Removal instructions for the CiviApp virus

What is CiviApp?

CiviApp is a browser hijacker that also exhibits characteristics of a Trojan Horse. That is an unorthodox thing to say, since the two are usually well separated: one infects the browser, the other runs as background processes on the PC. In this case the distinction is blurred, because the app appears in the Windows Apps list, supposedly developed by Yuif Qyus Public. It does this to confuse users into thinking it is legitimate, or to make it harder to spot (every app has a listed creator, so one without it is very easy to see). In reality, CiviApp exists as a door to include and enforce other hijacker components in your browser. The reason we say it resembles Trojans is that it operates on the OS level, as opposed to most other hijackers, which infect only web browsers, or Adware, which creates a barrage of notifications in Windows and other apps.

Screenshot of the CiviApp installer malware detections on VirusTotal

Is there a legitimate CiviApp program?

CiviApp officially has the version number 3.3.8, but this is actually the only version that ever existed. The number is chosen to make it appear as if the app had been in development for some time. We couldn’t find any older version or an official site for CiviApp that would explain what the app does. Windows also shows it as developed by a company called Yuif Qyus Public. There are no records of such a developer existing currently or in the past.

All of this tells us CiviApp is a scam. You are very unlikely to come in contact with anything legitimate if you find this name on your PC suddenly and without explanation. In fact, there is no way to access the app or see it apart from the aforementioned list in Windows. And when you interact with said list and click “uninstall” the app remains and nothing happens. If you see a legitimate interface, it’s very likely this isn’t the same CiviApp.

And as another point of fact, this appears to be a rebranding of two recent browser hijackers called TruoApp and Applvl. We concluded this based on when the infections for each app started and stopped. It appears the criminals just change names for the app and company but use the same methods and code for each infection.

Is CiviApp dangerous without the other programs it installs?

CiviApp is always dangerous in a roundabout way. We came across statements from users who broke the hijacker components in their browser and claimed the app doesn’t do anything anymore. But that conclusion is fundamentally wrong, as even the simplest reading of this section’s heading suggests. Yes, the app doesn’t do anything without the other components it installs. That’s the point. It installs other malware on your system and stays separate from it, so the backdoor remains operational when you eradicate the other components.

There’s no reason for malware creators to bundle everything together in one big app. If they did, you would remove everything in one fell swoop. If, for example, CiviApp remains while the rest of the hijacker is gone, CiviApp can stay dormant for a few days and then reinfect you with more malware. And not only that: it is not limited to infecting you with a browser hijacker, it can do whatever it wants in your system.

The final point I want to drive home is that criminals don’t need to play by normal rules. As long as CiviApp is there, it can even infect you with another backdoor that serves as a backup if you remove CiviApp. Tech-illiterate users will really need to buy an anti-malware tool, or they won’t be able to get rid of the threat in such a case.

To summarize, if you don’t want to read everything up until now: CiviApp won’t cause immediate harm, but its nature and indirect changes make it something you should take seriously. Remove it as soon as it is detected, or it will introduce further system flaws that didn’t exist before it infected you.

What other components does CiviApp infect you with?

For starters, you will immediately notice a change of your search engine and every time you click things, a new browser may open, prompting you to download something. You can see one such example we uncovered during our research of CiviApp.

Screenshot of the CiviApp "ready download" prompt

This is what happened when we ran a rudimentary Google search for how to remove CiviApp. An additional tab opened immediately, with this “ready download” prompt appearing without apparent logic. This is a classic example of a phishing website. If you were trying to download something at the same moment, you could get distracted and use this download button instead of the legitimate one. For reference, this link led to the installation of further Adware software called FindClix.

Perhaps the most damning thing is that CiviApp restricts users from visiting certain websites or downloads, particularly those for anti-malware programs like SpyHunter or Malwarebytes. We believe this shows its willingness to go even further and introduce worse malware later on.

It also installs other hijacker extensions, which create different vulnerabilities within the system, and those can be exploited as well. If you start experiencing system errors that appear out of nowhere, this is because of malware-corrupted code.

CiviApp Distribution Vectors

From what we could find, CiviApp doesn’t appear normally and is not downloaded by itself. Rather, it comes through a vulnerability in a preexisting extension that suddenly gets infected and then infects its entire user base.

The other likely method we detected is through fake downloads such as the one in the screenshot above. If you’ve never come across such scams before, you can be tricked into downloading the hijacker disguised as a necessary plugin or update. But this should only happen on websites of grey legality or free app repositories that don’t track everything. Such fakes use a certain degree of social engineering to appear legitimate, at least at the beginning.

SUMMARY:

Name: CiviApp
Type: Adware/Browser Hijacker

Remove CiviApp Virus

To try and remove CiviApp quickly you can try this:

  1. Go to your browser’s settings and select More Tools (or Add-ons, depending on your browser).
  2. Then click on the Extensions tab.
  3. Look for the CiviApp extension (as well as any other unfamiliar ones).
  4. Remove CiviApp by clicking on the Trash Bin icon next to its name.
  5. Confirm and get rid of CiviApp and any other suspicious items.

If this does not work as described please follow our more detailed CiviApp removal guide below.

If you have a Windows virus, continue with the guide below.

If you have a Mac virus, please use our How to remove Ads on Mac guide.

If you have an Android virus, please use our Android Malware Removal guide.

If you have an iPhone virus, please use our iPhone Virus Removal guide.


Some of the steps may require you to exit the page. Bookmark it for later reference.
Next, reboot in Safe Mode (use this guide if you don’t know how to do it).

Step 1: Uninstall the CiviApp app and kill its processes

The first thing you must try to do is look for any sketchy installs on your computer and uninstall anything you think may come from CiviApp. After that, you’ll also need to get rid of any processes that may be related to the unwanted app by searching for them in the Task Manager.

Note that sometimes an app, especially a rogue one, may ask you to install something else or keep some of its data (such as settings files) on your PC. Never agree to that when trying to delete potentially rogue software. You need to make sure that everything is removed from your PC to get rid of the malware. Also, if you aren’t allowed to go through with the uninstallation, proceed with the guide, and try again after you’ve completed everything else.

Uninstalling the rogue app

Type Apps & Features in the Start Menu, open the first result, sort the list of apps by date, and look for suspicious recently installed entries.

Click on anything you think could be linked to CiviApp, then select uninstall, and follow the prompts to delete the app.

Delete suspicious CiviApp apps

Killing any rogue processes

Press Ctrl + Shift + Esc, click More Details (if it’s not already clicked), and look for suspicious entries that may be linked to CiviApp.

If you come across a questionable process, right-click it, click Open File Location, scan the files with the free online malware scanner shown below, and then delete anything that gets flagged as a threat.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.
    Delete CiviApp files and quit its processes.

    After that, if the rogue process is still visible in the Task Manager, right-click it again and select End Process.
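
The process check from Step 1 can also be done from a PowerShell window. The script below is an added example, not part of the original guide; it assumes Windows 10 or 11 with Windows PowerShell 5.1 or later, and the choice of "user-writable folder" and "no valid signature" as triage criteria is an assumption of the example. It only reads information, and the SHA-256 it prints can be searched on a scanner instead of uploading the file itself.

```powershell
# Read-only triage of running processes for Step 1. Nothing is stopped or deleted.
# Assumption: binaries that run from user-writable folders or lack a valid
# Authenticode signature are the ones worth a closer look first.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }

$report = Get-Process |
    Where-Object { $_.Path } |          # skip processes whose path cannot be read
    Sort-Object Path -Unique |          # one row per executable, not per instance
    ForEach-Object {
        $path = $_.Path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name         = $_.ProcessName
            Path         = $path
            Signature    = $sig.Status  # Valid, NotSigned, HashMismatch, ...
            Signer       = $sig.SignerCertificate.Subject
            UserWritable = [bool]($userWritable | Where-Object {
                               $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            SHA256       = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }

# Show the likeliest candidates first: binaries in user-writable paths, then unsigned ones.
$report |
    Where-Object { $_.Signature -ne 'Valid' -or $_.UserWritable } |
    Sort-Object UserWritable, Signature -Descending |
    Format-List Name, Path, Signature, Signer, UserWritable, SHA256
```

Run it from an elevated prompt so that paths of processes owned by other accounts are readable. A listed process is a candidate for the file-location check described above, not proof of infection.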

    Step 2: Undo CiviApp changes made to different system settings

    It’s possible that CiviApp has affected various parts of your system, making changes to their settings. This can enable the malware to stay on the computer or automatically reinstall itself after you’ve seemingly deleted it. Therefore, you need to check the following elements by going to the Start Menu, searching for them, and pressing Enter to open them and to see if anything has been changed there without your approval. Then you must undo any unwanted changes made to these settings in the way shown below:

    • DNS
    • Hosts
    • Startup
    • Task Scheduler
    • Services
    • Registry

    Type in the Start Menu: View network connections

    Right-click on your primary network, go to Properties, and do this:

    Undo DNS changes made by CiviApp

    Type in the Start Menu: C:\Windows\System32\drivers\etc\hosts

    Delete CiviApp IPs from Hosts

    Type in the Start Menu: Startup apps

    Disable CiviApp startup apps

    Type in the Start Menu: Task Scheduler

    Delete CiviApp scheduled tasks

    Type in the Start Menu: Services

    Disable CiviApp services

    Type in the Start Menu: Registry Editor

    Press Ctrl + F to open the search window

    Clear the Registry from CiviApp items
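
The same six places can be reviewed in one pass from PowerShell. This is an added example, not part of the original guide; it assumes Windows 10 or 11 with Windows PowerShell 5.1 or later, takes its search terms from the app and publisher names mentioned on this page, and for the registry covers only the uninstall entries rather than a full search. It reads settings and changes nothing.

```powershell
# Read-only audit of the places Step 2 lists. Nothing is changed or deleted.
# Assumption: the match terms are the app and publisher names given on this page.
$terms   = 'CiviApp', 'Yuif Qyus'
$pattern = ($terms | ForEach-Object { [regex]::Escape($_) }) -join '|'
function Test-Match([string]$Text) { $Text -match $pattern }

# DNS: resolvers configured on each interface, so unexpected addresses stand out.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Hosts: every active (non-comment) line. A default Windows hosts file has none.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }

# Startup: Run keys and Startup folders, as reported by WMI.
Get-CimInstance Win32_StartupCommand |
    Where-Object { Test-Match "$($_.Name) $($_.Command)" } |
    Format-List Name, Command, Location, User

# Task Scheduler: tasks whose name, author or action mentions the terms.
Get-ScheduledTask |
    Where-Object { Test-Match "$($_.TaskName) $($_.Author) $($_.Actions.Execute) $($_.Actions.Arguments)" } |
    Format-List TaskPath, TaskName, State

# Services: match on service name, display name or binary path.
Get-CimInstance Win32_Service |
    Where-Object { Test-Match "$($_.Name) $($_.DisplayName) $($_.PathName)" } |
    Format-List Name, DisplayName, StartMode, State, PathName

# Registry: uninstall entries (the source of the Apps list), machine-wide and per-user.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { Test-Match "$($_.DisplayName) $($_.Publisher)" } |
    Format-List DisplayName, Publisher, DisplayVersion, InstallDate, UninstallString
```

The DNS and hosts sections print everything for manual review, while the other four only show entries containing the search terms. An empty result there means nothing uses those names, so components installed under a different name still need the manual checks above.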

    Step 3: Remove CiviApp from your browsers

    Delete CiviApp from Chrome

    1. Go to the Chrome menu > More tools > Extensions, and toggle off and Remove any unwanted extensions.
    2. Next, in the Chrome Menu, go to Settings > Privacy and security > Clear browsing data > Advanced. Tick everything except Passwords and click OK.
    3. Go to Privacy & Security > Site Settings > Notifications and delete any suspicious sites that are allowed to send you notifications. Do the same in Site Settings > Pop-ups and redirects.
    4. Go to Appearance and if there’s a suspicious URL in the Custom web address field, delete it.

    Delete CiviApp from Firefox

    1. From the Firefox menu, go to Add-ons and themes > Extensions, toggle off any questionable extensions, click their three-dots menu, and click Remove.
    2. Open Settings from the Firefox menu, go to Privacy & Security > Clear Data, and click Clear.
    3. Scroll down to Permissions, click Settings on each permission, and delete from it any questionable sites.
    4. Go to the Home tab, see if there’s a suspicious URL in the Homepage and new windows field, and delete it.

    Delete CiviApp from Edge

    1. Open the browser menu, go to Extensions, click Manage Extensions, and Disable and Remove any rogue items.
    2. From the browser menu, click Settings > Privacy, searches, and services > Choose what to clear, check all boxes except Passwords, and click Clear now.
    3. Go to the Cookies and site permissions tab, check each type of permission for permitted rogue sites, and delete them.
    4. Open the Start, home, and new tabs section, and if there’s a rogue URL under Home button, delete it.


    About the author


    Nathan Bookshire
