Being attacked by hoards of sh.exe and ssh.exe.

January 21, 2010 7:27:18 AM

Hi. Once this computer has been on for a while, I get several instances of sh.exe (28 currently) and ssh.exe (14). I've scanned for viruses and it's virus free.

The instances of sh.exe all use around 3,100K of memory and ssh.exe around 4,150K.

I have run loads of anti-spyware / malware scans. In safe mode the following have been run:

LavaSoft AdAware : Full Scan - Results

- Win32.Trojan.AdClicker : 'removed'.
- Win32.Trojan.Agent : 'Quarantined'
- Win32.Trojan.Crypt : 'Quarantined'
- Win32.TrojanDownloader.Agent : 'Quarantined * 2'
- Cookies 170 : 'removed'

Spybot Search & Destroy : Full Scan - Results

Can't access log of what was removed but all was removed successfully - I have run again and nothing found.

Malwarebytes Anti-Malware : Full Scan - Results
Code :
Malwarebytes' Anti-Malware 1.44
Database version: 3519
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
12/01/2010 08:55:58
mbam-log-2010-01-12 (08-55-58).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 688403
Time elapsed: 7 hour(s), 10 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012808.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D3A5CE20-4511-4B1E-92F8-4E10323EE8BF}\RP39\A0012809.sys (Malware.Trace) -> Quarantined and deleted successfully.

Afterwards ran the tool here (in safe mode) : SDFix
http://www.bleepingcomputer.com/forums/topic131299.html

The report said 'No Trojan Files Found'.

I'm pretty sure I'm free of malware / spyware. However, since I logged back in 20 mins ago, about 10 sh.exe and 7 ssh.exe have started.

If it helps, the previous computer user was fighting this problem and said something about a Firefox memory leak because of one of its plugins. However, I haven't even run Firefox or WinSCP since I've booted up!

I have also disabled lots of startup programs via msconfig.

Thanks if you can help.

January 21, 2010 9:18:04 AM

Try running AVG 9; it has an anti-virus and an anti-spyware. Served me well through a few infections, but the best way to get rid of a virus or spyware is a full format.
January 21, 2010 2:11:58 PM

It also can't hurt to try the full gamut of other programs you have available free:
Windows Defender(check current and startup executables),
CCleaner(registry clean),
Ad-Aware... etc...
January 21, 2010 2:28:15 PM

Besides Malwarebytes I like to run Spybot Search & Destroy (free, www.safer-networking.org/). Between the two pretty much everything gets nuked, assuming it is spyware.
January 21, 2010 4:26:06 PM

Thanks for the suggestions, but I said in my post I have already used almost every suggested program: Spybot S&D, Ad-Aware, and the virus scan was done with AVG 8. However, I will run Windows Defender as well (the 6th anti-crap program I will have run!) and post the result here. I think it's spyware free!
January 21, 2010 6:18:50 PM

You could try searching for and deleting all sh.exe files. Do you use a USB stick often? The virus could be on there. But it looks like a format is needed.
January 22, 2010 12:51:42 PM

Do a scan with HiJackThis and see what pops up ...
January 22, 2010 9:42:27 PM

Disable System Restore before you clean the system; it looks like the virus is reinstalling itself, and this is one of the ways they do that.
January 26, 2010 7:07:49 AM

Hi again. Well, I have run Windows Defender; all it found was Win32/Yazzle in one of the system restores, and it removed it.

Here is the HijackThis log; I can't see anything dangerous.

Quote:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:48:26, on 25/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [iKeyWorks] C:\Program Files\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DMartin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AutoVer] C:\Program Files\AutoVer\AutoVer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe (User 'Default user')
O4 - Startup: Shortcut to PureText.exe.lnk = C:\Documents and Settings\DMartin\Desktop\PLarner\PureText.exe
O4 - Startup: Shortcut to StickyNotes.exe.lnk = C:\Documents and Settings\DMartin\Desktop\PLarner\StickyNotes.exe
O4 - Startup: WebDrive Auto-connect.lnk = C:\Program Files\WebDrive\webdrive.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: start WampServer.lnk = C:\wamp\wampmanager.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://fs203a/ConnectComputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/svinstall_clas...
O16 - DPF: {9EB48385-92F7-4C17-AA62-AF53F79C76BA} (prjGetFileContent.clsFileAccess) - http://xtend.city-link.co.uk/main/prjGetFileContent.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/curre...
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx...
O16 - DPF: {E574A32F-7F3F-49BB-9290-2126D7E58EBA} (LabelPrint_CityLink.clsPrinter) - http://xtend.city-link.co.uk/main/LabelPrint_CityLink.C...
O17 - HKLM\System\CCS\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{14EB416C-2AB2-49F8-B16D-7ECD3F8CE959}: NameServer = 223.75.150.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{09758AAD-CF0C-4EE8-BD11-5E840E97E194}: NameServer = 158.152.1.59,195.99.65.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: CYGWin cron (cron) - Unknown owner - C:\GNU\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

--
End of file - 10298 bytes


Thanks 4 help.
January 26, 2010 8:10:08 AM

Please help - there is still an onslaught of these processes.
February 1, 2010 7:13:19 AM

Thanks, I have tried the winsock fix but no luck.
February 1, 2010 7:31:03 AM

Windows Defender was good, but in all honesty you might want to download Microsoft Security Essentials. It's basically Windows Defender plus anti-virus and the whole shebang, and free.

I would also suggest trying to run those programs in safe mode.

Also, check this out:

http://www.file.net/process/sh.exe.html
February 1, 2010 12:46:02 PM

In my opinion, wipe the hard drive clean if nothing else is working. (Just be sure to save all the files that you're wanting to keep to another drive, like a USB flash drive or an external HDD, before wiping the primary HDD!)
February 3, 2010 7:09:36 AM

Thanks for the help. It was a program called Cygwin that was causing the problem; it was also a nightmare to uninstall. I had to reboot into safe mode and delete the installation directory. Searching for sh.exe led me to the program.
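The poster found the culprit by searching the disk for sh.exe. On a live system the quicker way to answer "what keeps spawning these?" is to read the parent links in the process list and attribute every sh.exe and ssh.exe to the nearest ancestor that is not itself one of them, then walk further up to the image that services.exe started, which names the owning service. The Python below is an added example, not code from the thread; the process listing is constructed to resemble what a WMI Win32_Process export would show on the poster's machine (a Cygwin cron service started through cygrunsrv.exe, spawning sh.exe which in turn runs ssh.exe), and every PID and path in it is invented for illustration.

```python
"""Attribute a swarm of identical processes to the parent that spawns them.

Added example, not code from the thread. PROCESS_LIST is a constructed
sample in the shape of a Win32_Process export; PIDs and paths are invented.
"""
import csv
import io
from collections import Counter

# Constructed sample listing (ProcessId, ParentProcessId, Name, ExecutablePath).
PROCESS_LIST = """\
ProcessId,ParentProcessId,Name,ExecutablePath
4,0,System,
552,4,smss.exe,C:\\WINDOWS\\System32\\smss.exe
640,552,winlogon.exe,C:\\WINDOWS\\system32\\winlogon.exe
684,640,services.exe,C:\\WINDOWS\\system32\\services.exe
1204,684,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1388,684,cygrunsrv.exe,C:\\GNU\\bin\\cygrunsrv.exe
1412,1388,cron.exe,C:\\GNU\\bin\\cron.exe
1500,1412,sh.exe,C:\\GNU\\bin\\sh.exe
1504,1500,ssh.exe,C:\\GNU\\bin\\ssh.exe
1520,1412,sh.exe,C:\\GNU\\bin\\sh.exe
1524,1520,ssh.exe,C:\\GNU\\bin\\ssh.exe
1540,1412,sh.exe,C:\\GNU\\bin\\sh.exe
1600,640,explorer.exe,C:\\WINDOWS\\Explorer.EXE
"""


def parse_processes(text):
    """Parse the CSV listing into {pid: record}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = int(row["ProcessId"])
        procs[pid] = {
            "pid": pid,
            "ppid": int(row["ParentProcessId"]),
            "name": row["Name"],
            "path": row["ExecutablePath"] or "(kernel)",
        }
    return procs


def ancestors(procs, pid):
    """Parent, grandparent, ... of pid; stops on a missing parent or a cycle
    (PID reuse can make a stale ParentProcessId point back into the chain)."""
    seen = {pid}
    chain = []
    cur = procs.get(pid)
    while cur and cur["ppid"] in procs and cur["ppid"] not in seen:
        cur = procs[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def spawner(procs, pid, targets):
    """Nearest ancestor that is not itself one of the target names, so that
    ssh.exe launched by sh.exe is credited to whatever launched the sh.exe."""
    for anc in ancestors(procs, pid):
        if anc["name"].lower() not in targets:
            return anc
    return None


def attribute(procs, target_names):
    """Count target processes per spawning executable path."""
    targets = {n.lower() for n in target_names}
    counts = Counter()
    for p in procs.values():
        if p["name"].lower() in targets:
            s = spawner(procs, p["pid"], targets)
            counts[s["path"] if s else "(orphan)"] += 1
    return counts


def service_root(procs, pid):
    """The ancestor launched directly by services.exe, i.e. the service image
    that ultimately owns this process; None if it was not started by a service."""
    for anc in ancestors(procs, pid):
        parent = procs.get(anc["ppid"])
        if parent and parent["name"].lower() == "services.exe":
            return anc
    return None


if __name__ == "__main__":
    procs = parse_processes(PROCESS_LIST)
    for path, n in attribute(procs, ["sh.exe", "ssh.exe"]).most_common():
        print(f"{n:3d} sh/ssh processes spawned by {path}")
    root = service_root(procs, 1500)
    print("owning service image:", root["path"] if root else "none")
```

On the sample all five sh.exe/ssh.exe processes attribute to C:\GNU\bin\cron.exe, and the service-level ancestor is cygrunsrv.exe, which matches the "CYGWin cron" O23 line in the HijackThis log above. The cycle guard in ancestors matters on real listings, where a process whose parent has exited and had its PID reused can otherwise send the walk round in circles.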