Monthly Archives: May 2014

Remove Settings Manager by Aztec Media

If you see systemku.exe and SystemkService.exe running in the Task Manager you have the Settings Manager by Aztec Media installed on your machine. SettingsManager comes bundled with some free software downloads.


Settings Manager is detected by some of the anti-virus programs. Here’s the scan result for the SystemkService.exe file:


You can simply uninstall SettingsManager from the Windows Control panel as shown in the video below:

If the Settings Manager removal failed for some reason, you can also remove it with FreeFixer, by selecting Systemku.exe, SystemkService.exe, sysapcrt.dll and the Settings Manager Firefox extension for removal.

systemku.exe process in the task manager

systemk service


settings manager by aztec media in firefox

How did you get Settings Manager on your machine? Please share your story in the comments below.

DGen.exe 100% CPU Usage? – Bitcoin Miner Removal

Do you see a process named dgen.exe running at 99% or even 100% CPU usage? If that is the case someone is mining Bitcoins on your machine!

dgen.exe high cpu usage in the task manager

The dgen.exe Bitcoin miner has been around for some time. I first spotted it about a month ago, but for some reason I chose not to blog about it at that time. However, today I found it again, bundled with another download, so I thought I should post about it after all. Many of the anti-virus programs detect it as you can see in the scan result from VirusTotal:

dgen.exe virus total scan

How did you get dgen.exe on your machine? Please share by posting a comment.

To remove the dgen.exe bitcoin miner you can check the dgen.exe process and the starthelp.exe service for removal in FreeFixer. This will also fix the high CPU usage that you probably see on your machine.


The starthelp.exe service appear as “Protect Monitor”:

starthelp.exe service called "ProtectMonitor" or "Protect Monitor".

Here’s a video where I show FreeFixer in action while removing dgen.exe and starthelp.exe:

Hope you found this useful. Thank you for watching!

Update 2014-08-11: I’ve seen a few cases where other filenames appear in the “c:\Program Files\PCDapp”  folder:

  • cudaminer.exe

How To Remove MPlayerPlus_01

Just found a new adware variant called MPlayerplus_01. You might have found it in the Windows Task Manager where it appears as Mplayerplus_01-nova.exe or when inspecting the add-ons in Internet Explorer and Mozilla Firefox:

Mplayerplus_01 0.94.34 Firefox

Update 2014-05-22: There seems to be another variant around called MPP, that uses filenames such as MPP-bho64.dll, MPP-bho.dll, MPP-codedownloader.exe, MPP-novainstaller.exe, MPP-nova.exe and MPP-bg.exe.

Update 2014-05-26: Just found another variant. It is called MPMP.

Update 2014-05-27: Seems like the MPlayerPlus_01 constantly updates its name. I’ll list any future name here:

  • MediaPlayer+
  • Media_play_er+

I found MPlayerplus_01 while checking out a free media player download. In my case the installer disclosed that MPlayerplus_01 was bundled. Currently only a few anti-virus programs flag MPlayerplus_01:

MPlayerplus_01 is reported as CrossRider by Virus Total

The anti-virus vendors report MPlayerPlus as CrossRider.

How did you get MPlayerplus_01 on your machine? Was it bundled with some free downloads, and if so, was it disclosed that MPlayerplus_01 would be installed along with the download?

Removing MPlayerplus_01 with FreeFixer is a piece of cake. All you need to do is to select the MPlayerplus_01 files for removal and click the Fix button.

MPlayerplus_01 Scheduled Tasks Mplayerplus_01 in Internet-Explorer MPlayerplus_01 Firefox Extension in  Freefixer

Here’s a removal video where I show FreeFixer in action deleting Mplayerplus:

Hope this helped you to figure out what MPlayerplus_01 is and how to remove it. If you like, please post a comment and share what you know about MPlayerplus_01.

Anton Lemes Digital Signature – Don’t run that file

Just wanted to give you heads-up on suspicious file I found right now. The file is digitally signed by Anton Lemes.

Anton Lemes digital signature

So, what’s the problem? Well, many of the anti-virus over at VirusTotal detects the Anton Lemes file. TSULoader, Kazy, InstalleRex, AntiFW are some of the detection names:anton lemes virus total scan result

So, what ever you do, don’t run the Anton Lemes file. It will install a whole of unwanted software on your machine.

Where did you find the file with the Anton Lemes signature?

Fpro1.2 Ads – Removal Instruction

I just found a new variant of the Freeven Pro adware called Fpro1.2, Fpro_1.2, pro123 and pro12.  This will be a quick post before I’m going to bed. If you have Fpro1.2 on your machine you will probably notice it when it displays the ads that are labeled “Click to Continue – by Fpro1.2” and “Ad by Fpro1.2” as shown in the screenshots below:

ad by Fpro1.2        Click to Continue - by Fpro1.2

The ads above are from Internet Explorer and Mozilla Firefox. You can also see FPro listed in the web browser’s add-ons list, here in Firefox:Fpro in Firefox

The Fpro1.2 removal easy, just select the FPro files in FreeFixer: Fpro1.2-nova.exe, Fpro1.2-bg.exe, the Fpro Firefox Extensions, etc:

Fpro in Internet Explorer

fpro1.2 firefox freefixer fpro1.2-nova.exe fpro1.2 scheduled tasks

Since the removal for Fpro1.2 is the same as for Freeven Pro, for which I’ve done a removal video, I won’t do a new one. I think you’ll get the hang of it by watching the old video:

There’s also an entry in the add/remove programs dialog, but I have not tested it:fpro1.2-uninstall

Hope you found this useful.

