I just ran into a Bitcoin miner this morning called cpm.exe. If you have cpm.exe on your machine, you’ll see it in the Task Manager:
The cpm.exe file is digitally signed by a Ukrainian company called LLC “Kelte-Proekt”:
cpm.exe was bundled with an unofficial download of Google Chrome:
You can easily remove cpm.exe with FreeFixer. Just select cpm.exe under “Registry Startups” and “Processes”.
Hope that helped you figure out what cpm.exe is, how it got onto your machine and how to remove it.
Thanks for reading.
Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.
If you have an LLC DE PROEKT file on your machine, you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when you double-click the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.
The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really were a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
The issue with the LLC DE PROEKT file is that it is detected by many antimalware products. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).
Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it, and was it detected by the anti-virus engines at VirusTotal? Please share by posting a comment.
Thanks for reading.
Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:
When I ran the installer, it disclosed that it bundled a Bitcoin miner or some other type of cryptocurrency miner:
Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:
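The two checks above (does the “Verified publisher” match the vendor you expected, and what does the chain above the signer look like) can be scripted. The following PowerShell function is an added example, not the blog’s or FreeFixer’s own code; the download path and the expected publisher string are assumptions for illustration.

```powershell
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        Write-Warning "$Path carries no Authenticode signature"
        return $false
    }

    # The signer's Subject CN is what the UAC prompt shows as "Verified publisher"
    $publisher = $sig.SignerCertificate.GetNameInfo($simpleName, $false)
    Write-Host "Signature status : $($sig.Status)"
    Write-Host "Signed by        : $publisher"

    # Build the chain and print it root-first (e.g. UserTrust -> COMODO -> signer)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $names = @($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo($simpleName, $false)
    })
    [array]::Reverse($names)
    Write-Host "Chain            : $($names -join ' -> ')"

    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature is not valid ($($sig.Status))"
        return $false
    }
    if ($publisher -ne $ExpectedPublisher) {
        Write-Warning "Expected publisher '$ExpectedPublisher' but file is signed by '$publisher'"
        return $false
    }
    return $true
}

# Example call; the download location is an assumed path, not one from the blog
Test-InstallerPublisher `
    -Path "$env:USERPROFILE\Downloads\FlashPlayer__6741_i1561835113_il7532.exe" `
    -ExpectedPublisher 'Adobe Systems Incorporated'
```

A file whose signer CN is some company other than the vendor named in the installer’s filename returns $false, which is the same mismatch the UAC dialog shows you by hand.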
Do you see a process named dgen.exe running at 99% or even 100% CPU usage? If that is the case, someone is mining Bitcoins on your machine!
The dgen.exe Bitcoin miner has been around for some time. I first spotted it about a month ago, but for some reason I chose not to blog about it at that time. However, today I found it again, bundled with another download, so I thought I should post about it after all. Many anti-virus programs detect it, as you can see in the scan result from VirusTotal:
How did you get dgen.exe on your machine? Please share by posting a comment.
To remove the dgen.exe Bitcoin miner, check the dgen.exe process and the starthelp.exe service for removal in FreeFixer. This will also fix the high CPU usage that you probably see on your machine.
The starthelp.exe service appears as “Protect Monitor”:
Here’s a video where I show FreeFixer in action while removing dgen.exe and starthelp.exe:
Hope you found this useful. Thank you for watching!
Update 2014-08-11: I’ve seen a few cases where other filenames appear in the “c:\Program Files\PCDapp” folder: