PUP.Portscan.H is a potentially unwanted program (PUP) that masquerades as a legitimate network diagnostic utility while exhibiting behavior characteristic of adware and system monitoring tools. First identified in detection databases in late 2018, this software typically arrives bundled with freeware installers and positions itself as a port-scanning or network-security tool, though its actual functionality focuses primarily on generating advertising revenue and collecting system usage data. While not classified as malware in the traditional sense, PUP.Portscan.H employs deceptive distribution tactics and creates persistence mechanisms that make it difficult for average users to remove.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | Potentially Unwanted Program (PUP) / Adware |
| Common Aliases | PUP:Win32/Portscan, Adware.Portscan.H, PUA.Portscan, Generic.Portscan |
| Platform | Windows 7, 8, 8.1, 10, 11 (32-bit and 64-bit) |
| First Detected | Q4 2018 (variants continue to circulate) |
| Distribution Method | Software bundling, fake installers, misleading advertisements |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, browser extensions, system service registration |
| Primary Capabilities | Advertisement injection, browser modification, data collection, affiliate redirects |
| Typical File Locations | %LOCALAPPDATA%, %PROGRAMFILES%, %APPDATA%\Roaming subfolders |
| Network Behavior | Frequent connections to advertising networks, analytics servers, affiliate tracking domains |
| Data Collection | Browsing history, search queries, clicked links, installed software inventory |
| System Impact | Moderate — browser slowdowns, increased CPU usage during ad injection, privacy concerns |
| Removal Difficulty | Moderate — multiple components require identification, browser cleanup necessary |
How It Spreads
PUP.Portscan.H primarily spreads through software bundling, a distribution tactic where the unwanted program is packaged alongside legitimate freeware or shareware applications. Users downloading video converters, PDF tools, system optimizers, or download managers from third-party websites frequently encounter bundled installers that include PUP.Portscan.H. The installation wizard typically presents the unwanted software in pre-checked boxes, declining screens with confusing "Accept" buttons, or Express installation options that bypass disclosure screens entirely.
A secondary distribution vector involves fake system alert websites that display fabricated security warnings claiming your computer has performance issues, outdated drivers, or security vulnerabilities. These deceptive pages pressure visitors to download a "scanning tool" or "optimization utility" that actually delivers PUP.Portscan.H. The threat also spreads through malvertising campaigns on legitimate websites, where compromised advertising networks serve malicious ads that trigger automatic downloads when clicked or, in some cases, simply when the ad renders on screen.
Common distribution methods include:
- Bundled installers — Tucked into setup packages for popular freeware tools, often with pre-checked consent boxes
- Fake system warnings — Browser-based alerts claiming your PC needs scanning or optimization
- Misleading download buttons — Oversized "Download" buttons on software repositories that aren't the actual download link
- Software cracks and keygens — Pirated software installers that include PUPs as additional payload
- Torrent files — Executable files masquerading as media or software in peer-to-peer networks
- Email attachments — Less common but occasionally distributed via spam campaigns disguised as software updates
- Compromised browser extensions — Legitimate extensions that were purchased by adware operators and updated to include PUP behavior
What It Does On Your Machine
Once installed, PUP.Portscan.H establishes multiple persistence mechanisms to ensure it survives reboots and casual removal attempts. The program typically creates a randomly-named folder in the user's AppData directory and copies its main executable there, then registers this executable in the Windows Registry Run keys so it launches automatically at startup. Some variants also create a Windows scheduled task that triggers the program at regular intervals, providing redundancy if the registry entry is removed.
The primary function of PUP.Portscan.H is monetization through advertising injection. It modifies browser settings across Chrome, Firefox, Edge, and other browsers by installing extensions or injecting code that intercepts web traffic. When you browse the internet, the PUP injects additional advertisements into legitimate web pages, replaces existing ads with affiliate versions that generate revenue for the attackers, and modifies search results to prioritize sponsored links. You'll typically notice banner ads appearing where none existed before, in-text advertising where certain words become clickable links, and pop-under windows that open behind your active browser window.
