PUP.GlobalHop is a potentially unwanted program (PUP) that functions primarily as adware and a browser modifier. Once installed on a Windows system, it injects advertisements into web pages, redirects search queries through unfamiliar intermediary servers, and alters browser settings without clear user consent. While not classified as malware in the traditional sense—it doesn't encrypt files or steal credentials directly—GlobalHop degrades system performance, compromises privacy by tracking browsing habits, and opens pathways for more serious infections through the questionable ads and landing pages it generates.
This PUP typically bundles with free software installers, particularly media converters, download managers, and pirated application packages. Users who rush through installation dialogs without scrutinizing the "optional offers" checkboxes inadvertently approve its installation. Once active, GlobalHop establishes persistence through browser extensions, scheduled tasks, and registry modifications that survive simple uninstalls of the host application.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Classification | PUP (Potentially Unwanted Program) / Adware / Browser Hijacker |
| Family | GlobalHop adware cluster |
| Common Aliases | Adware.GlobalHop, BrowserModifier:Win32/GlobalHop, PUA:Win32/GlobalHop |
| Platforms Affected | Windows 7/8/8.1/10/11 (32-bit and 64-bit); primarily targets Chrome, Firefox, Edge |
| First Documented | Variants observed since approximately 2018; ongoing distribution |
| Distribution Method | Software bundling, fake update prompts, misleading download buttons on freeware sites |
| Persistence Mechanisms | Browser extensions (force-installed), scheduled tasks, HKCU/HKLM Run registry keys, services (uncommon) |
| Primary Capabilities | Advertisement injection, search redirection, click fraud, behavioral tracking, homepage/new-tab hijacking |
| Known Indicators | Random folder names under %LOCALAPPDATA%, browser extension IDs in Chrome/Edge policy keys, scheduled tasks with obfuscated names |
| Network Behavior | Connects to advertising networks and analytics servers; routes search queries through third-party domains before reaching legitimate search engines |
| Data Exfiltration Risk | Moderate—collects browsing history, search terms, clicked links; no evidence of credential theft but privacy impact is significant |
| Removal Difficulty | Moderate—standard uninstallers often leave persistence hooks; browser resets and registry cleanup typically required |
How It Spreads
GlobalHop relies almost exclusively on social engineering rather than technical exploits. The developers partner with free-software distributors and pay-per-install (PPI) networks to bundle the PUP into legitimate-looking installers. When users download a free PDF converter, video downloader, or system optimizer from a third-party site, the installer presents a rapid-fire series of dialog boxes. Buried among "Next" buttons and end-user license agreements are pre-checked boxes offering "enhanced browsing features" or "recommended partner software." Clicking through quickly—which most people do—grants permission for GlobalHop to install alongside the desired application.
Secondary distribution vectors include misleading advertising. You might encounter a fake "Your Flash Player is out of date" banner on a sketchy streaming site, or a deceptive "Download" button on a file-sharing page that actually triggers the GlobalHop installer instead of your intended file. These tactics prey on users' urgency and trust in familiar UI patterns. Once the executable runs, the installation is silent or minimally interactive, often completing before the user realizes what happened.
Common infection pathways include:
- Software bundlers: Installers from download portals like Softonic, Download.com (in some cases), or file-sharing sites that repackage open-source tools with adware
- Fake updates: Browser notifications or overlay dialogs claiming Java, Flash, or media codecs need updating
- Misleading ads: "Speed up your PC" or "Remove viruses now" banners that launch PUP installers instead of legitimate utilities
- Torrents and cracks: Pirated software bundles frequently include multiple PUPs to monetize the distribution
- Malvertising campaigns: Compromised ad networks serving auto-download exploits or clickjacking redirects to GlobalHop landing pages
What It Does On Your Machine
Once installed, GlobalHop establishes a multi-layered presence across your system. In the browser, it force-installs an extension through Group Policy (on Chrome/Edge) or preference files (on Firefox), granting the extension permission to read and change all data on websites you visit. This extension intercepts your search queries—whether typed into the address bar or submitted through Google, Bing, or DuckDuckGo—and reroutes them through a series of redirect domains. These intermediary servers log your search terms, IP address, and browsing session data before finally delivering you to a results page that looks similar to the legitimate search engine but includes injected sponsored links at the top.
Beyond search hijacking, GlobalHop injects display advertisements directly into web pages. You'll notice banner ads appearing in places where none existed before, pop-unders opening when you close a tab, and in-text ads where random keywords turn into double-underlined hyperlinks. Clicking any of these generates revenue for the PUP operators through affiliate commissions or pay-per-click schemes. The ads themselves vary in quality—some lead to legitimate but overpriced products, others to tech-support scams, fake antivirus landing pages, or even drive-by download sites hosting more serious malware.
On the filesystem, GlobalHop creates a randomly named folder under your user profile to house its executable components and support files. The main binary often masquerades as a system service or benign utility, using names like "UpdaterService.exe" or "BrowserHelper.exe." It registers scheduled tasks to ensure the process relaunches after reboot or if you manually kill it. Registry modifications anchor the extension installations and set autostart entries so that even if you remove the browser extension manually, it reinstalls itself the next time you launch the browser.
Manual Removal — Step by Step
Disconnect From the Internet
Unplug your Ethernet cable or disable Wi-Fi to prevent GlobalHop from downloading additional components or updating its configuration. This also stops any ongoing data exfiltration and reduces the risk of drive-by downloads from injected ads.
