Jump to content

What are ".sh!" files or folders?


ccleaned

Recommended Posts

Hey, sorry if this has been answered before, but I did a search here and didn't get a hit. After I use CCleaner, when I look in my user folder in "Documents and Settings", I'll see the usual "cookies" folder but I also find another folder called "cookies.sh!".When I look into my "Local Settings" folder, I see other versions of my Temp, Temporary Internet Files and History folder, called "Temp.sh!", "Tempor~1.sh!" (or something like that) and "History.sh!". These usually hold the uncleaned versions of the main folders. What is this ".sh!" all about? I Goggled it and could find nothing. It's got me concerned. I usually then use McAfee's Shredder to get rid of these extra folders, but I'd like to know what they are and what's going on. Does anyone know>?

Thanks in advance!

Link to comment
Share on other sites

These are Unix/Linux files.

 

See for instance here.

 

Fredvries,

 

OK, thanks. I did find references to ".sh" UNIX extensions on Google. But mine have the extension ".SH!" with the "!" (exclamation mark) right after the ".sh". And these are folders, not files, even though they are named with a file extension.

 

Here is what I've got in my "Documents and Settings":

 

Cookies

Cookies.SH!

Temp

Temp.SH!

Temporary Internet Files

TEMPOR~1.SH!

History

History.SH!

 

Does the added exclamation mark still mean that these are UNIX folders? I'm not a UNIX expert. And even if they are UNIX, why do they keep reappearing in new sessions even after I shred them, and what are they there for? CCleaner seems to ignore them (or generate them perhaps???). I have to shred them with McAfree's Shredder tool. Does anyone know what they are?

 

Thanks again in advance.

Link to comment
Share on other sites

This setting will help a lot towards preventing malware from entering your computer.

 

Temporary Internet files set to delete when browser closes

Internet options- advanced tab- scroll towards bottom and select to delete temp int files when browser closes.

Link to comment
Share on other sites

This setting will help a lot towards preventing malware from entering your computer.

 

Temporary Internet files set to delete when browser closes

Internet options- advanced tab- scroll towards bottom and select to delete temp int files when browser closes.

 

Glatzfront,

 

Thanks for your help. I will try the safe mode scan. CCleaner seems to do a good job deleting the contents of the Temporary Internet Files, History folder and Temp folder. And it can be set to shred multiple times, which IE won't do by itself. But CCleaner doesn't even see the new ".sh!" duplicate folders, and the automatic IE deletion you suggest won't affect them either, so I don't know how that would help. McAfee's shredder tool (or other shredder tools) works fine to remove the ".sh!" files when pointed to them manually, but I'm concerned about their source, and how to eliminate once and for all. Someone must know what these are.

Link to comment
Share on other sites

Glatzfront,

 

Thanks for your help. I will try the safe mode scan. CCleaner seems to do a good job deleting the contents of the Temporary Internet Files, History folder and Temp folder. And it can be set to shred multiple times, which IE won't do by itself. But CCleaner doesn't even see the new ".sh!" duplicate folders, and the automatic IE deletion you suggest won't affect them either, so I don't know how that would help. McAfee's shredder tool (or other shredder tools) works fine to remove the ".sh!" files when pointed to them manually, but I'm concerned about their source, and how to eliminate once and for all. Someone must know what these are.

 

Not knowing what they are suggests malware.

 

I don't know if automatic IE deletion would delete these suspect files either, the reason I suggested it is for security. Temp int files are a gateway into the computer, with this setting they would be deleted automatically each time the browser is closed.

 

I don't even want to imagine why you would need to overwrite temp int files but most would be overrwitten by other data soon after deletion. If concerned about data that can be recovered, a tool that overwrites deleted files might be a possibility because this would include all deleted files that haven't been overwritten. If that much security is needed you would also need to clean the MFT and other file tables. Just my thoughts anyway.

Link to comment
Share on other sites

Not knowing what they are suggests malware.

 

I don't know if automatic IE deletion would delete these suspect files either, the reason I suggested it is for security. Temp int files are a gateway into the computer, with this setting they would be deleted automatically each time the browser is closed.