Beyond advertising, PUP.Portscan.H functions as a data collection tool. It monitors your browsing activity including visited URLs, search queries, clicked links, and time spent on various websites. This information is transmitted to remote servers operated by the PUP's distributors and may be aggregated, analyzed, and sold to advertising networks or data brokers. While the PUP typically doesn't target sensitive information like passwords or financial data, the privacy implications are significant — especially if you conduct professional research, access health information, or browse content you'd prefer to keep private.
System performance degradation is another common symptom. The advertising injection process requires constant monitoring of browser activity and network traffic, consuming CPU cycles and memory. Users frequently report browsers becoming sluggish, longer page load times, and occasional browser crashes when the injected advertising code conflicts with legitimate website scripts. The persistent network connections to advertising servers can also impact internet speed, particularly on slower connections or during periods of heavy ad-serving activity.
Manual Removal — Step by Step
Disconnect from Network and Document Symptoms
Before beginning removal, disconnect your computer from the internet by disabling Wi-Fi or unplugging the Ethernet cable. This prevents the PUP from receiving commands, downloading additional components, or transmitting collected data during the removal process. Take note of any unusual browser behavior, unfamiliar programs in your system tray, or specific error messages you've encountered — this information helps verify complete removal later.
Boot Into Safe Mode with Networking
Restart your computer and boot into Safe Mode with Networking to prevent PUP.Portscan.H from loading its standard startup components. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5 (Safe Mode with Networking). Safe Mode loads only essential system components, making it easier to identify and remove malicious processes without interference from the PUP's active protection mechanisms.
Uninstall Suspicious Programs
Open Settings → Apps → Apps & features (or Control Panel → Programs and Features on older Windows versions) and carefully review the installed program list. Look for entries named "PortScan," "Network Utility," "PC Helper," or any programs you don't remember installing, especially those installed around the time symptoms began. Uninstall any suspicious entries, but note that PUP.Portscan.H sometimes disguises itself with generic names like "System Utilities" or uses no entry at all. Check installation dates — legitimate software from Microsoft or Adobe won't have recent installation dates unless you specifically installed updates.
Terminate Malicious Processes
Open Task Manager (Ctrl+Shift+Esc) and examine the Processes tab for unfamiliar executables, particularly those running from AppData folders or consuming unusual amounts of CPU for background processes. Right-click suspicious processes, select "Open file location" to verify the path matches the artifacts listed earlier, then right-click and choose "End task." Common process names include "portscanh.exe," "pscansvc.exe," or randomly-named executables — but note that process names vary between variants, so focus on unfamiliar processes running from user AppData directories.
Remove Persistence Mechanisms
Press Win+R, type "regedit," and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries referencing the file paths you identified earlier or any executables running from AppData folders. Delete these registry entries by right-clicking and selecting Delete. Then open Task Scheduler (search for "Task Scheduler" in the Start menu), expand Task Scheduler Library, and delete any tasks with suspicious names like "PortScanHelper_Update" or tasks that run executables from AppData locations. Make note of what you delete in case you need to restore legitimate tasks later.
Delete PUP Files and Folders
Open File Explorer and navigate to %LOCALAPPDATA% (paste this into the address bar) and %APPDATA% to locate the folders containing PUP.Portscan.H executables. Delete the entire folder containing the malware — these typically have GUID-style names (long strings of letters and numbers in curly braces) or generic names like "PScanHelper." Also check Program Files and Program Files (x86) for folders named "PortScan Utility" or similar. If Windows reports files are in use, reboot back into Safe Mode and try again, or use the command prompt to delete stubborn folders with "rmdir /s /q [folder path]".
Clean Browser Extensions and Settings
Open each installed browser and remove suspicious extensions. In Chrome, go to Settings → Extensions; in Firefox, go to Add-ons → Extensions; in Edge, go to Extensions. Remove any extensions you didn't install or that were added around the time symptoms started. Then reset browser settings: in Chrome, go to Settings → Reset settings → Restore settings to their original defaults. In Firefox, go to Help → More troubleshooting information → Refresh Firefox. This removes injected advertising code and restores your homepage, search engine, and new tab settings without deleting bookmarks or passwords.
