Loads of sh.exe and ssh.exe running

[bunion]

Hi, Once this computer has been on for a while, I get several instances of sh.exe (28 currently) and sh.exe (14). I've scanned for viruses and its virus free.

The instances of sh.exe all use around 3 100 K of memory and ssh.exe around 4150K.

Anyone got any ideas?

Thanks

 

[Ijack]

sh.exe and ssh.exe are "shell" and "secure shell" respectively. They should not be present (AFAIK) on a standard XP install. Are you sure there is no malware on your computer?

 

[nickdave]

Try using malwarebytes in safemode. Sounds like malware to me. Unless your using putty or something.... but i would that that would have a different process name

 

[Ijack]

The image for putty is "putty.exe". It could be CygWin, but I guess the OP would know if he had installed it. And why all those shells opening by themselves? Malware IMO.

 

[bunion]

I have WinSCP installed which lets me open a Putty terminal, so I guess I do. Its not running though as im not using WinSCP and there is no putty.exe or CygWin.exe in task manager. However there is cygrunsrv.exe. Thanks for the advice ill try a malware scan, im doubtful though as there are no other problems.

 

[Ijack]

That might explain it. It could just be shell processes related to WinSCP. On the other hand, some malware is known to masquerade as sh.exe, ssh.exe, or cygrunsrv.exe so a thorough scan - as suggested above - is probably a good idea. It can't do any harm and it might put your mind at rest.

 

[bunion]

Ok, I have run loads of anti spyware / malware scans. In safe mode the following have been run:

LavaSoft AdAware : Full Scan - Results

- Win32.Trojan.AdClicker : 'removed'.
- Win32.Trojan.Agent : 'Quarantined'
- Win32.Trojan.Crypt : 'Quarantined'
- Win32.TrojanDownloader.Agent : 'Quarantined * 2'
- Cookies 170 : 'removed'

Spybot Search & Destroy : Full Scan - Results

Can't access log of what was removed but all was removed successfully - I have run again and nothing found.

Spybot Search & Destroy : Full Scan - Results

Scan log:

Malwarebytes Anti-Malware : Full Scan - Results
[cpp]Malwarebytes' Anti-Malware 1.44
Database version: 3519
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/01/2010 08:55:58
mbam-log-2010-01-12 (08-55-58).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 688403
Time elapsed: 7 hour(s), 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012808.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012809.sys (Malware.Trace) -> Quarantined and deleted successfully.
[/cpp]


Afterwards ran the tool here (in safe mode) : SDFix
http://www.bleepingcomputer.com/forums/topic131299.html

The report said 'No Trojan Files Found'.


I'm pretty sure im free of Malware / Spyware now. However, since I logged back in - 20 mins ago, about 10 sh.exe and 7 ssh.exe have started. Argh!


If it helps the previous computer user was fighting this problem and said something about a Firefox memory leak because of one of its plugins. However I havent even run Firefox or WinSCP since ive booted up!

Thanks for the help so far.

 

[nickdave]

Check your start up config file
Type msconfig in the run box or in vista/ 7 the search bar. Then go to the tab that says start up. Uncheck anything you dont need running. See if that corrects the problem. Or just look through them and see if one looks like something that could be causing that

 

[bunion]

Thanks I have done this as well now, but still under attack from the hoards of sh.exe and ssh.exe!

 

[bunion]

bump