VictorValiant Posted November 22, 2013

Hello, all

Let me get straight to the point. I have noticed this file/program jh1d.exe in my task manager > processes. It takes about 50% of CPU resources and 2 GB RAM, stressing my resources and slowing things down. (My system specs: Core i7 2600K, 16 GB RAM, OS Win7 x64.)

I can stop it by simply clicking end task, and its location is systemroot/temp > C:/temp. Unfortunately mbam doesn't detect/remove it. (I use the free version of mbam with the latest updates.) Even if removed manually from the recycle bin, it manifests and executes again within 2-3 mins after the next boot. I've also tried moveonboot to remove it at the next boot, but it still manifests and executes, only now it's somehow renamed to jh1c.exe and has the same properties and claim on resources.

I'm not very technical and I have little knowledge concerning malware, but I'm sure there's a name/terminology for this kind of thing.

Almost forgot, the exe file shows little variation in file size; I've seen both 88 KB and 126 KB as file sizes upon booting. I googled jhd1.exe and it seems more people have detected it as early as 15 Nov 2013, so it seems fairly new and little is known about it.

I simply "end task" and remove from the recycle bin for now when I boot. I'll wait for the solution to be implemented in the mbam free version, as it is not aggressive IMO, just very annoying.

Hopefully I've provided sufficient information, and I'm sorry not to be able to provide more details as I'm not adept at these things. Thank you in advance for any additional info or tips regarding this issue.

Sincerely, Victor

PS. Please just read the next as a note, as I'm sure you have no interest in ungrounded/imaginative issues. I've gotten a notification that there was a hack/login attempt on one of my online accounts, but I don't know if it's related to this issue or a coincidence, since this has never happened to me before now.
shadowwar (Staff) Posted November 22, 2013

Can you please zip up a copy of that file, or a few copies if possible, and start a post here and attach the file so we can get this added? Thanks. https://forums.malwarebytes.org/index.php?showforum=51
HammerHode Posted November 22, 2013

I also have this problem. No clue how it entered my system, and now my system restore won't even work (not 100% sure these events are related, anyhow). I'll make a thread there and attach the file.
VictorValiant (Author) Posted November 22, 2013

> Can you please zip up a copy of that file, or a few copies if possible, and start a post here and attach the file so we can get this added? Thanks. https://forums.malwarebytes.org/index.php?showforum=51

Thanks for replying Rich Matteo, I will.
HammerHode Posted November 22, 2013

Researched a bit more, and it seemingly tries to convince the user that it is a bitcoin miner. Took this snapshot of what happens for 0.1 seconds if I open it. http://gyazo.com/8ba0cd3638465e9139ed912bf26bf5bd

But, since this .exe seemingly is a bitcoin miner, I suspect someone is using my computer resources for their own bitcoin mining, as I don't recall downloading any bitcoin miner.
VictorValiant (Author) Posted November 22, 2013

Also I noticed the jhd1.exe reappears in C:/temp after 5 hrs or so, after closing (end tasking) the previous instance. Maybe it has to do with being triggered by the registry as a scheduled event or something like that (just guessing). I've attached my registry here, just in case the research team needs it. I was going to post it in the same thread where the exe was posted but it's already been locked, so I hope you won't mind my posting it here.

A bitcoin miner? Sorry, I didn't know what bitcoin was; had to look that up on Wikipedia. So someone is getting richer by using other people's CPU and RAM resources to generate bitcoin currency?

Kind regards, Victor

Edit: removed registry
HammerHode Posted November 22, 2013

Yes, I think that is a possible conclusion to what jh1d.exe actually is. Not very familiar with bitcoin or bitcoin mining myself, but I looked up jhprotominer.exe, which can be found in the DOS window that pops up if you try to run jh1d.exe manually. (Link to screenshot in my last post.)

The problem at my end seems to have gotten slightly better: jh1d.exe still appears in C:/temp at boot, but it does not run at any point, not even when I manually run it.
HammerHode Posted November 22, 2013

The scanner found jh1d.exe now, hopefully the fix worked as well. Thanks to the mods for a quick update!
VictorValiant (Author) Posted November 22, 2013

Updated mbam just now and indeed it detected the jh1d.exe which I zipped at C:/temp; it has now been removed, hopefully it stays that way. Kudos to the research team for such fast implementation, and please forgive the typo errors of jh1d.exe in my previous posts.

I've been googling for similar cases, and there was a file I'd completely forgotten all about: it's pts5a.exe, in C:/temp. A few days ago when this issue first occurred, this was the file that initially claimed 50% CPU and 2 GB RAM. However, I ended the task and removed it normally with the Windows recycle bin, and thought nothing of it till I rebooted and found jh1d.exe in that same folder. The pts5a.exe never came back, but due to the focus on jh1d.exe it just slipped my mind, sorry.... I don't know if it is relevant now, as it is maybe fixed; rebooting my system now.

Hammerhode, have you also seen pts5a.exe on your system/task manager before? There are more people reporting pts5a and jh1d together though, on other virus-related topics and forums.
shadowwar (Staff) Posted November 22, 2013

If you can get copies of the pts5a we can get this added too. Also gonna check my sources.
shadowwar (Staff) Posted November 23, 2013

OK, I looked at the registry files. I see no load points for any of the filenames here. There may be another component to this. If only we can find the installer parent malware. It may be triggered by a job or another parent file.

If these run again you can use Process Explorer to find the parent process. This may show us what launched these files. http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

I added some defs for the pts5a file for the 4 copies I could find.
Jukka Posted November 23, 2013

Hello all, I have the same problem. The exe files are: jh1d, wc1a, pts5a.
HammerHode Posted November 23, 2013

No VictorValiant, I have not seen any other files stored in C:/temp except jh1d.exe. Anyways, might be because I ran a system restore soon after I got rid of jh1d.exe. I hope you find a solution to this soon.

-HammerHode
shadowwar (Staff) Posted November 23, 2013

I added the defs for the wc1a file I could find, but only found 1 copy of 32-bit and 1 copy of 64-bit. If you have any of these files please submit them in the malware submission forum linked above.
VictorValiant (Author) Posted November 23, 2013

> OK, I looked at the registry files. I see no load points for any of the filenames here. There may be another component to this. If only we can find the installer parent malware. It may be triggered by a job or another parent file. If these run again you can use Process Explorer to find the parent process. This may show us what launched these files. http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx I added some defs for the pts5a file for the 4 copies I could find.

Hi, Shadowwar

After scanning and removing, none of the malicious files has come back, so my problem is as good as solved, and I can go back to work again. Thank you for your efforts, I really appreciate it.

Unfortunately I don't know where it came from exactly. All I recall is I browsed a lot of websites that day with lots of ad pop-ups and banners, and only noticed the resource drain upon booting the morning after. (I always have auto empty temp files and history on exit checked in the browser to minimize such problems arising.) So sorry I couldn't be of more help. Also the newly mentioned wc1a is totally unknown to me; someone newly affected may have the files you're looking for.

Anyway this whole process has made me more confident in using mbam, as you have given me ("us") friendly, timely responses and even a fast update to get rid of it. Thanks again.

Kind regards, Victor

> No VictorValiant, I have not seen any other files stored in C:/temp except jh1d.exe. Anyways, might be because I ran a system restore soon after I got rid of jh1d.exe. I hope you find a solution to this soon. -HammerHode

Ok, so I take it your problem is solved too then, after scanning/removing with the new definitions implemented.

Cheers, Victor
shadowwar (Staff) Posted November 23, 2013

This was a team effort. It's users like all of you that make us feel good about what we do. I appreciate the help, everyone. Let me know if any problems still exist. I beefed up the definitions today some to catch, and hopefully future-proof against, variants of this.
VictorValiant (Author) Posted November 24, 2013

Hi, shadowwar

I hooked up my iPod and tried to access it with the foobar audio player; it froze 'not responding' and suddenly jh1e.exe appears in C:/temp with the same symptom/resource claim. I uploaded jh1e.exe to the research center here > https://forums.malwarebytes.org/index.php?showtopic=137168 (NOTE: mbam didn't detect it after scanning with the latest updates.)

I end tasked jh1e.exe, I ran Process Explorer which you posted earlier, and double clicked jh1e.exe; a cmd screen appeared and an error "stopped working" box appeared instantly, and it showed up in Process Explorer. I then right clicked on jh1e.exe > properties and made screenshots of every tab, as I did not know which one you need most (8 shots @1920x1080 jpgs). I left out the GPU tab as it was completely empty and N/A. There was also a strings tab with a save option, so I saved that and included it with the screenshots in a zip package. They don't make much sense to me, but I hope you can figure it out.

It's 2.38am here now, so calling it a day... I'll check here later in the morning; if you have any suggestions or new procedures I should follow let me know.

Sincerely, Victor

screenshots and strings.zip
yuyujiten Posted November 24, 2013

I have the same problem. The scanner detected and removed jh1d.exe yesterday. However, when starting my computer today, jh1e.exe appears in C:/temp at boot and runs in the same way that jh1d.exe does.

I also ran Process Explorer, clicked "View -> Show Process Tree" and found that the parent process of "jh1e.exe" is "monitor.exe" and the "Mutual Monitor" service is registered in this process. So, I am going to stop this parent process and delete monitor.exe, and stop the service. Further, I am going to delete this service using a DOS command (sc delete "Mutual Monitor"). Is this procedure OK? Please give me some suggestions.

Sincerely, Yuyu
stuniq Posted November 24, 2013

Hi everyone, I have/had the same issue. I deleted the jh1e.exe file in C:\temp yesterday and this morning it was back using up my CPU resources. I did a full scan and quick scan with the Malwarebytes latest version while the process was running and it didn't pick up anything... So I deleted the file manually after stopping the process.

After reading yuyujiten's post, I did some more googling and found that I also had a folder called 'mutualpublic' containing monitor.exe in Program Files, which seems to be related to a lot of differently named exe problems people are having. The folder also contained an uninstall exe and a freeproxyserver exe (something like that). I checked my Programs and Features list and saw that it had something called Mutual Public listed, which I uninstalled. Will keep you guys updated if anything changes after deleting it.
Kirt142 Posted November 24, 2013

I also did the same thing as stuniq. I uninstalled "Mutual Public" and the service and "jh1c.exe" both went with it. I will also post if I notice anything fishy again..
shadowwar (Staff) Posted November 24, 2013

Can I get a copy of the mutual public folder zipped and submitted to the file submission forum so I can get this added? I should have explained myself better, but the parent process is, as described here, the one right above it to the left in Process Explorer. Like svchost.exe would have a bunch of files listed under it to the right; svchost.exe is the parent.
shadowwar (Staff) Posted November 24, 2013

I am adding detection now for this service and parent files. Update should be in a few minutes. Would still appreciate a copy of the folder zipped though, before someone removes it.
VictorValiant (Author) Posted November 24, 2013

> I am adding detection now for this service and parent files. Update should be in a few minutes. Would still appreciate a copy of the folder zipped though, before someone removes it.

Just uploaded the zipped mutualpublic folder here > https://forums.malwarebytes.org/index.php?showtopic=137190

I didn't have the process tree checked when I found jh1e.exe last night, that's why I couldn't see it. So I guess the screenshots weren't of much use. Although on pic 005 it said under the TCP/IP tab: local address victorvaliant:50573, remote address ypool.net:8086 when jh1e.exe was running. Is this a connection like someone is accessing my CPU? The numbers are port numbers, right? And can I block this ypool.net somehow? Can this be implemented in mbam? I don't use a firewall, because it slows my system down when working. But now I'm open to suggestions, granted it's light on the resources/system.

Am surprised that there are so many people affected by it, and this topic being viewed nearly 1000 times. I haven't deleted the mutualpublic yet, just in case you need me to check other things out.

grtz, V

PS: just now double clicked jh1e.exe and I see in TCP/IP that there is a connection established with a full IP address, but the parent process is now wininit.exe. Please see the attached file for the screenshot.

jh1e.exe re-run IP address pic.jpg.zip
shadowwar (Staff) Posted November 24, 2013

explorer.exe was the parent process. The parent is right above and up only one level. This is because you double clicked it. I am researching this some more and this is a mess. No one seems to detect monitor.exe, so I need to dig deeper as to why this is happening and such. It comes down from Amazon servers and contacts ypool.net for the CPU bitcoin mining group. We should remove most of this now and stop it.
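The three things shadowwar asked posters to read off by hand (which process in C:\temp is running and who its parent is, whether the "Mutual Monitor" service is present, and whether anything holds a connection to ypool.net) can be pulled together in one triage script. This is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell 3.0+ session on the affected machine, and the indicator values below are taken from the posts above.

```powershell
# Added triage script (not from the thread). Assumes an elevated PowerShell 3.0+
# session on the affected host. Indicator values come from the posts above; the
# folder and service names are matched case-insensitively.
$tempDir     = 'C:\temp'
$serviceName = 'Mutual Monitor'
$folderHint  = 'mutualpublic'
$poolHost    = 'ypool.net'

# 1. Processes whose image lives in C:\temp, each with its parent: the same relation
#    Process Explorer shows in its tree view, read from WMI instead.
$procs = Get-CimInstance Win32_Process
$suspects = foreach ($p in $procs) {
    if ($p.ExecutablePath -like "$tempDir\*") {
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Image      = $p.ExecutablePath
            ParentPid  = $p.ParentProcessId
            ParentPath = $(if ($parent) { $parent.ExecutablePath } else { '<parent exited>' })
            # Kernel/user times are in 100-ns units; convert to seconds of CPU consumed.
            CpuSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
        }
    }
}
$suspects | Format-Table -AutoSize

# 2. The persistence component: the "Mutual Monitor" service, or any service whose
#    binary sits in a mutualpublic folder. Note that "sc delete" only succeeds once
#    the service has been stopped.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $serviceName -or
                   $_.PathName -match $folderHint } |
    Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

# 3. Network side: established connections to the pool host seen in the TCP/IP tab.
#    Get-NetTCPConnection needs Windows 8 / Server 2012 or newer; on Windows 7 run
#    "netstat -bno" and look for the same remote addresses instead.
$poolIps = try { [System.Net.Dns]::GetHostAddresses($poolHost) |
                 ForEach-Object { $_.IPAddressToString } } catch { @() }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $poolIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid     = $_.OwningProcess
            Process = $(if ($owner) { $owner.Path } else { '<unknown>' })
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Format-Table -AutoSize
```

Run it before removing anything so the parent path and service binary are recorded; a miner whose parent shows as explorer.exe or wininit.exe was most likely launched by hand, as shadowwar notes, and the tree should be re-checked after a reboot.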
shadowwar (Staff) Posted November 25, 2013

Uninstalling this seems to work. We have the main installer now. We also target it as a bitminer.