Scan with Reputable Anti-Malware Tools
Download and run Malwarebytes Free (from malwarebytes.com) or another reputable anti-malware scanner to catch any components you might have missed during manual removal. Perform a full system scan rather than a quick scan. These tools maintain updated databases of PUP signatures and can identify variants with different file names or locations. If the scanner finds additional threats, follow its removal prompts, then run a second scan to verify the system is clean. Consider running a second opinion scanner like AdwCleaner (also from Malwarebytes) which specializes in PUPs and adware.
Update Passwords for Sensitive Accounts
Although PUP.Portscan.H typically focuses on advertising rather than credential theft, its monitoring capabilities could have exposed passwords if you typed them while infected, especially if the PUP included keylogging functionality (some variants do). From a clean device or after confirming removal, change passwords for your email, banking, social media, and any accounts accessed during the infection period. Use unique, strong passwords for each account and enable two-factor authentication where available.
Reboot Normally and Verify Removal
Restart your computer normally (not in Safe Mode) and reconnect to the internet. Monitor browser behavior for the next few days — you should no longer see injected advertisements, unexpected redirects, or performance issues. Check Task Manager to verify no suspicious processes have reappeared. Run your anti-malware scanner one more time after a few days of normal use to ensure no components have reinstalled themselves. If symptoms persist, the infection may be more complex than typical PUP.Portscan.H behavior and professional removal may be necessary.
Prevention
- Download software only from official sources. Avoid third-party download sites like Softonic, Download.com, or CNET Downloads that often bundle PUPs with legitimate software. Always download directly from the software developer's official website and verify the URL is correct before downloading.
- Choose Custom installation when installing software. Never click through installation wizards using Express or Recommended options. Always select Custom or Advanced installation, then carefully read each screen and uncheck any boxes offering to install additional software, toolbars, or browser changes. Legitimate software doesn't require bundled additions to function.
- Keep a reputable antivirus program running. Windows Defender (built into Windows 10/11) provides good baseline protection, but consider supplementing it with Malwarebytes Premium or another reputable anti-malware tool that specifically targets PUPs. Configure your security software to scan regularly and keep definitions updated.
- Enable browser security features and install ad blockers. Most modern browsers offer enhanced protection settings that block known malicious downloads and warn about deceptive sites. Install uBlock Origin or similar reputable ad blockers to reduce exposure to malvertising campaigns that distribute PUPs through compromised advertising networks.
- Keep Windows and all software updated. Enable automatic updates for Windows and regularly update all installed applications. PUPs and malware often exploit vulnerabilities in outdated software to install without user interaction. Pay special attention to browser, Java, and Adobe product updates.
- Be skeptical of system warnings in your browser. Legitimate security warnings come from your installed antivirus software or Windows Security, not from websites. Any browser-based message claiming your PC has problems, needs scanning, or must install software is a scam designed to distribute PUPs or worse threats.
- Review browser extensions regularly. At least monthly, check what extensions are installed in each browser you use. Remove anything you don't recognize, don't actively use, or that has poor reviews. Extensions can be compromised when sold to new owners or updated to include PUP behavior.
- Create a standard user account for daily use. Windows administrator accounts have permission to install software and modify system settings without prompting for approval. Create a standard user account for everyday computing and only use your administrator account when deliberately installing software. This prevents PUPs from installing silently in the background.
Bring It In
While manual removal of PUP.Portscan.H is possible for technically-inclined users, the multiple persistence mechanisms, browser modifications, and potential for missed components make professional removal the safer choice for most people. Our technicians at Computer Repair Roswell have removed hundreds of PUP infections and can typically clean your system in a few hours while you wait or within 24 hours for drop-offs. We use professional-grade tools not available to consumers, verify complete removal across all system components, and optimize your computer's performance in the process.
If you're experiencing browser redirects, unwanted advertisements, performance issues, or you simply want peace of mind that your system is clean, bring your computer to our Roswell shop at 1394 Canton Road or call us at (770) 695-6444 to discuss your symptoms. We provide free diagnostics to confirm the infection and offer flat-rate pricing for removal — no surprises, no hourly fees that run up while we work. We serve residential customers and small businesses throughout Roswell, Alpharetta, Sandy Springs, and the greater North Metro Atlanta area with honest, expert service you can trust.