Tag Archives: bitcoin miner

cpm.exe, CPUMiner and LLC “Kelte-Proekt” – Removal Instructions

I just ran into a Bitcoin miner this morning called cpm.exe. If you have cpm.exe on your machine, you’ll see it in the Task Manager:

[Screenshot: cpm.exe in the Task Manager]

The cpm.exe file is digitally signed by a Ukrainian company called LLC “Kelte-Proekt”:

[Screenshot: the LLC Kelte-Proekt certificate]

cpm.exe was bundled with an unofficial download of Google Chrome:

[Screenshot: CPUMiner]

You can easily remove cpm.exe with FreeFixer. Just select cpm.exe under “Registry Startups” and “Processes”.

Hope that helped you figure out what cpm.exe is, how it got onto your machine and how to remove it.

Thanks for reading.

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

[Screenshot: LLC DE PROEKT shown as the publisher]

If you have an LLC DE PROEKT file on your machine, you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when you double-click the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

[Screenshot: the LLC DE PROEKT certificate]

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really were a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

[Screenshot: Adobe Systems Incorporated shown as the verified publisher of the Adobe Flash Player installer]

The issue with the LLC DE PROEKT file is that it is detected by many antimalware products. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

[Screenshot: VirusTotal report for the LLC DE PROEKT file]

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

[Screenshot: updated VirusTotal report for the LLC DE PROEKT file]


When I ran the installer, it disclosed that it bundled a bitcoin miner or some other type of cryptocurrency miner:

[Screenshot: the LLC DE PROEKT installer disclosing the bundled bitcoin miner]


Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

[Screenshot: the LLC DE PROEKT certificate chain]
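As an added example (this is not code from the FreeFixer blog), the following PowerShell function performs the check described in this post: it reads the Authenticode signature of a downloaded installer, reports the signer and its certificate chain from the root down (for the files above, UserTrust, then COMODO RSA Code Signing CA, then the LLC DE PROEKT leaf), and compares the signer's subject with the publisher you would expect for that kind of download. The file path and the default expected-publisher pattern (Adobe for a "Flash" installer) are assumptions chosen for illustration.

```powershell
# Added example, not from the FreeFixer blog. Checks the Authenticode signature
# of an installer and reports whether the signer matches the expected publisher.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Publisher you expect for this download. Assumption: a Flash Player
        # installer should be signed by Adobe, as the post shows.
        [string]$ExpectedSubject = 'CN=Adobe Systems Incorporated'
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is Valid only when the file hash matches and the chain builds to a
    # trusted root. NotSigned, HashMismatch and UnknownError are the usual
    # failure values.
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Status = "$($sig.Status)"; Signer = $null
            Chain = @(); MatchesExpected = $false
        }
    }

    $cert = $sig.SignerCertificate

    # Walk the chain for display, root first (e.g. UserTrust -> COMODO -> leaf).
    # Revocation is skipped here because Get-AuthenticodeSignature has already
    # done the real validation; this walk only lists the issuers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [array]::Reverse($subjects)

    # The "Verified publisher" line in the UAC dialog is the leaf certificate's
    # subject. A mismatch with the expected publisher is the warning sign from
    # the post: a "Flash" installer signed by a company unrelated to Adobe.
    $isExpected = ($sig.Status -eq 'Valid') -and ($cert.Subject -like "*$ExpectedSubject*")

    [pscustomobject]@{
        Path            = $Path
        Status          = "$($sig.Status)"
        Signer          = $cert.Subject
        Issuer          = $cert.Issuer
        ValidFrom       = $cert.NotBefore
        ValidTo         = $cert.NotAfter
        Chain           = $subjects
        MatchesExpected = $isExpected
    }
}

# Usage (placeholder path; point it at the installer you downloaded).
$result = Test-InstallerSigner -Path "$env:USERPROFILE\Downloads\FlashPlayer_setup.exe"
$result | Format-List
if (-not $result.MatchesExpected) {
    Write-Warning "Signer does not match the expected publisher; treat this download as suspect."
}
```

A valid signature only tells you that the file is intact and that some CA issued a code-signing certificate to the named company; it says nothing about whether that company is the one whose software you intended to install. That is why the comparison against the expected subject matters more than the Status field alone.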

DGen.exe 100% CPU Usage? – Bitcoin Miner Removal

Do you see a process named dgen.exe running at 99% or even 100% CPU usage? If so, someone is mining Bitcoin on your machine!

[Screenshot: dgen.exe at high CPU usage in the Task Manager]

The dgen.exe Bitcoin miner has been around for some time. I first spotted it about a month ago, but for some reason I chose not to blog about it at that time. However, today I found it again, bundled with another download, so I thought I should post about it after all. Many of the anti-virus programs detect it, as you can see in the scan result from VirusTotal:

[Screenshot: VirusTotal scan of dgen.exe]

How did you get dgen.exe on your machine? Please share by posting a comment.

To remove the dgen.exe bitcoin miner you can check the dgen.exe process and the starthelp.exe service for removal in FreeFixer. This will also fix the high CPU usage that you probably see on your machine.

[Screenshot: the dgen.exe process in FreeFixer]

The starthelp.exe service appears as “Protect Monitor”:

[Screenshot: the starthelp.exe service, shown as "ProtectMonitor" or "Protect Monitor"]
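Added example (not code from the FreeFixer blog): a PowerShell triage that gathers in one place what the post checks by hand. It samples CPU usage per process over a few seconds, reports any process consuming most of the machine's CPU together with its image path and Authenticode signer, and lists services whose display name or binary path matches the names seen in this post (the "Protect Monitor" service, starthelp.exe, dgen.exe and the PCDapp folder). The threshold, the sample window and the list of names are assumptions chosen for illustration; removal still follows the FreeFixer steps described above.

```powershell
# Added example, not from the FreeFixer blog. Finds processes pinning the CPU
# and services matching the names from this post, so a reader can confirm what
# Task Manager is showing before removing anything.
function Get-HighCpuProcess {
    param(
        [double]$CpuThreshold = 90,   # percent of total machine CPU; assumption
        [int]$SampleSeconds = 5       # sampling window in seconds; assumption
    )
    $cores = [Environment]::ProcessorCount

    # Get-Process exposes CPU as cumulative processor seconds, so two samples
    # give per-process utilisation over the window (as a share of all cores).
    $before = @{}
    foreach ($p in Get-Process) { if ($null -ne $p.CPU) { $before[$p.Id] = $p.CPU } }
    Start-Sleep -Seconds $SampleSeconds

    foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id) -or $null -eq $p.CPU) { continue }
        $pct = [math]::Round(100 * ($p.CPU - $before[$p.Id]) / ($SampleSeconds * $cores), 1)
        if ($pct -lt $CpuThreshold) { continue }

        # Path is empty for protected/system processes; for everything else,
        # show who signed the image. A miner dropped by a bundler is typically
        # unsigned or signed by a company unrelated to the software you wanted.
        $signer = 'n/a (no path)'
        if ($p.Path) {
            $sig = Get-AuthenticodeSignature -FilePath $p.Path
            $signer = if ($sig.SignerCertificate) {
                "$($sig.Status): $($sig.SignerCertificate.Subject)"
            } else {
                "$($sig.Status)"
            }
        }
        [pscustomobject]@{
            Id = $p.Id; Name = $p.ProcessName; CpuPercent = $pct; Path = $p.Path; Signer = $signer
        }
    }
}

function Get-SuspectService {
    param(
        # Names observed in this post; it is an assumption that they are still in use.
        [string[]]$DisplayNames = @('Protect Monitor', 'ProtectMonitor'),
        [string[]]$PathHints    = @('starthelp.exe', 'dgen.exe', '\PCDapp\')
    )
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $nameHit = $DisplayNames -contains $svc.DisplayName
        $pathHit = $false
        foreach ($hint in $PathHints) {
            if ($svc.PathName -and $svc.PathName -like "*$hint*") { $pathHit = $true }
        }
        if ($nameHit -or $pathHit) {
            [pscustomobject]@{
                Name = $svc.Name; DisplayName = $svc.DisplayName; State = $svc.State
                StartMode = $svc.StartMode; PathName = $svc.PathName
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt so process paths are readable.
Get-HighCpuProcess | Format-Table -AutoSize
Get-SuspectService | Format-List
```

The service check matters because killing dgen.exe alone is not enough: the post's screenshots show a separate "Protect Monitor" service (starthelp.exe) that restarts the miner, so both the process and the service have to go.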

Here’s a video where I show FreeFixer in action while removing dgen.exe and starthelp.exe:

Hope you found this useful. Thank you for watching!

Update 2014-08-11: I’ve seen a few cases where other filenames appear in the “c:\Program Files\PCDapp” folder:

  • cudaminer.exe