
Loads of sh.exe and ssh.exe running

Last response: in Windows XP
January 7, 2010 8:51:23 AM

Hi, once this computer has been on for a while, I get several instances of sh.exe (28 currently) and ssh.exe (14). I've scanned for viruses and it's virus free.

The instances of sh.exe all use around 3,100 K of memory and ssh.exe around 4,150 K.

Anyone got any ideas?

Thanks
January 7, 2010 9:08:02 AM

sh.exe and ssh.exe are "shell" and "secure shell" respectively. They should not be present (AFAIK) on a standard XP install. Are you sure there is no malware on your computer?
January 8, 2010 6:32:51 AM

Try using Malwarebytes in safe mode. Sounds like malware to me. Unless you're using PuTTY or something... but I would think that would have a different process name.
January 8, 2010 7:08:13 AM

The image for putty is "putty.exe". It could be CygWin, but I guess the OP would know if he had installed it. And why all those shells opening by themselves? Malware IMO.
January 8, 2010 9:12:19 AM

I have WinSCP installed which lets me open a PuTTY terminal, so I guess I do. It's not running though as I'm not using WinSCP and there is no putty.exe or CygWin.exe in Task Manager. However there is cygrunsrv.exe. Thanks for the advice, I'll try a malware scan. I'm doubtful though as there are no other problems.
January 8, 2010 9:27:23 AM

That might explain it. It could just be shell processes related to WinSCP. On the other hand, some malware is known to masquerade as sh.exe, ssh.exe, or cygrunsrv.exe so a thorough scan - as suggested above - is probably a good idea. It can't do any harm and it might put your mind at rest.
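[Added example, not part of the original thread] A scan only answers "is this file known-bad"; the thread's open question is what keeps launching the shells. The sketch below parses a process listing and reports, for each sh.exe, ssh.exe and cygrunsrv.exe, the image path and the chain of parent processes. The sample rows are constructed, the C:\cygwin install directory is an assumption, and the function names are hypothetical.

```python
import csv
import io
# Constructed sample (not from the thread), in the CSV layout printed by
#   wmic process get ExecutablePath,Name,ParentProcessId,ProcessId /format:csv
SAMPLE = r"""
Node,ExecutablePath,Name,ParentProcessId,ProcessId
PC1,C:\WINDOWS\system32\services.exe,services.exe,500,600
PC1,C:\cygwin\bin\cygrunsrv.exe,cygrunsrv.exe,600,1200
PC1,C:\cygwin\bin\sh.exe,sh.exe,1200,1300
PC1,C:\cygwin\bin\ssh.exe,ssh.exe,1300,1310
PC1,C:\Documents and Settings\user\Local Settings\Temp\ssh.exe,ssh.exe,9999,1400
"""
WATCH = {"sh.exe", "ssh.exe", "cygrunsrv.exe"}  # image names from the thread

def load(text):
    """Index the process rows by PID, skipping blank or malformed lines."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): r for r in rows
            if (r.get("ProcessId") or "").isdigit()}

def ancestry(procs, pid):
    """Image names from the process up to its oldest still-running ancestor."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID loops
        seen.add(pid)
        chain.append(procs[pid]["Name"])
        pid = int(procs[pid]["ParentProcessId"] or 0)
    return chain

def triage(text, trusted_dir):
    """Report every watched process with its launch chain and path flags."""
    procs = load(text)
    prefix = trusted_dir.rstrip("\\").lower() + "\\"  # avoid C:\cygwin-x matches
    report = []
    for pid, p in sorted(procs.items()):
        if p["Name"].lower() not in WATCH:
            continue
        flags = []
        if not (p["ExecutablePath"] or "").lower().startswith(prefix):
            flags.append("outside trusted dir")
        if int(p["ParentProcessId"] or 0) not in procs:
            flags.append("parent not running")
        report.append({"pid": pid, "path": p["ExecutablePath"],
                       "chain": ancestry(procs, pid), "flags": flags})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE, r"C:\cygwin"):  # install dir is an assumption
        print(entry["pid"], " <- ".join(entry["chain"]), entry["flags"] or "ok")
```

A path inside the expected directory does not prove the file is genuine, and Windows reuses PIDs, so a parent match on a long-running machine is a lead to confirm rather than a verdict.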
January 12, 2010 9:02:10 AM

Ok, I have run loads of anti spyware / malware scans. In safe mode the following have been run:

LavaSoft AdAware : Full Scan - Results

- Win32.Trojan.AdClicker : 'removed'.
- Win32.Trojan.Agent : 'Quarantined'
- Win32.Trojan.Crypt : 'Quarantined'
- Win32.TrojanDownloader.Agent : 'Quarantined * 2'
- Cookies 170 : 'removed'

Spybot Search & Destroy : Full Scan - Results

Can't access log of what was removed but all was removed successfully - I have run again and nothing found.

Spybot Search & Destroy : Full Scan - Results

Scan log:

Malwarebytes Anti-Malware : Full Scan - Results
Malwarebytes' Anti-Malware 1.44
Database version: 3519
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/01/2010 08:55:58
mbam-log-2010-01-12 (08-55-58).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 688403
Time elapsed: 7 hour(s), 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012808.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012809.sys (Malware.Trace) -> Quarantined and deleted successfully.



Afterwards ran the tool here (in safe mode) : SDFix


The report said 'No Trojan Files Found'.


I'm pretty sure I'm free of malware / spyware now. However, since I logged back in 20 mins ago, about 10 sh.exe and 7 ssh.exe have started. Argh!


If it helps, the previous computer user was fighting this problem and said something about a Firefox memory leak because of one of its plugins. However, I haven't even run Firefox or WinSCP since I've booted up!

Thanks for the help so far.
January 12, 2010 5:53:30 PM

Check your startup config file.
Type msconfig in the Run box, or in Vista/7 the search bar. Then go to the tab that says Startup. Uncheck anything you don't need running. See if that corrects the problem. Or just look through them and see if one looks like something that could be causing that.
January 18, 2010 7:26:04 AM

Thanks, I have done this as well now, but still under attack from the hordes of sh.exe and ssh.exe!
January 19, 2010 9:43:48 AM

bump!