How did you get Fpro1.2 on your machine? Please share by posting a comment. – Removal Instructions

Found another search engine called that is installed as a bundled offer. Here’s how looks like in Internet Explorer: in Internet Explorer

The removal is pretty straightforward with FreeFixer, just select the entries. Here are a few of in in Internet Explorer

I’ve made a quick video where I show FreeFixer in action removing

Hope you found this useful.

Freeven Pro – Removal Instructions

Are you getting ads while browsing the web labeled “Click to Continue > by Freeven pro 1.2“, like the one shown below?

Click to Continue by Freeven Pro 1.2

Then you have a piece of software called Freeven Pro installed on your machine. Freeven Pro comes bundled with various software downloads. In my case I found it while testing a non-official download of the Google Chrome browser.

So, what is Freeven Pro? Obviously it’s adware since it shows advertisements. The anti-virus programs over at VirusTotal classify the Freeven pro 201.2-bho.dll file with names such as MultiBundle.RWin32.Application.Plush.BAdWare.PlusHD and AppRider.

Preeven Pro VirusTotal scan result

Removing Freeven Pro is pretty easy. Simply check the Freven Pro files for removal in FreeFixer. The screenshots below shows which files to remove:

Freeven Pro DLL in Internet ExplorerFreeven Pro Scheduled TasksFreeven Pro in Firefox

I’ve also captured a video that shows FreeFixer in action while deleting the Freeven Pro files. Hope you find it useful:

It seems as the Freeven developers are randomizing the product name. These are the variants I’ve found so far:

  • Frevens Pro 13
  • Fre_Ven_s Pro 23
  • Free_Ven_s_pro 25
  • Frieven_s_Prox_1.8
  • Fraven 1.1

What variants of Freeven have you found?

WebGet Adware – Removal Instructions

Yesterday I was reviewing some of the files recently added to the FreeFixer library. Currently there are around 125 000 files added to the database. One of the files that caught my attention was WebGetBho.dll, digitally signed by WebGet, which looked like a new variant of the Altbrowse/BrowseFox adware. The scan result from VirusTotal clearly shows that this is the case:

webget webgetbho.dll

I have not found out how WebGet is distributed. If you have some hints on where I can find the software that bundles WebGet, please let me know since I’d like to test it and see how the WebGet ads looks like. In case you have WebGet on your machine and it displays one of its ads, please take a screenshot and post it comments field below so me and the other readers can have a look at it.

I assume that WebGet works like the other Altbrowse/BrowseFox variants: WebGet adds itself into Internet Explorer and Mozilla Firefox, and show some sort of ads. The ads may be labelled “WebGet”.

To remove WebGet, simply check the WebGet files for removal in the FreeFixer scan result. The WebGet files are usually located in “C:\Program Files\webget\” or “C:\Program Files\webget (x86)\” if you are running 64-bit Windows. These are some of the files that may appear in the scan result:

  • webgetbho.dll
  • updatewebget.exe
  • webget.FFUpdate.dll
  • webget.FirstRun.exe
  • webget.CompatibilityChecker.dll
  • webget.IEUpdate.dll

Hope this helped you figure out what WebGet is and how to remove it.

Sergey Petrov Digital Signature – Don’t Run The File

Recently I’ve been browsing around on some torrent sites to see what software downloads that are hiding behind the ads on these sites. One of the names that often shows up in the digital signature field is Sergey Petrov:

Sergey Petrov digital signature

You will also see Sergey Petrov listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:

Sergey Petrov AppReady

The Sergey Petrov signed files often use names of known TV-series or movies to trick users into running the file.

The scan result from VirusTotal below clearly shows why you should immediately delete the Sergey Petrov file. It is detected under names such as InstalleRex and Trojan.WebPick. 17 of the 52 anti-virus programs detect the file:

Sergey Petrov Virustotal

Hope this saved you from some unnecessary malware cleaning. In case you’ve already run one of the Sergey Petrov signed files, you can examine your system with FreeFixer to make sure your computer is clean.

How To Remove Search-NewTab

I’m currently looking at what is advertised on some of the torrent sites. Today I found another adware called Search-NewTab that installed into Internet Explorer and Mozilla Firefox:

search-newtab Firefox add-on 

The software seems to use some semi-random naming. I’ve seen in appear as “Seeaerch-oNeewTAb”, “Seearch-NewTTab”, “Sieaarch-NewTab” and “Search-NewTaBi”. What name did Search-Newtab use on your machine?

Currently, Search-NewTab is detected by many of the anti-virus program under names such as MultiPlug and MultiPlag. Most of the antivirus programs classify it as adware, but some report Search-NewTTab as a trojan, as you can see in the screenshot from VirusTotal below:

search-newtab virustotal results

So how about the removal? You can easily remove Search-NewTab by checking its files in FreeFixer:search-newtab bho in Internet ExplorerSearch-newtab as it appears in Freefixer

There’s also a Search-NewTab entry in the Add/Remove programs dialog in the Windows Control Panel, but I have not tested it. So no guarantees there.Seearch-newttab Uninstall from the Programs and Features dialog

Hope this helped you with the Search-Newtab removal.

How did you get Search-Newtab on your machine Please share by posting a comment.