If you see systemku.exe and SystemkService.exe running in the Task Manager you have the Settings Manager by Aztec Media installed on your machine. SettingsManager comes bundled with some free software downloads.
Settings Manager is detected by some of the anti-virus programs. Here’s the scan result for the SystemkService.exe file:
You can simply uninstall SettingsManager from the Windows Control Panel as shown in the video below:
If the Settings Manager removal failed for some reason, you can also remove it with FreeFixer, by selecting Systemku.exe, SystemkService.exe, sysapcrt.dll and the Settings Manager Firefox extension for removal.
How did you get Settings Manager on your machine? Please share your story in the comments below.
Do you see a process named dgen.exe running at 99% or even 100% CPU usage? If that is the case someone is mining Bitcoins on your machine!
The dgen.exe Bitcoin miner has been around for some time. I first spotted it about a month ago, but for some reason I chose not to blog about it at that time. However, today I found it again, bundled with another download, so I thought I should post about it after all. Many of the anti-virus programs detect it as you can see in the scan result from VirusTotal:
How did you get dgen.exe on your machine? Please share by posting a comment.
To remove the dgen.exe bitcoin miner you can check the dgen.exe process and the starthelp.exe service for removal in FreeFixer. This will also fix the high CPU usage that you probably see on your machine.
The starthelp.exe service appears as “Protect Monitor”:
Here’s a video where I show FreeFixer in action while removing dgen.exe and starthelp.exe:
Hope you found this useful. Thank you for watching!
Update 2014-08-11: I’ve seen a few cases where other filenames appear in the “c:\Program Files\PCDapp” folder:
Just found a new adware variant called MPlayerplus_01. You might have found it in the Windows Task Manager where it appears as Mplayerplus_01-nova.exe or when inspecting the add-ons in Internet Explorer and Mozilla Firefox:
Update 2014-05-22: There seems to be another variant around called MPP, that uses filenames such as MPP-bho64.dll, MPP-bho.dll, MPP-codedownloader.exe, MPP-novainstaller.exe, MPP-nova.exe and MPP-bg.exe.
Update 2014-05-26: Just found another variant. It is called MPMP.
Update 2014-05-27: Seems like the MPlayerPlus_01 constantly updates its name. I’ll list any future name here:
I found MPlayerplus_01 while checking out a free media player download. In my case the installer disclosed that MPlayerplus_01 was bundled. Currently only a few anti-virus programs flag MPlayerplus_01:
The anti-virus vendors report MPlayerPlus as CrossRider.
How did you get MPlayerplus_01 on your machine? Was it bundled with some free downloads, and if so, was it disclosed that MPlayerplus_01 would be installed along with the download?
Removing MPlayerplus_01 with FreeFixer is a piece of cake. All you need to do is to select the MPlayerplus_01 files for removal and click the Fix button.
Here’s a removal video where I show FreeFixer in action deleting Mplayerplus:
Hope this helped you to figure out what MPlayerplus_01 is and how to remove it. If you like, please post a comment and share what you know about MPlayerplus_01.
Just wanted to give you a heads-up on a suspicious file I found right now. The file is digitally signed by Anton Lemes.
So, what’s the problem? Well, many of the anti-virus programs over at VirusTotal detect the Anton Lemes file. TSULoader, Kazy, InstalleRex, AntiFW are some of the detection names:
So, whatever you do, don’t run the Anton Lemes file. It will install a whole lot of unwanted software on your machine.
Where did you find the file with the Anton Lemes signature?
I just found a new variant of the Freeven Pro adware called Fpro1.2, Fpro_1.2, pro123 and pro12. This will be a quick post before I go to bed. If you have Fpro1.2 on your machine you will probably notice it when it displays the ads that are labeled “Click to Continue – by Fpro1.2” and “Ad by Fpro1.2” as shown in the screenshots below:
The ads above are from Internet Explorer and Mozilla Firefox. You can also see FPro listed in the web browser’s add-ons list, here in Firefox:
The Fpro1.2 removal is easy, just select the FPro files in FreeFixer: Fpro1.2-nova.exe, Fpro1.2-bg.exe, the Fpro Firefox Extensions, etc:
Since the removal for Fpro1.2 is the same as for Freeven Pro, for which I’ve done a removal video, I won’t do a new one. I think you’ll get the hang of it by watching the old video:
There’s also an entry in the add/remove programs dialog, but I have not tested it:
Hope you found this useful.
How did you get Fpro1.2 on your machine? Please share by posting a comment.
Found another search engine called websearch.eazytosearch.info that is installed as a bundled offer. Here’s what eazytosearch.info looks like in Internet Explorer:
The removal is pretty straightforward with FreeFixer, just select the websearch.eazytosearch.info entries. Here are a few of them:
I’ve made a quick video where I show FreeFixer in action removing websearch.eazytosearch.info:
Hope you found this useful.
Are you getting ads while browsing the web labeled “Click to Continue > by Freeven pro 1.2”, like the one shown below?
Then you have a piece of software called Freeven Pro installed on your machine. Freeven Pro comes bundled with various software downloads. In my case I found it while testing a non-official download of the Google Chrome browser.
So, what is Freeven Pro? Obviously it’s adware since it shows advertisements. The anti-virus programs over at VirusTotal classify the Freeven pro 201.2-bho.dll file with names such as MultiBundle.R, Win32.Application.Plush.B, AdWare.PlusHD and AppRider.
Removing Freeven Pro is pretty easy. Simply check the Freeven Pro files for removal in FreeFixer. The screenshots below show which files to remove:
I’ve also captured a video that shows FreeFixer in action while deleting the Freeven Pro files. Hope you find it useful:
It seems the Freeven developers are randomizing the product name. These are the variants I’ve found so far:
- Frevens Pro 13
- Fre_Ven_s Pro 23
- Free_Ven_s_pro 25
- Fraven 1.1
What variants of Freeven have you found?
Yesterday I was reviewing some of the files recently added to the FreeFixer library. Currently there are around 125 000 files added to the database. One of the files that caught my attention was WebGetBho.dll, digitally signed by WebGet, which looked like a new variant of the Altbrowse/BrowseFox adware. The scan result from VirusTotal clearly shows that this is the case:
I have not found out how WebGet is distributed. If you have some hints on where I can find the software that bundles WebGet, please let me know since I’d like to test it and see what the WebGet ads look like. In case you have WebGet on your machine and it displays one of its ads, please take a screenshot and post it in the comments field below so the other readers and I can have a look at it.
I assume that WebGet works like the other Altbrowse/BrowseFox variants: WebGet adds itself into Internet Explorer and Mozilla Firefox, and shows some sort of ads. The ads may be labelled “WebGet”.
To remove WebGet, simply check the WebGet files for removal in the FreeFixer scan result. The WebGet files are usually located in “C:\Program Files\webget\” or “C:\Program Files\webget (x86)\” if you are running 64-bit Windows. These are some of the files that may appear in the scan result:
Hope this helped you figure out what WebGet is and how to remove it.
Recently I’ve been browsing around on some torrent sites to see what software downloads are hiding behind the ads on these sites. One of the names that often shows up in the digital signature field is Sergey Petrov:
You will also see Sergey Petrov listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:
The Sergey Petrov signed files often use names of known TV-series or movies to trick users into running the file.
The scan result from VirusTotal below clearly shows why you should immediately delete the Sergey Petrov file. It is detected under names such as InstalleRex and Trojan.WebPick. 17 of the 52 anti-virus programs detect the file:
Hope this saved you from some unnecessary malware cleaning. In case you’ve already run one of the Sergey Petrov signed files, you can examine your system with FreeFixer to make sure your computer is clean.
I’m currently looking at what is advertised on some of the torrent sites. Today I found another adware called Search-NewTab that installed into Internet Explorer and Mozilla Firefox:
The software seems to use some semi-random naming. I’ve seen it appear as “Seeaerch-oNeewTAb”, “Seearch-NewTTab”, “Sieaarch-NewTab” and “Search-NewTaBi”. What name did Search-Newtab use on your machine?
Currently, Search-NewTab is detected by many of the anti-virus programs under names such as MultiPlug and MultiPlag. Most of the antivirus programs classify it as adware, but some report Search-NewTTab as a trojan, as you can see in the screenshot from VirusTotal below:
So how about the removal? You can easily remove Search-NewTab by checking its files in FreeFixer:
There’s also a Search-NewTab entry in the Add/Remove programs dialog in the Windows Control Panel, but I have not tested it. So no guarantees there.
Hope this helped you with the Search-Newtab removal.
How did you get Search-Newtab on your machine? Please share by posting a comment.
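
The randomized product names listed above for Freeven and Search-NewTab defeat exact-name matching, so here is an added example (not part of the original posts, and not how FreeFixer works) that groups such names by fuzzy-matching a family stem. The stems, the tolerance of one edit per three stem letters, and the two benign contrast names are assumptions chosen for illustration.

```python
import re

# Stems taken from the product names on this page; the tolerance
# (one edit per three stem letters) is an assumption, not a tuned value.
FAMILY_STEMS = {"Freeven": "freeven", "Search-NewTab": "searchnewtab"}


def normalize(display_name: str) -> str:
    """Lowercase and drop everything except letters (separators, versions)."""
    return re.sub(r"[^a-z]", "", display_name.lower())


def fuzzy_substring_distance(stem: str, text: str) -> int:
    """Smallest edit distance between stem and any substring of text.

    Levenshtein DP with a zero-cost first row (Sellers' algorithm), so
    characters before and after the match are free.
    """
    prev = [0] * (len(text) + 1)
    for i, s_ch in enumerate(stem, start=1):
        cur = [i]
        for j, t_ch in enumerate(text, start=1):
            cur.append(min(prev[j] + 1,                    # stem letter missing
                           cur[j - 1] + 1,                 # extra letter in text
                           prev[j - 1] + (s_ch != t_ch)))  # match / substitution
        prev = cur
    return min(prev)


def classify(display_name: str):
    """Return the family whose stem fuzzily occurs in the name, else None."""
    text = normalize(display_name)
    for family, stem in FAMILY_STEMS.items():
        if fuzzy_substring_distance(stem, text) <= len(stem) // 3:
            return family
    return None


# Names as listed on this page, plus two benign names for contrast.
SAMPLES = ["Frevens Pro 13", "Fre_Ven_s Pro 23", "Free_Ven_s_pro 25", "Fraven 1.1",
           "Seeaerch-oNeewTAb", "Seearch-NewTTab", "Sieaarch-NewTab",
           "Search-NewTaBi", "Mozilla Firefox", "Google Chrome"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} -> {classify(name)}")
```

Short stems match more loosely, so a hit on the name alone is a reason to look at the entry's files and publisher, not a verdict.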