 

I don't even want to imagine why you would need to overwrite temp int files but most would be overrwitten by other data soon after deletion. If concerned about data that can be recovered, a tool that overwrites deleted files might be a possibility because this would include all deleted files that haven't been overwritten. If that much security is needed you would also need to clean the MFT and other file tables. Just my thoughts anyway.

 

No, IE doesn't recognize them nor remove them. I suspect malware too, but it's interesting that all the Web searches I've done for ".SH!" have turned up nothing. Surely someone knows what these are, malware or not. Overnight I ran scans of McAfee, Spybot and Adaware (all latest versions) in SAFE mode, as you suggested. Nothing was found at all. I don't know what the "MFT" is. I will have to look into that. Again, thanks for your help.

Link to comment
Share on other sites

Found a thread here where the user has the same files, they also used McAfee.

 

http://www.d-a-l.com/help/showthread.php?p=144036

 

Is it this HJT entry you are referring to?

 

I want to see if this line clears:

O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Mike\LOCALS~1\Temp\TEMPOR~1\Content.SH ! C:\DOCUME~1\Mike\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\Cookies.SH!

Link to comment
Share on other sites

Found a thread here where the user has the same files, they also used McAfee.

 

http://www.d-a-l.com/help/showthread.php?p=144036

 

Hazelnut,

 

Thanks for that. That's the first I've seen where someone else has those same files/folders. I'll look into that thread some more. I know that McAfee says that it delays shredding some files until you reboot, and perhaps these are temporary back-ups that are destroyed upon rebooting. There's a hint about that in one registry line from your linked thread:

 

HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Mike\LOCALS~1\Temp\TEMPOR~1\Content.SH ! C:\DOCUME~1\Mike\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Mike\LOCALS~1\Temp\Cookies.SH!

 

I had searched the McAfee site before, and again a few minutes ago, for ".SH!"references, but found none. Oh, well...

 

I posted here in the CCleaner forum because I thought these files might have something to do with CCleaner, but now I'm thinking not.

Link to comment
Share on other sites

  • Moderators

An older, but perhaps more, interesting thread

 

http://www.techsupportforum.com/security-c...izer-supar.html

 

Bare in mind, I'm not suggesting you follow the instructions given above, just posting it for info.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 

Link to comment
Share on other sites

An older, but perhaps more, interesting thread

 

http://www.techsupportforum.com/security-c...izer-supar.html

 

Bare in mind, I'm not suggesting you follow the instructions given above, just posting it for info.

 

 

OK, thanks. This suggests even more strongly that these are holding files for a reboot shred by McAfee, and not malware after all.

Link to comment
Share on other sites

OK, thanks. This suggests even more strongly that these are holding files for a reboot shred by McAfee, and not malware after all.

 

The poster's first HJT isn't dated so we don't know when it was but there must have been a reboot because he didn't get help that soon. This suggests to me that the McAfee entry wasn't clearing for some reason and it could be that it wasn't shreading those files and was caught in a loop????? I haven't used this so I don't know if that is even possible (loop) sounds good though :).

 

For what ever reason the entry and files were still present after rebooting.

Link to comment
Share on other sites

  • Moderators
and was caught in a loop????? I haven't used this so I don't know if that is even possible (loop) sounds good though :).

 

For what ever reason the entry and files were still present after rebooting.

 

 

I agree, loop sounds good :)

 

If they are not clearing on reboot, that's the next problem.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 

Link to comment
Share on other sites

I should revise my statement "For what ever reason the entry and files were still present after rebooting." to For what ever reason the entry was still present after rebooting and maybe the files.

 

Can you visually verify that these files are present?

Link to comment
Share on other sites

I should revise my statement "For what ever reason the entry and files were still present after rebooting." to For what ever reason the entry was still present after rebooting and maybe the files.

 

Can you visually verify that these files are present?

 

 

Oh yes, they're visible when you explore the Local Settings and also up one level (where the cookies are). Hidden files must be set to "Show'. Unlike CCleaner or IE Delete, you can point McAfee shredder to any arbitrary file or folder for shredding. So McAfee shredder can eliminate those".SH!" files. But they pop up again later. I will try to sort out when and how, and what happens at reboot.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.