1st January 2006

This article is four days old, and I meant to post on it right away. All versions of Windows are affected, regardless of whether you’re up to date with Windows patches.

One of my customers got infected already, and there was nothing I could do to fix it. By the time I got my hands on the computer, I took the hard drive out, stuck it in another machine, and could not even read the Windows directory anymore.

Watch for the large circular RED X in your tray area by the clock. If you have it, it may be too late, but CounterSpy will likely be the first to have a successful removal tool, if they haven’t already.

IMMEDIATELY DO THIS TO PROTECT YOURSELF! –
Logon as a user with full administrative rights.
Click the Windows “Start” button and select “Run…”
Enter the following (copy and paste) into the “Open” field:
regsvr32 -u shimgvw.dll
Click “OK”
You will receive a confirmation prompt, and your system is now safe.
* (Note that this WILL temporarily disable the “Thumbnail” view in Windows Explorer and the Windows Image and Fax Viewer, because THEY ARE NOT SAFE!)

To eventually re-enable the “SHIMGVW.DLL” component once Microsoft finally patches it…
Logon as a user with full administrative rights.
“Start” button and select “Run…”
Enter the following:
regsvr32 shimgvw.dll

(Note this is the same command as the one above, but without the “-u” switch, which means “unregister”.)
Click “OK” to re-register the .dll file that is being exploited.
(Thanks to http://grc.com/sn/notes-020.htm for this detailed information.)
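If you want to confirm that the workaround above actually took effect (and later, that the re-registration worked), here is an added PowerShell script that is not from the original post or from GRC. It assumes shimgvw.dll registers its COM classes under HKCR\CLSID\<id>\InprocServer32, which is the convention that regsvr32 -u reverses, and that regsvr32.exe accepts the /s and /u switches.

```powershell
# Added example, not part of the original post. Assumption: shimgvw.dll's
# classes live under HKCR\CLSID\<id>\InprocServer32, which regsvr32 -u removes.

function Get-ShimgvwRegistration {
    # Return every CLSID whose in-process server still points at shimgvw.dll.
    $hits = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                if ($dll -and $dll -match 'shimgvw\.dll') {
                    $hits += [pscustomobject]@{ Clsid = $_.PSChildName; Server = $dll }
                }
            }
        }
    return $hits
}

function Test-ShimgvwWorkaround {
    # $true when the workaround is in effect (no class resolves to shimgvw.dll).
    $hits = @(Get-ShimgvwRegistration)
    if ($hits.Count -eq 0) {
        Write-Output 'shimgvw.dll is NOT registered: the workaround is in effect.'
        return $true
    }
    Write-Output 'shimgvw.dll is still registered through these CLSIDs:'
    $hits | Format-Table -AutoSize | Out-String | Write-Output
    return $false
}

function Disable-Shimgvw {
    # Same as the post's "regsvr32 -u shimgvw.dll", but refuses to run unelevated
    # and re-checks the registry afterwards instead of trusting the dialog box.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell.'
    }
    $dll = Join-Path $env:SystemRoot 'system32\shimgvw.dll'
    # /s suppresses the confirmation dialog; /u unregisters the DLL.
    Start-Process -FilePath regsvr32.exe -ArgumentList '/s', '/u', "`"$dll`"" -Wait
    return Test-ShimgvwWorkaround
}
```

Run Test-ShimgvwWorkaround on its own to audit a machine without changing it; Disable-Shimgvw applies the workaround and then audits.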

Basically, you know that you should stay out of bad neighborhoods on the web, but this article will really open your eyes. Now you have proof!

Here’s the blog that I first read this news on…
Sunbelt BLOG: New exploit blows by fully patched Windows XP systems

    2 Comments    

    • Ville says:

      Or even better, use an unofficial patch that can be found, along with vulnerability detection tool, from the following URL: http://www.hexblog.com/

      The patch can be uninstalled via “Add or Remove Programs”.

      While it is not certified by Microsoft, F-Secure (www.f-secure.com), for example, recommends using it until Microsoft releases a patch of its own.

    • Scott says:

      Yes Ville, you’re correct. In fact, the solution above was a stopgap measure that actually disables certain Windows functions.

      This solution is better – thanks for posting, Ville, and thanks to Ilfak Guilfanov for coming up with this solution.
