Apologies if you've already read this, but this is interesting news: Apparently shimgvw.dll isn't the problem; according to the Kaspersky Lab blog, gdi32.dll is. >From http://www.viruslist.com/en/weblog?discuss=176892530&return=1 (which talks about an IM worm that uses this): "Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll."
