Full Version: If Spelling The Name Is So Important Than Why ?
BleepingComputer.com > Bleeping Computer Applications and Guides > Windows Startup Programs Database
In my computer files
shmgrate C:\WINDOWS\system\32 42 KB Application 8/3/2004
shmgrate C:\WINDOWS\ServicePa... 42 KB Application
When I search this term spelling it in lower case I get this ?
Startup Programs Database Search
Shmgrate.exe ibot4.exe X Added by the GASTER TROJAN!
Why am I not getting the actual file information ?
It is often very important with spelling, lower/upper case.
Maybe you need to go in folder options in your windows explorer and untick hide extention for known file types (windows xp)
The extention is just as important.
Maybe this entry was missed by staff, but here a good search alternative -
Those where not staff but just my cents.
*edited out commercial link, please re-read.
Maybe you need to go in folder options in your windows explorer and untick hide extention for known file types (windows xp)
The extention is just as important.
Maybe this entry was missed by staff, but here a good search alternative -
QUOTE
shmgrate.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system
(liutilities)Those where not staff but just my cents.
*edited out commercial link, please re-read.
In other words, ahh.... Your saying I have a Trojan Virus here, . . correct ?
Thank you if I do or don't !!
But if you don't mind, Do I ?
Because I have been searching all over the place for the solutions to a variety of problems I have been having.
Thank you if I do or don't !!
But if you don't mind, Do I ?
Because I have been searching all over the place for the solutions to a variety of problems I have been having.
That would seem to be the unfortunate case, if we agree the process is shmgrate.exe, that you got an intruder on your system. 
I'm not sure what you have done allready about that, but maybe check you got the right info posted on the forum, like the hijack this log and so forth.
I 'll look around for a fix.
EDIT1
Seems to be part of the GASTER virus, according to CastleCops.
Here's removal instructions from symmantec site.
Risk asssesment VERY LOW, so that might be a relief.
This is in NO WAY a suggestion that you install Norton anti-virus. Don't do that, but maybe there are clues in here you can use. Anyway the symmantec site often offers reliable info in these matters I think.
Like I said I'm not sure what steps you have allready taken and maybe you should wait for more advice, before you alter the registry.
It's highly sensitive and windows depend on it.
It's up to you, hope I haven't broken any rules.
One thing I recommend is Firefox instead of Internet Explorer. Browse insecure sites with javascipt turned off, but that some generel advice.
Good luck with whatever you decide.
I'm not sure what you have done allready about that, but maybe check you got the right info posted on the forum, like the hijack this log and so forth.
I 'll look around for a fix.
EDIT1
Seems to be part of the GASTER virus, according to CastleCops.
Here's removal instructions from symmantec site.
QUOTE
Discovered: December 29, 2003
Updated: February 13, 2007 12:15:34 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as Backdoor.Gaster.
4. Delete the value and key that were added to the registry.
For specific details on each of these steps, read the following instructions:
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
* "How to disable or enable Windows Me System Restore"
* "How to turn off or turn on Windows XP System Restore"
Note: When you are completely finished with the removal procedure, and you are satisfied that the threat has been removed, you should re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. Scanning for and deleting the infected files
1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with Backdoor.Gaster, click Delete.
4. Deleting the value and key from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
Then click OK. (The Registry Editor opens.)
3. Navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"Shmgrate.exe"="%System%\ibot4.exe"
5. Navigate to and delete the following key:
HKEY_CURRENT_USER\SOFTWARE\DateTime
6. Exit the Registry Editor.
Updated: February 13, 2007 12:15:34 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as Backdoor.Gaster.
4. Delete the value and key that were added to the registry.
For specific details on each of these steps, read the following instructions:
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
* "How to disable or enable Windows Me System Restore"
* "How to turn off or turn on Windows XP System Restore"
Note: When you are completely finished with the removal procedure, and you are satisfied that the threat has been removed, you should re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. Scanning for and deleting the infected files
1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with Backdoor.Gaster, click Delete.
4. Deleting the value and key from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
Then click OK. (The Registry Editor opens.)
3. Navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"Shmgrate.exe"="%System%\ibot4.exe"
5. Navigate to and delete the following key:
HKEY_CURRENT_USER\SOFTWARE\DateTime
6. Exit the Registry Editor.
Risk asssesment VERY LOW, so that might be a relief.
This is in NO WAY a suggestion that you install Norton anti-virus. Don't do that, but maybe there are clues in here you can use. Anyway the symmantec site often offers reliable info in these matters I think.
Like I said I'm not sure what steps you have allready taken and maybe you should wait for more advice, before you alter the registry.
It's highly sensitive and windows depend on it.
It's up to you, hope I haven't broken any rules.
One thing I recommend is Firefox instead of Internet Explorer. Browse insecure sites with javascipt turned off, but that some generel advice.
Good luck with whatever you decide.
Thanks nightspydk,
That will be helpful, my feelings are since I have been having my share of problems, and have recently got into Virus protection and scanning, I am wondering what else I might have missed, I have found shmgrate on both on my 4403US and 5300US,
and on the 4403, I have scanned with Hitman Pro and AVG, niether has detected this. I have AVG on the 5300US.
I will read over this and post results and see if I can get a HJT posted.
Thanks again.
Jove
That will be helpful, my feelings are since I have been having my share of problems, and have recently got into Virus protection and scanning, I am wondering what else I might have missed, I have found shmgrate on both on my 4403US and 5300US,
and on the 4403, I have scanned with Hitman Pro and AVG, niether has detected this. I have AVG on the 5300US.
I will read over this and post results and see if I can get a HJT posted.
Thanks again.
Jove
I would try Kaspersky.
I believe it got a trial period of 30 days.
It has got the largest defination database and is rated no1 in detection/removal in a lot of review. Especially concerning trojans.
Don't trust all it says though. There is also the risk of a false positive.
The best AV I have ever run.
Well commercial out and you are welcome mate.
I believe it got a trial period of 30 days.
It has got the largest defination database and is rated no1 in detection/removal in a lot of review. Especially concerning trojans.
Don't trust all it says though. There is also the risk of a false positive.
The best AV I have ever run.
Well commercial out and you are welcome mate.
shmgrate.exe located in C:\Windows\System32\ and the service pack folder are valid files. You do not have a trojan in respect to this file.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.