Boot Into Safe Mode With Networking
Restart your computer and press F8 (or Shift+F8 on Windows 10/11) during boot to access the Advanced Boot Options menu. Select "Safe Mode with Networking." This loads only essential drivers and services, preventing GlobalHop's persistence mechanisms from activating while still allowing you to download tools if needed.
Identify and Terminate the GlobalHop Process
Open Task Manager (Ctrl+Shift+Esc), switch to the Details tab, and sort by Name. Look for unfamiliar executables with generic names like "UpdaterService.exe," "BrowserHelper.exe," or processes running from %LOCALAPPDATA% folders with GUID-style names. Right-click and select "End Task." Note the file location from the "Open file location" context menu option before terminating.
Uninstall Suspicious Programs
Open Settings > Apps > Apps & features (or Control Panel > Programs and Features on older Windows). Sort by install date and uninstall any entries you don't recognize from around the time symptoms began. GlobalHop sometimes registers an uninstaller, but even if you run it, persistence hooks often remain—this step simply removes the obvious entry point.
Delete the Executable Folder and Registry Keys
Navigate to the folder you identified in Step 3 (typically C:\Users\[YourName]\AppData\Local\{GUID}\) and delete it entirely. Then open Registry Editor (Win+R, type "regedit"), navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and delete any values pointing to the GlobalHop executable. Also check HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist and remove any unfamiliar extension IDs.
Remove Scheduled Tasks
Open Task Scheduler (search for it in the Start menu), expand Task Scheduler Library, and review the list for tasks with random names or those triggering executables from the now-deleted folder. Right-click and delete any GlobalHop-related tasks. These often have triggers set for logon or hourly intervals.
Reset Browser Settings and Remove Extensions
In Chrome/Edge, go to Settings > Reset settings > "Restore settings to their original defaults" and confirm. In Firefox, open about:support and click "Refresh Firefox." Then manually review your extensions (chrome://extensions or about:addons) and remove anything unfamiliar, especially items you can't disable (indicating force-installation). Clear browsing data including cache, cookies, and site settings for the past month.
Run a Reputable Anti-Malware Scan
Download and install Malwarebytes Free (from malwarebytes.com—verify the URL carefully) and run a full Threat Scan. Let it quarantine anything it finds. Follow up with a scan using Windows Defender (built into Windows 10/11) via Windows Security > Virus & threat protection > Scan options > Full scan. These tools often catch remnants manual removal misses.
Change Passwords on Critical Accounts
While GlobalHop isn't known for credential theft, it does track browsing behavior and could have logged site visits. As a precaution, change passwords for your email, banking, and any accounts you accessed while the PUP was active. Use a different, clean device or wait until after the final reboot and verification.
Reboot Normally and Verify Removal
Restart your computer in normal mode. Test your browser by performing a search and visiting a few common websites—verify that no ads inject, no redirects occur, and your homepage/new tab page is what you set it to. Check Task Manager one more time to confirm no GlobalHop processes have returned. If symptoms persist, the infection may be deeper than typical PUP behavior, and professional intervention is warranted.
Prevention
- Download software only from official sources. Go directly to the developer's website rather than third-party download portals. If you must use a repository like SourceForge or GitHub, verify the publisher and read recent reviews before downloading.
- Choose Custom/Advanced installation every time. Never click through an installer on autopilot. Select "Custom" or "Advanced" mode and read each screen carefully. Uncheck any offers for toolbars, browser helpers, or "recommended partner software."
- Keep Windows and browsers up to date. Enable automatic updates for Windows and your browsers. Many PUPs exploit outdated software or rely on users manually downloading fake updates—real updates happen silently in the background or through official channels.
- Use a reputable ad blocker. Extensions like uBlock Origin (not uBlock—there's a difference) prevent malvertising and deceptive download buttons from even appearing. This cuts off a major PUP distribution vector before you can click it.
- Enable Windows Defender real-time protection. It's built into Windows 10/11 and catches most common PUPs at download time. Don't disable it for "performance reasons"—modern systems handle it fine, and the trade-off isn't worth it.
- Scrutinize browser extension permissions. Before installing any extension, review what data access it requests. If a weather app wants permission to "read and change all your data on the websites you visit," that's a red flag.
- Run periodic scans even when everything seems fine. Schedule a monthly Malwarebytes scan as routine maintenance. PUPs can lurk dormant or operate subtly enough that you don't notice symptoms immediately.
- Educate other users on your network. If you share your computer with family members or employees, make sure they understand the risks of freeware installers and suspicious download links. One careless install affects everyone using the machine.
Bring It In
Manual removal works for many GlobalHop infections, but persistence mechanisms evolve, and bundled PUPs often travel in packs—you might clear GlobalHop only to discover another adware variant or a trojan-downloader still running. Our technicians at Computer Repair Roswell use specialized diagnostic tools that identify all components of a PUP cluster, including rootkit-level persistence and registry hooks that consumer scanners miss. We also verify that your browser profiles are truly clean and that no lingering tracking cookies or local storage data remain to phone home after the main infection is gone.
Bring your laptop or tower to our Roswell location (call 470-202-3530 for directions or to schedule a drop-off). We'll run a comprehensive scan while you wait—most diagnostics finish within 30 minutes—and give you an honest assessment. If the infection is straightforward, we'll quote you our standard malware-removal rate with same-day turnaround. If we find deeper issues (like a compromised boot sector or a secondary RAT infection that rode in on GlobalHop's coattails), we'll explain exactly what's needed and get your written approval before proceeding. No surprise charges, no upselling unnecessary services—just transparent, expert repair backed by our 90-day warranty. Your data and your privacy matter; let's get your machine back to trusted status.