Introduction

I wanted to view some comics a friend recently gave me. If you haven’t heard of Berserk, you should go check it out. The anime does the manga justice, but the manga, just like all original sources, is way better than the anime because it doesn’t leave anything out. Anyhow, getting to the problem. In all of my excitement to start reading the manga I downloaded the first comic viewer I found because I vaguely remembered the name and I never would have suspected what happened next.

NEVER INSTALL CDisplayEx EVER

Before I start ranting, I just need to say that I almost never present opinion or uncertainties on my blog because I don’t like putting misinformation out on the internet. I am slamming CDisplayEx because the installer they offer on their site, www.cdisplayex.com, gave me malware. Not just one piece of malware, I got about 20-25 pieces (objects) of malware on my machine and I never agreed to any of it while installing the software. I am usually very careful about this kind of thing and I don’t install a lot of programs without recommendation or research… usually. Therefore I will be putting my foot in my mouth right now because the one time I put my guard down because I am excited to read my manga, I get hit with a program that is acting as a Trojan horse for 20-25 pieces (objects) of malware.
Hence I am telling anyone who is reading this right now to NOT INSTALL CDisplayEx EVER it harbors bullshit in it. If you check out that site I provided above, there is no mention anywhere on the site that you are installing a bunch of other crap with CDisplayEx. The EULA says you are taking the program as-is, yeah usually that mean just that program – not that you are going to get hit with a bunch of malware.
Before I ran Malware bytes, I uninstalled Mezza and Search Protect manually from my PC. I got hit with the following list of Malware which luckily I was able to remove using Malwarebytes. Thank goodness for free antivirus scans and removal tools and shame on Microsoft for their native antivirus, Windows Defender, for failing horribly on Windows 8. I ran a scan with Windows Defender and it found nothing! One of those pieces of Malware was a search engine hijacker named Trovi. I will get into why this is bad news for you if you use Chrome.

Registry Keys: 2

  1. PUP.Optional.SearchProtect.A, HKUS-1-5-21-3800025958-4139502185-2390362187-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0SOFTWAREMICROSOFTINTERNET EXPLORERSEARCHSCOPES{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, , [03992d9c95e6da5c83c63b35768c2dd3], 
  2. PUP.Optional.Mezza, HKLMSYSTEMCURRENTCONTROLSETCONTROLSAFEBOOTNETWORKMZA, , [712b52775526d85e260bf5f24bb757a9], 

Folders: 4

  1. PUP.Optional.OpenCandy, C:Users[UserName]AppDataRoamingOpenCandy, , [25776267c8b34de9c0231aa27989619f], 
  2. PUP.Optional.OpenCandy, C:Users[UserName]AppDataRoamingOpenCandyF2DCE73D13D54943ACEEE0596DA783E6, , [25776267c8b34de9c0231aa27989619f], 
  3. PUP.Optional.Extutil.A, C:Users[UserName]AppDataLocalTempD7ADFCCA-EE7E-442C-9999-C4D14FEF360B, , [861620a94f2c231331dd0dc836cc817f], 
  4. PUP.Optional.Managera.A, C:Users[UserName]AppDataLocalTemp38fdaae5-8e0e-493c-88ec-e05c3be06e42, , [f6a6d1f8a7d4e254729d1cb99b6728d8], 

