How to Remove Pro PC Cleaner

isabelle.blondin, Thu, 08/18/2016 - 10:27

Pro PC Cleaner is a registry cleaner that is typically bundled with other software. It scans the Windows Registry and offers to remove outdated values, such as entries made by programs that are no longer installed and other unnecessary values, ostensibly to reduce the size of your registry database and improve the computer’s performance.

Pro PC Cleaner exhibits intrusive behavior, including questionable installation practices and frequent pop-ups and warnings, making it a potentially unwanted program (PUP). In this case, Pro PC Cleaner’s installation is displayed in the third dialog window during the installation of another program, with the ‘Accept’ button positioned in a way that makes it easy to inadvertently click.

 

As soon as Pro PC Cleaner is installed alongside the original software the user wanted, it begins a scan on the user’s computer without any user-directed prompt:

 

After the scan is complete the program displays a warning (with a flashing warning sign!) about the system being compromised, in an attempt to alarm and persuade the user to register and purchase a full version of the product.

 

 

If you press the Clean Now button, a dialog window opens prompting you to “fix the detected issues” and claiming that they are of a high “cleaning urgency,” asking the user to register the software and provide a license key:

 

 

If you press Register Now, a webpage opens recommending that the user “Register Pro PC Cleaner below to correct these possible Windows registry errors and speed up your PC instantly.”

Once the user provides their email address they are offered a discount on the Pro version of Pro PC Cleaner with a coupon that coincidentally expires the same day as the initial installation. Also note the subtraction error in the discount below: 

 

 

Pro PC Cleaner also schedules two tasks in the Windows task scheduler without the user’s knowledge:

 

 

The first task above schedules a daily popup window that appears above the task bar:

 

 

The second scheduled task starts a new scan every time a new user logs into the computer.
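
A read-only way to locate the two scheduled tasks described above, added here as an example that is not part of the original article. It assumes Windows 8 or later (the ScheduledTasks PowerShell module) and that the task name, folder, author or command line contains the product name, since the article does not give the task names.

```powershell
# Added example (not from the original article): list scheduled tasks that
# resemble the two tasks described above, a daily pop-up and a scan at logon.
# Read-only: nothing is disabled or deleted.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).

# Assumption: the task name, folder, author or command line contains the
# product name. The article does not give the task names or install path.
$pattern = 'Pro\s*PC\s*Cleaner'

$suspects = foreach ($task in Get-ScheduledTask) {
    # Command lines of the task's "start a program" actions.
    $commands = @(
        $task.Actions |
            Where-Object { $_ -and $_.Execute } |
            ForEach-Object { ('{0} {1}' -f $_.Execute, $_.Arguments).Trim() }
    )

    # Trigger classes, e.g. MSFT_TaskDailyTrigger or MSFT_TaskLogonTrigger.
    $triggers = @(
        $task.Triggers |
            Where-Object { $_ } |
            ForEach-Object { $_.CimClass.CimClassName }
    )

    # Keep only tasks where one of the text fields mentions the product.
    $fields = @($task.TaskName, $task.TaskPath, $task.Author) + $commands
    if (-not ($fields -match $pattern)) { continue }

    [pscustomobject]@{
        TaskName     = $task.TaskName
        TaskPath     = $task.TaskPath
        State        = $task.State
        Author       = $task.Author
        Triggers     = $triggers -join ', '
        # True when the trigger type matches what the article describes.
        DailyOrLogon = [bool]($triggers -match 'Daily|Logon')
        Commands     = $commands -join '; '
    }
}

if ($suspects) {
    $suspects | Format-List
} else {
    'No scheduled task matching the pattern was found.'
}
```

Tasks that remain after the uninstall steps below can be reviewed and deleted in the Task Scheduler console.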

 

To uninstall Pro PC Cleaner:

If you are using Windows 7, click the Start button on the screen’s bottom-left corner then click on the “Control Panel.”

If you are using Windows 8 or 8.1, right-click the Windows icon on the screen’s bottom-left corner and select the Control Panel from the menu.

In the Control Panel, under Programs, select Uninstall a program.

 

 

Right click Pro PC Cleaner and select Uninstall.

 

 

When you select Uninstall a dialog window opens:

 


 

Select “Yes” in this window. Then another dialog window will open asking you to reconsider your choice with the program offering to fix some of your issues for free.

 

 

 

To complete the Uninstall select the greyed-out button that says “Uninstall now.”

To ensure the safety and security of your computer with free antimalware software, download Ad-Aware.

To learn how to remove adware, check out our previous articles


How to Remove Search Protect by Spigot

isabelle.blondin, Thu, 08/18/2016 - 10:25

Search Protection by Spigot is classified as a potentially unwanted program. This application is designed to protect its bundled programs and make sure they remain installed or unchanged by other third-party programs. It creates a registry entry for the current user that allows the program to start automatically each time the computer is rebooted.

Once it gets inside your PC, Search Protection changes your web browser's settings, making you visit the search engines and websites associated with it over and over again. If you try to revert to the default settings, the program will not allow you to make these changes. This application causes pop-ups and various types of advertisements. If you go to the Windows Task Manager, you should see two “SearchProtection.exe” processes running.

Search Protection by Spigot may cause various system performance issues on the affected computer. It can slow down your internet browsers and may also cause redirected searches or failed keyword searches.

Search Protection is typically bundled with freeware or shareware that you install (video recording/streaming tools, download managers, PDF creators, etc.).

It is very important to pay attention to additional checkboxes during installation to avoid installing unwanted applications or toolbars.

 

Search Protection Automatic Removal Instructions

To remove Search Protection by Spigot (yahoo.com) from your computer, follow these steps:

1.    Download the Web Companion

2.    Launch the Web Companion installer "webcompanioninstaller.exe" by double-clicking on the setup file and follow the instructions to install the software.

3.    During the installation, Web Companion will remove Search Protection by Spigot and prompt you to set up your desired home page and default search engine.

Search Protection Manual Removal Instructions*

If the automatic removal via Web Companion failed, we recommend following these steps:

1.    Terminate malicious process(es) (How to End a Process With the Task Manager):

searchprotection.exe 
SearchSettings.exe
random.exe 


2.    Uninstall Search Protect

For Windows 7: 
- Click the "Start" button and select "Control Panel" 
- Click "Uninstall a Program" option found under the "Programs" category 
- Select the program with the name "Search Protection" 
- Click "Remove" 

For Windows Vista
- Close all open Web browsers 
- From the "Start" menu in Windows, select "Control Panel" 
- Under the "Programs" icon, select "Uninstall a program" 
- Select the program with the name "Search Protection" 
- Click "Uninstall" and then "Continue" to remove the Toolbar

For Windows XP
- From the "Start" menu in Windows, select "Control Panel" 
- Click on "Add/Remove Programs". 
- Select the program with the name "Search Protection" 
- Click "Change/Remove" 

For Windows 8
- Go to the Charm bar (Windows key + C), then "Settings", then "Control Panel"
- Choose "Programs and Features"
- Choose Search Protection and delete it

3.    Delete the following files/entries created by Search Protect:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users\adm\AppData\Roaming\Searchprotection

*Manual removal may cause unexpected system behavior and should be performed at your own risk.

4.     Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans. 

Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation. 

•  If you do not currently have an antivirus installed, please click here to download  Ad-Aware Free Antivirus+ and follow the installation instructions from Ad-Aware User Guide (‘Installation and Uninstallation’ ->‘Ad-Aware Install’ section).

•  Perform a full scan of your PC with Ad-Aware (following Ad-Aware User guide: ‘Scanning System’ ->‘Running a scan’ section).
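
Before and after the manual removal, the traces named in steps 1 and 3 can be checked with a read-only script. This is an added example, not part of the original article; the match text `searchprotect` for the autostart value is an assumption, because the article names the Run key but not the value stored in it.

```powershell
# Added example (not from the original article): read-only check for the
# Search Protect traces named in manual-removal steps 1 and 3.
# Nothing is terminated or deleted; run it as the affected user.

# Step 1 process names (Get-Process takes them without ".exe").
# "random.exe" in the article stands for an arbitrary name and is not checked.
$processNames = 'searchprotection', 'SearchSettings'

# Step 3 locations: per-user autostart key and the product's data folder.
# $env:APPDATA resolves to C:\Users\<current user>\AppData\Roaming.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$dataFolder = Join-Path $env:APPDATA 'Searchprotection'

# Assumption: the autostart value's name or command line contains this text.
$pattern = 'searchprotect'

function New-Finding ($Kind, $Name, $Detail) {
    New-Object PSObject -Property @{ Kind = $Kind; Name = $Name; Detail = $Detail }
}

$findings = @()

# 1. Running processes
foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
    $findings += New-Finding 'Process' $p.ProcessName "PID $($p.Id), $($p.Path)"
}

# 2. Values under the current user's Run key
if (Test-Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($valueName -match $pattern -or $data -match $pattern) {
            $findings += New-Finding 'Run value' $valueName $data
        }
    }
}

# 3. Data folder under AppData\Roaming
if (Test-Path -LiteralPath $dataFolder) {
    $items = @(Get-ChildItem -LiteralPath $dataFolder -Recurse -Force -ErrorAction SilentlyContinue)
    $findings += New-Finding 'Folder' $dataFolder "$($items.Count) item(s)"
}

if ($findings) {
    $findings | Select-Object Kind, Name, Detail | Format-Table -AutoSize -Wrap
} else {
    'No Search Protect traces found for this user.'
}
```

An empty result after a reboot indicates that the autostart entry did not re-create the processes.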

How to Remove Astromenda Search From Your Browser

isabelle.blondin, Thu, 08/18/2016 - 10:23

Astromenda is an application designed to organize your browser by changing your home page, default search engine, and new tabs to Astromenda, and its goal (as per the publisher) is to make “the web more accessible and more efficient, for all users.” To protect your browser settings in the future, download Web Companion.

Below are a few facts about Astromenda that we would like to draw your attention to.

This program is usually distributed by bundling it with free software using the pay-per-install marketing method, so it may sneak onto your PC as part of another installation without you noticing. The home page set by Astromenda usually contains attractive boxes with advertisements, but the program disclaims any liability for this content.

From the EULA:

“3rd Party Content: The content provided to you in the course of using the materials and services may include 3rd parties' software and/or services ("3rd Party Content") and Astromenda does not warrant for its quality or authenticity. Astromenda is not, and shall never be, liable for any damage that might occur when using and/or relying on 3rd Party Content and does not warrant that they will be available or accurate.”

 
The screenshot below shows what your New tab page usually looks like if you have Astromenda installed on your PC:

Before Google Chrome adds Astromenda to its extensions’ list, it shares the following information with a user:

Astromenda may add an icon called ‘Cut the Rope’ to your desktop, which is not a shortcut to the actual popular game. Clicking this icon opens a website with Astromenda online games, where an online version of Cut the Rope is available along with other Astromenda games.

Astromenda Manual Removal Instructions

Note. This is a self-help guide. Use it at your own risk. This article is provided "as is" and to be used for information purposes.

1.    Before you start, please make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive or cloud storage.

2.    Please close all your browsers (if any).

3.    From your desktop, click on Windows Start  button and choose Control Panel option (Windows 8 users: right-click on ‘Windows Start’ icon (by default, it is located in the left bottom corner of your screen), and choose Control Panel from the context menu):

•   Click ‘Programs and Features’ under the ‘Programs’ category (Windows Vista, 7 and 8)/‘Add or Remove Programs’ (Windows XP),
•   Please find ‘WSE_Astromenda’ -> right click on it, choose ‘Uninstall’ and follow the prompts,
•   Once uninstall is done, a webpage opens confirming the same. Simply close this page.

4.    Please make sure that hidden files in your Windows Explorer are visible: Start –> Control Panel (Appearance and Personalization) –> Folder Options –>‘View’ tab –> find ‘Hidden files and folders’ and check a box ‘Show hidden files, folders, and drives’.

5.    Follow this path - C:\Users\YOUR_USER_NAME\AppData\Local\Temp (XP users: C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp) -> highlight all the files/folders here -> press ‘Shift’+’Delete’ and click ‘Yes’ to completely clean this folder (Note. If you receive messages that some files cannot be removed, just skip the file in question).

6.    Please find the directories below and make sure that all the Astromenda traces are removed: 
C:\Program Files\WSE_Astromenda
C:\Users\YOUR_USER_NAME\AppData\Roaming\WSE_Astromenda
C:\Users\YOUR_USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\XXXX.default\extensions\{ad7ce998-a77b-4062-9ffb-1d0b7cb23183}
C:\Users\YOUR_USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\XXXX.default\searchplugins\Astromenda
C:\Users\YOUR_USER_NAME\AppData\Local\Google\Chrome\UserData\Default\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae

7.    Now please make sure that your browser is clean.

Mozilla Firefox

•   Click on the Menu button in the upper right corner of the Firefox window (older versions of the browser: click on the orange ‘Firefox’ logo in the upper left corner) -> find the Add-ons section -> check the ‘Extensions’ and ‘Plugins’ tabs, and if you find Astromenda add-ons here, click on the ‘Remove’ button:


•   Again click on the Menu button and choose ‘Options’ -> in the General tab ‘Home Page’ field, please highlight http://astromenda.com... link -> right click on it and press ‘Delete’ -> type a web address of your preferred home page in ‘http://…’ format.

•   In the main Firefox window, click on a small triangle in the ‘Search Engines’ field (right upper corner), and choose ‘Manage Search Engines…’ option. Highlight all the unwanted search engines including ‘Astromenda’ and click on ‘Remove’ button:

•   Restart Firefox.


 Google Chrome

•   Type chrome://extensions in the Chrome address bar and press ‘Enter’;
•   If you see Astromenda here, click on the trash can (as shown below):

•   Now please click on ‘Settings’ tab and find ‘On startup’ section: click on ‘Set pages’ link next to ‘Open a specific page or set pages’ option -> in the opened window find astromenda.com… link, move your cursor over this link, and click the "X" button on the right to delete it:

 
•   In the Appearance section: when ‘Show Home button’ box is checked, click on ‘Change’ link -> in the next window highlight astromenda.com… link and press ‘Delete’ button on your keyboard.


 
•   In the Search section: click on ‘Manage search engines…’ button and:

1.    In the opened window set a new desired Home page from the existing list: move your cursor to the new engine for ‘Make default’ button to appear – click on this button.
2.   Once done, move your cursor to Astromenda for a ‘X’ button to appear and remove it from the list.

•   Restart Google Chrome.

Internet Explorer

•   When the IE window is open, press the Alt+X keys on your keyboard to open the Tools menu -> click on Manage Add-ons.
•   Open the ‘Toolbars and Extensions’ section -> if you have Astromenda here, highlight it and click on the ‘Disable’/‘Delete’ button.
•   Open the ‘Search Providers’ section -> set a new desired Home page from the existing list (right click on a new search engine, and choose ‘Set as default’ from the context menu) -> now highlight Astromenda and click on the ‘Remove’ button at the bottom of the window:


 
•   Again open Tools menu -> Internet Options -> General Tab ->‘Home page’ section: if you see ‘http://astromenda.com…’ link here, highlight and delete it using context right-click menu -> type a new web address you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page in the ‘Startup’ section (to start with your last session, for example):



•   Restart Internet Explorer.

8.    If you see a shortcut on your desktop called ‘Cut the Rope’, highlight it, press Shift+Delete buttons on your keyboard and click on ‘Yes’ when a dialog box opens to confirm deletion.

9.    Now, please install adaware antivirus to make sure you don’t have any infections on your machine: 

•    Click here to download adaware antivirus, and follow installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).
•    Restart your PC.

10.    If you continue facing issues with Astromenda, please remove its traces from your registry. Before you start, please make sure you understand how important this part of your PC is. You cannot restore data from here once you delete something (‘Ctrl+Z’ never works in Registry Editor). And if you delete an incorrect component by mistake, it may damage your OS or make it unusable.
•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened window type regedit and press ‘Enter’. 
•    Highlight main registry section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure Keys, Values, Data check-boxes in the ‘Find’ window are checked -> type Astromenda in the search field and click OK. Search results will highlight a key/value/data that contains Astromenda components. If you find the exact match with the name of program you want to remove, right click on the element in question and choose ‘Delete’ from the context menu. 
•    Use F3 key to continue the search and to find all the necessary files.
•    Exit the registry editor.
•    Reboot your PC.

Lastly, it is recommended to always keep your antivirus program up-to-date with a real-time protection turned on, and perform weekly full scans to stay protected at all times.
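
The registry search in step 10 can be run as a read-only listing first, so every match is reviewed before anything is deleted in Registry Editor. This is an added example, not part of the original article; it narrows the article's whole-registry search to the two software hives (an assumption about where such traces usually sit) and only prints what it finds.

```powershell
# Added example (not from the original article): list registry keys, value
# names and string data that contain "Astromenda", as in step 10.
# Read-only: nothing is changed or deleted.

$needle = 'Astromenda'

# Assumption: narrowed from the article's search of the whole registry to the
# per-user and machine-wide software hives to keep the run time reasonable.
$roots = 'HKCU:\Software', 'HKLM:\SOFTWARE'

$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function New-Hit ($Match, $Key, $Value, $Data) {
    New-Object PSObject -Property @{ Match = $Match; Key = $Key; Value = $Value; Data = $Data }
}

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_

        # Match on the key name itself (regedit's "Keys" check box).
        if ($key.PSChildName -like "*$needle*") {
            New-Hit 'Key' $key.Name '' ''
        }

        try {
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName, $null, $noExpand)

                # Only string data is searched; binary and numeric data is skipped.
                $text = ''
                if ($data -is [string] -or $data -is [string[]]) {
                    $text = $data -join ' '
                }

                # regedit's "Values" and "Data" check boxes.
                if ($valueName -like "*$needle*") {
                    New-Hit 'Value' $key.Name $valueName $text
                } elseif ($text -like "*$needle*") {
                    New-Hit 'Data' $key.Name $valueName $text
                }
            }
        } catch {
            # Keys that cannot be read with the current rights are skipped.
        }
    }
}

if ($hits) {
    $hits | Select-Object Match, Key, Value, Data | Format-List
} else {
    "No registry entries containing '$needle' were found under the searched hives."
}
```

Because deletions in Registry Editor cannot be undone, a key from the listing can be saved to a .reg file with `reg export` before it is removed.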

How to Remove Mapsgalaxy Toolbar

isabelle.blondin, Thu, 08/18/2016 - 10:21

Mapsgalaxy is a browser hijacker and toolbar developed by Mindspark Interactive Network. This program is capable of modifying your browser homepages to its own. It may be unknowingly installed through product bundling with a third party application. Unfortunately, once installed it will also add the MapsGalaxy toolbar, change your browser homepage and set your default search engine to Ask.com. 

The MapsGalaxy Toolbar is theoretically not a virus, but it does display plenty of malicious behaviors. It can use rootkit capabilities to sneak deep into the operating system, hijack the browser, and ultimately interfere with the user experience.

Homepage after Mapsgalaxy installation.

To avoid these kinds of issues in the future, it is always best to do some research online and read reviews about an application before installing. Where you are given the option to choose a custom or advanced installation, it is often possible to opt out of the bundled application install.

Mapsgalaxy Removal Instructions

Uninstall from your computer

1.    Click the Start button, then select Control Panel; under Programs, click on Uninstall a program.

2.    Select Mapsgalaxy Internet Explorer Toolbar, Mapsgalaxy Firefox Toolbar and MapsGalaxy Toolbar Chrome Extension.



3.    Right click and select Uninstall/Change.

Remove toolbar/homepage from Internet Explorer

1.    Launch your Internet Explorer browser, click on the icon  on your top right corner. Select Internet Options.

2.    Under the Internet Options dialog box, click on the Advanced tab, then click on the Reset button. A new prompt window will appear.


 
3.    In the Reset Internet Explorer settings section, check the Delete personal settings box, then click on Reset.


 
4.    Once the resetting is completed, remember to close and open Internet Explorer again.

Remove toolbar/homepage from Mozilla Firefox

1.    Open Mozilla Firefox, and click on the Menu  on the top right corner of your browser.  Select Add-ons.

2.    Click on Extensions. You will see the Mapsgalaxy toolbar add-on. Select Remove.

3.    Reset your default search engine and homepage from Ask.com to your preferred default settings.
•    Open Mozilla Firefox, and click on the Menu  on the top right corner of your browser.  Click on Options.
•    Under the General tab, change and type the home page of your choice. Click Ok.



Remove toolbar/homepage from Google Chrome

1.    Click the Chrome menu  on the browser toolbar, select More Tools and then click on Extensions.

2.    In the Extensions tab, remove MapsGalaxy 12.9.6.19504 and any other extensions by selecting the trash can image.



3.    Revert your default search engine and homepage from Ask.com to your preferred default settings.

•    Click the Chrome menu  on the browser toolbar, select Settings.

•    Under Search, select Manage search engines….



•    Under the Search Engines dialog, select Google and click the Make Default button.

•    To remove Ask.com from your search engine options: still under the Search Engines dialog, select Ask and click “X” to delete. Once deleted, click Done.



Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans.
Also, it is advisable that you do a custom AV scan of any application downloaded from the Internet before you proceed with its installation.
If you do not have an antivirus, click here to download Ad-Aware Free Antivirus+.

How to remove Search Module by Goobzo

isabelle.blondin, Thu, 08/18/2016 - 10:17

Search Module by Goobzo is a potentially unwanted, ad-supported web browser extension. Like other hijackers, Search Module can change your homepage, default search engine and new tab page. Once Search Module is successfully installed, it changes the Windows hosts file, DNS settings and registry entries. You will notice that your PC's performance becomes much slower than it was before. To protect your homepage and default search engine in the future, download Web Companion.

It can display pop-up boxes, advertisements and sponsored links while you browse the internet. Search Module by Goobzo shows unwanted advertisements on random webpages that you visit. It may show advertisements in all well-known browsers, such as Internet Explorer, Mozilla Firefox and Google Chrome, and it displays ads based on your browsing history. Sometimes ads pop up on your computer when you are connected to the Internet but not browsing the web.

If you noticed that your homepage and default search engine were replaced by Bing.com and that your new tab page was changed to 'Search Module', you should be concerned.

In some cases, the program will monitor a user's behavior and inject rival advertisements over existing ones or inject new ones altogether. Search Module may also collect your Internet browsing activity by recording IP addresses, browser types and versions, Internet Service Providers (ISPs), cookie information, and webpages visited. This kind of behavior can lead to serious privacy issues or identity theft.

Typically, applications of this kind are distributed using a misleading software marketing method called 'bundling'. That is why it is classified as a Potentially Unwanted Program. The majority of PUPs are installed in a bundle with freeware or shareware that you want, without you realizing that you are getting a Potentially Unwanted Program along with it. That is why it is always recommended to choose Custom Installation and read the full EULA. Be attentive and never install software that you don’t know or trust.

If it wasn't your intention to download Search Module by Goobzo we recommend removing it from the computer.

Manual removal*

1.    Terminate malicious process(es):
smu.exe:1120
smu.exe:988
smu.exe:3464
smu.exe:1924
%original file name%.exe:3476
PacCDFA.tmp:3356
sma.exe:440
sma.exe:1072
sma.exe:984
sma.exe:3932
sma.exe:1492
sma.exe:3656
sma.exe:2364
smp.exe:3860
smp.exe:3632
smp.exe:3016

2.    Delete the original Malware file:

Click 'Start' ->'Control Panel' or 'Uninstall a Program' -> Double-click 'Add/Remove Programs' or 'Programs and Features'. Find Search module and similar entries and select 'Uninstall' or 'Remove'.


3.    Make sure you don’t have any leftovers of the program on your PC:



4.    Remove Internet helper from all your browsers:

Mozilla Firefox:

•    Open Mozilla Firefox, go ‘Tools’ ->‘Add-ons’ ->‘Extensions’. 
•    Find Search Module by Goobzo and similar entries, and click ‘Remove’ or 'Disable'.
•    Once you do that, go to Tools -> Options -> General -> Startup. Now select 'Show a blank page' when Firefox Starts or set a certain website, like Google or similar.

Internet Explorer:
•    Open Internet Explorer, go to ‘Tools’ -> ‘Manage Add-ons’ -> ‘Toolbars and Extensions’.
•    Here, look for Search Module by Goobzo, and similar entries, and click 'Disable'.
•    Now open IE -> Tools -> Internet Option -> General tab. Enter Google or other address to make it the default start page.


 
Google Chrome:

•    Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions.
•    Here, look for Search Module by Goobzo and similar unknown extensions and get rid of them by clicking on the Recycle Bin.
•    Additionally, click on the wrench icon, go to Settings and choose 'Manage search engines'. Change the search engine to Google or another one.
•    Then go to the “On start” section and make sure you get a blank page when creating a new tab.

 
5.    Now please install adaware antivirus to make sure you do not have any infections:

• Click here and follow the installation instructions from the adaware antivirus User Guide (‘Installation and Uninstallation’ -> ‘adaware antivirus Install’ section).
• Perform a full scan of your PC with Ad-Aware (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).

Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans. Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation.

How to remove Ask.com

isabelle.blondin, Thu, 08/18/2016 - 10:15

If you have noticed that a new toolbar is installed on your PC and your home page was unexpectedly changed, most likely some software installed a bundled third-party browser toolbar on your system. One such annoying toolbar is the Ask toolbar. This toolbar is a BHO: Browser Helper Add-on.

It is very important to pay attention to additional checkboxes during installation to avoid installing unwanted applications or toolbars. The toolbars can slow down your internet browsers and may also cause redirected searches or failed keyword searches. To protect your browser settings in the future, download Web Companion.

Usually, the Ask search engine (ask.com) is promoted via other free programs; once installed on your computer, it will hijack your browser homepage and replace your default search engine.

Ask Toolbar Manual Removal

In most cases, you can go to Add/Remove Programs, quickly find Ask.com in the list and uninstall it.

For Windows 7: 
- Click the "Start" button and select "Control Panel" 
- Click "Uninstall a Program" option found under the "Programs" category 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Remove" 

For Windows Vista: 
- Close all open Web browsers 
- From the "Start" menu in Windows, select "Control Panel" 
- Under the "Programs" icon, select "Uninstall a program" 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Uninstall" and then "Continue" to remove the Toolbar 

For Windows XP: 
- From the "Start" menu in Windows, select "Control Panel" 
- Click on "Add/Remove Programs". 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Change/Remove" 

For Windows 8:
- Go to the Charm bar (Windows key+C), then "Settings", then "Control Panel"
- Choose "Programs and Features"
- Choose the Ask toolbar and delete it

But once the toolbar is removed, you may still see Ask.com as your homepage when you open up a new browser.  In order to change that, follow the instructions below, depending on which browser you use:

Disabling Ask toolbar from Internet Explorer
•    Launch Internet Explorer browser and click the option Tools.
•    Choose the option Manage Add-ons from the sub menu that opens.
•    From the Manage Add-ons window, locate Ask toolbar and remove the check mark in the box for Enabled.
•    Select Search Providers. First of all, choose another search engine (Google, Yahoo, Bing) and make it your default search provider (set as default).
•    Then select Ask Search and click Remove button to uninstall it (lower right corner of the window).
•    Restart Internet Explorer.

 


Disabling Ask toolbar from Mozilla Firefox

•    Open Mozilla Firefox and go to Extensions.
•    Locate Ask Toolbar from the list of add-ons. Mozilla provides you with two options. You can either Remove the toolbar or Disable it temporarily. Click any of the options.
•    After that, go to Firefox, then choose Help, then Troubleshooting information, and then Reset Firefox.

Disabling Ask toolbar from Google Chrome
•    Launch Google Chrome and click the icon located on the right top corner.
•    Select the option Settings from the sub menu.
•    Click on Extensions in the left pane of the window, which is located just above the Settings option.
•    You may disable the toolbar by removing the check mark from the Enabled option. If you wish to remove the toolbar, click the recycle bin icon found next to the Enabled option.

•    Click on Chrome menu button once again. Select Settings.
•    Click the Manage search engines button under Search.
•    Select Google or any other search engine you like from the list and make it your default search engine provider.
•    Select Ask Search from the list and remove it by clicking the "X" mark as shown in the image below.

How to remove Hotspot Shield

isabelle.blondin, Thu, 08/18/2016 - 10:10

Hotspot Shield by AnchorFree is program claiming that it helps you to secure your connection while surfing Wi-Fi hotspots and to access sites not normally available outside of the USA, to install on your PC without your consent.


However, it also hides in the installation packages of other free software to infiltrate your computer. Once it gets inside your PC, it will change your homepage to http://www.trovi.com/ and your search engine to Hotspot Shield Customized Web Search.


Moreover, it may install associated extensions such as Hotspot Shield toolbar and Hotspot Shield API Server to your browsers without your knowledge. Hotspot Shield Search may display advertisements and sponsored links in your search results, and may record browsing data and collect personal information. The Hotspot Shield Toolbar is used to enhance advertising revenue and to increase a site’s page position in search results.


Hotspot Shield can be downloaded from its official website. However, in most cases, applications of this kind are distributed using a misleading software marketing method called 'bundling'. This means that you may download them in a bundle with other freeware. That's why they are classified as potentially unwanted programs. To avoid unwanted installation of Hotspot Shield, you should be very attentive when downloading freeware and always choose custom installation. If you feel that Hotspot Shield is not in any way helpful, we suggest removing it from the computer.




 

Removing Hotspot Shield (Manual Removal*)

1.    Terminate malicious process(es) (How to End a Process With the Task Manager):
tapinstall.exe
HssInstaller.exe
af_proxy_cmd_rep.exe
HSSCP.exe
cmw_srv.exe
hsswd.exe

2.    Delete the original file.

•    Go to 'Start' and select 'Control Panel'.
•    Click 'Uninstall a Program' under 'Programs'.
•    Choose Hotspot Shield/Hotspot Shield Toolbar and select the 'Uninstall/Change' option.
•    Click 'Yes' and 'OK' to save the changes.


 
Make sure you don’t have any leftovers of the program on your PC (If you only use Windows Add/Remove programs and the built-in uninstall utilities, you will find that lots of folders of Hotspot Shield still remain on your computer):

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

*Manual removal may cause unexpected system behavior and should be performed at your own risk. Before you remove any registry keys, it is highly recommended to back up the whole registry in order to avoid any potential problems.

It is important to take note that the registry is a very important part of your PC. There is no way to restore data from here once you delete something. And if you delete an incorrect component by mistake, it may damage your OS and make it inoperative.

3.    Remove Hotspot Shield Toolbar from your browsers (Google Chrome, Mozilla Firefox and Internet Explorer):

Internet Explorer:

•    Open Internet Explorer, go to ‘Tools’ -> ‘Manage Add-ons’ -> ‘Toolbars and Extensions’.
•    Here, look for Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar entries, and click 'Disable'.
•    After that, change the start page.
 

Mozilla Firefox:

•    Open Mozilla Firefox, go to ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’.
•    Find Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar entries, and click ‘Remove’ or 'Disable'.
•    Once you do that, don't forget to change the start page. 
 


Google Chrome:

•    Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions.
•    Here, look for Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar unknown extensions and get rid of them by clicking on the Recycle Bin.
•    After that, change the settings of your start page.

4.    Install adaware antivirus to make sure you do not have any infections: 

•    Click here and follow the installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).
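
The process check from step 1, as an added PowerShell example (not part of the original guide): it lists any running process whose name matches one named in step 1, with its executable path, parent process ID and Authenticode signer, so you can see where it runs from before ending it. The function name Get-ListedProcess is hypothetical; the script only reads and terminates nothing.

```powershell
# Added example, read-only. The process names are the ones listed in step 1 of the guide.
$names = @(
    'tapinstall.exe', 'HssInstaller.exe', 'af_proxy_cmd_rep.exe',
    'HSSCP.exe', 'cmw_srv.exe', 'hsswd.exe'
)

# Hypothetical helper: returns one object per running process whose image name is in the list.
function Get-ListedProcess {
    param([string[]]$ProcessName)

    # Win32_Process exposes the image path and parent PID, which Task Manager hides by default.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $ProcessName -contains $_.Name } |   # -contains is case-insensitive
        ForEach-Object {
            $signer = 'unknown (path not readable)'
            if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath
                if ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.Subject
                } else {
                    $signer = "unsigned ($($sig.Status))"
                }
            }
            [pscustomobject]@{
                Name      = $_.Name
                ProcessId = $_.ProcessId
                ParentPid = $_.ParentProcessId
                Path      = $_.ExecutablePath
                Signer    = $signer
            }
        }
}

$found = @(Get-ListedProcess -ProcessName $names)
if ($found.Count -eq 0) {
    'None of the listed processes are running.'
} else {
    $found | Format-List
}
```

Run it from an elevated PowerShell window; without elevation the executable path of processes owned by other accounts may come back empty.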

How to remove Search Protect by Conduit Ltd

isabelle.blondin, Thu, 08/18/2016 - 09:58

Search Protect is made by Conduit and is spread with various free software; in most cases it is a pre-selected option during the main program's installation. There is no direct download link for Search Protect even on the Conduit home page, which is already suspicious.

Although the description says that it “saves your preferred browser's homepage”, during installation Search Protect changes your home page to its preferred one (Conduit) and removes yours. Once installed, a blue icon with a white magnifying glass always sits in your system tray, because its service starts running when you load your PC, taking away your performance speed. To protect your homepage settings in the future, download Web Companion.

The 2 main symptoms of a PC affected by this browser hijacker are:

•   Your home page changes to search.conduit.com in all your browsers;

•   When you open a new tab, you see endless advertisement pop-ups that don’t have a ‘Close’ option. If you click on any part of such a small window, a new tab with advertisement opens offering you to buy different products:


 

Scheduled tasks may also be affected by Conduit (e.g., Background Container that registers on its own in the Windows system rundll32 process, and starts every time your system boots to collect data about all the websites you visit, in order to provide you with individual advertisements, and receive revenue from your clicks on these ads). 

If you don’t remove it properly, you may receive system start-up errors even if most parts of Conduit components were removed (like “There was a problem starting c:\users\ed\appData\local\conduit\backgroundcontainer\backgroundcontainer.dll” etc.; you will find steps to get rid of this task in the removal instructions below).

Search Protect Manual Removal Instructions

Before you proceed with the uninstallation, make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive. Be careful during the uninstallation process, as Conduit will attempt to keep as many of its components as it can to continue slowing down your PC.

1.    From your desktop, click on the Windows Start button and choose the Control Panel option (Windows 8 users: right-click on the Windows Start icon (by default, it is located in the bottom left corner of your screen), and choose Control Panel from the context menu):

•    Double-click Programs and Features (Windows Vista, 7 and 8), or Add or Remove Programs (Windows XP).

•    Find ‘Search Protect’ by Conduit in the list, right-click on it and choose Uninstall.

•    When the window below opens, you have to manually choose your new desired Home page and check the bottom box (‘Go back to my original home page and default search settings’):

•     Click on ‘Uninstall’ button and follow the removal steps. Once done, reboot your PC.

2.    Now please make sure that you don’t have a ‘Background Container’ task on your PC:

•    Press Windows+R keys on your keyboard. In the opened window type msconfig and press Enter.

•    In the System Configuration window, open the ‘Startup’ tab and search for an item called ‘Background Container’. If you don’t have one in the list, jump to step 3. If you do, finish the instructions below first.

•    Uncheck the ‘Background Container’ task, then click ‘Apply’ and ‘OK’:

•   Reboot PC again.

•   Right click on ‘My Computer’ on your desktop -> choose ‘Manage’ from the context menu -> expand ‘System Tools’ and ‘Task Scheduler’ menus-> click on ‘Task Scheduler Library’ -> once a list of tasks appears in the right part of the window, find ‘BackgroundContainer Startup Task’ and double-click on it:

•     In the newly opened window, click on the ‘Actions’ tab and double-click the action in question.

•     In the next window, find ‘Add arguments (optional):’ section -> highlight ALL the path in the field box of this section -> press ‘Delete’ button on your keyboard -> click ‘OK’:

 
 

3.    Now please make sure that hidden files are shown in your Windows Explorer: Start –> Control Panel (Appearance and Personalization) –> Folder Options –> ‘View’ tab –> find the ‘Hidden files and folders’ setting, and choose the option ‘Show hidden files, folders, and drives’.

4.    Open every path below and make sure there are no Conduit related folders/files on your disk C: (if you find some of them, delete these manually by highlighting the folder/file in question, and pressing Shift+Del keys on your keyboard):

C:\Windows\SysWOW64\SearchProtect (XP users and users with 32bit OS don’t have this folder)
C:\Program Files\SearchProtect
C:\Program Files\Conduit
C:\ProgramData\Conduit
C:\Users\YOUR_USER_NAME\AppData\Local\Conduit
C:\Users\YOUR_USER_NAME\AppData\LocalLow\Conduit
C:\Users\YOUR_USER_NAME\AppData\Roaming\SearchProtect
C:\Users\adm\AppData\Roaming\Mozilla\Firefox\Profiles\gqehixkj.default\searchplugins\conduit-search (.xml file)
C:\Users\YOUR_USER_NAME\AppData\Local\Temp – delete 2 folders called ‘ct1066435’ and ‘CT3281067’. Also, please remove here all the files with the SearchProtect logo:

 

XP

C:\program files\Conduit
C:\program files\SearchProtect
C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp\Conduit
C:\Documents and Settings\YOUR_USER_NAME\ApplicationData\Mozilla\Firefox\Profiles\XXXX.default\searchplugins – and delete a file called ‘conduit-search’
C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temporary Internet Files\SPSetup

5.    Now please make sure that you don’t have any traces of Conduit Search Protect in your browsers:

Mozilla

•    Click on the Menu button in the right part of the Firefox window (older versions of the browser: click on the orange upper left ‘Firefox’ logo) -> find the Add-ons section -> check the ‘Extensions’ and ‘Plugins’ tabs, and disable/remove any add-on that contains the words ‘conduit’ or ‘search protect’.

•    Again click on the Menu button -> Options:

•    In the General tab ‘Home Page’ field, make sure there is no http://search.conduit.com link. If you have one, either highlight and delete it, or use the ‘Restore to Default’ button (to return to your previous Home page);

•    In the Security tab make sure that all the 3 options: Warn me when sites try to install add-ons, Block reported attack sites and Block reported web forgeries are checked;

•    In the main Firefox window, click the ‘Search Engines’ field (right upper corner), and open the ‘Manage Search Engines…’ option. Highlight all the unwanted search engines and click on the ‘Remove’ button;

•    Type about:config in the address bar of Firefox -> click on the ‘I’ll be careful, I promise!’ button -> in the search field of the new window, please type conduit and press ‘Enter’ -> right click on every result it finds, and choose ‘Reset’ from the context menu.

Google Chrome

•    Type chrome://settings in the Chrome address bar and press ‘Enter’ to open Chrome Settings menu -> in the ‘On Startup’ section ->‘Open a specific page or set of pages.’ option, click on the ‘Set pages’ link -> if you find ‘search.conduit.com’ here, hover your mouse to this line for a ‘Delete’ option to appear, and click ‘x’ to remove this page from startup; 

•    In the ‘Appearance’ section, when the ‘Show Home button’ is checked and you see ‘search.conduit.com…’ link, please click on ‘Change’ and remove this link from your browser;

•    In the ‘Search’ section, click on ‘Manage search engines…’ -> hover your mouse cursor to any search engine for the ‘Make default’ and ‘Delete’ menu to appear. You can delete all the unnecessary search engines, and make default the desired one:


 

Internet Explorer

•   When the IE window is opened, press Alt+x keys on your keyboard to open the Tools menu -> Internet Options -> General Tab: highlight and delete everything in the Home page field box -> click on the ‘Use new tab’ button, type the web address of the search engine you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page display in the ‘Startup’ section (to start with your last session, for example):


 

•    Tools menu -> click on the ‘Manage add-ons’ option -> check that there are no Conduit Ltd Toolbars and Extensions or Search Engines here; if you find any, either disable or remove them.

6.    Before you start working with the Registry, please make sure that you understand how important this part of your PC is. You cannot revert data from here if you delete anything (Ctrl+Z never works here), and if you delete an incorrect component, it may damage your OS and make it unusable. 

You should also know the difference between Keys, Values and Values’ Data:

KEY: you can delete a key in this part of registry if its name exactly matches a program you don’t need anymore.
VALUE: you can delete the whole value if its name exactly matches a program you don’t need anymore.
VALUE DATA: you can modify/delete value data by double-clicking on the Value in question.

*Note. Be attentive while working with the Value data. Some harmful programs may inject their code into the system processes. In such a case, you should remove the string of the harmful program only, and always leave the initial system path.

•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened command prompt window type regedit and press ‘Enter’.

•    Highlight the 1st section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure the Keys, Values, Data boxes in the ‘Find’ window are checked -> type Conduit in the search field and click OK. The search result will highlight a key/value/data that contains Search Protect components. If you find the exact key name of the program you want to remove, right click on the element in question and choose ‘Delete’. If it’s a value/data, right click on the value and choose ‘Modify’, then remove harmful data (see the notes on how to edit separate elements below*). Use the F3 key on your keyboard to find all the search results.

•    Repeat the above instructions with the words SearchProtect and BackgroundContainer.

•    Exit the registry editor and reboot your PC.

•    *Here are the values/keys/data (in bold) that may stay in your registry, and it’s better to delete these. Note. It’s normal if you don’t find some of the components in your registry – it means they were already deleted. Pay attention to the comments next to some of the paths:
o    HKEY_CURRENT_USER\Software\Conduit
o    HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit
o    HKEY_CURRENT_USER\Software\AppDataLow\Software\BackgroundContainer
o    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{18678918-2C78-4EF5-A755-CAB3CC54F45F} or {A30F335A-1BD5-4B44-82E1-76F72E1C4597}
o    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} – delete the value data of Conduit Community Alerts
o    HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 – delete data in the value called ‘Default’(C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll)
o    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BackgroundContainer –  value is called ‘command’ -> right click on it and choose ‘Modify’ -> in the Value data leave the following string only: "C:\Windows\SysWOW64\Rundll32.exe", and delete everything after (i.e., "C:\Users\adm\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun)
o    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit
o    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D3A0F898-A6DF-468C-94BB-51C2DD24F676} or {40FA19B4-9006-41DA-BB11-F936BE177162} – delete the application path - C:\Users\user\AppData\Local\Conduit\CT3289075
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\Microsoft\Internet Explorer\SearchScopes – delete data in 3 values called: 

-    DisplayName (data: ‘Conduit Search’)
-    SuggestionsURL_JSON (data: http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms})
-    URL: (data: http://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPBA7FBC0E-B47C-4F0A-845E-D5A7D3A0BF22&q={searchTerms}&SSPV= )

o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\BackgroundContainer
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\Conduit
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\ConduitSearchScopes
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\Conduit

7.    It is recommended to always keep your antivirus up-to-date and perform weekly full scans.  Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation. 

•     If you do not have an antivirus, click here to download adaware antivirus free and follow the installation instructions from the product manual (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).

•    Perform a full scan of your PC with adaware antivirus (following the manual: ‘Scanning System’ ->‘Running a scan’ section).
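
The checks from steps 2, 4 and 6, collected into one read-only PowerShell audit (an added example, not part of the original instructions): it reports which of the listed folders and registry keys still exist, which scheduled tasks or Internet Explorer search providers mention Conduit, and, for the MSConfig startup value, which part is the system rundll32 path to keep and which is the Conduit DLL. The function names are hypothetical, and the environment variables assume a default Windows layout on C: with the current user's profile standing in for YOUR_USER_NAME.

```powershell
# Added example, read-only: it reports leftovers and changes nothing.
# Folder names and registry keys come from steps 4 and 6 of the guide.
# Assumption: default Windows layout; environment variables stand in for C:\... and YOUR_USER_NAME.
$pattern = 'Conduit|SearchProtect|BackgroundContainer'   # the three search words from step 6

$folders = @(
    "$env:windir\SysWOW64\SearchProtect",
    "$env:ProgramFiles\SearchProtect",
    "$env:ProgramFiles\Conduit",
    "$env:ProgramData\Conduit",
    "$env:LOCALAPPDATA\Conduit",
    "$env:USERPROFILE\AppData\LocalLow\Conduit",
    "$env:APPDATA\SearchProtect"
)
$regKeys = @(
    'HKCU:\Software\Conduit',
    'HKCU:\Software\AppDataLow\Software\Conduit',
    'HKCU:\Software\AppDataLow\Software\BackgroundContainer',
    'HKLM:\SOFTWARE\Wow6432Node\Conduit'
)

function New-Finding($Kind, $Item, $Detail) {
    [pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail }
}

# Split a rundll32 command line into the system host and the DLL it loads,
# so only the DLL part is treated as the leftover (see the Value data note in step 6).
function Split-RundllCommand([string]$Command) {
    if ($Command -match '^\s*"?(?<rundll>[^"]*rundll32\.exe)"?\s*(?<dll>.*)$') {
        [pscustomobject]@{ SystemPath = $Matches.rundll; LoadedDll = $Matches.dll.Trim() }
    }
}

function Get-ConduitLeftover {
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) { New-Finding 'Folder' $f 'still present' }
    }
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { New-Finding 'RegistryKey' $k 'still present' }
    }

    # MSConfig startup entry: show the system path to keep and the DLL argument to remove.
    $startup = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BackgroundContainer'
    if (Test-Path -LiteralPath $startup) {
        $cmd = (Get-ItemProperty -LiteralPath $startup).command
        $parts = Split-RundllCommand $cmd
        if ($parts) {
            New-Finding 'StartupValue' $startup "keep: $($parts.SystemPath) | leftover: $($parts.LoadedDll)"
        } else {
            New-Finding 'StartupValue' $startup $cmd
        }
    }

    # Internet Explorer search providers whose name or URLs point at Conduit.
    $scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path -LiteralPath $scopes) {
        foreach ($s in Get-ChildItem -LiteralPath $scopes) {
            $p = Get-ItemProperty -LiteralPath $s.PSPath
            if ("$($p.DisplayName) $($p.URL) $($p.SuggestionsURL_JSON)" -match 'conduit') {
                New-Finding 'SearchScope' $s.Name $p.DisplayName
            }
        }
    }

    # Scheduled tasks: match on the task name or on what the action executes.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($t in Get-ScheduledTask) {
            $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            if ($t.TaskName -match $pattern -or $actions -match $pattern) {
                New-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $actions
            }
        }
    } else {
        Write-Warning 'Get-ScheduledTask is not available (needs Windows 8 or later); check Task Scheduler by hand.'
    }
}

$report = @(Get-ConduitLeftover)
if ($report.Count) {
    $report | Format-Table -AutoSize -Wrap
} else {
    'No Conduit leftovers found in the checked locations.'
}
```

Run it once before the manual steps to see what is present, and again after the final reboot to confirm nothing came back.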


How to remove Trovi Search

isabelle.blondin, Thu, 08/18/2016 - 09:45

If your default search engine was changed and your browser keeps redirecting you to http://trovigo.com, that means your browser was hijacked by Trovi Search. It is able to become the startup page of your web browser by modifying browser settings. No matter which browser you are using (Internet Explorer, Safari, Google Chrome, Mozilla Firefox or Opera), you can see the browser is occupied by it completely. To protect your homepage in the future download Web Companion.

Trovi Search is a Browser Helper Object that injects itself into users' Internet browsers. The Trovi.com website was created by Conduit Ltd but due to restrictions, as of January 1, 2014, it is operated by ClientConnect Ltd. Often, this kind of application is distributed using a misleading software marketing method called 'bundling'.

This means that you may download them in a bundle with other freeware. That's why it’s classified as a potentially unwanted program. Applications created by this company can be especially annoying since they also install, in a bundle, a program called Search Protect. This program was created to block every attempt to change the Internet browser homepage and default search engine settings. To avoid installation of such browser hijackers, you should be very attentive when downloading freeware and always choose custom installation.

Once Trovi Search gets inside your browser it starts to display advertisements and sponsored links in your search results. It may also install plug-ins, extensions and toolbars in the browser so as to record your search history as well as cookies. Your search keywords may be collected so as to show advertisements on your computer according to your preferences. Using this potentially unwanted program on your Internet browsers can lead to privacy issues and identity theft.

Even though Trovi.com redirected visitors to Bing.com search and pretends to be trustworthy, it was created for advertising and monetization purposes. Thus, inattentive freeware downloading and installation can result in adware infections.


 

 


Trovi Search Manual Removal instructions

1.    Click Start -> Control Panel -> Programs (or Add/Remove Programs) -> Uninstall a Program.

2.    Here, look for Trovi, Trovi Toolbar; Conduit, Search Protect and similar entries and select Uninstall/Change.

3.    Click OK to save the changes.

Remove Trovi from your browsers:

Internet Explorer

Open Internet Explorer, go to Tools -> Manage Add-ons -> Toolbars and Extensions. Here, look for Trovi Toolbar, Trovi and similar entries, and click Remove. Now open IE -> Tools -> Internet Options -> General tab. Enter Google or another address to make it the default start page.


 

Mozilla Firefox

Open Mozilla Firefox, go to ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’. Find Trovi.com and click ‘Uninstall’. Now go to Tools -> Options -> General -> Startup. Now select 'Show a blank page' when Firefox starts or set a certain website, like Google or similar.


Click the Firefox menu button, then the Help button. From the Help menu, choose Troubleshooting Information. Click Reset Firefox. Firefox will close itself and will revert to its default settings.


 
Google Chrome

Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions. Here, look for the Trovi.com extension and get rid of it by clicking on the Recycle Bin. Additionally, click on the wrench icon, go to Settings and choose 'Manage search engines'. Change the search engine to Google or another one and delete Trovi.com from the list. Then go to the “On start” section and make sure you get a blank page when opening a new tab.




 

Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans.

Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation.

If you do not have an antivirus, download adaware antivirus, our great adware cleaner.

How to remove Snap.Do browser hijacker

isabelle.blondin, Thu, 08/18/2016 - 09:35

Snap.Do, developed by ReSoft LTD., is a tool that changes your browser’s Home page and your default search engine to search.snapdo.com in IE, Mozilla and Chrome. Wikipedia mentions Snap.Do in its article about browser hijacking. To avoid browser hijacking in the future download Web Companion.
Please find below a few facts about Snap.Do we would like to draw your attention to.
In Terms & Conditions, ReSoft evades responsibility for the quality of content they provide:
“Resoft provides Users, inter alia, with a toolbar to be implemented in User's web browser. You also understand and agree that the Resoft Services may include advertisements and that these advertisements are necessary for Resoft to provide the Services.
You are entirely responsible for all content that you upload or otherwise make available via the Resoft Services. Resoft does not control the content posted via the Resoft Services. You understand that by using the Resoft Services, You may be exposed to content that is offensive, indecent or objectionable. Under no circumstances will Resoft be liable in any way for any content, including, but not limited to, any errors or omissions in any content, or any loss or damage of any kind incurred as a result of the use of any content posted, transmitted or otherwise made available via the Resoft Services.”.
In Privacy policy, ReSoft informs users about information that is being transferred to its servers if Snap.Do is installed on your PC:
“Statistical Information we collect and aggregate non-identifying information regarding users use of our Products, including, inter alia, advertisements viewed, pages browsed, search inquiries, offers and services that interest you, the type of browser you are using, your IP address, the URL you have come from and the time spent at that URL, cookies and your domain type and server.” .

It may change your default browser’s icon, and even if you launch the browser from its original location, it is still affected by Snap.Do – the picture below shows the home page of your browser:


 
Your default search engine will also be changed to search.snapdo.com. Even though Snap.do is a “perfect tool to simplify the web”, when you type, for example, ‘amazon’, the first search results provided by Snap.Do are always ads (marked as ‘Ads related to amazon’ – see picture below), unlike Google, for example, which shows you amazon.com as the first result:

Popular shopping websites have ad-banners by Snap.Do, and you may not even notice that these ads are not related to the website you trust – a small note ‘By Smartbar’ is almost inconspicuous:

Instead of features’ description in Extensions tab of your browser (Mozilla or IE, for example; Chrome doesn’t allow this toolbar), Snap.Do gives short removal instructions, but this method doesn’t help to remove all the traces of Snap.Do.


 
The standard Windows directory ‘Program Files’ (where new applications are usually installed) doesn’t have a folder called ‘Snap.Do’, but another one called ‘LTD’ that doesn’t seem to be related to Snap.Do at a glance (in fact, it belongs to Snap.Do). The main executable file of Snap.Do is located in a hidden path (C:\Users\USER_NAME\AppData\Local), in a folder called ‘Smartbar’.

Processes and services related to Snap.Do automatically launch with every Windows start slowing down its booting time:

   

If you want to remove Snap.Do from your PC, please find below step-by-step instructions.

Note. This is a self-help guide. Use it at your own risk. This article is provided "as is" and to be used for information purposes.

1.    Before you start, please make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive.

2.    Close all your browsers if any.

3.    Open your Task Manager (right click on your task bar and choose ‘Task Manager’ from the context menu):

•    In the ‘Processes’ tab, please find Lrcnta.exe and SnapDo.exe, right click on each one and choose ‘End Process’ from the context menu;
•    In the ‘Services’ tab, please find LPTSystemUpdater and stop it using right-click menu.
4.    From your desktop, click on the Windows Start button and choose the Control Panel option (Windows 8 users: right-click on the ‘Windows Start’ icon (by default, it is located in the bottom left corner of your screen), and choose Control Panel from the context menu):

•    Click ‘Programs and Features’ (Windows Vista, 7 and 8)/‘Add or Remove Programs’ (Windows XP),
•    Find 2 entries: Snap.Do and Snap.Do Engine by ReSoft Ltd.,
•    Right click on ‘Snap.Do’ and click on ‘Uninstall’ button,
•    When a window below opens, click on a ‘CUSTOM’ button, and in the 2nd window check ‘Remove Snap.Do’ (making sure that 2 other boxes are UN-checked):



•    In the next window, click on ‘Accept’, and then – ‘Continue’ (as we’ve closed the browsers in step 2):


•     Wait a few moments for the program to finish uninstallation. Once done, please press the F5 key on your keyboard (while in the ‘Programs and Features’ window) to make sure you don’t have Snap.Do and Snap.Do Engine here anymore.

5.    Please make sure that hidden files in your Windows Explorer are visible: Start –> Control Panel (Appearance and Personalization) –> Folder Options –>‘View’ tab –> find ‘Hidden files and folders’ and check a box ‘Show hidden files, folders, and drives’.

6.    Follow this path - C:\Users\YOUR_USER_NAME\AppData\Local\Temp (XP users: C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp) -> highlight all the files/folders here -> press ‘Shift’+’Delete’ and click ‘Yes’ to completely clean this folder (Note. If you receive messages that some files cannot be removed, just skip the file in question).

7.    Please find the directories below and make sure that Snap.Do folders are removed: 
C:\Program Files (x86)\LPT
C:\Users\YOUR_USER_NAME\AppData\Local\Smartbar

8.    Now please make sure that your browser is clean:

Mozilla Firefox

•    Click on the Menu button in the upper right corner of the Firefox window (older versions of the browser: click on the orange ‘Firefox’ logo in the upper left corner) -> find the Add-ons section -> check the ‘Extensions’ and ‘Plugins’ tabs, and if you find the SnapDo extension here, please click on the ‘Remove’ button.
•    Again click on the Menu button -> Options :
•    In the General tab ‘Home Page’ field, please highlight Snap.Do link -> right click on it and press ‘Delete’ -> type a web address of your preferred home page in ‘http://…’ format.
•    In the Security tab make sure that all the 3 options ‘Warn me when sites try to install add-ons’, ‘Block reported attack sites’ and ‘Block reported web forgeries’ are checked.
•    In the main Firefox window, click on a small triangle in the ‘Search Engines’ field (right upper corner) , and choose ‘Manage Search Engines…’ option. Highlight all the unwanted search engines including ‘Web Search’ and click on ‘Remove’ button.
•    Restart Firefox.

 Google Chrome

•    Type chrome://settings in the Chrome address bar and press ‘Enter’ to open Chrome Settings menu;
•    In the ‘On Startup’ section ->‘Open a specific page or set of pages.’ Option -> click on the ‘Set pages’ link -> if you find ‘http://feed.sonic-search.com…’ here, hover your mouse to this line for a ‘Delete’ option to appear, and click ‘x’ to remove this page from startup; 
•    In the ‘Appearance’ section, when the ‘Show Home button’ is checked, if you see ‘search.hometab.com’ link, please click on ‘Change’ and remove it from your browser;
•    In the ‘Search’ section, click on ‘Manage search engines…’ -> hover your mouse cursor to any search engine for the ‘Make default’ and ‘Delete’ menu to appear. You can delete all the unnecessary search engines here, and make default your desired one (note. While an engine is set to ‘Default’, you are unable to delete it. Therefore, firstly choose a new default search tool. Once done, you will be able to remove old default item.):

•    Click on ‘Show advanced settings…’ link in the bottom of the page -> in the ‘Privacy’ section please make sure that ‘Enable phishing and malware protection’ box is checked;
•    Restart Google Chrome;
•    If you see this icon   left from Snap.Do Search on your desktop, please delete it;
•    Finally, please follow this path: C:\Program Files (x86)\Google\Chrome\Application -> find chrome.exe icon -> drag it to your desktop using right-click of your mouse -> choose ‘Create shortcuts here’ from the context menu.

Internet Explorer

•    When IE window is opened, press Alt+x keys on your keyboard to open Tools menu -> Manage Add-ons ->‘Search Providers’ section -> if you have ‘WebSearch’ here, highlight it and click on ‘Disable’ button;
•    Again open Tools menu -> Internet Options -> General Tab ->‘Home page’ section: if you see ‘http://feed.sonic-search.com…’ link here, highlight and delete it using context right-click menu -> type a new web address you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page display in the ‘Startup’ section (to start with your last session, for example):



•    In the Privacy tab, ‘Pop-up Blocker’ section, you can block pop-ups by checking the appropriate option (you can exclude websites you trust using the ‘Settings’ button).
•    Restart Internet Explorer.

9.   Now, please install adaware antivirus to make sure you don’t have any infections on your machine: 

•    Click here to download adaware antivirus, and follow installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).
•    Restart your PC.

10.  If you continue facing issues with Snap.Do, please remove its traces from your registry. Before you start, please make sure you understand how important this part of your PC is. You cannot restore data from here once you delete something (‘Ctrl+Z’ never works in Registry Editor). And if you delete an incorrect component by mistake, it may damage your OS and make it unusable. 

•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened window type regedit and press ‘Enter’. 
•    Highlight main registry section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure Keys, Values, Data check-boxes in the ‘Find’ window are checked -> type snapdo in the search field and click OK. Search results will highlight a key/value/data that contains Snap.Do components. If you find the exact match with the name of program you want to remove, right click on the element in question and choose ‘Delete’ from the context menu. 
•    Use F3 key to continue the search and to find all the necessary files.
•    Exit the registry editor.
•    Reboot your PC.

Lastly, it is recommended to always keep your antivirus program up-to-date with a real-time protection turned on, and perform weekly full scans to stay protected at all times.
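
A read-only way to confirm steps 3 and 7 from PowerShell, added here as an example that is not part of the original guide. It uses the process, service and folder names given in the steps above; checking every profile under the Users folder and both ‘Program Files’ locations is an assumption of the example.

```powershell
# Added example (not part of the original guide). Read-only: nothing is stopped
# or deleted. Needs PowerShell 3.0 or later; run elevated to read all profiles.

$processNames = 'Lrcnta', 'SnapDo'        # Lrcnta.exe and SnapDo.exe (step 3)
$serviceName  = 'LPTSystemUpdater'        # service named in step 3
$perUserDir   = 'AppData\Local\Smartbar'  # step 7, relative to a user profile

# Step 7 names 'C:\Program Files (x86)\LPT'. The plain 'Program Files'
# location is checked as well (assumption, for 32-bit Windows).
$sharedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'LPT' }

function Get-SnapDoTrace {
    # Running processes and the image path they were started from.
    Get-Process -Name $processNames -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Kind   = 'Process'
            Name   = "$($_.ProcessName) (PID $($_.Id))"
            Detail = $_.Path
        }
    }

    # Win32_Service shows the start mode and the binary behind the service,
    # which tells you whether it will come back at the next boot.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" | ForEach-Object {
        [pscustomobject]@{
            Kind   = 'Service'
            Name   = "$($_.Name) [$($_.State), $($_.StartMode)]"
            Detail = $_.PathName
        }
    }

    # Shared folder plus the per-user folder in every profile,
    # not only the profile of the user running the check.
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    $profiles  = Get-ChildItem -Path $usersRoot -Directory -Force -ErrorAction SilentlyContinue
    $dirs = @($sharedDirs) + @($profiles | ForEach-Object { Join-Path $_.FullName $perUserDir })

    foreach ($dir in $dirs) {
        if (Test-Path -LiteralPath $dir) {
            $items = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Kind   = 'Folder'
                Name   = $dir
                Detail = "$($items.Count) items"
            }
        }
    }
}

$traces = @(Get-SnapDoTrace)
if ($traces.Count -eq 0) {
    'No Snap.Do processes, service or folders found.'
} else {
    $traces | Format-Table -AutoSize -Wrap
}
```

An empty result after the uninstall and a reboot means the items from steps 3 and 7 are gone; the browser settings in step 8 still have to be checked separately.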

How to Remove Pro PC Cleaner

isabelle.blondin, Thu, 08/18/2016 - 10:27

Pro PC Cleaner is a registry cleaner that is typically bundled with other software. It scans the Windows Registry and offers to remove outdated values, such as entries made by programs that are no longer installed and other unnecessary values, ostensibly, to reduce the size of your registry database and improve the computer’s performance. 

Pro PC Cleaner exhibits intrusive behavior, including questionable installation practices and frequent pop-ups and warnings, making it a potentially unwanted program (PUP). In this case, Pro PC Cleaner’s installation is displayed in the third dialog window during the installation of another program, with the ‘Accept’ button positioned in a way that makes it easy to inadvertently click.

 

As soon as Pro PC Cleaner is installed alongside the original software the user wanted, it begins a scan on the user’s computer without any user-directed prompt:

 

After the scan is complete the program displays a warning (with a flashing warning sign!) about the system being compromised, in an attempt to alarm and persuade the user to register and purchase a full version of the product.

 

 

If you press the Clean Now button, a dialog window opens prompting you to “fix the detected issues” and claiming that they are of a high “cleaning urgency,” asking the user to register the software and provide a license key:

 

 

If you press Register Now a webpage opens recommending that the user “Register Pro PC Cleaner below to correct these possible Windows registry errors and speed up your PC instantly.”

 

















 

Once the user provides their email address they are offered a discount on the Pro version of Pro PC Cleaner with a coupon that coincidentally expires the same day as the initial installation. Also note the subtraction error in the discount below: 

 

 

Pro PC Cleaner also schedules two tasks in the Windows task scheduler without the user’s knowledge:

 

 

The first task above schedules a daily popup window that appears above the task bar:

 

 

The second scheduled task starts a new scan every time a new user logs into the computer.
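
One way to find those two tasks from PowerShell when their names are not known, as an added example that is not part of the original article. It assumes the tasks launch a program whose path or arguments contain 'Pro PC Cleaner' (the article does not give the task names or the install path) and that the ScheduledTasks module is available (Windows 8 or later; on Windows 7 use the Task Scheduler console instead).

```powershell
# Added example (not part of the original article). Lists scheduled tasks whose
# action launches something matching a pattern, together with their trigger
# types, so a daily task and an at-logon task stand out. Read-only.

function Find-TaskByAction {
    param(
        # ASSUMPTION: text expected in the task's program path or arguments.
        [Parameter(Mandatory)][string]$Pattern
    )

    $rx = [regex]::Escape($Pattern)

    foreach ($task in Get-ScheduledTask) {
        # Only "exec" actions carry a program path; COM handler actions do not.
        $hits = @($task.Actions | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' -and
            "$($_.Execute) $($_.Arguments)" -match $rx
        })
        if ($hits.Count -eq 0) { continue }

        # Trigger class names look like MSFT_TaskDailyTrigger or
        # MSFT_TaskLogonTrigger; strip the prefix for readability.
        $triggers = $task.Triggers |
            Where-Object { $_ } |
            ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }

        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            State    = $task.State
            Author   = $task.Author
            Triggers = $triggers -join ', '
            Command  = ($hits | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
}

Find-TaskByAction -Pattern 'Pro PC Cleaner' | Format-List

# After reviewing the output, a leftover task can be removed with:
#   Unregister-ScheduledTask -TaskPath '<path from output>' -TaskName '<name from output>'
```

Run it again after uninstalling: tasks that still appear were left behind by the uninstaller.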

 

To uninstall Pro PC Cleaner:

If you are using Windows 7, click the Start button on the screen’s bottom-left corner then click on the “Control Panel.”

If you are using Windows 8 or 8.1, right-click the Windows icon on the screen’s bottom-left corner and select the Control Panel from the menu.

In the Control Panel, under Programs, select Uninstall a program.

 

 

Right click Pro PC Cleaner and select Uninstall.

 

 

When you select Uninstall a dialog window opens:

 


 

Select “Yes” in this window. Then another dialog window will open asking you to reconsider your choice with the program offering to fix some of your issues for free.

 

 

 

To complete the Uninstall select the greyed-out button that says “Uninstall now.”

To ensure the safety and security of your computer with free antimalware software, download Ad-Aware.

To learn how to remove adware, check out our previous articles

How to Remove Search Protect by Spigot

isabelle.blondin, Thu, 08/18/2016 - 10:25

Search Protection by Spigot is classified as a potentially unwanted program. This application is designed to protect its bundled programs and make sure they remain installed or unchanged by other third party programs. It creates a registry entry for the current user that allows the program to start automatically each time the computer is rebooted.

Once it gets inside your PC, Search Protection will change your web browser's settings, making you visit the search engines and websites associated with it over and over again. And if you want to revert to the default settings, this program will not allow you to make these changes. This application causes pop-ups and various types of advertisements. If you go to the Windows Task Manager, you should see two “SearchProtection.exe” processes running.

Search Protection by Spigot may be the cause of various system performance issues on the affected computer. It can slow down your internet browsers and may also cause redirected searches or failed keyword searches.

Search Protection is typically bundled when you install freeware or shareware (video recording/streaming, download managers, PDF creators, etc.).

 

It is very important to pay attention to additional checkboxes during installation to avoid installing unwanted applications or toolbars.

 

Search Protection Automatic Removal Instructions

To remove search protection by spigot (yahoo.com) from your computer, follow these steps:

1.    Download the Web Companion 

2.    Launch the Web Companion installer "webcompanioninstaller.exe" by double-clicking on the setup file and follow the instructions to install the software.

3.    During the installation, Web Companion will remove Search protection by Spigot and prompt you to setup your desired home page and default search engine.

Search protection Manual Removal Instructions*

If the automatic removal via Web Companion failed, we recommend following these steps:

1.    Terminate malicious process(es) (How to End a Process With the Task Manager):

searchprotection.exe 
SearchSettings.exe
random.exe 


2.    Uninstall Search Protect

For Windows 7: 
- Click the "Start" button and select "Control Panel" 
- Click "Uninstall a Program" option found under the "Programs" category 
- Select the program with the name "Search Protection" 
- Click "Remove" 

For Windows Vista
- Close all open Web browsers 
- From the "Start" menu in Windows, select "Control Panel" 
- Under the "Programs" icon, select "Uninstall a program" 
- Select the program with the name "Search Protection" 
- Click "Uninstall" and then "Continue" to remove the Toolbar

For Windows XP
- From the "Start" menu in Windows, select "Control Panel" 
- Click on "Add/Remove Programs". 
- Select the program with the name "Search Protection" 
- Click "Change/Remove" 

 For Windows 8
- Go to the Charm bar (Windows key + C), then "Settings", then "Control Panel"
- Choose “Programs and Features” 
- Choose the Search Protection and delete it 


3.    Delete the following files/entries created by Search Protect

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users\adm\AppData\Roaming\Searchprotection

*Manual removal may cause unexpected system behavior and should be performed at your own risk.

4.     Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans. 

Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation. 

•  If you do not currently have an antivirus installed, please click here to download  Ad-Aware Free Antivirus+ and follow the installation instructions from Ad-Aware User Guide (‘Installation and Uninstallation’ ->‘Ad-Aware Install’ section).

•  Perform a full scan of your PC with Ad-Aware (following Ad-Aware User guide: ‘Scanning System’ ->‘Running a scan’ section).
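
To see which value under the Run key from step 3 belongs to Search Protect before deleting anything, the autorun entries can be listed from PowerShell. This is an added example, not part of the original article: the indicator names come from the article, while checking RunOnce and the machine-wide (HKLM) keys in addition to the current user's Run key is an assumption of the example.

```powershell
# Added example (not part of the original article). Read-only listing of
# autorun values; nothing is deleted.

$indicators = 'searchprotection', 'SearchSettings'   # names taken from the article

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'              # key named in step 3
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'          # assumption
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'              # assumption
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'  # assumption (32-bit view)
)

# Pull the program path out of an autorun command line.
function Get-ExecutableFromCommand {
    param([string]$Command)

    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()

    # "C:\path with spaces\app.exe" /arg
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }

    # Unquoted path that may contain spaces: take everything up to the extension.
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|dll))(\s|$)') { return $Matches[1] }

    return ($expanded -split '\s+')[0]
}

function Get-AutorunEntry {
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        $key = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            $command = [string]$key.GetValue($valueName)
            $exe     = Get-ExecutableFromCommand -Command $command

            [pscustomobject]@{
                Key        = $keyPath
                ValueName  = $valueName
                Command    = $command
                Executable = $exe
                # A missing target means the value is a leftover of a removed program.
                FileExists = [bool]($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
                # True when the command line mentions one of the names from the article.
                Suspect    = [bool]($indicators | Where-Object { $command -like "*$_*" })
            }
        }
    }
}

Get-AutorunEntry | Sort-Object Suspect -Descending | Format-List

# After reviewing the output, a single value can be removed with:
#   Remove-ItemProperty -LiteralPath '<Key from output>' -Name '<ValueName from output>'
```

Only the value that points at Search Protect should be removed; the Run key itself is a standard Windows key and holds the autorun entries of other programs as well.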

How to Remove Astromenda Search From Your Browser

isabelle.blondin, Thu, 08/18/2016 - 10:23

Astromenda is an application designed to organize your browser by changing your home page, default search engine, and new tabs to Astromenda, and its goal (as per the publisher) is to make “the web more accessible and more efficient, for all users.” To protect your browser settings in the future, download Web Companion.

Please find below a few facts about Astromenda we would like to draw your attention to.

This program is usually distributed by bundling it with free software using the pay-per-install marketing method, so it may sneak onto your PC as part of another installation without you noticing. The home page set by Astromenda usually contains attractive boxes with advertisements, but the program disclaims any liability for this content.

From the EULA:

“3rd Party Content: The content provided to you in the course of using the materials and services may include 3rd parties' software and/or services ("3rd Party Content") and Astromenda does not warrant for its quality or authenticity. Astromenda is not, and shall never be, liable for any damage that might occur when using and/or relying on 3rd Party Content and does not warrant that they will be available or accurate.”

 
The screenshot below shows what your New tab usually looks like if you have Astromenda installed on your PC:

Before Google Chrome adds Astromenda to its extensions’ list, it shares the following information with a user:

Astromenda may add an icon called ‘Cut the Rope’ to your desktop, which is not an actual shortcut to the popular game. A click on this icon opens a website with Astromenda online games, where an online version of Cut the Rope is available along with different Astromenda games.

Astromenda Manual Removal Instructions

Note. This is a self-help guide. Use it at your own risk. This article is provided "as is" and to be used for information purposes.

1.    Before you start, please make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive/cloud storage.

2.    Please close all your browsers (if any).

3.    From your desktop, click on Windows Start  button and choose Control Panel option (Windows 8 users: right-click on ‘Windows Start’ icon (by default, it is located in the left bottom corner of your screen), and choose Control Panel from the context menu):

•   Click ‘Programs and Features’ under the ‘Programs’ category (Windows Vista, 7 and 8)/‘Add or Remove Programs’ (Windows XP),
•   Please find ‘WSE_Astromenda’ -> right click on it, choose ‘Uninstall’ and follow the prompts,
•   Once uninstall is done, a webpage opens confirming the same. Simply close this page.

4.    Please make sure that hidden files in your Windows Explorer are visible: Start –> Control Panel (Appearance and Personalization) –> Folder Options –>‘View’ tab –> find ‘Hidden files and folders’ and check a box ‘Show hidden files, folders, and drives’.

5.    Follow this path - C:\Users\YOUR_USER_NAME\AppData\Local\Temp (XP users: C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp) -> highlight all the files/folders here -> press ‘Shift’+’Delete’ and click ‘Yes’ to completely clean this folder (Note. If you receive messages that some files cannot be removed, just skip the file in question).

6.    Please find the directories below and make sure that all the Astromenda traces are removed: 
C:\Program Files\WSE_Astromenda
C:\Users\YOUR_USER_NAME\AppData\Roaming\WSE_Astromenda
C:\Users\YOUR_USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\XXXX.default\extensions\{ad7ce998-a77b-4062-9ffb-1d0b7cb23183}
C:\Users\YOUR_USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\XXXX.default\searchplugins\Astromenda
C:\Users\YOUR_USER_NAME\AppData\Local\Google\Chrome\UserData\Default\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae

7.    Now please make sure that your browser is clean.

Mozilla Firefox

•   Click on the Menu button in the upper right corner of the Firefox window (older versions of the browser: click on the orange ‘Firefox’ logo in the upper left corner) -> find the Add-ons section -> check the ‘Extensions’ and ‘Plugins’ tabs, and if you find Astromenda add-ons here, please click on the ‘Remove’ button:


•   Again click on the Menu button and choose ‘Options’ -> in the General tab ‘Home Page’ field, please highlight http://astromenda.com... link -> right click on it and press ‘Delete’ -> type a web address of your preferred home page in ‘http://…’ format.

•   In the main Firefox window, click on a small triangle in the ‘Search Engines’ field (right upper corner), and choose ‘Manage Search Engines…’ option. Highlight all the unwanted search engines including ‘Astromenda’ and click on ‘Remove’ button:

•   Restart Firefox.


 Google Chrome

•   Type chrome://extensions in the Chrome address bar and press ‘Enter’;
•   If you see Astromenda here, please click on the trash can (as shown below):

•   Now please click on ‘Settings’ tab and find ‘On startup’ section: click on ‘Set pages’ link next to ‘Open a specific page or set pages’ option -> in the opened window find astromenda.com… link, move your cursor over this link, and click the "X" button on the right to delete it:

 
•   In the Appearance section: when ‘Show Home button’ box is checked, click on ‘Change’ link -> in the next window highlight astromenda.com… link and press ‘Delete’ button on your keyboard.


 
•   In the Search section: click on ‘Manage search engines…’ button and:

1.    In the opened window set a new desired Home page from the existing list: move your cursor to the new engine for ‘Make default’ button to appear – click on this button.
2.   Once done, move your cursor to Astromenda for a ‘X’ button to appear and remove it from the list.

•   Restart Google Chrome.

Internet Explorer

•   When IE window is opened, press Alt+x keys on your keyboard to open Tools menu -> and click on Manage Add-ons
•   Open ‘Toolbars and Extensions’ section -> if you have Astromenda here, highlight it and click on ‘Disable’/‘Delete’ button.
•   Open the ‘Search Providers’ section -> set a new desired Home page from the existing list (right click on a new search engine, and choose ‘Set as default’ from the context menu) -> now please highlight Astromenda and click on the ‘Remove’ button at the bottom of the window:


 
•   Again open Tools menu -> Internet Options -> General Tab ->‘Home page’ section: if you see ‘http://astromenda.com…’ link here, highlight and delete it using context right-click menu -> type a new web address you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page in the ‘Startup’ section (to start with your last session, for example):



•   Restart Internet Explorer.

8.    If you see a shortcut on your desktop called ‘Cut the Rope’, highlight it, press Shift+Delete buttons on your keyboard and click on ‘Yes’ when a dialog box opens to confirm deletion.

9.    Now, please install adaware antivirus to make sure you don’t have any infections on your machine: 

•    Click here to download adaware antivirus, and follow installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).
•    Restart your PC.

10.    If you continue facing issues with Astromenda, please remove its traces from your registry. Before you start, please make sure you understand how important this part of your PC is. You cannot restore data from here once you delete something (‘Ctrl+Z’ never works in Registry Editor). And if you delete an incorrect component by mistake, it may damage your OS or make it unusable.
•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened window type regedit and press ‘Enter’. 
•    Highlight main registry section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure Keys, Values, Data check-boxes in the ‘Find’ window are checked -> type Astromenda in the search field and click OK. Search results will highlight a key/value/data that contains Astromenda components. If you find the exact match with the name of program you want to remove, right click on the element in question and choose ‘Delete’ from the context menu. 
•    Use F3 key to continue the search and to find all the necessary files.
•    Exit the registry editor.
•    Reboot your PC.

Lastly, it is recommended to always keep your antivirus program up-to-date with a real-time protection turned on, and perform weekly full scans to stay protected at all times.
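
Because deletions in Registry Editor cannot be undone, it helps to list every match first and export the affected key before removing it. The script below is an added example, not part of the original guides; it is a read-only counterpart of the Ctrl+F / F3 search in step 10 of both the Snap.Do and the Astromenda instructions. Limiting the search to the Software branches of HKCU and HKLM is an assumption of the example (regedit searches the whole registry).

```powershell
# Added example (not part of the original guides). Read-only search of key
# names, value names and value data, like regedit's Find with all three
# check-boxes ticked. Nothing is deleted.

function Find-RegistryMatch {
    param(
        [Parameter(Mandatory)][string]$Term,
        # ASSUMPTION: software settings live under these two branches.
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software')
    )

    $rx = [regex]::Escape($Term)   # -match is case-insensitive by default

    foreach ($root in $Roots) {
        # Keys that cannot be opened (access denied) are skipped silently.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_

            if ($key.PSChildName -match $rx) {
                [pscustomobject]@{ Match = 'Key'; Key = $key.Name; Value = $null; Data = $null }
            }

            try { $valueNames = $key.GetValueNames() } catch { $valueNames = @() }

            foreach ($name in $valueNames) {
                # Read the raw data; multi-string values are joined into one line.
                $data = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

                if ($name -match $rx) {
                    [pscustomobject]@{ Match = 'Value'; Key = $key.Name; Value = $name; Data = $data }
                }
                elseif ($data -match $rx) {
                    [pscustomobject]@{ Match = 'Data'; Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

# Search terms used in the guides: 'snapdo' and 'Astromenda'.
$hits = @(Find-RegistryMatch -Term 'Astromenda')
"{0} match(es) found" -f $hits.Count
$hits | Format-List

# Before deleting a key in regedit, export it so it can be restored:
#   reg export "<Key from output>" "$env:USERPROFILE\Desktop\backup.reg"
# Double-clicking the .reg file later re-imports the exported key.
```

Review each match before deleting it: a hit in value data can sit inside a key that belongs to another program, in which case only that value should be removed.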

How to Remove Mapsgalaxy Toolbar

isabelle.blondin, Thu, 08/18/2016 - 10:21

Mapsgalaxy is a browser hijacker and toolbar developed by Mindspark Interactive Network. This program is capable of modifying your browser homepages to its own. It may be unknowingly installed through product bundling with a third party application. Unfortunately, once installed it will also add the MapsGalaxy toolbar, change your browser homepage and set your default search engine to Ask.com. 

The MapsGalaxy Toolbar is theoretically not a virus, but it does display plenty of malicious behaviors. It can use rootkit capabilities to sneak deep into the operating system, hijack the browser, and ultimately interfere with the user experience.

Homepage after Mapsgalaxy installation.

To avoid these kinds of issues in the future, it is always best to do some research online and read reviews about an application before installing. Where you are given the option to choose a custom or advanced installation, it is often possible to opt out of the bundled application install.

Mapsgalaxy Removal Instructions

Uninstall from your computer

1.    Click the Start button, then select Control Panel and, under Programs, click on Uninstall a program.

2.    Select Mapsgalaxy Internet Explorer Toolbar, Mapsgalaxy Firefox Toolbar and MapsGalaxy Toolbar Chrome Extension.



3.    Right click and select Uninstall/Change.

Remove toolbar/homepage from Internet Explorer

1.    Launch your Internet Explorer browser, click on the icon  on your top right corner. Select Internet Options.

2.    Under the Internet Options dialog box, click on the Advanced tab, then click on the Reset button. A new prompt window will appear.


 
3.    In the Reset Internet Explorer settings section, check the Delete personal settings box, then click on Reset.


 
4.    Once the resetting is completed, remember to close and open Internet Explorer again.

Remove toolbar/homepage from Mozilla Firefox

1.    Open Mozilla Firefox, and click on the Menu  on the top right corner of your browser.  Select Add-ons.

2.    Click on Extensions. You will see the Mapsgalaxy toolbar add-on. Select Remove.

3.    Reset your default search engine and homepage from Ask.com to your preferred default settings.
•    Open Mozilla Firefox, and click on the Menu  on the top right corner of your browser.  Click on Options.
•    Under the General tab, change and type the home page of your choice. Click Ok.



Remove toolbar/homepage from Google Chrome

1.    Click the Chrome menu  on the browser toolbar, select More Tools and then click on Extensions.

2.    In the Extensions tab, remove MapsGalaxy 12.9.6.19504 and any other extensions by selecting the trash can image.



3.    Revert your default search engine and homepage from Ask.com to your preferred default settings.

•    Click the Chrome menu  on the browser toolbar, select Settings.

•    Under Search, select Manage search engines….



•    Under the Search Engines dialog, select Google and click the Make Default button.



•    To remove Ask.com from your search engines option.

Still under the Search Engines dialog, select Ask and click “X” to delete. Once deleted, click Done.



Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans.
Also, it is advisable that you do a custom AV scan of any application downloaded from the Internet before you proceed with its installation.
If you do not have an antivirus, click here to download Ad-Aware Free Antivirus+.

How to remove Search Module by Goobzo

isabelle.blondin, Thu, 08/18/2016 - 10:17

Search Module by Goobzo is a potentially unwanted, ad-supported web browser extension. Like other hijackers, Search Module has the ability to change the homepage, default search engine and new tab page. Once Search Module is successfully installed, it changes the Windows hosts file, DNS settings and registry entries. You will notice that your PC performance becomes much slower than it was before. To protect your homepage and default search engine in the future, download Web Companion.

It has the ability to display pop-up boxes, advertisements and sponsored links while you browse the internet. Search Module by Goobzo shows unwanted advertisements on random webpages that you visit. Search Module may show advertisements in all well-known browsers, such as Internet Explorer, Mozilla Firefox and Google Chrome. It displays ads based on your browsing history. Sometimes the ads pop up on your computer when you are connected to the Internet but not surfing the web.

If you noticed that your homepage and default search engine were replaced by Bing.com and that your new tab page was changed to 'Search Module', you should be concerned.

In some cases, the program will monitor a user's behavior and will inject rival advertisements over existing ones or just inject new ones altogether. Search Module may also collect your Internet browsing activity by recording IP addresses, browser types and versions, Internet Service Providers (ISPs), cookie information, and webpages visited. This kind of behavior can lead to serious privacy issues or identity theft.

Typically, such applications are distributed using a misleading software marketing method called 'bundling'. That's why it’s classified as a Potentially Unwanted Program. The majority of PUPs can be installed in a bundle with some freeware or shareware you want, but you don't realize that you're getting a Potentially Unwanted Program along with it. That is why it is always recommended to choose Custom Installation and read the full EULA. Be attentive and never install software that you don’t know or trust.

If it wasn't your intention to download Search Module by Goobzo we recommend removing it from the computer.

Manual removal*

1.    Terminate malicious process(es):
smu.exe:1120
smu.exe:988
smu.exe:3464
smu.exe:1924
%original file name%.exe:3476
PacCDFA.tmp:3356
sma.exe:440
sma.exe:1072
sma.exe:984
sma.exe:3932
sma.exe:1492
sma.exe:3656
sma.exe:2364
smp.exe:3860
smp.exe:3632
smp.exe:3016

2.    Delete the original Malware file:

Click 'Start' ->'Control Panel' or 'Uninstall a Program' -> Double-click 'Add/Remove Programs' or 'Programs and Features'. Find Search module and similar entries and select 'Uninstall' or 'Remove'.


3.    Make sure you don’t have any leftovers of the program on your PC:

C:\ProgramData\SearchModule\smhe.js (407 bytes)
C:\Windows\Temp\vup.tmp (90 bytes)
C:\Windows\Temp\PacCDFA.tmp (845642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\ns34B9.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smp.exe (4979 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smw.sys (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\AccDownload.dll (10357 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smoi32.dll (9316 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smu.exe (46634 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smi32.exe (4361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\System.dll (23 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\SMUninstall.exe (18608 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\SBIEBrowserHelperObject.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smfi32.dll (19406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\ns70B1.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smri32.dll (11944 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3266.tmp\ns67AB.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smci32.dll (26028 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\sma.exe (2089 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\smei32.dll (21971 bytes)
C:\Windows\Temp\nsdDA48.tmp\nsFAF6.tmp (14 bytes)
C:\Windows\Temp\nsdDA48.tmp\System.dll (23 bytes)
C:\Windows\Temp\nsdDA48.tmp\nsExec.dll (14 bytes)
C:\Windows\Temp\nsdDA48.tmp\nsF3C4.tmp (14 bytes)
C:\Windows\Temp\nsdDA48.tmp\AccDownload.dll (10357 bytes)
C:\Windows\Temp\nsdDA48.tmp\nsDEAD.tmp (14 bytes)
C:\Windows\Temp\nsdDA48.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XF4QULVG\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\desktop.ini (254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ZR62R3G\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini (254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTKRRVN5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95RM92LH\desktop.ini (67 bytes)
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdate\Search.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (1 bytes)


4.    Remove Internet helper from all your browsers:

Mozilla Firefox:

•    Open Mozilla Firefox, go to ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’.
•    Find Search Module by Goobzo and similar entries, and click ‘Remove’ or 'Disable'.
•    Once you do that, go to Tools -> Options -> General -> Startup. Now select 'Show a blank page' when Firefox Starts or set a certain website, like Google or similar.

Internet Explorer:
•    Open Internet Explorer, go to ‘Tools’ -> ‘Manage Add-ons’ -> ‘Toolbars and Extensions’.
•    Here, look for Search Module by Goobzo and similar entries, and click 'Disable'.
•    Now open IE -> Tools -> Internet Options -> General tab. Enter Google or another address to make it the default start page.


 
Google Chrome:

•    Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions.
•    Here, look for Search Module by Goobzo and similar unknown extensions and get rid of them by clicking on the Recycle Bin.
•    Additionally, click on the wrench icon, go to Settings and choose 'Manage search engines'. Change the search engine to Google or another one.
•    Then go to the “On start” section and make sure you get a blank page when creating a new tab.

 
5.    Now please install adaware antivirus to make sure you do not have any infections:

• Click here and follow the installation instructions from the adaware antivirus User Guide (‘Installation and Uninstallation’ -> ‘adaware antivirus Install’ section).
• Perform a full scan of your PC with Ad-Aware (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).

Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans. Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation.


How to remove Ask.com

isabelle.blondin, Thu, 08/18/2016 - 10:15

If you notice that a new toolbar has been installed on your PC and your home page was unexpectedly changed, most likely some software installed a third-party browser toolbar on your system as part of a bundle. One such annoying toolbar is the Ask toolbar. This toolbar is a BHO (Browser Helper Object).

It is very important to pay attention to additional checkboxes during installation to avoid installing unwanted applications or toolbars. Toolbars can slow down your internet browsers and may also cause redirected searches or failed keyword searches. To protect your browser settings in the future, download Web Companion.

Usually, the Ask search engine (ask.com) is promoted via other free programs; once installed on your computer, they will hijack your browser homepage and replace your default search engine.


Ask Toolbar Manual Removal

In most cases, you can go to Add\Remove Programs and quickly find Ask.com listed and uninstall it.   

For Windows 7: 
- Click the "Start" button and select "Control Panel" 
- Click "Uninstall a Program" option found under the "Programs" category 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Remove" 

For Windows Vista: 
- Close all open Web browsers 
- From the "Start" menu in Windows, select "Control Panel" 
- Under the "Programs" icon, select "Uninstall a program" 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Uninstall" and then "Continue" to remove the Toolbar 

For Windows XP: 
- From the "Start" menu in Windows, select "Control Panel" 
- Click on "Add/Remove Programs". 
- Select the program with the Ask logo and the text "Ask Toolbar" 
- Click "Change/Remove" 

For Windows 8:
- Go to the Charm bar (Windows key+C), then "Settings", then "Control Panel"
- Choose “Programs and Features” 
- Choose the Ask toolbar and delete it

But once the toolbar is removed, you may still see Ask.com as your homepage when you open up a new browser.  In order to change that, follow the instructions below, depending on which browser you use:

Disabling Ask toolbar from Internet Explorer
•    Launch Internet Explorer browser and click the option Tools.
•    Choose the option Manage Add-ons from the sub menu that opens.
•    From the Manage Add-ons window, locate Ask toolbar and remove the check mark in the box for Enabled.
•    Select Search Providers. First of all, choose another search engine (Google, Yahoo, Bing) and make it your default search provider (set as default).
•    Then select Ask Search and click Remove button to uninstall it (lower right corner of the window).
•    Restart Internet Explorer.

 


Disabling Ask toolbar from Mozilla Firefox

•    Open Mozilla Firefox and go to Extensions.
•    Locate Ask Toolbar from the list of add-ons. Mozilla provides you with two options. You can either Remove the toolbar or Disable it temporarily. Click any of the options.
•    After that, go to Firefox, then choose Help, then Troubleshooting Information, and then Reset Firefox.


Disabling Ask toolbar from Google Chrome
•    Launch Google Chrome and click the icon located on the right top corner.
•    Select the option Settings from the sub menu.
•    Click on Extensions in the left pane of the window, which is located just above the option Settings.
•    You may disable the toolbar by removing the check mark from the option Enabled. If you wish to remove the toolbar, click the recycle bin icon found next to the Enabled option.


•    Click on Chrome menu button once again. Select Settings.
•    Click the Manage search engines button under Search.
•    Select Google or any other search engine you like from the list and make it your default search engine provider.

•    Select Ask Search from the list and remove it by clicking the "X" mark.

How to remove Hotspot Shield

isabelle.blondin, Thu, 08/18/2016 - 10:10

Hotspot Shield by AnchorFree is a program that claims to help you secure your connection while surfing on Wi-Fi hotspots and to access sites not normally available outside of the USA. It can end up installed on your PC without your consent.


However, it also hides in the installation packages of other free software to infiltrate your computer. Once it gets inside your PC, it will change your homepage to http://www.trovi.com/ and your search engine to Hotspot Shield Customized Web Search.


Moreover, it may install associated extensions such as Hotspot Shield toolbar and Hotspot Shield API Server to your browsers without your knowledge. Hotspot Shield Search may display advertisements and sponsored links in your search results, and may record browsing data and collect personal information. The Hotspot Shield Toolbar is used to enhance advertising revenue and to increase a site’s page position in search results.


Hotspot Shield can be downloaded from its official website. However, in most cases, applications of this kind are distributed using a misleading software marketing method called 'bundling'. This means that you may download them in a bundle with other freeware. That's why they are classified as potentially unwanted programs. To avoid unwanted installation of Hotspot Shield, you should be very attentive when downloading freeware and always choose custom installation. If you feel that Hotspot Shield is not in any way helpful, we suggest removing it from the computer.




 

Removing Hotspot Shield (Manual Removal*)

1.    Terminate malicious process(es) (How to End a Process With the Task Manager):
tapinstall.exe
HssInstaller.exe
af_proxy_cmd_rep.exe
HSSCP.exe
cmw_srv.exe
hsswd.exe

2.    Delete the original file.

•    Go to 'Start' and select 'Control Panel'.
•    Click 'Uninstall a Program' under 'Programs'.
•    Choose Hotspot Shield/Hotspot Shield Toolbar and select the 'Uninstall/Change' option.
•    Click 'Yes' and 'OK' to save the changes.


 
Make sure you don’t have any leftovers of the program on your PC (if you only use Windows Add/Remove Programs and the built-in uninstall utilities, you will find that lots of Hotspot Shield folders still remain on your computer):

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

*Manual removal may cause unexpected system behavior and should be performed at your own risk. Before you remove any registry keys, it is highly recommended to make a backup for the whole registry list in order to avoid any potential problems. 

It is important to take note that the registry is a very important part of your PC. There is no way to restore data from here once you delete something. And if you delete an incorrect component by mistake, it may damage your OS and make it inoperative.

3.    Remove Hotspot Shield Toolbar from your browsers (Google Chrome, Mozilla Firefox and Internet Explorer):

Internet Explorer:

•    Open Internet Explorer, go to ‘Tools’ -> ‘Manage Add-ons’ -> ‘Toolbars and Extensions’.
•    Here, look for Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar entries, and click 'Disable'.
•    After that, change the start page.
 

Mozilla Firefox:

•    Open Mozilla Firefox, go to ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’.
•    Find Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar entries, and click ‘Remove’ or 'Disable'.
•    Once you do that, don't forget to change the start page. 
 


Google Chrome:

•    Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions.
•    Here, look for Hotspot Shield Toolbar, Hotspot Shield Class, Hotspot Shield API Server and similar unknown extensions and get rid of them by clicking on the Recycle Bin.
•    After that, change the settings of your start page.

4.    Install adaware antivirus to make sure you do not have any infections: 

•    Click here and follow the installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).

How to remove Search Protect by Conduit Ltd

isabelle.blondin, Thu, 08/18/2016 - 09:58

Search Protect is designed by Conduit, and is spread with different free software, in most cases – it’s a pre-selected option during the main program installation. There is no direct download link for Search Protect even on the Conduit home page which is already suspicious.

Although the description says that it “saves your preferred browser's homepage”, during installation Search Protect changes your home page to their preferred one (Conduit) and removes yours. Once installed, a blue icon with a white magnifying glass always sits in your system tray, because its service starts running when you load your PC, taking away your performance speed. To protect your homepage settings in the future, download Web Companion.

2 main symptoms of your PC affected by this browser hijacker are:

•   Your home page changes to search.conduit.com in all your browsers;

•   When you open a new tab, you see endless advertisement pop-ups that don’t have a ‘Close’ option. If you click on any part of such a small window, a new tab with advertisement opens offering you to buy different products:


 

Scheduled tasks may also be affected by Conduit (e.g., Background Container that registers on its own in the Windows system rundll32 process, and starts every time your system boots to collect data about all the websites you visit, in order to provide you with individual advertisements, and receive revenue from your clicks on these ads). 

If you don’t remove it properly, you may receive system start-up errors even if most parts of Conduit components were removed (like “There was a problem starting c:\users\ed\appData\local\conduit\backgroundcontainer\backgroundcontainer.dll” etc.; you will find steps to get rid of this task in the removal instructions below).

Search Protect Manual Removal Instructions

Before you proceed with the uninstallation, make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive. Be careful during the uninstallation process, as Conduit will attempt to keep as many of its components as it can to continue slowing down your PC.

1.    From your desktop, click on the Windows Start button and choose the Control Panel option (Windows 8 users: right-click on the Windows Start icon (by default, it is located in the bottom left corner of your screen), and choose Control Panel from the context menu):

•    Double-click Programs and Features (Windows Vista, 7 and 8), or Add or Remove Programs (Windows XP).

•    Find ‘Search Protect’ by Conduit in the list, right-click on it and choose Uninstall.

•    When the next window opens, you have to manually choose the new desired Home page, and check the bottom box ‘Go back to my original home page and default search settings’:

•     Click on ‘Uninstall’ button and follow the removal steps. Once done, reboot your PC.

2.    Now please make sure that you don’t have a ‘Background Container’ task on your PC:

•    Press Windows+R keys on your keyboard. In the opened window type msconfig and press Enter.

•    In the System Configuration window, open ‘Startup’ tab and search for an item called ‘Background Container’. If you don’t have one in the list, jump to the step 3. If you do, finish the below instructions first.

•    Uncheck the ‘Background Container’ task, then click ‘Apply’ and ‘OK’:

•   Reboot PC again.

•   Right click on ‘My Computer’ on your desktop -> choose ‘Manage’ from the context menu -> expand ‘System Tools’ and ‘Task Scheduler’ menus-> click on ‘Task Scheduler Library’ -> once a list of tasks appears in the right part of the window, find ‘BackgroundContainer Startup Task’ and double-click on it:

•     In a new opened window, click on the ‘Actions’ tab and double-click the action in question.

•     In the next window, find ‘Add arguments (optional):’ section -> highlight ALL the path in the field box of this section -> press ‘Delete’ button on your keyboard -> click ‘OK’:

 
 

3.    Now please make sure that hidden files in your Windows Explorer are open: Start –> Control Panel (Appearance and Personalization) –> Folder Options –>‘View’ tab –> find ‘Hidden files and folders’ setting, and choose an option ‘Show hidden files, folders, and drives’.

4.    Open every path below and make sure there are no Conduit related folders/files on your disc C: (if you find some of them, delete these manually by highlighting the folder/file in question and pressing Shift+Del keys on your keyboard):

C:\Windows\SysWOW64\SearchProtect (XP users and users with 32bit OS don’t have this folder)
C:\Program Files\SearchProtect
C:\Program Files\Conduit
C:\ProgramData\Conduit
C:\Users\YOUR_USER_NAME\AppData\Local\Conduit
C:\Users\YOUR_USER_NAME\AppData\LocalLow\Conduit
C:\Users\YOUR_USER_NAME\AppData\Roaming\SearchProtect
C:\Users\adm\AppData\Roaming\Mozilla\Firefox\Profiles\gqehixkj.default\searchplugins\conduit-search (.xml file)
C:\Users\YOUR_USER_NAME\AppData\Local\Temp – delete 2 folders called ‘ct1066435’ and ‘CT3281067’. Also, please remove all the files here that carry the SearchProtect logo.

 

XP

C:\program files\Conduit
C:\program files\SearchProtect
C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp\Conduit
C:\Documents and Settings\YOUR_USER_NAME\ApplicationData\Mozilla\Firefox\Profiles\XXXX.default\searchplugins – and delete a file called ‘conduit-search’
C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temporary Internet Files\SPSetup

5.    Now please make sure that you don’t have any traces of Conduit Search Protect in your browsers:

Mozilla

•    Click on the Menu button   in the right part of Firefox window (older versions of browser: click on the orange upper left ‘Firefox’ logo) -> find Add-ons section -> Check ‘Extensions’ and ‘Plugins’ tabs, and disable/remove any add-on that contains words ‘conduit’ or ‘search protect’.

•    Again click on the Menu button -> Options :

•    In the General tab ‘Home Page’ field, make sure there is no http://search.conduit.com link. If you have one, either highlight and delete it, or use the ‘Restore to Default’ button (to return to your previous Home page);

•    In the Security tab make sure that all 3 options (Warn me when sites try to install add-ons, Block reported attack sites and Block reported web forgeries) are checked;

•    In the main Firefox window, click ‘Search Engines’ field (right upper corner), and open ‘Manage Search Engines…’ option. Highlight all the unwanted search engines and click on ‘Remove’ button;

•    Type about:config in the address bar of Firefox -> click on the ‘I’ll be careful, I promise!’ button - > in a new window search field, please type conduit and press ‘Enter’ -> right click on every result it finds, and choose ‘Reset’ from the context menu.

Google Chrome

•    Type chrome://settings in the Chrome address bar and press ‘Enter’ to open Chrome Settings menu -> in the ‘On Startup’ section ->‘Open a specific page or set of pages.’ option, click on the ‘Set pages’ link -> if you find ‘search.conduit.com’ here, hover your mouse to this line for a ‘Delete’ option to appear, and click ‘x’ to remove this page from startup; 

•    In the ‘Appearance’ section, when the ‘Show Home button’ is checked and you see ‘search.conduit.com…’ link, please click on ‘Change’ and remove this link from your browser;

•    In the ‘Search’ section, click on ‘Manage search engines…’ -> hover your mouse cursor to any search engine for the ‘Make default’ and ‘Delete’ menu to appear. You can delete all the unnecessary search engines, and make default the desired one:


 

Internet Explorer

•   When the IE window is open, press Alt+x keys on your keyboard to open the Tools menu -> Internet Options -> General tab: highlight and delete everything in the Home page field box -> click on the ‘Use new tab’ button, type the web address of the search engine you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page display in the ‘Startup’ section (to start with your last session, for example).


 

•    Tools menu -> click on the ‘Manage add-ons’ option -> check whether there are no Conduit Ltd Toolbars and Extensions or Search Engines here; if you find ones, either disable or remove these. 

6.    Before you start working with the Registry, please make sure that you understand how important this part of your PC is. You cannot revert data from here if you delete anything (Ctrl+Z never works here), and if you delete an incorrect component, it may damage your OS and make it unusable. 

You should also know the difference between Keys, Values and Values’ Data:

KEY: you can delete a key in this part of registry if its name exactly matches a program you don’t need anymore.
VALUE: you can delete the whole value if its name exactly matches a program you don’t need anymore.
VALUE DATA: you can modify/delete value data by double-clicking on the Value in question.

*Note. Be attentive while working with the Value data. Some harmful programs may inject their code to the system processes. In such case, you should remove a string of the harmful program only, and always leave the initial system path.

•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened command prompt window type regedit and press ‘Enter’.

•    Highlight the 1st section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure the Keys, Values, Data boxes in the ‘Find’ window are checked -> type Conduit in the search field and click OK. The search result will highlight a key/value/data that contains Search Protect components. If you find the exact key name of the program you want to remove, right click on the element in question and choose ‘Delete’. If it’s a value/data, right click on the value and choose ‘Modify’, then remove the harmful data (see notes how to edit separate elements below*). Use the F3 key on your keyboard to find all the search results.

•    Repeat the above instructions with the words SearchProtect and BackgroundContainer.

•    Exit the registry editor and reboot your PC.

•    *Here are the values/keys/data (in bold) that may stay in your registry, and it’s better to delete these. Note. It’s normal if you don’t find some of the components in your registry – it means they were already deleted. Pay attention to the comments next to some of the paths:
o    HKEY_CURRENT_USER\Software\Conduit
o    HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit
o    HKEY_CURRENT_USER\Software\AppDataLow\Software\BackgroundContainer
o    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{18678918-2C78-4EF5-A755-CAB3CC54F45F} or {A30F335A-1BD5-4B44-82E1-76F72E1C4597}
o    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} – delete the value data of Conduit Community Alerts
o    HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 – delete data in the value called ‘Default’(C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll)
o    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BackgroundContainer –  value is called ‘command’ -> right click on it and choose ‘Modify’ -> in the Value data leave the following string only: "C:\Windows\SysWOW64\Rundll32.exe", and delete everything after (i.e., "C:\Users\adm\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun)
o    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit
o    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D3A0F898-A6DF-468C-94BB-51C2DD24F676} or {40FA19B4-9006-41DA-BB11-F936BE177162} – delete the application path - C:\Users\user\AppData\Local\Conduit\CT3289075
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\Microsoft\Internet Explorer\SearchScopes – delete data in 3 values called: 

-    DisplayName (data: ‘Conduit Search’)
-    SuggestionsURL_JSON (data: http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms})
-    URL: (data: http://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPBA7FBC0E-B47C-4F0A-845E-D5A7D3A0BF22&q={searchTerms}&SSPV= )

o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\BackgroundContainer
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\Conduit
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\BackgroundContainer
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\AppDataLow\Software\ConduitSearchScopes
o    HKEY_USERS\S-1-5-21-2858020935-2156992550-3658131804-1003\Software\Conduit

7.    It is recommended to always keep your antivirus up-to-date and perform weekly full scans.  Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation. 

•     If you do not have an antivirus, click here to download adaware antivirus free and follow the installation instructions from the product manual (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).

•    Perform a full scan of your PC with adaware antivirus (following the manual: ‘Scanning System’ ->‘Running a scan’ section).
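
As an added example (not adaware's own tooling), the PowerShell function below performs a read-only audit of the startup entries, scheduled task, folders, Firefox files and registry keys named in steps 2 to 6, for the current user on Windows Vista or later. The function names are chosen for this example; checking the Run keys (for the msconfig 'Startup' tab) and prefs.js (for about:config entries) is an addition based on where Windows and Firefox store those settings.

```powershell
# Added example: read-only audit for the Search Protect / Conduit leftovers
# named in the steps above. It reports findings and changes nothing.
# Requires PowerShell 3.0+. Function names are chosen for this example.

function New-Finding([string]$Type, [string]$Item, [string]$Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

function Get-ConduitLeftover {
    # Step 2: startup entries. The Run keys feed the msconfig 'Startup' tab.
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $psProps -notcontains $_.Name }
        foreach ($v in $values) {
            if ("$($v.Value)" -match 'BackgroundContainer|SearchProtect|Conduit') {
                New-Finding 'Startup value' "$key\$($v.Name)" "$($v.Value)"
            }
        }
    }

    # Step 2: 'BackgroundContainer Startup Task'. Get-ScheduledTask exists on
    # Windows 8 and later; on older systems use the Task Scheduler console.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like 'BackgroundContainer*' }
        foreach ($t in $tasks) {
            foreach ($a in $t.Actions) {
                New-Finding 'Scheduled task' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)"
            }
        }
    }

    # Step 4: folders, expanded for the current user (Vista and later layout).
    $folders = @(
        "$env:SystemRoot\SysWOW64\SearchProtect",
        "$env:ProgramFiles\SearchProtect",
        "$env:ProgramFiles\Conduit",
        "$env:ProgramData\Conduit",
        "$env:LOCALAPPDATA\Conduit",
        "$env:USERPROFILE\AppData\LocalLow\Conduit",
        "$env:APPDATA\SearchProtect",
        "$env:TEMP\ct1066435",
        "$env:TEMP\CT3281067"
    )
    # The Alert.dll path in step 6 sits under 'Program Files (x86)' on 64-bit Windows.
    if (${env:ProgramFiles(x86)}) { $folders += "${env:ProgramFiles(x86)}\Conduit" }
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) { New-Finding 'Folder' $f 'exists' }
    }

    # Steps 4 and 5: Firefox search plugin, and preferences stored in prefs.js
    # (the file behind about:config).
    $profiles = "$env:APPDATA\Mozilla\Firefox\Profiles"
    Get-ChildItem -Path "$profiles\*\searchplugins\conduit-search*" -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Firefox search plugin' $_.FullName 'exists' }
    Select-String -Path "$profiles\*\prefs.js" -Pattern 'conduit' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Firefox preference' $_.Path ($_.Line.Trim()) }

    # Step 6: registry keys listed in the guide.
    $regKeys = @(
        'HKCU:\Software\Conduit',
        'HKCU:\Software\AppDataLow\Software\Conduit',
        'HKCU:\Software\AppDataLow\Software\BackgroundContainer',
        'HKLM:\SOFTWARE\Wow6432Node\Conduit',
        'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BackgroundContainer',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}'
    )
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { New-Finding 'Registry key' $k 'exists' }
    }

    # Step 6: Internet Explorer search scopes whose data points at Conduit.
    $scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path -LiteralPath $scopes) {
        foreach ($sub in Get-ChildItem -LiteralPath $scopes) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            $data = "$($p.DisplayName) $($p.URL) $($p.SuggestionsURL_JSON)"
            if ($data -match 'conduit') {
                New-Finding 'IE search scope' $sub.Name "$($p.DisplayName)"
            }
        }
    }
}

Get-ConduitLeftover | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed items were found for the account running the script; run it once per user profile, since the HKCU and AppData checks only cover the current user.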

How to remove Trovi Search

isabelle.blondin, Thu, 08/18/2016 - 09:45

If your default search engine was changed and your browser keeps redirecting you to http://trovigo.com, that means your browser was hijacked by Trovi Search. It is able to become the startup page of your web browser by modifying browser settings. No matter which browser you are using (Internet Explorer, Safari, Google Chrome, Mozilla Firefox or Opera), you can see the browser is occupied by it completely. To protect your homepage in the future, download Web Companion.

The Trovi Search is a Browser Helper Object that injects itself into users' Internet browsers. The Trovi.com website was created by Conduit Ltd but due to restrictions, as of January 1, 2014, it is operated by ClientConnect Ltd. Often, this kind of application is distributed using a misleading software marketing method called 'bundling'.

This means that you may download them in a bundle with other freeware. That's why it’s classified as a potentially unwanted program. Applications created by this company can be especially annoying since they also install a program called Search Protect in the bundle. This program is created to block every attempt to change the Internet browser homepage and default search engine settings. To avoid installation of such browser hijackers, you should be very attentive when downloading freeware and always choose custom installation.

Once Trovi Search gets inside your browser it starts to display advertisements and sponsored links in your search results. It may also install plug-ins, extensions and toolbars in the browser so as to record your search history as well as cookies. Your search keywords may be collected so as to serve advertisements on your computer according to your preferences. Using this potentially unwanted program on your Internet browsers can lead to privacy issues and identity theft.

Even though Trovi.com redirects visitors to Bing.com search and pretends to be trustworthy, it was created for advertising and monetization purposes. Thus, inattentive freeware downloading and installation can result in adware infections.


 

 


Trovi Search Manual Removal instructions

1.    Click Start -> Control Panel -> Programs (or Add/Remove Programs) -> Uninstall a Program.

2.    Here, look for Trovi, Trovi Toolbar; Conduit, Search Protect and similar entries and select Uninstall/Change.

3.    Click OK to save the changes.

Remove Trovi from your browsers:

Internet Explorer

Open Internet Explorer, go to Tools -> Manage Add-ons -> Toolbars and Extensions. Here, look for Trovi Toolbar, Trovi and similar entries, and click Remove. Now open IE -> Tools -> Internet Options -> General tab. Enter Google or another address to make it the default start page.


 

Mozilla Firefox

Open Mozilla Firefox, go to ‘Tools’ -> ‘Add-ons’ -> ‘Extensions’. Find Trovi.com and click ‘Uninstall’. Now go to Tools -> Options -> General -> Startup. Now select 'Show a blank page' when Firefox Starts or set a certain website, like Google or similar.


Click the Firefox menu button, then the Help button. From the Help menu, choose Troubleshooting Information. Click Reset Firefox. Firefox will close itself and will revert to its default settings.


 
Google Chrome

Click the Chrome menu button on the Google Chrome browser, select Tools -> Extensions. Here, look for the Trovi.com extension and get rid of it by clicking on the Recycle Bin. Additionally, click on the wrench icon, go to Settings and choose 'Manage search engines'. Change the search engine to Google or another one and delete Trovi.com from the list. Then go to the “On start” section and make sure you get a blank page when creating a new tab.




 

Finally, it is recommended to always keep your antivirus up-to-date and perform weekly full scans.

Also, we advise you to do a custom AV scan of any application downloaded from the internet before you proceed with its installation.

If you do not have an antivirus, download adaware antivirus, our great adware cleaner.

How to remove Snap.Do browser hijacker

isabelle.blondin, Thu, 08/18/2016 - 09:35

Snap.Do, developed by ReSoft LTD., is a tool that changes your browser’s home page and your default search engine to search.snapdo.com in IE, Mozilla and Chrome. Wikipedia mentions Snap.Do in its article about browser hijacking. To avoid browser hijacking in the future, download Web Companion.
Below are a few facts about Snap.Do that we would like to draw your attention to.
In its Terms & Conditions, ReSoft evades responsibility for the quality of the content it provides:
“Resoft provides Users, inter alia, with a toolbar to be implemented in User's web browser. You also understand and agree that the Resoft Services may include advertisements and that these advertisements are necessary for Resoft to provide the Services.
You are entirely responsible for all content that you upload or otherwise make available via the Resoft Services. Resoft does not control the content posted via the Resoft Services. You understand that by using the Resoft Services, You may be exposed to content that is offensive, indecent or objectionable. Under no circumstances will Resoft be liable in any way for any content, including, but not limited to, any errors or omissions in any content, or any loss or damage of any kind incurred as a result of the use of any content posted, transmitted or otherwise made available via the Resoft Services.”.
In its Privacy Policy, ReSoft informs users about the information that is transferred to its servers if Snap.Do is installed on your PC:
“Statistical Information we collect and aggregate non-identifying information regarding users use of our Products, including, inter alia, advertisements viewed, pages browsed, search inquiries, offers and services that interest you, the type of browser you are using, your IP address, the URL you have come from and the time spent at that URL, cookies and your domain type and server.” .

It may change your default browser’s icon, and even if you launch the browser from its original location, it is still affected by Snap.Do, as the browser's home page shows.


 
Your default search engine will also be changed to search.snapdo.com. Even though Snap.Do claims to be a “perfect tool to simplify the web”, when you type, for example, ‘amazon’, the first search results provided by Snap.Do are always ads (marked as ‘Ads related to amazon’), unlike Google, for example, which shows amazon.com as the first result.

Popular shopping websites display ad banners by Snap.Do, and you may not even notice that these ads are not related to the website you trust, because the small note ‘By Smartbar’ is almost inconspicuous.

Instead of a description of its features in the Extensions tab of your browser (Mozilla or IE, for example; Chrome doesn’t allow this toolbar), Snap.Do gives short removal instructions, but this method doesn’t remove all the traces of Snap.Do.


 
The standard Windows directory ‘Program Files’ (where new applications are usually installed) doesn’t have a folder called ‘Snap.Do’, but another one called ‘LTD’ that doesn’t seem to be related to Snap.Do at first glance (in fact, it belongs to Snap.Do). The main executable file of Snap.Do is located in a hidden path (C:\Users\USER_NAME\AppData\Local), in a folder called ‘Smartbar’.

Processes and services related to Snap.Do launch automatically with every Windows start, slowing down its boot time:

   

If you want to remove Snap.Do from your PC, please find below step-by-step instructions.

Note. This is a self-help guide. Use it at your own risk. This article is provided "as is" and to be used for information purposes.

1.    Before you start, please make sure you are logged in as a system administrator. Also, please save a copy of your important documents/files on an external hard drive.

2.    Close all open browsers.

3.    Open your Task Manager (right click on your task bar and choose ‘Task Manager’ from the context menu):

•    In the ‘Processes’ tab, please find Lrcnta.exe and SnapDo.exe, right click on each one and choose ‘End Process’ from the context menu;
•    In the ‘Services’ tab, please find LPTSystemUpdater and stop it using right-click menu.
4.    From your desktop, click on the Windows Start button and choose the Control Panel option (Windows 8 users: right-click on the ‘Windows Start’ icon, which by default is located in the bottom left corner of your screen, and choose Control Panel from the context menu):

•    Click ‘Programs and Features’ (Windows Vista, 7 and 8)/‘Add or Remove Programs’ (Windows XP),
•    Find 2 entries: Snap.Do and Snap.Do Engine by ReSoft Ltd.,
•    Right click on ‘Snap.Do’ and click on ‘Uninstall’ button,
•    When the uninstaller window opens, click on the ‘CUSTOM’ button, and in the 2nd window check ‘Remove Snap.Do’ (making sure that the 2 other boxes are UN-checked):



•    in the next window, click on ‘Accept’, and then – ‘Continue’ (as we’ve closed the browsers in step 2):


•     Wait a few moments for the program to finish uninstallation. Once done, please press the F5 key on your keyboard (while in the ‘Programs and Features’ window) and make sure that Snap.Do and Snap.Do Engine are no longer listed.

5.    Please make sure that hidden files in your Windows Explorer are visible: Start –> Control Panel (Appearance and Personalization) –> Folder Options –>‘View’ tab –> find ‘Hidden files and folders’ and check a box ‘Show hidden files, folders, and drives’.

6.    Follow this path - C:\Users\YOUR_USER_NAME\AppData\Local\Temp (XP users: C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temp) -> highlight all the files/folders here -> press ‘Shift’+’Delete’ and click ‘Yes’ to completely clean this folder (Note. If you receive messages that some files cannot be removed, just skip the file in question).

7.    Please find the directories below and make sure that Snap.Do folders are removed: 
C:\Program Files (x86)\LPT
C:\Users\YOUR_USER_NAME\AppData\Local\Smartbar

8.    Now please make sure that your browser is clean:

Mozilla Firefox

•    Click on the Menu button in the upper right corner of the Firefox window (older versions of the browser: click on the orange ‘Firefox’ logo in the upper left corner) -> find the Add-ons section -> check the ‘Extensions’ and ‘Plugins’ tabs, and if you find a SnapDo extension here, please click on the ‘Remove’ button.
•    Again click on the Menu button -> Options :
•    In the General tab ‘Home Page’ field, please highlight Snap.Do link -> right click on it and press ‘Delete’ -> type a web address of your preferred home page in ‘http://…’ format.
•    In the Security tab make sure that all the 3 options ‘Warn me when sites try to install add-ons’, ‘Block reported attack sites’ and ‘Block reported web forgeries’ are checked.
•    In the main Firefox window, click on a small triangle in the ‘Search Engines’ field (right upper corner) , and choose ‘Manage Search Engines…’ option. Highlight all the unwanted search engines including ‘Web Search’ and click on ‘Remove’ button.
•    Restart Firefox.

 Google Chrome

•    Type chrome://settings in the Chrome address bar and press ‘Enter’ to open Chrome Settings menu;
•    In the ‘On Startup’ section ->‘Open a specific page or set of pages.’ Option -> click on the ‘Set pages’ link -> if you find ‘http://feed.sonic-search.com…’ here, hover your mouse to this line for a ‘Delete’ option to appear, and click ‘x’ to remove this page from startup; 
•    In the ‘Appearance’ section, when the ‘Show Home button’ is checked, if you see ‘search.hometab.com’ link, please click on ‘Change’ and remove it from your browser;
•    In the ‘Search’ section, click on ‘Manage search engines…’ -> hover your mouse cursor over any search engine for the ‘Make default’ and ‘Delete’ menu to appear. You can delete all the unnecessary search engines here and make your desired one the default. (Note: while an engine is set to ‘Default’, you are unable to delete it. Therefore, first choose a new default search tool. Once done, you will be able to remove the old default item.)

•    Click on ‘Show advanced settings…’ link in the bottom of the page -> in the ‘Privacy’ section please make sure that ‘Enable phishing and malware protection’ box is checked;
•    Restart Google Chrome;
•    If you see an icon left over from Snap.Do Search on your desktop, please delete it;
•    Finally, please follow this path: C:\Program Files (x86)\Google\Chrome\Application -> find chrome.exe icon -> drag it to your desktop using right-click of your mouse -> choose ‘Create shortcuts here’ from the context menu.

Internet Explorer

•    When IE window is opened, press Alt+x keys on your keyboard to open Tools menu -> Manage Add-ons ->‘Search Providers’ section -> if you have ‘WebSearch’ here, highlight it and click on ‘Disable’ button;
•    Again open Tools menu -> Internet Options -> General Tab ->‘Home page’ section: if you see ‘http://feed.sonic-search.com…’ link here, highlight and delete it using context right-click menu -> type a new web address you want to set up as your home page, and click ‘Apply’. You can also set other custom settings of your startup page display in the ‘Startup’ section (to start with your last session, for example):



•    In the Privacy tab, ‘Pop-up Blocker’ section, you can block pop-ups by checking the appropriate box (you can exclude websites you trust using the ‘Settings’ button).
•    Restart Internet Explorer.

9.   Now, please install adaware antivirus to make sure you don’t have any infections on your machine: 

•    Click here to download adaware antivirus, and follow installation instructions from adaware antivirus User Guide (‘Installation and Uninstallation’ ->‘adaware antivirus Install’ section).
•    Perform a full scan of your PC with adaware antivirus (following adaware antivirus User guide: ‘Scanning System’ ->‘Running a scan’ section).
•    Restart your PC.

10.  If you continue facing issues with Snap.Do, please remove its traces from your registry. Before you start, please make sure you understand how important this part of your PC is. You cannot restore data from here once you delete something (‘Ctrl+Z’ never works in Registry Editor). And if you delete an incorrect component by mistake, it may damage your OS and make it unusable. 

•    To open the Registry, press ‘Win+R’ keys on your keyboard -> in the opened window type regedit and press ‘Enter’. 
•    Highlight the main registry section called ‘Computer’ -> press Ctrl+F keys on your keyboard -> make sure the Keys, Values and Data check-boxes in the ‘Find’ window are checked -> type snapdo in the search field and click OK. The search will highlight a key/value/data entry that contains Snap.Do components. If you find an exact match with the name of the program you want to remove, right click on the element in question and choose ‘Delete’ from the context menu.
•    Use the F3 key to continue the search and to find all the remaining matches.
•    Exit the registry editor.
•    Reboot your PC.

Lastly, it is recommended to always keep your antivirus program up-to-date with a real-time protection turned on, and perform weekly full scans to stay protected at all times.
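
The checks in steps 3, 4, 7 and 10 of the Snap.Do guide can also be run as a read-only audit before and after the manual clean-up. The PowerShell below is an added example, not part of the original guide or of any adaware tool. The process, service, program and folder names come from the steps above; the Run autostart keys, the second ‘Program Files’ root and the match pattern are assumptions.

```powershell
# Read-only audit for the Snap.Do leftovers named in the guide above.
# Nothing is stopped or deleted; review each finding, then remove it by hand.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# Step 3: processes and service named in the guide.
Get-Process -Name 'Lrcnta', 'SnapDo' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "$($_.Name) (PID $($_.Id))" }
Get-Service -Name 'LPTSystemUpdater' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) is $($_.Status)" }

# Step 4: 'Snap.Do' and 'Snap.Do Engine' in the installed-programs list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Snap.Do*' } |
    ForEach-Object { Add-Finding 'Installed program' "$($_.DisplayName) [$($_.PSChildName)]" }

# Step 7: folders from the guide. The guide lists 'Program Files (x86)';
# checking plain 'Program Files' as well is an assumption for 32-bit systems.
$candidates = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'LPT' }
$candidates += Join-Path $env:LOCALAPPDATA 'Smartbar'
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) { Add-Finding 'Folder' $path }
}

# Step 10, narrowed: instead of a whole-registry search, look only at the Run
# autostart keys (an assumption about where the startup entries live).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ("$name $data" -match 'snap\.?do|smartbar') {
            Add-Finding 'Autostart value' "$key -> $name = $data"
        }
    }
}

if ($findings.Count -eq 0) { 'No Snap.Do indicators from this guide were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an administrator PowerShell session so that services and machine-wide registry keys are visible; an empty result after step 10 means the leftovers listed in this guide are gone.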
