Being attacked by hoards of sh.exe and ssh.exe.

bunion

Distinguished
Aug 21, 2007
110
0
18,680
Hi, Once this computer has been on for a while, I get several instances of sh.exe (28 currently) and ssh.exe (14). I've scanned for viruses and it's virus free.

The instances of sh.exe all use around 3,100 K of memory and ssh.exe around 4,150 K.

I have run loads of anti-spyware / malware scans. In safe mode the following have been run:

[cpp]LavaSoft AdAware : Full Scan - Results

- Win32.Trojan.AdClicker : 'removed'.
- Win32.Trojan.Agent : 'Quarantined'
- Win32.Trojan.Crypt : 'Quarantined'
- Win32.TrojanDownloader.Agent : 'Quarantined * 2'
- Cookies 170 : 'removed'

Spybot Search & Destroy : Full Scan - Results

Can't access log of what was removed but all was removed successfully - I have run again and nothing found.

Spybot Search & Destroy : Full Scan - Results

Scan log:

Malwarebytes Anti-Malware : Full Scan - Results
Code :
Malwarebytes' Anti-Malware 1.44
Database version: 3519
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
12/01/2010 08:55:58
mbam-log-2010-01-12 (08-55-58).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 688403
Time elapsed: 7 hour(s), 10 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012808.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012809.sys (Malware.Trace) -> Quarantined and deleted successfully.
Afterwards I ran the tool here (in safe mode): SDFix
http://www.bleepingcomputer.com/forums/topic131299.html

The report said 'No Trojan Files Found'.
[/cpp]


I'm pretty sure I'm free of Malware / Spyware. However, since I logged back in 20 mins ago, about 10 sh.exe and 7 ssh.exe have started.

If it helps, the previous computer user was fighting this problem and said something about a Firefox memory leak because of one of its plugins. However I haven't even run Firefox or WinSCP since I've booted up!

I have also disabled lots of startup programs via msconfig.

Thanks if you can help.
blackwidow_rsa

Distinguished
Aug 16, 2007
846
0
18,990
Try running AVG 9, it has an anti-virus and an anti-spyware. Served me well through a few infections, but the best way to get rid of a virus or spyware is a full format.
 

kamel5547

Distinguished
Jan 4, 2006
585
0
18,990
Besides Malwarebytes I like to run Spybot Search & Destroy (free, www.safer-networking.org/). Between the two pretty much everything gets nuked, assuming it is spyware.
 

bunion

Distinguished
Aug 21, 2007
110
0
18,680
Thanks for the suggestions, but I said in my post I have already used almost every suggested program: Spybot S&D, Ad-Aware, and the virus scan was done with AVG 8. However I will run Windows Defender as well (the 6th anti-crap program I will have run!) and post the result here. I think it's spyware free!
 

bunion

Distinguished
Aug 21, 2007
110
0
18,680
Hi again, well I have run Windows Defender; all it found was Win32/Yazzle in one of the system restores, and it removed it.

http://www.microsoft.com/security/p...spx?name=Program:Win32/Yazzle&threatid=144003

Here is the HijackThis log, I can't see anything dangerous.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:48:26, on 25/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [iKeyWorks] C:\Program Files\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DMartin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AutoVer] C:\Program Files\AutoVer\AutoVer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe (User 'Default user')
O4 - Startup: Shortcut to PureText.exe.lnk = C:\Documents and Settings\DMartin\Desktop\PLarner\PureText.exe
O4 - Startup: Shortcut to StickyNotes.exe.lnk = C:\Documents and Settings\DMartin\Desktop\PLarner\StickyNotes.exe
O4 - Startup: WebDrive Auto-connect.lnk = C:\Program Files\WebDrive\webdrive.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: start WampServer.lnk = C:\wamp\wampmanager.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://fs203a/ConnectComputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183714695953
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/svinstall_classic.exe
O16 - DPF: {9EB48385-92F7-4C17-AA62-AF53F79C76BA} (prjGetFileContent.clsFileAccess) - http://xtend.city-link.co.uk/main/prjGetFileContent.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E574A32F-7F3F-49BB-9290-2126D7E58EBA} (LabelPrint_CityLink.clsPrinter) - http://xtend.city-link.co.uk/main/LabelPrint_CityLink.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{14EB416C-2AB2-49F8-B16D-7ECD3F8CE959}: NameServer = 223.75.150.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: CYGWin cron (cron) - Unknown owner - C:\GNU\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

--
End of file - 10298 bytes

Thanks 4 help.
 
In my opinion, wipe the hard drive clean if nothing else is working. (Just be sure to save all the files that you're wanting to keep to another drive like a USB flash drive or an external HDD before wiping the primary HDD!)
 

bunion

Distinguished
Aug 21, 2007
110
0
18,680
Thanks for the help. It was a program called Cygwin that was causing the problem; it was also a nightmare to uninstall. I had to reboot into safe mode and delete the installation directory. Searching for sh.exe led me to the program.
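The thread resolves by a manual search for sh.exe; the two checks below would have pointed at the same service directly. This is an added example, not code from the thread or from HijackThis, Malwarebytes or Cygwin. Part 1 parses the O23 (service) lines of the HijackThis log posted above and flags any service with an unknown owner or a binary outside C:\WINDOWS and C:\Program Files. Part 2 walks a process table from every sh.exe / ssh.exe up through its parents so the spawning service is named rather than guessed; the table is constructed in the CSV shape that `wmic process get Name,ParentProcessId,ProcessId /format:csv` prints (XP's tasklist does not show parent PIDs), and the cron.exe -> sh.exe -> ssh.exe chain in it is an assumption about how a Cygwin cron job would appear, not a capture from the poster's machine.

```python
"""Triage helpers for the 'too many sh.exe / ssh.exe' symptom in this thread.

Added example, not code from the thread or from any tool mentioned in it.
Part 1 reads the O23 (service) lines of a HijackThis log and flags services
worth a closer look.  Part 2 walks a process table from each sh.exe / ssh.exe
up through its parents so the spawning service can be named.
"""
import csv
import io
import re
from collections import Counter

# Sample input: the O23 lines copied from the HijackThis log posted above.
HJT_LOG = r"""
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: CYGWin cron (cron) - Unknown owner - C:\GNU\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe
"""

# "O23 - Service: <name> - <owner> - <drive>:\<path>"; non-greedy groups stop
# at the first " - " that still leaves a drive-letter path at the end.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Directories a service binary on this XP box would normally live under.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_o23(log):
    """Return one dict (name, owner, path) per O23 line in the log."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_services(entries):
    """Flag services with no vendor name or a binary outside the usual roots."""
    flagged = []
    for e in entries:
        reasons = []
        if e["owner"].strip().lower() == "unknown owner":
            reasons.append("unknown owner")
        if not e["path"].lower().startswith(TRUSTED_ROOTS):
            reasons.append("binary outside Windows/Program Files")
        if reasons:
            flagged.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return flagged


# Constructed process table in the CSV shape that
#   wmic process get Name,ParentProcessId,ProcessId /format:csv
# prints.  Illustrative only: the cron.exe -> sh.exe -> ssh.exe chain is an
# assumption about how a Cygwin cron job would look, not a real capture.
PROCESS_TABLE = """\
Node,Name,ParentProcessId,ProcessId
PC,System,0,4
PC,services.exe,4,600
PC,cygrunsrv.exe,600,1200
PC,cron.exe,1200,1300
PC,sh.exe,1300,1400
PC,ssh.exe,1400,1500
PC,sh.exe,1300,1410
"""


def parent_chains(table_csv, targets=("sh.exe", "ssh.exe")):
    """Map each target PID to its ancestry, from the process itself up to the root."""
    rows = list(csv.DictReader(io.StringIO(table_csv.strip())))
    by_pid = {int(r["ProcessId"]): (r["Name"], int(r["ParentProcessId"])) for r in rows}
    chains = {}
    for pid, (name, _parent) in by_pid.items():
        if name.lower() not in targets:
            continue
        chain, cur, seen = [], pid, set()
        while cur in by_pid and cur not in seen:  # stop at a missing or reused PID
            seen.add(cur)
            chain.append(by_pid[cur][0])
            cur = by_pid[cur][1]
        chains[pid] = chain
    return chains


def spawners(chains, targets=("sh.exe", "ssh.exe")):
    """Count the first non-target ancestor of every chain: who is launching them?"""
    counts = Counter()
    for chain in chains.values():
        origin = next((n for n in chain if n.lower() not in targets), "<unknown>")
        counts[origin] += 1
    return counts


if __name__ == "__main__":
    for f in flag_services(parse_o23(HJT_LOG)):
        print(f"{f['name']}: {f['path']}  [{', '.join(f['reasons'])}]")
    chains = parent_chains(PROCESS_TABLE)
    for pid, chain in sorted(chains.items()):
        print(pid, " <- ".join(chain))
    print("spawners:", dict(spawners(chains)))
```

On this log the flagged list is exactly the three services that no regular Windows installer put there (cron under C:\GNU, and the two WampServer services), and the cron entry is the one the poster eventually tracked down by hand. An unusual path or missing owner is only a prompt to look at the service, not evidence of infection; the parent-chain walk is what turns "lots of sh.exe" into "cron is running jobs every few minutes".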