How to remove TroxApp from your computer

TroxApp is one of many iterations of a particularly stubborn browser hijacker app that gets in the system and takes over the browser after being installed through a file bundle or a dedicated setup.msi installer. We encountered many reports from users struggling to delete this software, so we got our shovels and dug deep to find the most effective way to get rid of it.

What we learned during our research is that TroxApp is supposedly created by a Troxbox Publish, but we couldn’t find any actual information about this developer. We also learned that this hijacker is closely linked to a bunch of other rogue apps, including BivaApp, TruoApp, and CiviApp.

These are basically reskins of the TroxApp and they all tend to do the same thing: They introduce a “Managed by your organization” policy to the browser and then replace your default search engine to spam you with ads and redirects. Sometimes the hijacker might also add a rogue extension to the browser. None of the unwanted changes can be reversed until you first take care of the rogue hijacker policy.

TroxApp Removal Instructions

Ok, first things first, a disclosure. There is a free tool involved in the removal, called Lock Hunter. The tool is completely free with no strings attached. We just couldn’t find a way to do this without a download.

The issue is that TroxApp will lock its own folder as read-only and you won’t be able to delete it without finding out what is locking the file. The tool will do this for you and unlock the folder.

We are also offering an anti-malware program that can remove it for you. That is optional. The guide below will help you regardless. It will just be a slow, thorough process in the range of 1 hour or more, as opposed to a few minutes with the anti-malware program.

SUMMARY:

Name: TroxApp
Type: Browser Hijacker

How to Delete TroxApp and its files

Here we will focus on finding where the malware resides. As noted before, this won’t resolve the issue; TroxApp can come back.

  1. Type Apps & Features in the Start Menu, hit Enter.
  2. If you spot anything suspicious, Uninstall it. Yes, we know that if you could remove TroxApp this way, you wouldn’t visit our page. This part is more for spotting other suspicious apps. Sort the list by install date and look for anything that appeared since TroxApp appeared.
  3. After, type Folder Options in the Start menu, open it, and go to View. There, select Show Hidden Files, Folders, and Drives, and click OK.
  4. Now visit the following folder on your PC C:\Users\\AppData\Roaming\Troxbox Publish\TroxApp and delete the entire TroxApp folder.
  5. This is the part we warned you about in the beginning. If you can’t delete the folder, you will need to install a free tool called Lock Hunter.
  6. After the install, right-click the TroxApp folder -> What’s locking this folder? and in the window that opens, click Delete. That was an important step, but you’re not done yet.
  7. Type Task Scheduler in the Start Menu and open it.
  8. If anything is linked to TroxApp and set to restore it (this is possible but not 100% confirmed), it will be here. You can see what each item does by right-clicking the task and opening Properties –> Actions. Look at what software is executed by the task. No legitimate process will originate from Roaming or AppData.
  9. You must also type “%Temp%” in the Start Menu and hit Enter to open the Temp folder.
  10. Then you must delete everything in that folder as there might be some TroxApp files stored there.

For the Task Scheduler cleanup, you’ll have to do some manual digging on your own. The task names we’ve seen here are random strings with numbers that change, so we can’t give you an exact name to look for. It’s also possible there’s nothing. But again – this guide isn’t for TroxApp on its own. It’s for everything that infected you.
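
The check from step 8, as an added PowerShell example (not part of the original guide): it lists every scheduled task whose action launches something from AppData or Temp, so you don't have to open each task by hand. It changes nothing; the path patterns are an assumption about what counts as a user-writable launch location.

```powershell
# Added example: read-only audit of scheduled task actions. Nothing is modified.
function Get-UserProfileTask {
    # Assumed markers of a user-writable launch location (literal and %VAR% forms).
    $pattern = '\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|%(AppData|LocalAppData|Temp)%'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "exec" actions carry an Execute path; COM handler actions do not.
            if (-not $action.Execute) { continue }

            # Check the program and its arguments: a system binary such as
            # cmd.exe can be used to start a file stored in the user profile.
            $commandLine = "$($action.Execute) $($action.Arguments)"
            if ($commandLine -match $pattern) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

Get-UserProfileTask | Sort-Object TaskPath, TaskName | Format-List
```

Run it from an elevated PowerShell window so tasks registered by other accounts are included. Treat each row as a candidate to inspect in Task Scheduler before deleting it.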

We also strongly recommend that you clean the Registry of any TroxApp records. Type regedit in the Start Menu, right-click the first item, and run it with admin privileges. Then press Ctrl + F and search for “TroxApp”. If you find anything, delete the entire key (registry folder) where it’s located. Search again after each deleted key to see if there are others left. Then do the same when searching for “Troxbox”.

Finally, manually find the following registry keys in the left panel and delete them:

  • HKEY_CURRENT_USER\Software\Troxbox Publish\TroxApp
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6FF75648-4DBA-42BE-8DFD-42733DFEB882}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\alejc\AppData\Roaming\Microsoft\Installer\{6FF75648-4DBA-42BE-8DFD-42733DFEB882}\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\alejc\AppData\Roaming\Troxbox Publish\TroxApp\
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2711832992-2010773812-3919415913-1001\\Device\HarddiskVolume3\Users\alejc\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2711832992-2010773812-3919415913-1001\\Device\HarddiskVolume3\Users\alejc\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

If you don’t find any of these keys, that’s okay. Just be careful to not delete something else because you may inadvertently introduce additional issues to your PC.

How to Remove TroxApp’s “Managed by Policy” from your browser

This step may not be needed. To find out, type chrome://management/ in your browser’s address field. This works for Brave and Edge as well (but not Firefox) if you replace chrome with the name of the browser. If anything shows up as being managed, the browser was infected; continue with the steps. If not, you don’t need to continue with the guide, and you are done.

  1. Write in the Start Menu Edit Group Policy, and after you open it expand the Computer Configuration entry.
  2. Right-click on Administrative Templates and click Add/Remove Templates.
  3. If you see any items in the list that shows up, select them and select Remove.
  4. Restart your PC, open the browser that was infected, and see if the rogue policy is gone by typing chrome://management/ again.
  5. If this didn’t work and your browser still has the “Managed by your organization” policy locking it, visit this page and download the Chrome Policy Remover app. You can’t use this for other browsers, though. Only Chrome.
  6. If your AV deletes the app we just sent you to, temporarily turn it off and download the Policy Remover again. We promise, it’s safe.
  7. Right-click the app, run it as Administrator, and when a CMD window opens, hit Enter to execute its script.
  8. Once the process completes, close the CMD window, and you should now be able to freely make changes to your browser.
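
What chrome://management reports can also be read straight from the registry. The added PowerShell example below (not part of the original guide or of the Chrome Policy Remover tool) lists every policy value set for Chrome, Edge and Brave without changing anything; the registry paths are the standard Windows policy locations for these browsers and are not taken from this page.

```powershell
# Added example: read-only listing of browser policy values. Nothing is modified.
function Get-BrowserPolicyValue {
    # Standard per-machine and per-user policy roots (not taken from the article).
    $policyRoots = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome',
        'HKCU:\SOFTWARE\Policies\Google\Chrome',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge',
        'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave',
        'HKCU:\SOFTWARE\Policies\BraveSoftware\Brave'
    )

    foreach ($path in $policyRoots) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # The root key holds single-value policies; list-type policies
        # (for example force-installed extensions) live in subkeys.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

Get-BrowserPolicyValue | Format-Table -AutoSize -Wrap
```

An empty result after the restart in step 4 means no registry-based policy is left for these browsers; any rows that remain show which setting (search provider, extension list, homepage) is still being forced.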

Your browser is now unblocked; the rest of the guide is just for cleanup.

How to get Rid of TroxApp’s leftovers

We’ll show you how to clean up your Chrome browser because that’s the one TroxApp mostly infects, and the one most people use. If you are on another browser, use your judgement and look for the equivalent settings. Your browser is already unlocked at this point; this part only removes the leftover settings.

  1. Type chrome://settings/ in the address bar and hit enter.
  2. Open Privacy and Security and click Delete browsing data. Select the Advanced tab, tick all data types except Passwords, and clear it.
  3. Next, go to Site Settings –> Permissions section, and, one by one, open each permission type and check it for rogue sites under Allowed. We recommend denying any and all notifications on your browser. Click Remove on anything you didn’t approve.
  4. Move on to Appearance from the left and if there’s a strange URL set as your Home Button page, delete it.
  5. Next, go to Search Engine, choose the search engine you want as your default, and then click on Manage Search Engines. Look at the list of tools and if you find anything suspicious, eliminate it.
  6. Then go to the On Startup tab and also delete any sketchy URLs you may see there.
  7. Last but not least, go to Extensions, disable anything suspicious you may find there, and then click its Remove button to delete it.

Congratulations! You are done. We hope we helped you today. If this didn’t work, you definitely missed something, because we already tried and tested the guide. We recommend downloading the anti-malware program from one of our ads.

TroxApp and Other Related Threats

As we mentioned at the start, TroxApp is only one of many similar browser hijackers and malware apps with no other purpose than to assume control of your browser and use it for generating income through ads, site promotions, and other similar methods.

All evidence we collected during our research suggests that the people behind TroxApp are the same as the ones behind BivaApp, JoisApp, TjboApp, PubSurf, and PubQuo. All these are browser hijackers that are typically installed through file bundles downloaded from sketchy sites.

Troxbox public appears to be one of several names that refer to the same developer. Other related names we encountered are “vodw oiajf public” (BivaApp) and “uifie public co” (JoisApp). Needless to say, there’s no official information about either of these two developer aliases just as there’s no info about Troxbox public.

However, knowing these names can help you in the removal process of the TroxApp (or any other similar hijacker malware). The names of the files, processes, registry entries, and extensions of such hijackers change constantly, so it’s useful if you know what other names you must look out for.

For example, in the guide, we told you to look for the C:\Users\\AppData\Roaming\Troxbox Publish folder that you must delete. However, that folder might also be named Uifie public co or Vodw oiajf public, which is virtually the same thing only named differently.

In this instance, TroxApp is located in the Vodw oiajf public folder instead of the Troxbox folder.
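
Because the publisher name changes between variants, the folder and registry checks from the removal steps are worth repeating for every alias. The added PowerShell example below (not part of the original guide) does that for the three names mentioned in this article and only reports what it finds; matching on the Publisher and InstallLocation values of uninstall entries is an assumption about how the installer registers itself.

```powershell
# Added example: read-only; it reports matches and deletes nothing.
# Publisher aliases named in this article; extend the list as new ones surface.
$aliases = 'Troxbox Publish', 'Vodw oiajf public', 'Uifie public co'

function Find-HijackerTrace {
    param([string[]]$Publisher = $aliases)

    # Standard locations of installed-program entries (assumption: the hijacker
    # records an alias in its Publisher or InstallLocation value).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($name in $Publisher) {
        # Install folder under the current user's Roaming profile.
        $folder = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $folder) {
            [pscustomobject]@{ Kind = 'Folder'; Alias = $name; Location = $folder }
        }

        # Per-user settings key, e.g. HKCU\Software\Troxbox Publish.
        $key = "HKCU:\Software\$name"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Alias = $name; Location = $key }
        }

        foreach ($root in $uninstallRoots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            foreach ($entry in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
                $publisherValue = [string]$entry.GetValue('Publisher')
                $installPath    = [string]$entry.GetValue('InstallLocation')
                if ($publisherValue -eq $name -or $installPath -like "*\$name\*") {
                    [pscustomobject]@{ Kind = 'UninstallEntry'; Alias = $name; Location = $entry.Name }
                }
            }
        }
    }
}

Find-HijackerTrace | Format-Table -AutoSize -Wrap
```

The folder and HKCU checks cover only the account running the script, so repeat it for each user profile on the PC.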

This is also why we keep monitoring the evolution of this family of hijackers and update this article whenever there’s new relevant information that can help with their removal. With that in mind, we encourage you to share in the comments below any other odd names of processes, folders, files, or extensions you’ve noticed on your PC while TroxApp or another similar hijacker was there. This can greatly help us make this guide more detailed and exhaustive, so that it’s useful to as many users as possible.


About the author

Nathan Bookshire
