Windows shell open commands

Vivacious

My McAfee security program opened and asked if I wanted to block this change
to my system. I eventually decided to block it, but have no idea what this is
about. It stated that this was trying to make a change to my registry.
Does anyone have an idea as to what this is and whether or not I should have
allowed it or blocked it?
The problem with these security programs is that they ask questions of a
basic user who has no idea of what the issue is. This is the message as I
copied it in order to help you understand what it is:
Prevents changes to your Windows Shell (explore.exe) Open Commands. Shell
Open Commands allow a specific program to run every time a certain type of
file is run. For example, a worm might attempt to run automatically every
time an .exe application is run.
Rule Type: Registry
Process: C:\WINDOWS\system32\regsvr32.exe
Process description: Microsoft © Register Server
Process publisher: Microsoft Corporation
Process version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
HKEY_LOCAL_MACHINE\SOFTWARE\classes\Applications\shimgvw.dll\shell\open\commandrundll32.exe
Thank you very much and this stuff is driving me crazy; I'm too old and busy
for this.;-)
 
Alan Edwards

The key is normal for Image preview.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\shimgvw.dll\shell\open\command
has been used for many years with a value:
rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_Fullscreen %1

Have a look here for a description in an older operating system which
is still valid in XP:
http://support.microsoft.com/kb/272969

....Alan
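
An added example, not part of any post in this thread: a Python script that compares `shell\open\command` default values in a `.reg` export against a known-good baseline. It goes beyond the image-preview key to the `exefile` handler that the McAfee message alludes to; the sample export and `evil.exe` are constructed, and only plain string (`@="..."`) values are parsed.

```python
import re

# Baseline of expected default values, lower-cased. The shimgvw value is the one
# quoted in the thread; the exefile value is the stock Windows default.
EXPECTED = {
    r"hkey_local_machine\software\classes\applications\shimgvw.dll\shell\open\command":
        r"rundll32.exe %systemroot%\system32\shimgvw.dll,imageview_fullscreen %1",
    r"hkey_local_machine\software\classes\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample in .reg export layout (evil.exe is a made-up name).
# Assumption: values are plain strings; hex(2) expand-string exports are not decoded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\shimgvw.dll\shell\open\command]
@="rundll32.exe %SystemRoot%\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Temp\\evil.exe \"%1\" %*"
'''

def parse_defaults(reg_text):
    """Return {key_path: default_value} for every key with a default (@) string."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            defaults[key] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults

def audit(reg_text, expected=EXPECTED):
    """Label each shell open command default as ok, changed or unlisted."""
    report = {}
    for key, value in parse_defaults(reg_text).items():
        if not key.lower().endswith(r"\shell\open\command"):
            continue
        want = expected.get(key.lower())
        if want is None:
            report[key] = "unlisted"      # no baseline: review by hand
        elif " ".join(value.lower().split()) == want:
            report[key] = "ok"
        else:
            report[key] = "changed"       # differs from the known-good value
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```
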
 
David H. Lipman

From: "Vivacious" <[email protected]>

| My McAfee security program opened and asked if I wanted to block this change
| to my system. I eventually decided to block it, but have no idea what this is
| about. It stated that this was trying to make a change to my registry.
| Does anyone have an idea as to what this is and whether or not I should have
| allowed it or blocked it?
| The problem with these security programs is that they ask questions of a
| basic user who has no idea of what the issue is. This is the message as I
| copied it in order to help you understand what it is:
| Prevents changes to your Windows Shell (explore.exe) Open Commands. Shell
| Open Commands allow a specific program to run every time a certain type of
| file is run. For example, a worm might attempt to run automatically every
| time an .exe application is run.
| Rule Type: Registry
| Process: C:\WINDOWS\system32\regsvr32.exe
| Process description: Microsoft © Register Server
| Process publisher: Microsoft Corporation
| Process version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
| HKEY_LOCAL_MACHINE\SOFTWARE\classes\Applications\shimgvw.dll\shell\open\commandrundll32.exe
| Thank you very much and this stuff is driving me crazy; I'm too old and busy
| for this.;-)

It looks like a process tried to Register a DLL using REGSVR32.EXE.

If you were deliberately installing a software utility, this is OK.

If you were not installing some utility when this popped up then the process may be
malicious and McAfee thought so too, so it gave you the option to block it, which you did.
 
Vivacious

I was trying to make changes on a picture in "My Pictures" using the "Windows
Picture and Fax Viewer." That is when it popped up. Should I allow it or not
is what I need to know. Thanks.
 
Vivacious

What really threw me off was that the Process Publisher is Microsoft
Corporation. So adware can present itself as being legit and state that it is
from Microsoft when it actually is not?
 
David H. Lipman

From: "Vivacious" <[email protected]>

| What really threw me off was that the Process Publisher is Microsoft
| Corporation. So adware can present itself as being legit and state that it is
| from Microsoft when it actually is not?
|

No, no...

The malware may USE the service(s) of Microsoft utilities such as REGSVR32.EXE to get
installed. That's what you saw.

Not to confuse you, but malware authors may make their EXE files LOOK like they came from
Microsoft to obfuscate their malicious intent.

So...
Were you deliberately installing a software utility that caused this?
 
David H. Lipman

From: "David H. Lipman" <[email protected]>

< snip >

| So...
| Were you deliberately installing a software utility that caused this?
|

Never mind...
I saw in your other reply you were making "...changes on a picture in "My Pictures" using the
"Windows Picture and Fax Viewer.""

That's legitimate and not malware related and should be allowed.
 