Files: 13

  1. PUP.Optional.OpenCandy.A, C:Users[UserName]AppDataRoamingOpenCandyF2DCE73D13D54943ACEEE0596DA783E6dlm.exe, , [c8d49732f68523134220ce5d748deb15], 
  2. PUP.Optional.Mezza, C:Users[UserName]AppDataRoamingOpenCandyF2DCE73D13D54943ACEEE0596DA783E6MZAAppSetupx30001.exe, , [712b488196e596a036748f1ae41d6997], 
  3. PUP.Optional.SearchProtect.A, C:Users[UserName]AppDataLocalTempnsjC834.tmp, , [1785e6e3b8c30b2bf5865e3a09f8e31d], 
  4. PUP.Optional.Conduit.A, C:Users[UserName]AppDataLocalTempnskFDC0.exe, , [316b0cbd1b605adc90c4b9d5d829cc34], 
  5. PUP.Optional.Conduit.A, C:Users[UserName]AppDataLocalTempnsl11C.exe, , [5d3f3e8b82f9e3532f25e7a71ae7b749], 
  6. PUP.Optional.Conduit.A, C:Users[UserName]AppDataLocalTempnsrDD92.exe, , [c5d7ad1ce3980e281044e0aec23fee12], 
  7. PUP.Optional.Conduit.A, C:Users[UserName]AppDataLocalTempnst949F.exe, , [aeee329795e65ed8490b7f0f3ac7e11f], 
  8. PUP.Optional.Conduit.A, C:Users[UserName]AppDataLocalTempnsvDAF1.exe, , [fba10ebb7efd82b4aba9eea040c1c43c], 
  9. PUP.Optional.Extutil.A, C:Users[UserName]AppDataLocalTempD7ADFCCA-EE7E-442C-9999-C4D14FEF360Bbk.js, , [861620a94f2c231331dd0dc836cc817f], 
  10. PUP.Optional.Extutil.A, C:Users[UserName]AppDataLocalTempD7ADFCCA-EE7E-442C-9999-C4D14FEF360Bcs.js, , [861620a94f2c231331dd0dc836cc817f], 
  11. PUP.Optional.Extutil.A, C:Users[UserName]AppDataLocalTempD7ADFCCA-EE7E-442C-9999-C4D14FEF360Bmanifest.json, , [861620a94f2c231331dd0dc836cc817f], 
  12. PUP.Optional.Managera.A, C:Users[UserName]AppDataLocalTemp38fdaae5-8e0e-493c-88ec-e05c3be06e42cs.js, , [f6a6d1f8a7d4e254729d1cb99b6728d8], 
  13. PUP.Optional.Managera.A, C:Users[UserName]AppDataLocalTemp38fdaae5-8e0e-493c-88ec-e05c3be06e42manifest.json, , [f6a6d1f8a7d4e254729d1cb99b6728d8], 

How does this affect Chrome?

I have Chrome installed on all of my computers, which is about five PCs right now. Two of those PC’s are my work PC’s. Imagine my psychotic rage when I found a browser hijacker on my work PC. I don’t take risks with my work machine EVER. How the hell did Trovi find it’s way on my work PC. Well the one thing that I LOVE about Chrome is a double edged sword in this situation. My default search engine was switched on all chrome instances on all five PC’s to Trovi. This makes it ultra confusing to find the culprit. The culprit being my Windows 8 Surface Pro 2 because I installed that nefarious piece of software, if it can be called that now, CDisplayEx.
I had a different experience removing Trovi from each PC. I wasn’t recording what I was doing while I was panicking to remove this pest from my machines. I was more concerned about eliminating the threat than writing a blog article. The experience I had pretty much came down to one thing:
  1. Uninstall Chrome completely
  2. When it asks you if you want to delete your data, to be on the safe side say Yes
  3. Reinstall Chrome – reconnect your Google account etc etc etc
This helped me get rid of Trovi. Unfortunately with viruses and malware, you are never 100% sure if you got rid of it. Just because Malwarebytes and Windows Defender are saying that I don’t have any threats detected doesn’t mean that something isn’t still lurking around.

Your host file is altered without your permission

This may not mean much to a lot of people, but it is a big deal if you actually use your host file. I use my host file heavily and the only reason I even noticed that this even happened was because I have my host file open on my work PC all of the time. What is scary about this is that this happened on a PC that just had the search engine changed on it to Trovi via Chrome as the delivery method. That’s pretty screwed up. I am still scratching my head on that one.

Anyhow, if you want to check your host file go to this directory:
C:WindowsSystem32driversetc      – the file is named “host” no extension

I had two different experiences:

  1. My host file was deleted outright
  2. My host file was backed up for me (gee thanks!) – which is still kind of like being deleted

Actions taken

This pissed me off enough to report these bastards to the FBI. Now I know you had to take a double take at what you just read, yes you can submit a complaint to the IC3 in order to report internet and cyber crimes. This definitely falls under that category because programs were installed on my computer with malicious intent and without my consent. I want to see how far I can take this. The IC3 works, I have reported sites before for different reasons and I had bad sites investigated and eventually shut down. Let’s see how far I can take this.

Update 11/14/2015

I was looking for a new comic book reader to use and I stumbled across this article by LifeHacker:
I am adding this to my post to defend my position on CDisplayEx and why you shouldn’t install it. Call this reinforcement of my argument. I don’t care if it was a good program, the point is it isn’t anymore because of the Malware that is obviously present.
Here is an excerpt from the article dated 12/28/14 8:00am:

Earlier this week we asked you to tell us which comic book readers you thought were the best, since our previous picks were getting a little out of date (and our previous champion, CDisplayEx, apparently is bundled with a boatload of malware that many of you have written in to complain about.) You offered up tons of great nominations—and defenses of CDisplayEx—but we only have room for your top five. Here they are, in no particular order:

 Therefore once again, those of you who want to criticise this post are just being belligerent because I am presenting facts not opinion. In other words even if you disagree with me, you are wrong.

Conclusion

Don’t just install programs that look okay, even when you are excited about reading your favorite manga of all time.

24 Replies to “How I got Trovi on my computer and why you should never install CDisplayEx”

  1. This program was caught by the AVG antivirus for me. Wanting to check if it was a serious threat, I found your point, and I'm sufficiently convinced. I'm curious if old versions of this software were similarly infected. There is a rather small list of .cbr readers, and there's no doubt that this plays into the strategy of getting such malware installed. I believe it's still top of the list for many related Google searches. But maybe it's only a matter of time before they recognize it too and put up warnings.

    1. You make a good point there – I am going to see if I can contact google about this. Not sure if they can intervene on this one or not (probably not). I am also going to contact the site's host. There has to be a guideline about this, they should not be hosted if they are harboring malware. Unless there is a legal loophole or something.

  2. Dear Infernape28,

    I took the liberty of deleting your comment instead of replying to it because I figured the amount of time and effort you spent on writing it was gratifying to you. I found it gratifying to delete your comment. Plain and simple, I downloaded the EXE from the site, wrong link or not, I found it on the site and it was infected. When they clean up the site I will update this article. Until then, I stand by what happened to me and probably others.

  3. Same here. I installed it from http://www.cdisplayex.com, very careful to disable any proposed additional program, yet it changed chrome settings to Trovi, and installed Conduit software (SearchProtect).
    I hadn't had that kind of near-virus issue since the last millenium, as I can usually tell legit software from malware.
    CDisplayEx.com is really to be avoided. I had to install MawareBytes to disable all the malwares added…

    1. I want to thank you for sharing your experience. After I made this post the first reply that I got was from a user named Infernape28 who essentially said it was my fault for getting infected. Like I said in the post, I wouldn't post this unless I was sure and you are helping me prove that. Thank you.

  4. I found your article after the fact and, yes, I should've researched it before downloading it but I didn't. I had to uninstall a bunch of malware including Chromium which was a bitch! I didn't get Trovi as far as I know, but I am looking for it. Thanks for your article, I wish i had seen it prior to my mistake.

    1. I'm sorry you had to go through this, we live and learn right? Unfortunately there is a community of zealous trolls out there too that stand by CDisplayEX stating that there is nothing wrong with the software and it is just that site that got hacked – they blame us for downloading it. Hopefully you can fix your computer and get past this, I recommend Comic Rack in the mean time.

  5. Well, that's irritating. Avast flagged something up after I installed CDisplayEx last night, but I looked up the error and it said it was a broad-spectrum warning so I thought nothing of it. I saw Chromium had been installed too, but it's the browser I use on my laptop with Ubuntu on it so I thought I'd just missed one of those annoying check-boxes with the install. I uninstalled it with Programs and Features, but when I started my computer this morning it opened up anyway. Scanned with Malwarebytes, and sure enough, it found four of the PUP files in my registry. Fortunately, Chrome warned me when the Chromium extension tried to install itself in my browser, and looking through the AppData folder it looks like it didn't find its way in.

    Regardless, it's taken a fat dump all over my registry, so now I've got to go through the rigmarole of removing it. I should have done more research before hand. Anything I need to look out for?

    1. I'm sorry to hear that this happened to you. I don't have anything more to contribute other than it seems like the malware that is embedded into CDisplayEx is evolving quite a bit. I hope the responsible parties burn in hell. Worst case scenario, not that it is fun to do, wipe your drive if you can't fix it.

  6. Thanks for your dedication and share. I was about to install it when Avira rung the bell. Any suggestion for a light weight comic book reader for Windows?

  7. Was looking for a comic reader and it's a shame that it is one of the first results that comes up on Google. Nearly got infested, thankfully I had Avast installed and was able to remove the crap that it comes with. Thanks dude, keep this up.

  8. Thanks for the info. I was installing it until I got to a blank page saying something about installing other stuff on my computer. It wouldn’t let me continue until I clicked “Next” which would have dumped all that malware into my system too. I’ll use another comic book reader which is not full of malware.

    1. And be careful because all of the CDisplayEX fanboys will grill you alive for saying so. I’m sorry you got hit with that virus site, I would report them to the FBI. Didn’t do much for me, but you never know.

  9. I tried repeatedly to download CDisplayEx today, and it kept getting deleted by my anti-virus (Thanks work policies!), so I googled and found this article before I went for a workaround to install it.

    Still unsafe as of 8. of May 2019

Leave a Reply

Your email address will not be published. Required fields are marked *