Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.

We recently talked about Potentially Unwanted Programs (PUPs), what they are and how they are now even brought to you by free antivirus providers. This article goes into more detail on how PUPs are delivered. Again, any application can be considered potentially unwanted when it is installed without a knowledgeable user’s “proper consent”.

However, with thousands of new PUPs a day and the gray area in which PUPs operate (between annoying and malware), there is still a slight chance that you will come across a PUP at some point. You may recognize a few of the methods by which they sneak in:

Example 1: Spreading through download portals

Upon visiting Filehippo.com, one of the most widely used download portals, one can find themselves presented with the most beautiful green download buttons that I have ever seen. However, the case is not so beautiful whenever you find yourself selecting the fake download option presented. Below is a continuation of what happens.

[Screenshot: download manager PUP on Filehippo]

Hmm…. This is interesting, now I am presented with the opportunity to receive a “Free Download Manager”….Wow! This is very nice of “Filehippo”. I really want to install Utorrent…on with the show.

[Screenshot: download manager PUP on Filehippo, continued]

Wait a minute – I wanted Utorrent but this does not look like Utorrent… I wonder what I did wrong? This scenario is a very common method by which users are tricked every day into downloading PUPs. A popular download portal hosts freeware software. Sure, the software is “free” (and free is good, right?). You click download and aren’t paying attention, or are not aware of the difference between the direct download and the second, seemingly legit download option. Congratulations, the PUP infestation has started! But fear not, there is a work-around.

How to avoid: The best way to avoid PUP scams such as this is to avoid download portals altogether. If you do use one, pay very close attention when downloading files, use an up-to-date antivirus with PUP detection enabled, and check the file name to be sure it is the software that you want. If it doesn’t have the proper executable name such as Utorrent, don’t execute it.
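One way to carry out the file check described above on Windows, as an added example that is not part of the original article: it goes beyond the file name and also reads the installer's embedded product name and Authenticode signer. The function name, file path and expected publisher string are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): inspect a downloaded
# installer before running it. Path and expected names are constructed samples.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Text you expect in the product or file name, e.g. 'uTorrent'
        [Parameter(Mandatory)] [string] $ExpectedProduct,
        # Text you expect in the signing certificate subject (assumed value;
        # take the real publisher name from the vendor's own site)
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $info = $file.VersionInfo    # version resource embedded in the executable
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Subject of the signing certificate; empty when the file is unsigned
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Does any name the file carries mention the product we wanted?
    $names = @($file.Name, $info.ProductName, $info.OriginalFilename, $info.FileDescription)
    $nameMatches = [bool]($names | Where-Object { $_ -and $_ -like "*$ExpectedProduct*" })

    # Was it signed by the publisher we expected, not by a portal or wrapper vendor?
    $signerMatches = $signer -like "*$ExpectedSigner*"

    [pscustomobject]@{
        File            = $file.Name
        SizeMB          = [math]::Round($file.Length / 1MB, 2)
        ProductName     = $info.ProductName
        CompanyName     = $info.CompanyName
        SignatureStatus = $sig.Status
        Signer          = $signer
        SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        LooksAsExpected = $nameMatches -and $signerMatches -and ($sig.Status -eq 'Valid')
    }
}

# Constructed usage: a file saved from a download portal
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\uTorrent.exe" `
    -ExpectedProduct 'uTorrent' -ExpectedSigner 'BitTorrent'
```

A download wrapper can carry a valid signature of its own, so the signer name matters more than the `Valid` status alone. The reported size and SHA256 can be compared with what the vendor's own site publishes.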

Example 2: Via fake updates, often pushed through temporary sites

Updates are often pushed through temporarily created websites, developed for Adsense, that serve mostly Open Source software, wrapped in downloaders that prompt users to update their Flash Player, Java, Service Pack etc. There are companies that create hundreds of sites a day in order to mislead the user and generate traffic to their site.

An example: Finally, just what Internet Explorer users have been wanting, an updater for their Internet Explorer. I wonder whether this IE updater will always ensure that I have the latest version of Internet Explorer. Wait, this definitely doesn’t look like a software updater. This is nice of Internet Explorer to offer me search protection and show me desktop notifications about the weather. Wow, this updated version of IE is really going to be something else!

[Screenshots: SoftwareUpdater installer offers]

The two installers above present the user with friendly offers. However, the offers in the above installations are far from great or friendly. Once installed, Search Protect will change your browser settings (Search Engine, Home Page, Tab Settings). Search Protect may even submit some of your browsing information to unknown sources as well. The StormWatch software will offer you ads during browsing sessions and more than likely numerous unwanted pop ups about “the weather”. Beware! Fake updaters will possibly “update” your computer status to potentially unwanted!

How to avoid: It can safely be stated that users do not want updated software or weather reports from this updater. The best way to avoid this specific type of junkware installation is to click Decline and untick any checkboxes which may be present. Once again be sure to USE CAUTION!

Example 3: Installers: spreading by downloaders and EULAs

One of my most favorite software programs of all time… KMPlayer. Whoa, this sure is a lot to read! I believe I will just hit Agree and Install! BAM! Now Spigot will install browser extensions, Shopping Aid, NewTab, Ebay Shopping Assistant, and Search Protect. That’s not all – your browser home page and search engine will be changed to Yahoo.

[Screenshot: CNET downloader]

This is the second wave of potentially unwanted “special offers” before finally reaching the legitimate installer. Pro PC Cleaner will install silently on a PC and then bombard the user with fake results, annoying them in many ways. Offers within downloaders (also called wrappers) from sites such as Download.com, Filehippo, Brothersoft, and so forth try to push users into accepting and installing junk. A user will not feel like reading a bunch of nonsense. Users only want to install their desired software.

How to avoid: A method of avoiding these types of potentially unwanted programs is to hit the decline button, and not to install anything without first carefully reading what is being pushed. Also, check on the download portal for information on the specific installer for details on what may be bundled with the software.

Example 4: PUP over PUP: one PUP downloads another?

Based upon research, Pro PC Cleaner is a very common potentially unwanted program that is bundled with freeware on many download portals. I wonder how effectively it can really clean a PC? In theory, this PUP can be compared to a rogue product. Let’s investigate:

[Screenshot: Pro PC Cleaner]

The above PUP was actually downloaded in the background by accepting the EULA terms in the Download.com downloader for KMPlayer. It is a truly frightening scenario; however, it is very true. One potentially unwanted program downloads another. Pro PC Cleaner is attempting to fool the user into purchasing their paid version (similar to a rogue). Just one install from Download.com and already an annoying PUP is popping up.

How to avoid: Remember to stay sharp, use common sense, and carefully observe and read EVERYTHING before installing. As mentioned earlier, please ensure your antivirus is up to date with PUP detection enabled.

Example 5: Express Installation: the express way to get infected?

In this example, we’re using Free Youtube Downloader, which is a very popular freeware application on CNET.com for downloading videos from Youtube. However, I bet CNET doesn’t inform the user about potentially unwanted offers inside. Let’s take a look:

[Screenshots: Free Youtube Downloader installer from CNET]

There you have it. The express way is not always the best method to take. Yes, the Express installation process may be only a few clicks and done; however, is it really worth the risk of installing potentially unwanted programs? Skype is a legitimate application; however, it may be unwanted for a user that doesn’t need it. The express installation installed potentially unwanted programs to the browser which will display ads and collect/share user data. That doesn’t sound too friendly to me.

How to avoid: Never use the express or recommended installation. It’s recommended with the best interest of the creator in mind, not yours.

Example 6: Custom Installation: is a custom install better than express?

YTD Video Downloader is yet another popular freeware application. Let’s check to see if its installation options are any less PUPish on its custom install than Free Youtube Downloader. Will the custom install make a difference? Let’s find out:

[Screenshot: YTD Video Downloader installer from CNET]

It does not take a rocket scientist to see that while custom installation options are available, sadly, so are the potentially unwanted programs. However, there is a distinct difference between Express and Custom install options: an express install does not give the user an option to change what is installed, while a custom installation lets a user choose exactly what is being installed on their system. A user can easily uncheck all unwanted offers if they are cautious and do not take the express way.

How to avoid: Use the same tactics mentioned before, and in addition choose a custom install option. As mentioned above, choosing a custom install is recommended because then you control what is installed on your system. Always try to choose a custom install when available.

Example 7: New homepage, search engine and updated drivers

Under normal circumstances, the ability to change one’s browser homepage and search engine is good. However, potentially unwanted programs now utilize methods of deceit within installers to trick a user into changing a home page, search engine and even new tab settings. Even customized installations fall victim to this devilish PUP trickery, as shown below.

[Screenshot: InstallX2]

As shown in the above screenshot, a user will be prompted with several potentially unwanted offers. In the image we see: Game Fire, ResultsBay, WebSearches, Driver Scanner, and Smart Driver updater, all occurring from one simple installation. Wow! That is a lot to take in! PUPs are taking over installers. Proceed with caution! Custom installations are no longer as “secure” as people believe them to be.

How to avoid: Having the ability to avoid these types of offers is critical. Carefully untick all the checkboxes that appear to install junkware. With some installers you may even hit Cancel, which may cancel the PUP installation. Again, it is stressed that you be very careful and read installation options before proceeding.

Example 8: Spread by force: the almost no way out method

The activities performed by this potentially unwanted offer are anything but fun. In summary, Inbox toolbar wants to install as a typical PUP; however, this PUP is playing dirty. The Inbox toolbar installation is actually willing to force the user to make a change to their home page or search provider before installing the software. Sounds like the user needs to send this toolbar to the deleted folder!

[Screenshots: Inbox Toolbar PUP installer]

Never fear, there is hope! It seemed very grim and dark for a moment. The above so-called forceful potentially unwanted offers can indeed be skipped. This PUP was trying with all of its cunning to trick the user into changing their browser settings. This type of PUP should be approached and dealt with cautiously before proceeding with the rest of the installation.

How to avoid: In order to avoid this installation, one must always use good judgement and choose to untick the potentially unwanted checkboxes. Additionally, it may be possible to select cancel in order to skip over the offer as well. NEVER proceed through an installation without cautiously reading what is being offered. Users may assume that at this point, it may be a wise decision to cancel out of the installation altogether.

Example 9: Someone else uses your computer

You may share your computer with your kids, co-worker or significant other. They may not be as careful as you and may get PUPs on your computer. This could especially be the case if they visit torrent sites, streaming sites or online gaming sites, which frequently bombard visitors with downloads and ads.

How to avoid: The only way to really get around this is to use your computer for your own use only.

 

Example 10: Your employer lets you do research on PUPs ;)

Even if you are like me and pay close attention to what you’re installing, it still can be very tricky. Some PUP creators are working hard to get around antivirus programs and uninstall programs, sometimes with a simple line of code. Some PUPs are really hard to detect by a savvy computer user, let alone the average computer user.

How to avoid: Use a virtual machine and/or take a recovery snapshot of your operating system before starting your research. This might sound a bit over-the-top, but really is a straightforward way to not have to worry about how slow your system – even if it is just your computer at work – might end up.
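A lighter-weight complement to the snapshot advice, which also surfaces the background installs from Example 4 and the home page changes from Example 7: record what is installed and what starts automatically, run the installer, then diff. This is an added example, not part of the original article, and the function names are hypothetical.

```powershell
# Added example (not from the original article): before/after record of
# installed programs, autostart entries and the Internet Explorer home page.
function Get-SystemSnapshot {
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $run       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    $items = @()

    # Entries shown in "Programs and Features"
    $items += @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        ForEach-Object { "Program|$($_.DisplayName)|$($_.Publisher)" })

    # Values under the Run keys (programs started at logon)
    foreach ($key in $run) {
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($k) {
            foreach ($name in $k.GetValueNames()) {
                $items += "Autostart|$name|$($k.GetValue($name))"
            }
        }
    }

    # Internet Explorer home page
    $start = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
    $items += "IEStartPage|$start"

    $items | Sort-Object -Unique
}

function Compare-SystemSnapshot {
    param([string[]] $Before, [string[]] $After)
    # '=>' marks lines present only in the second snapshot
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Item   = $_.InputObject
            }
        }
}

$before = Get-SystemSnapshot
# ... run the installer being examined, then take the second snapshot:
$after  = Get-SystemSnapshot
Compare-SystemSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The snapshot covers only the registry locations listed in the code; browser extensions and the settings of other browsers are stored elsewhere and are not compared.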

Important facts to remember to avoid PUPs

In the end, everyone will succumb to at least one potentially unwanted program in their life. The industry needs to change and take a clear stance on PUPs, so that they’re only offered opt-out or so that antivirus programs can block them all. The important facts to remember to avoid potentially unwanted programs are:

  • Be cautious, use common sense and take your time.
  • Install, update, and run reputable antivirus software, such as Emsisoft Anti-Malware, that offers real-time protection against PUPs.
  • Only use reputable download sources.
  • NEVER download or install applications that seem suspicious or malicious.
  • Look for custom installation options and use them if available.
  • Look for concealed Decline/Skip buttons; they usually have an unobtrusive font type and color, in contrast to the big shiny “Next” button.
  • Scan and clean your computer from PUPs periodically with the Free Emsisoft Emergency Kit.

Have a great (PUP-free) day!

Update 1/28/15: The How To Avoid on Example 8 has been added and the article has been updated accordingly.

 

  • Milo

    There was an ad today from PC World for ‘reimage’… A piece of junk if ever there was… And expensive junk at that. That a supposedly legit computer journal would let its name, its company be used for this piece of junk ends up shocking.

  • Jon Delo

    Thank you for the update, unfortunately many people are dummkopfs.

  • Gennady Nesin

    Thanks for the explanation!

  • Doug Jacques

    You didn’t explain how you avoided the two buttons in example 8, you only said it was more difficult than the others, but not HOW to get around it.

    • sladelloyd11

      Thank you very much for your feedback. I appreciate you pointing that out. Honestly, this was my first article and I just mistakenly did not put the method of avoiding on Example 8. I will most definitely be more cautious of this in the future. I will be proofreading future articles much more carefully. I hope you understand. I appreciate your feedback. I completely overlooked Example 8 somehow. I am disappointed that this happened; however, I will take this feedback and improve upon this in the future. Thank you.

    • Marc Leroux

      In MOST cases, you can click on the “X”. This does not always work for all PUPs, but it does work for most. I try to avoid those little suckers (leeches) too, but they are a problem to completely avoid. Closing the install application works about 90% of the time, but those programmers are getting smart and are now starting to disable that workaround. I ALWAYS check my “Programs and Features” and “Task manager – Processes” listings to make sure I haven’t unknowingly picked up something nasty. There are now a lot of PUPs that work in the background and you will never see them.

      • Mariska

        You’re correct, the PUP creators are trying to find all sorts of workarounds so that they can still get on your computer. You may not know that the Emsisoft Emergency Kit scans for and removes PUPs as well (as well as other malware). It’s free and you don’t need to install it, probably smart to do periodically.

  • RandallEvans

    I regularly get offered firefox updates in an extra window. When I check I find, surprise surprise, that firefox is up to date!

  • Urs Rau

    How did you avoid it in example 8? The text doesn’t say how you did it? Only that it was harder than the others.

  • Foxynana

    I want to thank you for explaining what my IT man has not seen fit to inform me about. I went into Avast this morning and found the box on PUP’s and checked and did a scan. Again thanks so much. BTW you are the only program that actually sends me information that I read and appreciate. KUDOs

    • Monika (Emsisoft)

      Highly appreciate your feedback!

  • great article

    lately it seems that no matter what you do, stuff sneaks through when you install software [I’ve taken to comparing the file sizes of applications on filehippo to that of the actual manufacturers website – often you can pick up glaring discrepancies, which tells you that the installation archive is bloated]

    I often check add/remove programs for any funnies that may have taken up residence on my machine. Nothing like a clean install to put the spring back in your PC’s step.

    I am a user of emsisoft, but also use winpatrol which does a good job.

    • Monika (Emsisoft)

      To me, it is not only about spring cleaning your machine (which is really great, wouldn’t believe what old files and pics are hidden here and there ;)), but the misuse of trust that you put into the hands of that/any company. So maybe we really need to sometimes redefine the term “free” and/or add a clearly visible badge “privacy-free” or similar… like they do with gluten-free, lactose-free and genetically unmodified food etc.

  • sladelloyd11

    Everyone: Concerning that matter of Example 8: The How To Avoid for this one was not on the article because of an editing mistake. I can assure everyone that this will be updated soon.

  • Mariska

    Thank you for sharing that forum, seems like a nice knowledge base.

  • Cat Tilley

    We must remember, while there’s lots of ‘free’ software for Windows, that there’s no such thing as a free lunch with that brand of OS. A few rely on donations, while most will just brute force load one up with the PUPs. This is to include some brands of free security, Avast is really bad, and AVG wants to push their ‘PC Analyzer’, which includes, of all things we don’t need, a registry cleaner, not to count the endless other PUPs that come from software wrappers.

    There are two ways to get rid of these, one by on demand Emsisoft Emergency Kit scans. That’s potent enough to catch a lot, a whole lot, however sometimes malware has a way to embed itself, which brings me to my preferred recommendation, prevention is better than cure.

    Protect your computer(s) with Emsisoft Anti Malware, and give yourself constant, real time protection against these PUP’s. Better yet, add Online Armor Firewall, that’s a 1-2 punch that makes it tough for a few legit apps to be installed while getting used to one’s environment & computing habits. I’m into my 3rd year with EAM, first with OA.

    There’s a new Emsisoft Internet Security Pack that combines both that I’ll likely take next go-around, the Firewall is still there, and being that both are as one, they’ll work together even better than separates!

    Note that while I push EAM heavily, I’m not a rep of the company, and don’t get anything for recommending the software. All that I can tell you all is that it works, and have never been infected with EAM & OA on my computers. These will catch the PUP’s.

    A final note, today’s OSes have more inbuilt utilities than ever, there’s often no need to be downloading this & that, Windows 7 & above has a disk burner built into the OS. Download needed software, such as backup, straight from the source, this greatly reduces chances of PUPs sneaking in. The reason why I mention backup software is that Backup has to be a part of one’s security plan.

    • Monika (Emsisoft)

      Hi Cat,
      I don’t have much to add here, really. Thank you for taking the time to write it all up. I hope you continue to like and spread the word about our products!

    • Grand Poobah

      The main reason I stopped using AVG is that one day while I was being a bit lazy/unobservant, I accidentally let it hijack my search engine (default option on its update install). The impacted browser provided a way to undo the damage, which was non-functional. No other solution’s method of changing this hijack was effective.

      As often as Avast gives me false positives (and as frequently as it seems to “take over” without permission for the more-effective Malwarebytes Anti-Malware), I leave it installed. There’s truly no such thing as a free lunch, I try to go with the one that causes me the least grief.

  • Elilla Shadowheart

    Use an extractor (like Universal Extractor) to pull the files out. Then install the app minus the spamware.

  • Moreh Richard Fulk

    I learned a great deal reading this on PUPs, I thought I was more savvy than I actually was, I had no idea as to where I’d in the past picked up so much garbage until after reading this page. This was an eye opener for me. Thank you kindly for putting this together, it’s very helpful.