Здравствуите,

I have a problem viewing video files on my computer that I took with a DV-182 3.1MP Digital Video Camera .

I have downloaded the photo and video files without a problem but when I open the folder they are in and the mouse cursor hovers over a video file, before I've had the chance to click on it to open it, a pop-up appears.
( This problem only occurs with the video files.The photo files I have removed to another folder.)


Data Execution Prevention.

To help protect your computer,Windows has closed this program.

Name: Windows Explorer

Publisher: Microsoft Corporation


My operating system is 'Windows XP Home with SP2' which is fire-walled, has automatic updates for Windows and I also have Avast Antivirus with automatic updates (which hasn't detected anything).
None of the suggestions given by Microsoft seem to apply as it would not be wise to turn off D.E.P. for 'Windows Explorer'.


When I close the pop-up, another appears entitled 'Windows Explorer' which asks me to tell Microsoft about this problem by clicking on 'Send Error Report' which I do. Then Windows restarts my computer.

Exactly the same problem occurred when I copied video files from a DVD.

Video files I've downloaded from the Internet I don't have any problems with therefore it is not a problem with Windows Media Player.

I don't know if this has anything to do with the above problem but lately whenever I Left Double click on a JPEG image file it opens in Windows Media Player whereas before it always opened in Windows Picture and Fax Viewer.

Does anybody know how to solve this problem so that I may view my video files ?

I've had this problem about 7 weeks now.

I've also started a thread in Windows XP Help.

http://www.updatexp.com/data-execution-prevention.html

By default Data Execution Prevention is turned on for Windows programs and services only and for most users this is fine.

However, you can gain more protection by selecting the second option and DEP will now work for ALL programs and services on your computer. BUT this is know to generate some error messages as legitimate software can conflict with DEP.

If this happens, you get a warning dialog box on your screen informing you of an error and the software you are trying to use will not start.

If this was a nasty piece of software lurking on your computer then DEP will have done its job. BUT if it happens to you when trying to work with some software you fully trust, this can be a problem, but fortunately there is a solution...

...you will need to tell Data Execution Prevention to ignore the software you want to use!

(Note: The DEP error message should always tell you which software caused the problem and who the publisher is, if you do NOT recognise the information provided then suspect fowl play and seek the advice of a more experienced user/technician....)

Where Can I Find DEP On My PC?

1. On the My Computer icon right click with your mouse and choose Properties. (My Computer can be found on the desktop and/or the Start menu depending on how you have your Windows XP setup.)

2. A small window will have appeared called: System Properties. Look for the "tab" along the top called Advanced, now click it.

3. Now look for the section called Performance and click the button called Settings.

4. You will now see a new window appear called Performance Options, click the tab along the top called Data Execution Prevention and you should get the same window view as the image below.

Given the above, see if you can find a sufficient workaround to generate a Hijackthis log and post it here.

The program that is being closed is Windows Explorer.

Do you think it would be wise to turn DEP off for Windows Explorer?

Do you think it would be wise to turn DEP off for Windows Explorer?

It definitely doesn't like something in that folder - that is protective behavior and a warning sign to take seriously. Lets explore other options first.


Can you get into SAFE MODE with networking (Internet) support?

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Post a hijackThis log if you can.



Initially try to scan the folder in question with the following tool, if possible:

Please do an online scan (scan only tool) with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    - Extended (if available otherwise Standard)
  • Scan Options:
    - Scan Archives
    - Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

I'm new to this computer malarky.

What does 'Can you get into SAFE MODE with networking (Internet) support?' mean?

I've just read that 'in Safe Mode' a computer cannot connect to the Internet.How do I use Kaspersky Webscanner if my computer is in Safe Mode.

If you choose 'SAFE MODE with networking' it should be possible to access the Internet using an ethernet wire connection. Dialup and wireless will not work because there is no needed driver support for those devices in SAFE MODE.

Alternately,
Try running Kaspersky in NORMAL MODE, if possible.

Hello VopThis,

I performed a scan (in normal mode) with Kaspersky On-line Scanner which found 34 infected objects which included 12 viruses.I didn't believe these results so I ran my own full cleanup using the programs below set to their highest settings.

