanting to see the TeaTimer's warning you could select "Remember this decision".
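
Added example, not part of any post in this thread and not code from Spybot or ScriptDefender: a Python parser for the TeaTimer log format quoted in the first post, which separates the MRUBlaster startup entry from the extension-handler rewrites described in the last reply. The line format is inferred from the posted log only, and the function names are assumptions.

```python
import re
from collections import Counter

# Lines copied from the Spybot log posted in the first message of this thread.
SAMPLE_LOG = r'''8/20/05 6:32:42 PM Allowed value "MRUBlaster" (new data: "C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC") added in System Startup global entry!
8/22/05 11:37:24 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
8/22/05 11:57:21 AM Allowed value "" (new data: ""%1" %*") changed in Extension handler!
8/22/05 11:57:53 AM Allowed value "" (new data: "C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*") changed in Extension handler!
'''

# Format inferred from the posted lines (an assumption, not a documented spec).
LINE_RE = re.compile(
    r'^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<decision>\w+) value '
    r'"(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>\w+) in (?P<category>.+?)!$'
)
DEFAULT_HANDLER = '"%1" %*'  # pass-through command: the file is run directly

def parse(log):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def wrapper_exe(data):
    """Executable the command line starts with, or None for a bare "%1" handler."""
    m = re.match(r'"?([^"]+?\.exe)\b', data, re.I)
    return m.group(1) if m else None

def summarize(events):
    """Split events into startup entries, handler wrappers and resets to default."""
    startup, handlers, resets = [], Counter(), []
    for e in events:
        exe = wrapper_exe(e["data"])
        if "Startup" in e["category"]:
            startup.append((e["name"], exe))
        elif e["category"] == "Extension handler":
            if e["data"] == DEFAULT_HANDLER:
                resets.append(e["when"])      # handler put back to pass-through
            elif exe:
                handlers[exe.rsplit("\\", 1)[-1].lower()] += 1
    return {"startup": startup, "handlers": dict(handlers), "resets": resets}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

On the posted log this shows one kind of event for `indexcleaner.exe` (a startup entry) and a different kind for `sdefend.exe` (extension handler values being rewritten), with a single reset to the pass-through handler at 11:57:21 AM.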
     