VictorValiant

jh1d.exe not detected in mbam


Hello, all

Let me get straight to the point

I have noticed this file/program jh1d.exe in my Task Manager > Processes.
It takes about 50% of CPU resources and 2 GB RAM, stressing my resources and slowing things down. (My system specs: Core i7 2600K, 16 GB RAM, OS Win7 x64.)
I can stop it by simply clicking End Task, and its location is systemroot/temp > C:/temp.
Unfortunately mbam doesn't detect/remove it. (I use the free version of mbam with the latest updates.)
Even if removed manually from the recycle bin, it manifests & executes again within 2-3 mins after the next boot.

I've also tried moveonboot to remove it at the next boot

but it still manifests & executes, only now it's somehow renamed to jh1c.exe and has the same properties and claim on resources.
I'm not very technical and I have little knowledge concerning malware, but I'm sure there's a name/terminology for this kind of thing.
Almost forgot, the exe file shows little variation in file size; I've seen both 88 KB and 126 KB as file sizes upon booting.

I googled jh1d.exe and it seems more people have detected it, as early as 15 Nov 2013, so it seems fairly new and little is known about it.
I simply "End Task" & remove it from the recycle bin for now when I boot; I'll wait for the solution to be implemented in the mbam free version, as it is not aggressive IMO, just very annoying.
Hopefully I've provided sufficient information, and I'm sorry not to be able to provide more details, as I'm not adept at these things.

Thank you in advance for any additional info or tips regarding this issue

Sincerely, Victor

PS. Please just read the next as a note, as I'm sure you have no interest in ungrounded/imaginative issues.

I've gotten a notification that there was a hack/login attempt on one of my online accounts, but I don't know if it's related to this issue or a coincidence, since this has never happened to me before now.


I also have this problem. No clue how it entered my system, and now my system restore won't even work (Not 100% if these events are related, anyhow).

I'll make a thread there and attach the file.


Researched a bit more, and it seemingly tries to convince the user that it is a bitcoin miner.
Took this snapshot of what happens for 0.1 seconds if I open it. http://gyazo.com/8ba0cd3638465e9139ed912bf26bf5bd

But, since this .exe seemingly is a bitcoin miner, I suspect someone to use my computer resources for their own bitcoin mining, as I don't recall downloading any bitcoin miner.


Also, I noticed the jh1d.exe reappears in C:/temp after 5 hrs or so, after closing (end-tasking) the previous instance.
Maybe it has to do with being triggered by the registry as a scheduled event or something like that (just guessing).
I've attached my registry here, just in case the research team needs it.

I was going to post it in the same thread where the exe was posted, but it's already been locked.
So I hope you won't mind me posting it here.

A bitcoin miner? Sorry, I didn't know what bitcoin was; I had to look it up on Wikipedia.
So someone is getting richer by using other people's CPU & RAM resources to generate bitcoin currency?

Kind regards, 
Victor

Edit: removed registry


Yes, I think that is a possible conclusion to what jh1d.exe actually is. Not very familiar with bitcoin or bitcoin mining myself, but I looked up jhprotominer.exe, which can be found in the DOS window that pops up if you try to run jh1d.exe manually. (Link to screenshot in my last post.)

The problem at my end seems to have gotten slightly better; jh1d.exe still appears in C:/temp at boot, but it does not run at any point, not even when I manually run it.


Updated mbam just now & indeed it detected the jh1d.exe which I zipped at C:/temp; it has now been removed, hopefully it stays that way.
Kudos to the research team for such fast implementation, and please forgive the typos in jh1d.exe in my previous posts.
I've been googling for similar cases, and there was a file I'd completely forgotten all about.

It's pts5a.exe, in C:/temp.
A few days ago when this issue first occurred, this was the file that initially claimed 50% CPU and 2 GB RAM. However, I ended the task and removed it normally with the Windows recycle bin.

And thought nothing of it till I rebooted and found jh1d.exe in that same folder.

The pts5a.exe never came back, but due to the focus on jh1d.exe it just slipped my mind, sorry....
I don't know if it is relevant now, as it is maybe fixed; rebooting my system now.

Hammerhode, have you also seen pts5a.exe on your system/Task Manager before? There are more people reporting pts5a and jh1d together, though, on other virus-related topics and forums.


OK, I looked at the registry files. I see no load points for any of the filenames here. There may be another component to this. If only we can find the installer parent malware. It may be triggered by a job or another parent file.

If these run again, you can use Process Explorer to find the parent process. This may show us what launched these files.

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

I added some defs for the pts5a file for the 4 copies I could find.


No VictorValiant, I have not seen any other files stored in C:/temp except jh1d.exe.

Anyway, it might be because I ran a system restore soon after I got rid of jh1d.exe.

I hope you find a solution to this soon.

-HammerHode


I added the defs for the wc1a file I could find, but only found 1 copy of 32-bit and 1 copy of 64-bit.

If you have any of these files, please submit them in the malware submission forum linked above.



Hi, Shadowwar

After scanning and removing, none of the malicious files have come back, so my problem is as good as solved, and I can go back to work again ;) Thank you for your efforts, I really appreciate it.

Unfortunately I don't know where it came from exactly. All I recall is I browsed a lot of websites that day with lots of ad pop-ups and banners, and only noticed the resource drain upon booting the morning after.

(I always have auto-empty temp files and history on exit checked in the browser, to minimize such problems arising.)

So sorry I couldn't be of more help.

Also, the newly mentioned wc1a is totally unknown to me; someone newly affected may have the files you're looking for.

Anyway, this whole process has made me more confident in using mbam, as you have given me ("us") friendly, timely responses and even a fast update to get rid of it.

Thanks again

Kind regards,

Victor


OK, so I take it your problem is solved too then, after scanning/removing with the new definitions implemented.

Cheers, 

Victor


This was a team effort. It's users like all of you that make us feel good about what we do. I appreciate the help, everyone. Let me know if any problems still exist. I beefed up the definitions some today, to catch and hopefully future-proof against variants of this.


Hi, Shadowwar
I hooked up my iPod and tried to access it with the foobar audio player; it froze, 'not responding',

and suddenly jh1e.exe appeared in C:/temp with the same symptom/resource claim.
I uploaded jh1e.exe to the research center here > https://forums.malwarebytes.org/index.php?showtopic=137168
(NOTE: mbam didn't detect it after scanning with the latest updates.)

I end-tasked jh1e.exe,
I ran Process Explorer, which you posted earlier, and double-clicked jh1e.exe; a cmd screen appeared and an error "stopped working" box appeared instantly, and it showed up in Process Explorer.

I then right-clicked on jh1e.exe > Properties and made screenshots of every tab, as I did not know which one you need most. (8 shots @ 1920x1080 JPGs.)
I left out the GPU tab as it was completely empty and N/A.

There was also a Strings tab with a save option, so I saved that and included it with the screenshots in a zip package.

They don't make much sense to me, but I hope you can figure it out.

It's 2:38 am here now, so calling it a day...
I'll check here later in the morning; if you have any suggestions or new procedures I should follow, let me know.

Sincerely,
Victor

screenshots and strings.zip


I have the same problem.

The scanner detected and removed jh1d.exe yesterday.

However, when starting my computer today, jh1e.exe appears in C:/temp at boot and runs in the same way that jh1d.exe does.

 

I also ran process explorer, and clicked "View -> Show Process Tree" and found that the parent process of "jh1e.exe" is "monitor.exe" and "Mutual Monitor" service is registered in this process.

 

So, I am going to stop this parent process and delete monitor.exe, and stop the service. Further, I am going to delete this service using a DOS command (sc delete Mutual Monitor).

Is this procedure OK?

 

Please give me some suggestions.

 

Sincerely,

Yuyu
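To turn Shadowwar's Process Explorer advice and Yuyu's finding (a parent monitor.exe registered as the "Mutual Monitor" service) into something repeatable, here is an added PowerShell example. It is not code from the thread or from Malwarebytes: it maps every process running from C:\temp to its parent process and then to any Windows service whose binary path points at that parent, which is the persistence mechanism that restarts the miner after each reboot. The folder C:\temp and the output layout are assumptions for illustration; Get-WmiObject is used so it also runs on the Windows 7 / PowerShell 2.0 systems described in this thread.

```powershell
# Added example (not from the thread or from Malwarebytes).
# Assumption: the miner's image lives in $suspectDir, as reported in the thread.
$suspectDir = 'C:\temp'

# Snapshot all processes once and index them by PID so parents can be looked up.
$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Processes started from the temp folder (jh1d.exe, jh1e.exe, pts5a.exe ...).
$suspects = $procs | Where-Object {
    $_.ExecutablePath -and ($_.ExecutablePath -like "$suspectDir\*")
}

# Report each suspect with its parent. Caveat: Windows reuses PIDs, so if the
# parent has already exited the ParentProcessId may point at an unrelated
# process; always confirm ParentPath before acting on it.
foreach ($s in $suspects) {
    $parent = $byPid[[int]$s.ParentProcessId]
    New-Object PSObject -Property @{
        Pid         = $s.ProcessId
        Image       = $s.ExecutablePath
        ParentPid   = $s.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
        CommandLine = $s.CommandLine
    }
}

# Collect the distinct parent image paths (e.g. ...\mutualpublic\monitor.exe).
$parentPaths = @()
foreach ($s in $suspects) {
    $parent = $byPid[[int]$s.ParentProcessId]
    if ($parent -and $parent.ExecutablePath) { $parentPaths += $parent.ExecutablePath }
}
$parentPaths = $parentPaths | Select-Object -Unique

# A service whose PathName points at one of those parents is the load point
# the registry search in the thread was looking for (here "Mutual Monitor").
Get-WmiObject Win32_Service | Where-Object {
    $svc = $_
    ($parentPaths | Where-Object { $svc.PathName -and ($svc.PathName -like "*$_*") }) -ne $null
} | Select-Object Name, DisplayName, State, StartMode, PathName
```

Run it in an elevated PowerShell while the miner is active; once the process has been end-tasked there is nothing left to map. A service name containing a space has to be quoted when it is removed from the command line, so the `sc` step reads `sc.exe stop "Mutual Monitor"` followed by `sc.exe delete "Mutual Monitor"`; alternatively uninstall the parent package ("Mutual Public") from Programs and Features as later posts in the thread did.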


Hi everyone

I have/had the same issue.

I deleted the jh1e.exe file in C:\temp yesterday and this morning it was back, using up my CPU resources. I did a full scan and quick scan with the latest Malwarebytes version while the process was running and it didn't pick up anything...

So I deleted the file manually after stopping the process.

 

After reading yuyujiten's post, I did some more googling and found that I also had a folder called 'mutualpublic' containing monitor.exe in Program Files, which seems to be related to a lot of differently named exe problems people are having. The folder also contained an uninstall exe and a freeproxyserver exe (something like that). I checked my Programs and Features list and saw that it had something called Mutual Public listed, which I uninstalled.

 

Will keep you guys updated if anything changes after deleting it.


I also did the same thing as stuniq. I uninstalled "Mutual Public" and the service and "jh1c.exe" both went with it. I will also post if I notice anything fishy again.


Can I get a copy of the mutual public folder zipped and submitted to the file submission forum so I can get this added?

I should have explained myself better, but the parent process is, as described here, the one right above it to the left in Process Explorer. Like svchost.exe would have a bunch of files listed under it to the right; svchost.exe is the parent.


I am adding detection now for this service and parent files. Update should be in a few minutes. Would still appreciate a copy of the folder zipped, though, before someone removes it.


Just uploaded the zipped mutualpublic folder here > https://forums.malwarebytes.org/index.php?showtopic=137190

I didn't have the process tree checked when I found jh1e.exe last night; that's why I couldn't see it.

So I guess the screenshots weren't of much use. Although on pic 005, under the TCP/IP tab, it said local address victorvaliant:50573, remote address ypool.net:8086 when jh1e.exe was running.

Is this a connection like someone is accessing my CPU? The numbers are port numbers, right? And can I block this ypool.net somehow? Can this be implemented in mbam?

 

I don't use a firewall, because it slows my system down when working.

But now I'm open to suggestions, provided it's light on the resources/system.

I am surprised that there are so many people affected by it, and this topic being viewed nearly 1000 times.

I haven't deleted the mutualpublic yet, just in case you need me to check other things out.

grtz, V

PS just now I double-clicked jh1e.exe and I see in TCP/IP that there is a connection established with a full IP address, but the parent process is now wininit.exe.

Please see attached files for screenshot.

jh1e.exe re-run IP address pic.jpg.zip
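Victor's Process Explorer TCP/IP tab showed the miner connected to ypool.net:8086, which is a more stable indicator than the file name, since the thread has already seen jh1c, jh1d and jh1e. The following added PowerShell example (not from the thread or from Malwarebytes) parses the output of netstat -ano, which exists on Windows 7, and reports every established connection to the pool host or port together with the owning process. The watchlist values come from the thread; the sample netstat rows at the end are constructed for an offline run, with addresses from the 203.0.113.0/24 documentation range, not real captures.

```powershell
# Added example (not from the thread or from Malwarebytes).
# Watchlist from the thread: the pool host and port seen in Process Explorer.
$poolHosts = @('ypool.net')
$poolPorts = @(8086)

# netstat -ano prints numeric addresses, so resolve the watchlist hosts up front.
# A host that does not resolve (offline, already blocked) is skipped with a warning.
$poolAddrs = foreach ($h in $poolHosts) {
    try { [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString } }
    catch { Write-Warning "Could not resolve ${h}: $($_.Exception.Message)" }
}

function Get-SuspiciousConnection {
    param([string[]]$NetstatLines)

    foreach ($line in $NetstatLines) {
        # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID
        if ($line -notmatch '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') { continue }
        $local, $remote, $state, $owningPid = $Matches[1], $Matches[2], $Matches[3], [int]$Matches[4]
        if ($state -ne 'ESTABLISHED') { continue }

        # Split "addr:port"; IPv6 endpoints are printed as [addr]:port.
        if ($remote -notmatch '^\[?([^\]]+)\]?:(\d+)$') { continue }
        $rAddr, $rPort = $Matches[1], [int]$Matches[2]

        if (($poolPorts -contains $rPort) -or ($poolAddrs -contains $rAddr)) {
            # The PID column maps the socket back to the process, as Process
            # Explorer's TCP/IP tab does; the process may already have exited.
            $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Pid     = $owningPid
                Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path    = if ($proc) { $proc.Path } else { $null }
                Local   = $local
                Remote  = $remote
            }
        }
    }
}

# Live check against the current system:
Get-SuspiciousConnection -NetstatLines (netstat -ano)

# Constructed sample rows (not real captures) so the output shape can be seen
# offline; only the first row matches the watchlist port.
$sample = @(
    '  TCP    192.168.1.20:50573     203.0.113.10:8086      ESTABLISHED     4321',
    '  TCP    192.168.1.20:49700     203.0.113.99:443       ESTABLISHED     1234'
)
Get-SuspiciousConnection -NetstatLines $sample
```

Matching on the pool's port as well as its resolved addresses covers the case in Victor's PS, where a later run showed a bare IP address instead of the host name. Blocking the host can be done with an outbound rule in the built-in Windows Firewall, which has little resource cost, but blocking alone leaves the parent installer in place, so removal of the "Mutual Public" package and its service remains the actual fix.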


explorer.exe was the parent process. The parent is right above and up only one level. This is because you double-clicked it.

I am researching this some more and this is a mess. No one seems to detect monitor.exe, so I need to dig deeper as to why this is happening and such.

It comes down from Amazon servers and contacts ypool.net for the CPU bitcoin mining group.

We should remove most of this now and stop it.
