Wednesday, January 21, 2015

Remove Trovi.com redirect (Virus Removal Guide)

Trovi.com is a browser hijacker that is bundled with other free downloads; once installed it changes your browser’s home page and default search engine to trovi.com.
[Image: Trovi.com virus]
The Trovi.com homepage displays advertisements and sponsored links in your search results, and may collect the terms you search for. The hijack exists to generate advertising revenue: every search you run is routed through trovi.com and its sponsored results, much as blackhat SEO is used to inflate a site’s ranking in search results.
Trovi.com is technically not a virus, but it exhibits plenty of malicious traits: it hooks into running programs (the Process Explorer investigation later on this page shows it injecting its DLLs into browser processes), hijacks browser settings, and in general interferes with the user experience. The industry generally refers to software like this as a “PUP,” or potentially unwanted program.
Trovi.com is an ad-supported cross-browser plugin (users may see additional banner, search, pop-up, pop-under, interstitial and in-text link advertisements) that installs as a Browser Helper Object (BHO) in Internet Explorer and as a plugin in Firefox and Chrome, and it is distributed through various monetization platforms during the installation of other software. The extension modifies the browser’s default or custom settings, including the home page and search settings. In some cases it also modifies Internet Explorer’s load time threshold, places a lock file in the Firefox profile so that competing software cannot change its settings, and disables the browser’s Content Security Policy so that the plugin’s own scripts can run inside pages from other sites.
The Trovi.com homepage got onto your computer after you installed freeware (video recording or streaming software, download managers or PDF creators) whose installer bundled this browser hijacker.
For example, when you install “Youtube Downloader HD”, you will also agree to change your browser homepage and default search engine to trovi.com.
[Image: Trovi.com redirect]
However, uninstalling “Youtube Downloader HD” from your computer does not restore your web browser’s default settings. This means you’ll have to remove the Trovi.com homepage from each of your web browsers manually.
You should always pay attention when installing software, because installers often include optional installs such as this Trovi.com browser hijacker. Be very careful what you agree to install.
Always opt for the custom installation and deselect anything that is not familiar, especially optional software you never wanted to download and install in the first place. It goes without saying that you should not install software you don’t trust.

How to remove Trovi.com (Virus Removal Guide)

This page is a comprehensive guide, which will remove Trovi.com from your Internet Explorer, Firefox and Google Chrome.
Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.
STEP 1: Remove Trovi.com browser hijacker from your computer with AdwCleaner
STEP 2: Remove Trovi.com from Internet Explorer, Firefox and Google Chrome with Junkware Removal Tool
STEP 3: Remove Trovi.com malicious files with Malwarebytes Anti-Malware Free
STEP 4: Double-check for the Trovi.com infection with HitmanPro

STEP 1: Remove Trovi.com browser hijacker with AdwCleaner

The AdwCleaner utility will scan your computer and web browser for malicious files, adware browser extensions and registry keys that may have been installed on your computer without your knowledge.
  1. You can download AdwCleaner utility from the below link.
    ADWCLEANER DOWNLOAD LINK (This link will automatically download AdwCleaner on your computer)
  2. Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.
    [Image: AdwCleaner icon]
    If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
  3. When AdwCleaner opens, click on the “Scan” button as shown below.
    [Image: Click on the Scan button to find the Trovi.com virus]
    AdwCleaner will now start to search for the “Trovi.com” malicious files that may be installed on your computer.
  4. To remove the “Trovi.com” malicious files that were detected in the previous step, please click on the “Clean” button.
    [Image: Remove Trovi.com virus with AdwCleaner]
  5. AdwCleaner will now prompt you to save any open files or documents, as the program will need to reboot the computer. Please do so and then click on the OK button.
    [Image: AdwCleaner removing Trovi.com virus]

STEP 2: Remove Trovi.com from Internet Explorer, Firefox and Google Chrome with Junkware Removal Tool

Junkware Removal Tool is a powerful utility, which will remove Trovi.com extensions from Internet Explorer, Firefox and Google Chrome.
  1. You can download the Junkware Removal Tool utility from the below link:
    JUNKWARE REMOVAL TOOL DOWNLOAD LINK (This link will automatically download the Junkware Removal Tool utility on your computer)
  2. Once Junkware Removal Tool has finished downloading, please double-click on the JRT.exe icon as seen below.
    [Image: Junkware Removal Tool]
    If Windows prompts you as to whether or not you wish to run Junkware Removal Tool, please allow it to run.
  3. Junkware Removal Tool will now start, and at the Command Prompt, you’ll need to press any key to perform a scan for the Trovi.com virus.
    [Image: Junkware Removal Tool scanning for Trovi.com homepage]
    Please be patient as this can take a while to complete (up to 10 minutes) depending on your system’s specifications.
  4. When the Junkware Removal Tool scan completes, the utility will display a log of the malicious files and registry keys that were removed from your computer.
    [Image: Junkware Removal Tool final log]

STEP 3: Remove Trovi.com malicious files from your computer with Malwarebytes Anti-Malware Free

Malwarebytes Anti-Malware Free uses industry-leading technology to detect and remove all traces of malware, including worms, Trojans, rootkits, rogues, dialers, spyware, and more.
It is important to note that Malwarebytes Anti-Malware works well and should run alongside antivirus software without conflicts.
  1. You can download Malwarebytes Anti-Malware from the below link.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download Malwarebytes Anti-Malware Free)
  2. Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup-consumer-2.00.xx” to start the installation of Malwarebytes Anti-Malware.
    [Image: Malwarebytes Anti-Malware setup program]
    [Image: User Account Control]
    You may be presented with a User Account Control dialog asking whether you want to run this file. If so, click “Yes” to continue with the installation.
  3. When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.
    [Image: Malwarebytes Anti-Malware Setup Wizard]
    To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.
    [Image: Malwarebytes Anti-Malware Final Setup Screen]
  4. Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Fix Now” button.
    [Image: Click on the Fix Now button to start a scan]
    Alternatively, you can click on the “Scan” tab and select “Threat Scan“, then click on the “Scan Now” button.
    [Image: Malwarebytes Anti-Malware Threat Scan]
  5. Malwarebytes Anti-Malware will now check for updates, and if there are any, you will need to click on the “Update Now” button.
    [Image: Click on Update Now to update Malwarebytes Anti-Malware]
  6. Malwarebytes Anti-Malware will now start scanning your computer for the Trovi.com virus. When Malwarebytes Anti-Malware is scanning it will look like the image below.
    [Image: Malwarebytes Anti-Malware while performing a scan]
  7. When the scan has completed, you will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-malware has found, click on the “Quarantine All” button, and then click on the “Apply Now” button.
    [Image: Remove the malware that Malwarebytes Anti-Malware has found]
    Please note that the infections found may be different than what is shown in the image.
  8. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found. When removing the files, Malwarebytes Anti-Malware may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot your computer, please allow it to do so.
    [Image: Malwarebytes Anti-Malware while removing viruses]
    After your computer restarts, open Malwarebytes Anti-Malware and run another “Threat Scan” to verify that no threats remain.

STEP 4: Double check for the Trovi.com infection with HitmanPro

HitmanPro is a second-opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that has infected it despite all the security measures you have taken (such as antivirus software, firewalls, etc.). HitmanPro is designed to work alongside existing security programs without conflicts. It scans the computer quickly (less than 5 minutes) and does not slow it down.
  1. You can download HitmanPro from the below link:
    HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download HitmanPro)
  2. Double-click on the file named “HitmanPro.exe” (for 32-bit versions of Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
    [Image: HitmanPro start-up screen]
    Click on the “Next” button, to install HitmanPro on your computer.
    [Image: HitmanPro setup options]
  3. HitmanPro will now begin to scan your computer for Trovi.com malicious files.
    [Image: HitmanPro scanning for malware]
  4. When it has finished it will display a list of all the malware that the program found as shown in the image below. Click on the “Next” button, to remove Trovi.com virus.
    [Image: HitmanPro scan results]
  5. Click on the “Activate free license” button to begin the free 30 days trial, and remove all the malicious files from your computer.
    [Image: HitmanPro Activate Free License]

Your computer should now be free of the Trovi.com infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the Premium version of Malwarebytes Anti-Malware to protect against these types of threats in the future.
If you are still experiencing problems while trying to remove Trovi.com hijacker from your machine, please start a new thread in our Malware Removal Assistance forum.

retrieved from url http://malwaretips.com/blogs/trovi-com-removal/

How to delete/eliminate the "conduit search malware"

Lesson 3: Using Process Explorer to Troubleshoot and Diagnose

Understanding how Process Explorer’s dialogs and options work is all fine and good, but what about using it for some actual troubleshooting or to diagnose a problem? Today’s Geek School lesson will try to help you learn how to do just that.

Not that long ago, we started investigating all sorts of malware and crapware that gets installed automatically any time you don’t pay attention while installing software. Nearly every piece of freeware on the market, including the “reputable” ones, bundles toolbars, search-hijacking awfulness, or adware, and some of it is hard to troubleshoot.
We’ve seen many computers from people that we know that have so much spyware and adware installed that the PC barely even loads anymore. Trying to load the web browser, especially, is nearly impossible, as all of the adware and tracking software competes for resources to steal your private information and sell it to the highest bidder.
So naturally, we wanted to do a bit of investigation into how some of these work, and there’s no better place to start than the Conduit Search malware that has claimed hundreds of millions of computers worldwide. This nefarious awfulness hijacks your search engine in your browser, changes your home page, and most annoyingly, it takes over your New Tab page no matter what your browser is set to.
We’ll start with looking at that, and then we’ll show you how to use Process Explorer to troubleshoot errors that talk about locked files and folders that are in use.
And then we’ll round it out with another look at how some adware these days are hiding themselves behind Microsoft processes so they appear legit in Process Explorer or Task Manager, even though they really aren’t.

Investigating the Conduit Search Malware

As we mentioned, the Conduit search hijacker is one of the most persistent, awful, and terrible things that nearly every one of your relatives probably has on their computer. They bundle their software in shady ways with any freeware they can, and in many instances, even if you select to opt-out, the hijacker will still be installed.
Conduit installs what they call “Search Protect”, which they claim prevents malware from making changes to your browser. What they don’t mention is that it also prevents you from making any changes to their browser unless you use their Search Protect panel to make those changes, which most people won’t know about since it’s buried in the system tray.
Not only will Conduit redirect all of your searches to their own custom Bing page, it will set that as your home page. One would have to assume that Microsoft is paying them for all this traffic to Bing, since they are also passing a ?pc=conduit style argument in the query string.
Fun fact: the company behind this piece of garbage is worth 1.5 Billion dollars and JP Morgan invested $100 million into them. Being evil is profitable.

Conduit Hijacks the New Tab Page… But How?

Hijacking your search and home page is trivial for any malware — this is where Conduit steps up the evil and somehow rewrites the New Tab page to force it to show Conduit, even if you change every single setting.
You can uninstall all of your browsers, or even install a browser you didn’t have installed before, like Firefox or Chrome, and Conduit will still manage to hijack the New Tab page.

Somebody should be in jail, but they are probably on a yacht.
It doesn’t take much in terms of geek skills to eventually deduce that the problem is the Search Protect application running in the system tray. Kill that process, and suddenly your new tabs open just the way the browser maker intended.

But how, exactly, does it do this? There are no add-ons or extensions installed into any of the browsers. There aren’t any plugins. The registry is clean. How do they do it?
This is where we turn to Process Explorer to do some investigation. First, we’ll find the Search Protect process in the list, which is easy enough because it is properly named, but if you weren’t sure, you can always open up the window and use the little bulls-eye icon next to the binoculars to figure out which process belongs to a window.

Now you can simply select the appropriate process, which in this case was one of the three that are started automatically by the Windows service Conduit installs. How did I know that a Windows service restarts it? Because the color of that row is pink, of course. Armed with that knowledge, I could always go stop or delete the service (though in this particular case, you can simply uninstall from Uninstall Programs in Control Panel).
Now that you’ve selected the process, you can use the CTRL + H or CTRL + D shortcut keys to open the Handles view or the DLLs view, or you can use the View -> Lower Pane View menu to do it.
Note: in the world of Windows, a “handle” is an opaque integer value that a process uses to refer to a resource the kernel has opened on its behalf: a file, another process, a thread, a registry key, and many other things. User-interface objects have handles of their own; each open application window on your computer has a unique “window handle”, for example, that can be used to reference it.
DLLs, or dynamic link libraries, are shared pieces of compiled code that are stored in a separate file to be shared among multiple applications. For instance, instead of having every application write their own File Open / Save dialogs, all applications can simply use the common dialog code provided by Windows in the comdlg32.dll file.
Looking through the list of handles for a few minutes brought us a little bit closer to what was going on, because we found handles to Internet Explorer and Chrome, both of which are currently open on the test system. We’ve definitely confirmed that Search Protect is doing something to our open browser windows, but we’ll need to do a little more research to figure out exactly what.

The next thing to do is double-click the process in the list to open up the details view, and then flip over to the Image tab, which will give you information about the full path to the executable, the command line, and even the working folder. We’ll click the Explore button to take a look at the installation folder and see what else is hiding there.

Interesting! We’ve found a number of DLL files here, but for some weird reason none of these DLL files were listed in the DLL view for the Search Protect process when we were looking at it earlier. This could be a problem.


Any time you want to see whether a DLL file is currently being used by any application on your system, you can pop up the search pane by going to the Find menu, hitting CTRL + F, or just clicking the binoculars icon on the toolbar. Now type in part of the name of the DLL, or even the full name if you’d like.
We chose to search for just the beginning, “SPVC”, since that was the common tie between them all, and sure enough, it looks like those DLLs are being loaded directly into each of the browser processes running on our computer.

Clicking on one of the items in the list and switching over to the Threads page confirmed what we were worried about. Both Chrome and Internet Explorer were running threads using the SPVC32.dll or SPVC64.dll files from the Search Protect malware, and this is how they were hijacking our new tab page — not by changing settings, but by hijacking the browser from within.
Note: In Windows, a thread is the unit the operating system schedules for processor time. A process is the container we geeks and system admin types are used to thinking about (an address space, a set of handles and at least one thread), but technically only threads run in Windows, not processes. Some processes have a single thread of execution, while others have many threads running independently of one another, usually coordinating through some sort of in-process communication mechanism.
You can also double-click on any of the threads to see the full execution stack, which can be useful to see what functions are being called and attempt to figure out what the problem is.

You might be wondering how the Search Protect application managed to get Google Chrome to load that DLL. The answer is a technique called DLL injection: a process with sufficient rights can force another process to load a DLL it never asked for (for example by creating a remote thread in the target that calls LoadLibrary, or by registering a Windows hook with SetWindowsHookEx), and once the DLL is inside the target it can hook that process’s API functions and change their behaviour. This is how some applications override Windows features or features in other applications, and it is not something a browser add-on should ever need to do. It’s a very complicated subject that we definitely can’t get into in this lesson, but if you really want to read more, you can check out this guide.
It’s also worth noting that you can see the CPU usage per thread by digging into this level of details, which can be very useful when troubleshooting an application that has plugins. You could use this to figure out that a particular DLL file is taking up too much of the processor time, and then do some research on what that component belongs to.
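
The Find search described above (CTRL + F, type “SPVC”) can be scripted. The following PowerShell is an added example, not part of the How-To Geek lesson or of any Sysinternals tool: it walks the modules loaded into each running browser process and reports any that sit outside the browser’s own install folder and the Windows directory, that fail Authenticode verification, or whose name matches the Search Protect DLLs the lesson found (SPVC32.dll / SPVC64.dll). The browser process names, the name patterns and the trust rule (browser folder plus Windows directory) are assumptions chosen for this example.

```powershell
# Added example (not from the How-To Geek lesson): a scripted version of the
# Process Explorer "Find DLL" step.  For every running browser process, list the
# loaded modules and report any that are not trusted, where "trusted" is an
# assumption chosen here: the module lives under the browser's own install
# folder or under the Windows directory, and it is not on the known-bad list.
# Anything else is checked with Get-AuthenticodeSignature and reported with
# the reason.  Run from an elevated PowerShell so other users' processes and
# their module lists are readable.

$browserNames  = 'chrome', 'iexplore', 'firefox', 'msedge'               # assumption: browsers to inspect
$knownBadGlobs = 'SPVC*.dll', '*conduit*', '*trovi*', '*searchprotect*'   # names this page ties to the hijacker
$windowsDir    = $env:WINDIR.TrimEnd('\') + '\'

function Test-TrustedPath {
    param([string]$Path, [string]$BrowserDir)
    # Case-insensitive prefix test on the module's full path.
    return ($Path.StartsWith($BrowserDir, 'OrdinalIgnoreCase') -or
            $Path.StartsWith($windowsDir,  'OrdinalIgnoreCase'))
}

$findings = foreach ($p in Get-Process -Name $browserNames -ErrorAction SilentlyContinue) {
    try {
        $exePath    = $p.MainModule.FileName
        $browserDir = (Split-Path -Parent $exePath).TrimEnd('\') + '\'
        $modules    = @($p.Modules)
    } catch {
        # Access denied, or a 32-bit process this PowerShell host cannot
        # enumerate: report it rather than silently treating it as clean.
        [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName; Module = '<unreadable>'; Reason = $_.Exception.Message }
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $leaf = Split-Path -Leaf $path
        $isKnownBad = $false
        foreach ($g in $knownBadGlobs) {
            if ($leaf -like $g -or $path -like $g) { $isKnownBad = $true }
        }
        if (-not $isKnownBad -and (Test-TrustedPath -Path $path -BrowserDir $browserDir)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $reason = if ($isKnownBad)                 { 'matches a known hijacker name' }
                  elseif ($sig.Status -ne 'Valid') { "signature status $($sig.Status)" }
                  else { "validly signed by '$($sig.SignerCertificate.Subject)' but loaded from outside the browser and Windows folders" }
        [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName; Module = $path; Reason = $reason }
    }
}

$findings | Sort-Object Process, ProcessId | Format-Table -AutoSize -Wrap
```

A validly signed module loaded from outside those two folders is not automatically bad (antivirus and accessibility products inject too), which is why the signer is printed rather than the row being suppressed; an unsigned DLL in a browser process, or anything matching the SPVC pattern, is the case the lesson describes.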

Dealing with Locked Files or Folders

Since it’s unlikely that you’ll be investigating malware all the time, it’s also helpful to use Process Explorer for other tasks, like dealing with those “In Use” dialogs that you get any time you try to delete, move or modify a file or folder that is being used by another process, especially when you aren’t sure which process is locking it.

When you get an error like that one, just head over to Process Explorer, open up the search with CTRL + F or the binoculars icon, and then type in the name of the folder listed in the dialog (or the full path if the name is very vague).
You’ll very quickly see a process in the list that has your file or folder open, and you can double-click on it to identify the process in the list.

Your immediate reaction might be to just close that process, but you don’t necessarily have to do that. You can also right-click on the file or folder in the list of handles (Use the CTRL + H option to bring up the Handles list) and choose the Close Handle option. That resource is now unlocked!

Note: If you’re deleting something, this is a perfectly fine option, but if you are just trying to edit or move that item, you should probably open the offending application and deal with it there so you don’t lose any data.

Researching Processes that Look Safe but Aren’t

During our malware research we’ve noticed another problem that is becoming more prevalent, so it is wise to keep an eye on it in the future. What is that problem? Malware is hiding behind legitimate Windows processes, and it’s doing a good job.
The vehicle is the Windows rundll32.exe utility, which loads whatever DLL is named on its command line and calls an exported function from it. Since the utility itself is signed by Microsoft, it shows up as a completely legitimate process in the list, but what the adware authors are doing is moving their code into a .DLL file instead of a .EXE file and then launching it with rundll32.exe. In fact, if you see rundll32.exe running as an “own process” in the light blue color shown below, it’s nearly always something that shouldn’t be running.
In the example below, you can see that even though we used the Verified Signer feature to validate that item, the signature belongs to rundll32.exe itself and says nothing about the DLL it was told to load; when we hover over it and look at the full path, it is actually loading a DLL that turns out to be part of an adware product.
Note: before you start screaming about running an anti-virus scan, we’ll note that we did, and it didn’t come back with anything. Much of this crapware, adware, and spyware is ignored by anti-virus utilities.

Double-clicking to open up the details shows more of the problem, and we can also see the directory that the badware is running out of, which we’ll use to investigate further.

Inside that directory we found a number of files that were being updated constantly in the background.

The rest of the investigation led into some other tools that weren’t SysInternals, and that we’ll probably cover at a later date, but suffice it to say that this is just a piece of malware that was running in conjunction with another crapware application.
The important point here is that malware is able to hide itself behind legitimate Windows executables, so be sure to keep your eyes peeled for anything similar.
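
One way to check every running rundll32.exe the way the lesson does by hand. This is an added PowerShell example, not code from the lesson: it reads each rundll32 command line through WMI, pulls out the DLL it was told to load, checks whether that DLL lives in the Windows system directories and whether it carries a valid Authenticode signature, and records the parent process that launched it. The command-line parsing rules are an assumption based on rundll32’s documented `rundll32 <dll>,<entrypoint> [args]` syntax, and treating “outside System32/SysWOW64” as suspicious is a heuristic chosen for this example.

```powershell
# Added example (not from the How-To Geek lesson): audit every running
# rundll32.exe.  The rundll32 binary is Microsoft-signed, so its own signature
# proves nothing; what matters is the DLL named on its command line, where that
# DLL lives, whether the DLL is signed, and which process started rundll32.
# Run elevated so WMI returns command lines for other users' processes.

$windowsDir = $env:WINDIR.TrimEnd('\')
$systemDirs = @("$windowsDir\System32\", "$windowsDir\SysWOW64\")

function Get-RunDllTarget {
    # Extract the DLL path from a rundll32 command line.  Assumption: the
    # documented form  rundll32 <dll>,<entrypoint> [args]  with the DLL either
    # quoted ("C:\dir with spaces\x.dll",Entry) or bare (C:\dir\x.dll,Entry).
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    # Drop the rundll32 executable token, quoted or not (-replace is case-insensitive).
    $rest = $CommandLine -replace '^\s*("[^"]*rundll32(\.exe)?"|\S*rundll32(\.exe)?)\s*', ''
    if     ($rest -match '^"([^"]+)"') { $target = $Matches[1] }
    elseif ($rest -match '^(\S+)')     { $target = $Matches[1] }
    else   { return $null }
    $target = $target -replace ',.*$', ''        # strip ",EntryPoint" and anything after it
    if ($target -notmatch '[\\/]') {
        # Bare file name: rundll32 resolves it through the normal DLL search
        # order.  Assume System32 for the signature check; the report shows it.
        $target = Join-Path $systemDirs[0] $target
    }
    return $target
}

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'") {
    $dll    = Get-RunDllTarget -CommandLine $proc.CommandLine
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
    $inSys  = $false
    foreach ($d in $systemDirs) {
        if ($dll -and $dll.StartsWith($d, 'OrdinalIgnoreCase')) { $inSys = $true }
    }
    # Windows' own DLLs are usually catalog-signed rather than carrying an
    # embedded signature; Get-AuthenticodeSignature validates catalog signatures
    # on Windows 8 / Server 2012 and later, so on older systems a System32 DLL
    # reporting NotSigned is not by itself a finding.
    $status = if ($sig) { [string]$sig.Status } else { 'file not found' }
    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($proc.ParentProcessId))" }
        Dll         = $dll
        InSystemDir = $inSys
        Signature   = $status
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Suspicious  = (-not $inSys) -or ($status -ne 'Valid')
        CommandLine = $proc.CommandLine
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table ProcessId, Parent, Suspicious, InSystemDir, Signature, Dll -AutoSize -Wrap
```

The Parent column is the other half of the lesson’s point: a rundll32 started by explorer.exe from a user’s AppData folder, or by a service the user never installed, deserves the same double-click investigation the lesson walks through, whatever the Verified Signer column says.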

Coming Up Next


Stay tuned tomorrow for even more SysInternals knowledge, as we show you how to use the Process Monitor utility to track what applications are actually doing behind the scenes. It’ll be eye-opening.

credit to url http://www.howtogeek.com/school/sysinternals-pro/lesson3/all/

How to Remove Trovi / Conduit / Search Protect Browser Hijack Malware

If your computer has been hijacked with an obnoxious malware that won’t let you change your home page, there’s a strong chance you’ve been infected with the Trovi Search Protect malware, which used to be known as Conduit. Here’s how to remove it.
How do you know this is malware? A legitimate add-on would install as a Google Chrome extension and appear in your extensions list, but you’ll probably see that the list doesn’t mention Trovi or Conduit at all. Instead, they hijack the browser process from the outside, by injecting a DLL into it, using Windows API techniques that no legitimate browser add-on should be using. For more details on that, you can read our series on using Process Explorer to troubleshoot Windows.

How Did You Get Infected?

Usually at some point you made the huge mistake of trusting a site like Download.com, which bundled it into an installer for a completely different application. This is why you should be really careful when downloading freeware on the Internet.

They get around the legality issue with their long terms of service that nobody reads and by making sure there’s actually a way to uninstall the thing. But as far as we’re concerned, anything that installs in a sneaky fashion and hijacks your other running processes is malware.

Removing the Trovi Search Protect Malware

This is really sad to say, but it’s actually important to use the Search Protect panel to turn off the bad settings first before uninstalling it. You can find the Search Protect icon in the system tray and then double-click on it to open up the panel.

In here, change your Home Page back to Google or whatever you want.

Now change your New Tab page back to Browser Default.

Change your Default Search back to “Browser default search engine.”

And then uncheck the “Enhance my search experience,” which is a lie, because it doesn’t enhance it at all.

Now head to Control Panel, find the Uninstall Programs section, and then find Search Protect and click the Uninstall button. While you are in here, you might want to uninstall anything else that says anything similar to “Search Protect.” If you see SaveSense, remove that too.

At this point your browser should be back to normal… but we aren’t done quite yet. There are still a lot of traces of this thing that we need to clean up.

Use the Google Chrome Software Removal Tool

If you are using Google Chrome, you are in luck because Google provides their own Software Removal Tool to make sure that all of these things are removed. Just head to the Google SRT page, download and run it, and it will automatically detect and remove everything.

Once you start up your browser again, it will ask if you want to reset your browser settings. This will reset everything to defaults, including removing all troublesome extensions. It’s probably a good idea, although note that you’ll have to login to all of your sites again.

Download the Software Removal Tool from google.com

Clean Up IE Settings

If you are using Internet Explorer, you should go to the Tools menu and find the Manage Add-ons item. In here, you can click on Search Providers and change your search back to what it should be. If you see Trovi in the list, click on it and then click Remove.
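
Once Search Protect is uninstalled, traces remain, as the article says. The following PowerShell is an added example, not part of the How-To Geek article or of Google’s Software Removal Tool: it reads, without modifying anything, the settings this page says the hijacker changes (the IE home page and search providers, Chrome’s home page, startup pages and default search engine, Firefox prefs.js) and the places it persists (IE Browser Helper Objects, Uninstall entries, Windows services, which the Process Explorer lesson above notes Conduit uses to restart Search Protect), and prints any that still mention Trovi, Conduit, Search Protect, SPVC or SaveSense. The Chrome and Firefox profile paths, the Chrome preference key names and the name pattern are assumptions for this example.

```powershell
# Added example (not from the How-To Geek article): read-only audit of the
# settings this page says the hijacker changes and the places it persists.
# Nothing is modified; fix anything reported using the steps above.  Profile
# paths, Chrome preference key names and the name pattern are assumptions.

$pattern = 'trovi|conduit|search\s*protect|spvc|savesense'
$hits    = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Where, [string]$What) {
    $hits.Add([pscustomobject]@{ Where = $Where; Value = $What })
}

# 1. Internet Explorer: home/search page values and installed search providers.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
    $v = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -match $pattern) { Add-Hit "$ieMain\$name" $v }
}
Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ("$($p.DisplayName) $($p.URL)" -match $pattern) { Add-Hit "IE search provider $($_.PSChildName)" $p.URL }
}

# 2. Internet Explorer Browser Helper Objects (the add-on type the page says Trovi installs).
#    Report any whose COM server path matches the pattern or no longer exists on disk.
$bhoRoots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($root in $bhoRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
            $srv = (Get-ItemProperty "$hive\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($srv -and ($srv -match $pattern -or -not (Test-Path -LiteralPath $srv))) { Add-Hit "BHO $clsid" $srv }
        }
    }
}

# 3. Chrome: home page, startup URLs and default search engine, stored as JSON in
#    the profile's "Preferences" and "Secure Preferences" files (assumed locations/keys).
foreach ($file in 'Preferences', 'Secure Preferences') {
    $prefs = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\$file"
    if (-not (Test-Path -LiteralPath $prefs)) { continue }
    $raw = Get-Content -LiteralPath $prefs -Raw
    try   { $j = $raw | ConvertFrom-Json }
    catch { if ($raw -match $pattern) { Add-Hit $prefs '(file mentions the pattern; JSON could not be parsed)' }; continue }
    $vals = @($j.homepage) + @($j.session.startup_urls) + @($j.default_search_provider_data.template_url_data.url)
    foreach ($v in $vals) { if ($v -match $pattern) { Add-Hit $prefs $v } }
}

# 4. Firefox: user_pref lines in every profile's prefs.js.
Get-ChildItem (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    Select-String -LiteralPath $_.FullName -Pattern $pattern | ForEach-Object { Add-Hit $_.Path $_.Line.Trim() }
}

# 5. Leftover Uninstall entries and Windows services.
$uninstallRoots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dn = (Get-ItemProperty -Path $_.PSPath).DisplayName
        if ($dn -match $pattern) { Add-Hit 'Uninstall entry' $dn }
    }
}
Get-CimInstance Win32_Service | Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    ForEach-Object { Add-Hit "Service $($_.Name) ($($_.State))" $_.PathName }

if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize -Wrap }
else { 'No Trovi/Conduit/Search Protect traces found in the checked locations.' }
```

Run it as the affected user (the IE, Chrome and Firefox settings live in that user’s profile) and again after the Malwarebytes scan and reboot below; an empty result from this script only covers the locations listed in it, so it complements rather than replaces the full scan.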

Use Malwarebytes to Scan Your PC

All of the above techniques will get your computer back to normal — at least as far as Trovi is concerned. But there’s a very strong chance that you’ve got other things hijacking your browser and spying on you.
The best bet for cleaning up spyware and malware is Malwarebytes. You might ask yourself why you wouldn’t just use your regular antivirus product, but the fact is that antivirus just doesn’t detect spyware very often. It’s only useful for viruses that try to destroy your PC, which are few and far between at this point. Almost all of the malware out there is trying to spy on you, redirect your browsing, and insert more ads into pages that you’re viewing. It’s all about the money.
So the only really good product on the market that will find and remove spyware, adware, and other malware is Malwarebytes. Luckily they have a free version that will let you clean up and remove everything — if you want to pay for the full version that has active protection to prevent these things from happening, that’s fine too.
Once you’ve downloaded and installed it, you’ll be prompted to run a scan, so click that big green Scan Now button.

After it completes scanning, it’ll find a big huge list of things to remove. Click the Apply Actions button to actually remove all the malware.

You’ll want to reboot your computer to make sure that everything is fully cleaned up. If anything seems to come back, run Malwarebytes again, remove anything found, and then reboot again.

retrieved from url: http://www.howtogeek.com/198386/how-to-remove-trovi-conduit-search-protect-browser-hijack-malware/