CCleaner
Complete Internet Cleanup Pro
Lavasoft Ad-Aware SE Personal
Microsoft Antispyware
Spybot-Search & Destroy
a-squared
Avast Antivirus

which found and deleted just a few cookies.

I then ran an online virus scan using Trend Micro which detected 6 Greyware/Spyware:

ADW_SE.54035
BHO_SE.66436
BHO_SE.66440
BHO_SE.66444
BHO_SE.66449
ADW_SE.75680

which were removed. They also stated:

Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)



Home > Security Advisories > (MS05-009) Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)




(MS05-009) Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)




Vulnerability Identifier: CAN-2004-1244, CAN-2004-0597
Discovery Date: Feb 8, 2005
Risk: Critical
Vulnerability Assessment Pattern File: 023
Affected Software:
Microsoft MSN Messenger 6.0
Microsoft MSN Messenger 6.1
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Media Player 9 Series
Microsoft Windows Messenger version 4.7.0.2009
Microsoft Windows Messenger version 4.7.0.3000
Microsoft Windows Messenger version 5.0
Microsoft Windows Millennium Edition

Description:


This advisory discusses the vulnerability found in the processing of .PNG files. A specially-crafted PNG .files with excessive width and height values causes remote code execution.


Patch Information:

http://www.microsoft.com/technet/sec.../MS05-009.mspx

Workaround Fixes:


Workarounds for PNG Processing Vulnerability in Windows Media Player (CAN-2004-1244)

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

There are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.

Static WMP File Extension Attack workaround
Disassociate the file extensions (.ASX, .WAX, .WVX, .WPL, .WMX, .WMS, .WMZ) in Windows to avoid previewing or opening files that point to malformed PNG files.

Manual Steps – Windows Media Player method:

Launch Windows Explorer
On the Tools Menu select Folder Options
Select the ‘File Types tab
Scroll to find the .ASX file extension and then press the Delete button
Repeat step 4 for each of the file extensions listed above.
In addition, enterprise customers can configure Outlook to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 837388. Use these instructions to add the documented file extensions to the Level1 block list.

Home users can configure Outlook Express to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 291387. Use this information to configure each of the file extensions as "confirm open after download" in the Windows file types dialog.

Impact of Workaround: Deleting the file associations with Media Player has a high potential for breaking corporate users who may be using Windows Media Server/Player to deliver web casts, training etc. Home users trying to watch streaming content on various Web sites may also be impacted by implementing this workaround.


Internet Explorer workaround for WMP ActiveX attack
Disable the Windows Media Player ActiveX Control. To prevent against an attack within a webpage follow these steps to disable the Windows Media Player ActiveX Control:

Follow the instructions documented in Microsoft Knowledge Base Article 240797 to killbit the following CLSIDs in Internet Explorer:

CLSID:{6BF52A52-394A-11D3-B153-00C04F79FAA6}PROGID:WMPlayer.OCX.7

CLSID:{22D6F312-B0F6-11D0-94AB-0080C74C7E95}PROGID:MediaPlayer.MediaPlayer.1

CLSID:{05589FA1-C356-11CE-BF01-00AA0055595A}PROGID:AMOVIE.ActiveMovieControl.2

Impact of Workaround: When you disable the Windows Media Player ActiveX control, pages using this control will no longer function as designed. This prevents any content from being played though the control, including audio and video.


Content-Type HTTP Header Attack The only way to prevent this attack is to remove all of the possible MIME type entries from the registry that associate Windows Media Player with the MIME type listed in the Content-Type header being returned by the server since they all can be abused to exploit the vulnerability. Below is a list of MIME types that are associated with the WMP CLSID:
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl

HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2

HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd

HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma

HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav

HKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ivf

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg2a

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmp

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx

HKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx

Impact of Workaround: These MIME type registry keys all have a CLSID value which points to the following CLSID:

HKEY_CLASSES_ROOT\CLSID\{CD3AFA8F-B84F-48F0-9393-7EDC34128127}\InprocServer32

This CLSID is associated with WMP.DLL which is responsible for launching Windows Media Player when these MIME types are used. Un-registering WMP.DLL will break Windows Media Player. The MIME types listed in this workaround are specific to Windows XP. There may be additional MIME types available on other platforms.

Additional information about Windows Media Player File Name Extensions if available at the following MSDN Web site.

Workarounds for PNG Processing Vulnerability in Windows Messenger (CAN-2004-0597)

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

Turn off the .NET Alerts feature in Windows Messenger
Open Windows Messenger
Go to the Tools menu and select “Options”
In the Options Dialog go to the “Privacy” tab.
Check the option that says “Don’t download any tabs to my computer”
(Note: This setting will take effect the next time you sign into Windows Messenger.)
.Net Alerts are only available on Passport accounts that have signed up to receive them. Users who have never configured their account to receive these alerts will not have this setting available.

Workarounds for PNG Processing Vulnerability in MSN Messenger (CAN-2004-0597)

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

Do not add addresses that you do not recognize or trust to your contacts list

Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need

Disable display picture in MSN Messenger using the following steps:
Click Tools>Options, then click the Personal Tab.
Clear the check box Show Display Picture from Others in Instant Message Conversations.

Disable Emoticons using the following steps:
Click Tools>Options, then click the Messages Tab
Clear the check box Show emoticons in instant messages.

Do not agree to accept file transfers from contacts you do not know or trust.


I don't understand why they informed me of the above as I don't have:


Microsoft MSN Messenger 6.0
Microsoft MSN Messenger 6.1
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Media Player 9 Series
Microsoft Windows Messenger version 4.7.0.2009
Microsoft Windows Messenger version 4.7.0.3000
Microsoft Windows Messenger version 5.0
Microsoft Windows Millennium Edition


on my computer.

I then ran a virus scan again with Kaspersky On-line Scanner which again detected 34 infected objects of which 12 were viruses.





-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 05, 2006 03:28:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/02/2006
Kaspersky Anti-Virus database records: 174848
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 150385
Number of viruses found: 12
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 7156 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP281\A0064963.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP281\A0064964.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP281\A0064965.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064991.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064992.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064993.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064994.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064995.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064996.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064998.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0064999.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065000.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065001.DLL Infected: not-a-virus:AdWare.Win32.IWon.a
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065002.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065003.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065004.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065005.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065006.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065007.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065008.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065009.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065010.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065011.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065012.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065013.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.z
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065014.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065017.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065018.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065019.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065020.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065021.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP283\A0065023.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP322\A0081164.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\System Volume Information\_restore{92AC9C9F-A737-4B80-8310-79022B133ED4}\RP327\A0084501.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch

Scan process completed.



I performed a Windows Search on 4 of these files to see what they were and if I could remove them manually but the Search revealed nothing.

Why were they not detected?

Where are they?

Are 12 viruses really on my computer or is Kaspersky pulling my plonker?

Please keep the following in mind:

Microsoft Windows Media Player is likely a default install in XP. So is Microsoft Windows Messenger:

Video files I've downloaded from the Internet I don't have any problems with therefore it is not a problem with Windows Media Player.

If you use PNG, DEP may pick up on this potential vulnerability:

....you will need to tell Data Execution Prevention to ignore the software you want to use!

Try ignoring 'Windows Media Player' to see if matters improve. You ultimately don't want to knowingly ignore this potential vulnerability, however.





Kaspersky (primarily an antivirus tool) is picking up on resident badware contents in your 'System Restore Points'. Strange - none of the listed items are labelled as viruses but may be potential virus enablers. Such infected restore points have the means to reinfect your PC should you ever use them. There is a simple way to remove those as a last step once your PC is clean.

I may have Microsoft Windows Messenger on my computer but I don't use it,I use MSN Messenger 7.5.Should I remove Microsoft Windows Messenger if it is present and if yes how?


If I want to turn off DEP for Windows Media Player do I just type 'Windows Media Player' in the box (in the Performance Options box under the DEP tab) or is there some other name I should use?


Cheers.