
jh1d.exe not detected in mbam

jh1d jh1d.exe jh1c jh1c.exe

32 replies to this topic

#1 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 22 November 2013 - 07:42 AM

Hello, all

Let me get straight to the point

I have noticed this file/program jh1d.exe in my taskmanager>processes
it takes about 50% of CPU resources and 2 GB RAM, stressing my resources and slowing things down. (my system specs: Core i7/2600k, 16GB ram, OS Win7 x64)
I can stop it by simply clicking end task, and its location is systemroot/temp> C:/temp
Unfortunately mbam doesn't detect/remove it. (I use the free version of mbam with latest updates)
Even if removed manually from recycle bin, it manifests & executes again within 2-3 mins after next boot.

I've also tried moveonboot to remove it at the next boot

but it still manifests & executes, only now it's somehow renamed to jh1c.exe and has the same properties and claim on resources
I'm not very technical and I have little knowledge concerning malware, but I'm sure there's a name/terminology for this kind of thing.
Almost forgot, the exe file shows little variation in file size, I've seen both 88kb and 126kb as filesizes upon booting.

I googled jh1d.exe and it seems more people have detected it as early as 15 nov 2013, so it seems fairly new and little is known about it.
I simply "end task" & remove from recycle bin for now when I boot, I'll wait for the solution to be implemented in mbam free version as it is not aggressive IMO just very annoying.
Hopefully I've provided sufficient information, and I'm sorry not to be able to provide more details as I'm not adept at these things.

Thank you in advance for any additional info or tips regarding this issue

Sincerely, Victor

PS. Please just read the next as a note, as I'm sure you have no interests in ungrounded/imaginative issues.

I've gotten a notification that there was an hack/login attempt on one of my online accounts, but I don't know if it's related to this issue or a coincidence since this has never happened to me before now.



#2 shadowwar

    Forum Deity

  • Moderators
  • 5,222 posts
  • Gender:Male

Posted 22 November 2013 - 08:33 AM

Can u please zip up a copy of that file or a few copies if possible and start a post here and attach the file so we can get this added?

 

Thanks

 

https://forums.malwa...hp?showforum=51


Rich Matteo
Research Engineer


#3 HammerHode

    New Member

  • Members
  • 6 posts

Posted 22 November 2013 - 01:30 PM

I also have this problem. No clue how it entered my system, and now my system restore won't even work (Not 100% if these events are related, anyhow).

I'll make a thread there and attach the file.



#4 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 22 November 2013 - 01:54 PM

> Can u please zip up a copy of that file or a few copies if possible and start a post here and attach the file so we can get this added?
>
> Thanks
>
> https://forums.malwa...hp?showforum=51

Thanks for replying Rich Matteo, I will



#5 HammerHode

    New Member

  • Members
  • 6 posts

Posted 22 November 2013 - 01:57 PM

Researched a bit more, and it seemingly tries to convince the user that it is a bitcoin miner. 
Took this snapshot of what happens for .1 seconds if i open it. http://gyazo.com/8ba...9ed912bf26bf5bd

But, since this .exe seemingly is a bitcoin miner, I suspect someone to use my computer resources for their own bitcoin mining, as I don't recall downloading any bitcoin miner.



#6 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 22 November 2013 - 03:02 PM

Also I noticed the jh1d.exe reappears in C:/temp after 5hrs or so, after closing (end tasking) the previous instance.
Maybe it has to do with being triggered by the registry as a scheduled event or something like that (just guessing).
I've attached my registry here, just in case the research team needs it.

I was going to post it in the same thread where the exe was posted but it's already been locked.
So I hope you won't mind for posting it here.

A bitcoin miner? Sorry, I didn't know what bitcoin was; I had to look that up on wikipedia.
So someone is getting richer by using other people's cpu & ram resources to generate bitcoin currency?

Kind regards, 
Victor

 

edit removed registry



#7 HammerHode

    New Member

  • Members
  • 6 posts

Posted 22 November 2013 - 03:44 PM

Yes, I think that is a possible conclusion to what jh1d.exe actually is. Not very familiar with bitcoin or bitcoin mining myself, but I looked up jhprotominer.exe which can be found in the DOS-window that pops up if you try to run jh1d.exe manually. (Link to screenshot in my last post)

The problem at my end seems to have slightly gotten better, jh1d.exe still appears in C:/temp at boot, but it does not run at any point, not even when I manually run it.



#8 HammerHode

    New Member

  • Members
  • 6 posts

Posted 22 November 2013 - 04:11 PM

The scanner found jh1d.exe now, hopefully the fix worked as well.
Thanks to mods for a quick update!



#9 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 22 November 2013 - 04:52 PM

Updated mbam just now & indeed it detected the jh1d.exe which I zipped at C:/temp. It has now been removed, hopefully it stays that way.
Kudos to the research team for such fast implementation, and please forgive the typos of jh1d.exe in my previous posts.
I've been google-ing for similar cases, and there was a file I'd completely forgotten all about,

It's pts5a.exe, in C:/temp
A few days ago when this issue first occurred, this was the file that initially claimed 50% cpu and 2gb ram. However I ended the task and removed it normally with the windows recycle bin.

And thought nothing of it till I rebooted and found jh1d.exe in that same folder.

the pts5a.exe never came back, but due to the focus on jh1d.exe it just slipped my mind, sorry....
I don't know if it is relevant now, as it is maybe fixed, rebooting my system now.

Hammerhode, have you also seen pts5a.exe on your system/taskmanager before? There are more people reporting pts5a and jh1d together though, on other virus related topics and forums.



#10 shadowwar

    Forum Deity

  • Moderators
  • 5,222 posts
  • Gender:Male

Posted 22 November 2013 - 06:40 PM

if you can get copies of the pts5a we can get this added too. Also gonna check my sources.



#11 shadowwar

    Forum Deity

  • Moderators
  • 5,222 posts
  • Gender:Male

Posted 22 November 2013 - 07:25 PM

Ok i looked at the registry files. I see no load points for any of the filenames here. There may be another component to this. If only we can find the installer parent malware. It may be triggered by a job or another parent file.

If these run again you can use process explorer to find the parent process. This may show us what launched these files.

 

http://technet.micro...s/bb896653.aspx

 

i added some defs for the pts5a file for the 4 copies i could find.



#12 Jukka

    New Member

  • Members
  • 1 posts

Posted 23 November 2013 - 01:54 AM

Hello all

 

I have the same problem. The exe files are:

jh1d, wc1a, pts5a.

 

 



#13 HammerHode

    New Member

  • Members
  • 6 posts

Posted 23 November 2013 - 05:13 AM

No VictorValiant, I have not seen any other files stored in C:/temp except jh1d.exe.

Anyways, might be because I ran a system restore soon after I got rid of jh1d.exe.

I hope you find a solution to this soon.

-HammerHode



#14 shadowwar

    Forum Deity

  • Moderators
  • 5,222 posts
  • Gender:Male

Posted 23 November 2013 - 09:09 AM

I added the defs for the wc1a file i could find but only found 1 copy of 32 bit and 1 copy of 64 bit. 

 

If you have any of these files please submit them in the malware submission forum linked above.



#15 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 23 November 2013 - 04:51 PM

> Ok i looked at the registry files. I see no load points for any of the filenames here. There may be another component to this. If only we can find the installer parent malware. It may be triggered by a job or another parent file.
>
> If these run again you can use process explorer to find the parent process. This may show us what launched these files.
>
> http://technet.micro...s/bb896653.aspx
>
> i added some defs for the pts5a file for the 4 copies i could find.

Hi, Shadowwar
After scanning and removing, none of the malicious files has come back, so my problem is as good as solved, and I can go back to work again ;) Thank you for your efforts, I really appreciate it.
Unfortunately I don't know where it came from exactly. All I recall is I browsed a lot of websites that day with lots of ad pop ups and banners and only noticed the resource drain upon booting the morning after.

(I always have auto empty temp files and history on exit checked from browser to minimize such problems arising )

So sorry I couldn't be of more help.
Also the newly mentioned wc1a is totally unknown to me; someone newly affected may have the files you're looking for.
Anyway this whole process has made me more confident in using mbam, as you have given me ("us") friendly, timely responses and even a fast update to get rid of it.
Thanks again

Kind regards,

Victor
 

> No VictorValiant, I have not seen any other files stored in C:/temp except jh1d.exe.
>
> Anyways, might be because I ran a system restore soon after I got rid of jh1d.exe.
>
> I hope you find a solution to this soon.
>
> -HammerHode

Ok, so I take it your problem is solved too then, after scanning/removing with the new definitions implemented.

Cheers, 
Victor



#16 shadowwar

    Forum Deity

  • Moderators
  • 5,222 posts
  • Gender:Male

Posted 23 November 2013 - 05:31 PM

This was a team effort. It's users like all of you that make us feel good about what we do. I appreciate the help everyone. Let me know if any problems still exist. I beefed up the definitions today some to catch and hopefully future proof against variants of this.



#17 VictorValiant

    New Member

  • Members
  • 11 posts

Posted 23 November 2013 - 08:35 PM

Hi, shadowwar
I hooked up my ipod and tried to access it with foobar audio player, it froze 'not responding'

and suddenly jh1e.exe appears in C:/temp with the same symptom/resource claim.
I uploaded jh1e.exe to the research center here > https://forums.malwa...howtopic=137168
(NOTE: mbam didn't detect it after scanning with latest updates)

I end tasked jh1e.exe.
I ran process explorer which you posted earlier, and double clicked jh1e.exe; a cmd screen appeared and an error "stopped working" box appeared instantly, and it showed up in process explorer.

I then right clicked on jh1e.exe > properties and made screenshots of every tab, as I did not know which one you need most. (8 shots @1920x1080 jpg's)
I left out the gpu tab as it was completely empty and N/A

there was also a strings tab with a save option, so I saved that and included it with the screenshots in a zip package

They don't make much sense to me, but I hope you can figure it out

it's 2.38am here now, so calling it a day...
I'll check here later in the morning, if you have any suggestions or new procedures I should follow let me know

Sincerely,
Victor

Attached Files



#18 yuyujiten

    New Member

  • Members
  • 2 posts

Posted 23 November 2013 - 09:53 PM

I have the same problem.

The scanner detected and removed jh1d.exe yesterday.

However, when starting my computer today, jh1e.exe appears in C:/temp at boot and runs in the same way that jh1d.exe does.

 

I also ran process explorer, and clicked "View -> Show Process Tree" and found that the parent process of "jh1e.exe" is "monitor.exe" and "Mutual Monitor" service is registered in this process.

 

So, I am going to stop this parent process and delete monitor.exe, and stop the service. Further, I am going to delete this service using DOS command (sc delete Mutual Monitor).

Is this procedure OK?

 

Please give me some suggestions.

 

Sincerely,

Yuyu



#19 stuniq

    New Member

  • Members
  • 2 posts

Posted 24 November 2013 - 02:44 AM

Hi everyone

I have/had the same issue.

I deleted the jh1e.exe file in C:\temp yesterday and this morning it was back using up my cpu resources. I did a full scan and quick scan with malwarebytes latest version while the process was running and it didn't pick up anything...

So I deleted the file manually after stopping the process.

 

After reading yuyujiten's post, I did some more googling and found that I also had a folder called 'mutualpublic' containing monitor.exe in Program Files, which seems to be related to a lot of differently named exe problems people are having. The folder also contained an uninstall exe and a freeproxyserver exe (something like that). I checked my Programs and Features list and saw that it had something called Mutual Public listed which I uninstalled.

 

Will keep you guys updated if anything changes after deleting it.
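The checks described in posts #18 and #19 (the parent process via the process tree, a service pointing at monitor.exe, and the "Mutual Public" entry in Programs and Features) can be scripted as a read-only triage pass; the script below is an added example, not code from the thread or from Malwarebytes. It assumes PowerShell 3 or later with the CIM cmdlets, changes nothing on the machine, and takes the C:\temp location and the monitor.exe / mutualpublic / "Mutual Public" names from what the posters reported.

```powershell
# Added read-only triage script (not from the thread or from Malwarebytes).
# It automates what the posters did by hand: which processes run out of
# C:\temp, who their parent is, and whether a service or installed program
# points at the monitor.exe / "mutualpublic" component reported above.
$suspectDir = 'C:\temp'   # drop location reported in the thread

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. Processes whose image lives under C:\temp, with their parent process
$fromTemp = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }
    if (-not $p.ExecutablePath.StartsWith($suspectDir, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = '<exited>'   # parent may already be gone (e.g. a one-shot launcher)
    $parentPath = $null
    if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Image      = $p.ExecutablePath
        ParentPid  = $p.ParentProcessId
        ParentName = $parentName
        ParentPath = $parentPath
    }
}
$fromTemp | Format-Table -AutoSize

# 2. Services whose binary path points at monitor.exe or a mutualpublic folder
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'monitor\.exe|mutualpublic' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. The Programs and Features entry that post #19 removed ("Mutual Public")
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Mutual Public*' } |
    Select-Object DisplayName, UninstallString, InstallLocation
```

Run it from an elevated prompt so that ExecutablePath is populated for processes owned by other accounts; an empty ParentName of "<exited>" is itself a lead, since it means the launcher ran and quit, which is what a scheduled job or a service would look like.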



#20 Kirt142

    New Member

  • Members
  • 2 posts

Posted 24 November 2013 - 03:40 AM

I also did the same thing as stuniq. I uninstalled "Mutual Public" and the service and "jh1c.exe" both went with it. I will also post if I notice anything fishy again.






