IE script error: can`t find add_url.htm

Author Message
Jonathan 03/29/2006 07:02 am
Longtime techy user of MPDE here.

IE repeatedly cannot locate DE`s installed path to
C:\Program Files\Download Express\add_url.htm

To re-register the file I have been through several remove/install cycles (easier with your super-fast installer than finding/using MSs file registration tool) which fixes it for a few hours of usage then something breaks it again.

During uninstall the error "MDPPH.DLL unregistration error!(3) 126" displays. Is this related & any idea what`s breaking it?

Thanks, Jonathan
Jonathan .... Again 03/29/2006 07:02 am
This under win2k,SP4 + IE6,SP1 + MPDE 1.4.0.193

Text of Script Error:

An error has occurred in the script of this page.

Line: 4
Char: 1
Error: the specified module could not be found.
Code: 0
URL: file://C:\Program Files\Download Express\Add_Url.htm

Which makes me want to retract earlier claim of what`s not being found. Best guess is that add_url.htm cannot locate MDPPH.DLL because something is knocking it out of registry. Am I on the right track here? Any guesses what may be stripping MDPPH.DLL from reg?

Thx, Jonathan
Alexander 03/29/2006 07:02 am
Dear Jonathan,

Do you have any Registry cleaning software?
This may be caused by incorrect work of such program.
Please try the following procedure:
1. Uninstall Download Express
2. Reboot Windows (necessary step)
3. Install Download Express
4. Reboot Windows for a sure (optional)

Test your system for some time and write me about the result. Thank you.

Sincerely,
Alexander.
| Alexander Bednyakov
| Senior Developer
| MetaProducts Corporation



Jonathan Price 03/29/2006 07:02 am
Alexander et al,

The cause of my DE woes has, I believe, been isolated. If I`m correct (testing not complete) then you`re not going to like it `cause this will be a growing problem & support headache for MetaProducts.

Currently Download Express (DE) relies on Microsoft Visual Basic Scripting Host`s MSHTA (stands for MicroSoft HyperText Application) - a serious weak spot in MS`s IE architecture if we are to believe the folks at
http://www.spywareinfo.com/articles/htasploit/
and
www.nsclean.com.
The claims made on these sites make perfect sense to me they (so far) mirror my experience & testing.

A yet-to-be identified app has succeeded in planting a trojan onto my system that essentially runs MSHTA.exe as a service rather than as intended - which is an occassionally invoked, discrete process. Unfortunately when run as a service, MSHTA.exe - and all scripts run through it - gain from the OS "local & fully trusted" status rather than "remotely invoked & untrusted" status that was intended for MSHTA.exe to have as a File invoked by IE webpage scripts.

I discovered the trojan because a DOS process loads MSHTA into memory at logon & sometimes - but not everytime - I could see the black flash of a DOS window when the other services loaded. On a faster/newer comp the flash would be so brief that visually detection would be impossible. Periodically I review all background processes & was reasonably confident that all were native win32 processes, so I got suspicious. That computer`s currently installed malware scanner (PestPatrol) does not detect MSHTA-as-service because mshta.exe is an OS/IE native file being mis-used rather than distinctly malicious code: it is the use of MSHTA as a service that constitutes a trojan, not the code itself. Assumedly PestPatrol and other scanners will soon begin to scan for MSHTA in memory and, because it has no business persisting there, alert users if it has been loaded.

Anyway, this MSHTA-as-service was interfering with DE`s use of HTA (call to MDPPH.DLL) - or at least that`s my current best guess. As you suspected I do use registry cleaning tools (mostly Iolo`s System Mechanic), but only as scheduled events - not as registry monitors with authorization to modify at-will. Prior to my first post I too had suspected reg cleaning as possibly the cause of DE troubles, but simple testing ruled that out. For the present I have removed MSHTA.exe from my systems, which of course renders DE useless. As yet - only a few hours usage - I have observed no other MSHTA dependencies on that particular computer.

I type all this to benefit others in this forum - but also in hopes that you will minimize my further testing by confirming these expressed suspicions of why DE broke & reply in this forum with what MP already knows about MSHTA exploits & conflicts with usage of your MD, DE and other products. Have other users surfaced with this behavior? Is MP aware of the growing problem of HTA exploits? Will MP resort to another method of integrating DE/MD into IE? .... and finally, can/will/does MD or DE plan to support other browsers so users can <dreamy sigh of relief> once-and-for-all abandon IE and it`s constant security headaches? (I will soon be testing mozilla`s nearly finished product - by all accounts it is very good.)

Thanks for a good, free product AND the maintenance expense MP continues to shoulder by offering & monitoring these open forums. For 2-1/2 years I have recommended DE & MD to my clients in part because your documentation and support response is so good. That this issue with MSHTA has cropped-up is unfortunate. VBscripting has always been a weak layer and I hope MP abandons it`s use. I will have to contact my clients and advise them to remove MSHTA from their systems if further testing confirms my current suspicions and/or popular security scanners fail to incorporate MSHTA-as-service detection and identification of the offending apps that create the p
Alexander 03/29/2006 07:02 am
Dear Jonathan Price,

Thank you very much for your information.
Our products use IE script engine only for IE right-click menu item support. Offline Explorer and Mass Downloader allow to switch this feature off.
The main browser integration will not be affected by removing MSHTA.exe file.

Regarding the other browsers support, we are working in this direction.

Thank you for your help and kind words.

Sincerely,
Alexander.
| Alexander Bednyakov
| Senior Developer
| MetaProducts Corporation
03/29/2006 07:02 am
It`s left+right=all clicks that breaks in my test-box installation. Same repeated behavior: fresh install works fine, briefly, then fails. Have doen no more testing since my last post. Any ideas?

- Jonathan
Alexander 03/29/2006 07:02 am
Dear Jonathan,

Do you mean this error message when you just click the file link?
The left click monitoring system doesn`t use any scripts at all.
So, the described security problem should not affect this system.

Thanks,
Alexander.