PUP.Qihoob is a potentially unwanted program (PUP) that typically infiltrates Windows systems bundled with free software downloads or disguised as a legitimate utility. This threat is associated with aggressive advertising behavior, browser manipulation, and system performance degradation. While not as destructive as ransomware or data-stealing trojans, PUP.Qihoob creates a frustrating user experience and poses privacy risks through its intrusive data collection and ad-injection capabilities.
Many users discover they have PUP.Qihoob installed after noticing unexplained browser redirects, an influx of pop-up advertisements, or unfamiliar browser extensions they never intentionally added. The program often establishes multiple persistence mechanisms to survive basic uninstallation attempts, requiring thorough removal procedures to completely eliminate it from an infected system.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Classification | Potentially Unwanted Program (PUP), Adware |
| Threat Family | Qihoob family (variants include Qihoob.A, Qihoob.B) |
| Common Aliases | PUP.Optional.Qihoob, Adware.Qihoob, BrowserModifier:Win32/Qihoob |
| Affected Platforms | Windows 7, 8, 8.1, 10, 11 (all editions) |
| Primary Distribution | Software bundling, fake updaters, deceptive download buttons |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, browser extension policies, service installation |
| Primary Capabilities | Ad injection, browser hijacking, homepage/search engine modification, tracking cookie installation, affiliate fraud |
| Typical Artifacts | Random-named folders in %LOCALAPPDATA% and %APPDATA%, browser extension folders, registry modifications in HKCU and HKLM\Software |
| Network Behavior | Connects to ad-serving domains, sends system telemetry data, downloads additional PUP payloads |
| Data at Risk | Browsing history, search queries, clicked links, general system information (not typically passwords or financial data) |
| System Impact | Moderate — browser slowdowns, increased CPU usage during ad injection, potential exposure to malicious advertising |
| Removal Difficulty | Moderate — requires multiple cleanup steps due to redundant persistence mechanisms |
How It Spreads
PUP.Qihoob primarily spreads through software bundling, a distribution technique where the unwanted program is packaged alongside legitimate free software. When users download programs like video converters, PDF readers, or download managers from third-party websites, the installers often include "optional offers" that are pre-checked or presented in confusing ways. Users who click through installation screens quickly without reading carefully or choosing "Custom" installation options inadvertently agree to install PUP.Qihoob along with their intended software.
Another common infection vector involves fake update notifications that appear while browsing. These deceptive pop-ups claim your Flash Player, Java, or browser needs updating, but clicking the update button actually downloads PUP.Qihoob instead. Download portals with misleading "Download" buttons represent yet another risk — the actual file download link is often small and inconspicuous, while large green "Download Now" buttons actually trigger PUP installations.
Common distribution methods include:
- Bundled installers from download sites like Softonic, download.com, and similar portals that repackage legitimate software with PUPs
- Fake software updaters claiming to update Flash Player, Java, media codecs, or browser components
- Misleading advertisements on file-sharing and streaming sites that disguise PUP installers as download buttons or play buttons
- Torrent and pirated software packages that include PUPs alongside cracked programs
- Malvertising campaigns where compromised ad networks serve malicious advertisements on otherwise legitimate websites
- Email attachments or links in spam campaigns disguised as document viewers or file unpackers
What It Does On Your Machine
Once installed, PUP.Qihoob establishes itself across multiple system locations to ensure persistence. The program typically creates randomly-named folders in user-specific directories and installs browser extensions across all detected browsers — Chrome, Firefox, Edge, and sometimes Opera or Brave. These extensions gain extensive permissions to read and modify website content, allowing the PUP to inject advertisements directly into web pages you visit.
The most noticeable symptom is aggressive advertising. PUP.Qihoob displays pop-up windows, pop-under windows, in-text advertisements (where normal text on websites becomes clickable ad links), banner ads inserted into web pages, and interstitial ads that cover entire pages. The program modifies your browser's homepage and default search engine to redirect searches through affiliate services that generate revenue for the PUP's operators. Every search you perform and many links you click may be redirected through tracking URLs before reaching the intended destination.
Beyond the annoyance factor, PUP.Qihoob poses legitimate privacy and security risks. The program monitors your browsing activity — tracking which websites you visit, what you search for, what you click on, and how long you spend on different pages. This data is typically aggregated and sold to advertising networks or used to generate targeted advertising profiles. More concerning, the advertisements injected by PUP.Qihoob aren't vetted through legitimate ad networks, meaning you may be exposed to scam offers, tech support fraud, fake antivirus warnings, or even links to actual malware payloads.
System performance typically degrades with PUP.Qihoob active. Browsers consume more memory and CPU resources due to the constant ad injection and tracking processes. Page load times increase because the PUP intercepts page requests to insert advertising content. Some users report browser crashes or freezing, particularly when multiple tabs are open. The PUP may also download additional unwanted programs in the background, compounding the performance impact.
Manual Removal — Step by Step
Disconnect from the Internet
Unplug your Ethernet cable or disable Wi-Fi to prevent PUP.Qihoob from downloading additional components, communicating with command servers, or interfering with the removal process. This also protects you from accidentally entering sensitive information while the adware is still active.
Boot into Safe Mode with Networking
Restart your computer and repeatedly press F8 during boot (or Shift+F8 on Windows 10/11). Select "Safe Mode with Networking" from the boot options menu. This prevents PUP.Qihoob's services and startup items from loading automatically, making removal significantly easier. On Windows 10/11, you may need to hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart → press 5 for Safe Mode with Networking.
Uninstall Suspicious Programs
Open Settings → Apps → Apps & features (or Control Panel → Programs and Features on older Windows). Sort by install date and look for unfamiliar programs installed around the time symptoms began. Uninstall anything related to Qihoob, along with any programs you don't recognize or didn't intentionally install. Watch for programs with random names, programs claiming to be "PC optimizers" or "driver updaters," or anything installed the same day as free software you downloaded.
Remove Browser Extensions
Open each browser you use and navigate to the extensions/add-ons page (chrome://extensions/ in Chrome, about:addons in Firefox, edge://extensions/ in Edge). Remove all extensions you don't recognize or didn't intentionally install, paying particular attention to extensions with vague names, no description, or permissions to "Read and change all your data on the websites you visit." If an extension doesn't have a remove button, the PUP has likely enforced it through group policy — you'll address this in the registry cleanup step.
Clean the Registry
Press Win+R, type "regedit" (without the quotes), and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries with suspicious names or paths pointing to random folders in %LOCALAPPDATA% or %APPDATA%. Delete these entries. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome (or similar paths for other browsers) for "ExtensionInstallForcelist" keys that enforce unwanted extensions. Delete any suspicious policy entries. Always export keys before deleting as a safety precaution (right-click → Export).
Check and Remove Scheduled Tasks
Press Win+R, type "taskschd.msc" (without the quotes), and press Enter to open Task Scheduler. Expand Task Scheduler Library and look through the task list for anything suspicious — particularly tasks with random names, tasks pointing to executables in %LOCALAPPDATA% or %TEMP%, or tasks configured to run at login or at frequent intervals. Right-click suspicious tasks and select Delete. PUP.Qihoob often creates scheduled tasks to re-download itself if other components are removed.
Delete Qihoob Files and Folders
Open File Explorer and navigate to %LOCALAPPDATA% (paste this into the address bar and press Enter). Look for folders with random GUID names (long strings of numbers and letters in curly braces) or folders named "Qihoob" or similar variants. Delete these entire folders. Repeat this process for %APPDATA% and %PROGRAMFILES(X86)%\Common Files\. Some files may resist deletion if services are still running — proceed to the next step if you encounter locked files.
Run Malwarebytes or Similar Reputable Scanner
Download and install Malwarebytes Free (reconnect to internet briefly if needed, using a different device if you're concerned about data exposure). Run a full "Threat Scan" which will detect PUP.Qihoob components you may have missed, including locked files, hidden registry entries, and browser data. Quarantine all detected threats. Consider running a second scan with AdwCleaner (also from Malwarebytes) which specializes in PUPs and browser hijackers. These tools often catch persistence mechanisms that manual removal misses.
Reset Your Browsers
Even after removing extensions, PUP.Qihoob may have modified browser settings. In Chrome, go to Settings → Reset and clean up → Restore settings to their original defaults. In Firefox, go to about:support and click "Refresh Firefox." In Edge, go to Settings → Reset settings → Restore settings to their default values. This will reset your homepage, search engine, and new tab page while preserving bookmarks and passwords. After resetting, manually configure your preferred homepage and search engine.
Restart Normally and Verify Removal
Restart your computer in normal mode (not Safe Mode). Open your browsers and verify that pop-ups have ceased, your homepage is correct, and no unfamiliar extensions have reappeared. Open Task Manager (Ctrl+Shift+Esc) and review the list of running processes for anything suspicious. Monitor your system for 24-48 hours to ensure the PUP doesn't return. If symptoms persist, the infection may be more complex than typical PUP.Qihoob or you may have additional malware — professional help is recommended at this point.
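The Run-key, extension-policy and scheduled-task checks from the steps above can be repeated in one pass as a read-only audit, which is useful both before cleanup and during the 24-48 hour monitoring period. This PowerShell script is an added example, not part of the original guide; the path fragments it flags and the Edge policy path are assumptions, and it deletes nothing.

```powershell
# Read-only audit of the persistence locations named in the removal steps.
# Assumption: "suspicious" means a command that runs from a user-writable folder.
# Legitimate software also runs from AppData, so each hit is a lead to review.
$userDirs = '\AppData\Local\', '\AppData\Roaming\', '\Temp\'

function Test-UserWritablePath([string]$Text) {
    # Expand %LOCALAPPDATA%-style variables before matching.
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($dir in $userDirs) { if ($expanded -like "*$dir*") { return $true } }
    return $false
}

$findings = @()

# 1. Run keys: autostart entries for the current user and for the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-UserWritablePath $value) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $name; Detail = $value }
        }
    }
}

# 2. Force-installed extensions. On a home PC any entry here deserves a look,
#    so every value is listed. The Edge path is the assumed "similar path".
$policyKeys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
              'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
foreach ($key in $policyKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $findings += [pscustomobject]@{ Type = 'ForcedExtension'; Location = $key; Name = $name; Detail = [string]$item.GetValue($name) }
    }
}

# 3. Scheduled tasks whose action launches from a user-writable folder.
#    Get-ScheduledTask needs Windows 8 or later.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-UserWritablePath $action.Execute)) {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Detail = "$($action.Execute) $($action.Arguments)" }
        }
    }
}
$findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window so the machine-wide keys and all tasks are readable, and compare the output before and after cleanup to confirm nothing has been re-created.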
Prevention
- Download software only from official sources. Get programs directly from the developer's website rather than third-party download portals. Avoid sites like Softonic, download.com, or CNET Downloads when possible — if you must use them, carefully select the "Direct Download" option and decline all bundled offers.
- Always choose Custom or Advanced installation. Never click through installers using Express/Recommended options. Custom installation reveals bundled offers that you can decline. Read each installation screen carefully and uncheck any pre-selected options for browser toolbars, homepage changes, or additional programs you don't want.
- Keep legitimate software updated through official channels. Enable automatic updates for Windows, your browsers, and security software. Ignore pop-up messages on websites claiming your software is outdated — if you need to update Flash (which is now discontinued), Java, or media codecs, go directly to the official website rather than clicking pop-up prompts.
- Install a reputable ad blocker. Browser extensions like uBlock Origin prevent many malicious advertisements from displaying, including fake download buttons and misleading software update prompts. Ad blockers also improve browsing speed and privacy as a side benefit.
- Use reputable antivirus software with real-time protection. While traditional antivirus may not catch every PUP (some vendors classify them as "low priority" threats), quality solutions like Windows Defender (built into Windows 10/11), Bitdefender, or Kaspersky can block many PUP installers before they execute. Ensure real-time protection is enabled.
- Enable Windows SmartScreen and browser phishing protection. These built-in features warn you about known malicious downloads and websites. In Windows Security settings, ensure "Check apps and files" and "SmartScreen for Microsoft Edge" are turned on. Keep these protections enabled even if they occasionally create false positives.
- Be skeptical of browser permission requests. When a website asks permission to show notifications, think carefully about whether you actually want notifications from that site. Many PUP distribution campaigns now use browser notification permissions to continue showing ads even without installing software on your computer.
- Educate family members and employees. Many PUP infections occur because children, elderly relatives, or less technically experienced users click through installation screens or respond to fake warnings. Take time to explain safe browsing and installation practices to anyone who uses computers you're responsible for.
Bring It In
While the manual removal steps above work for straightforward PUP.Qihoob infections, some variants are more stubborn or come bundled with additional malware that complicates removal. If you've followed the removal steps and still experience pop-ups, redirects, or performance problems — or if you're simply not comfortable editing the registry and working with system files — we're here to help. Computer Repair Roswell has removed thousands of PUP infections from home and business computers throughout the Roswell area, typically completing the work same-day.
Our technicians use professional-grade tools and techniques to ensure complete removal, not just suppression of symptoms. We verify that all persistence mechanisms are eliminated, check for additional infections that may have been downloaded by the PUP, and optimize your system's performance afterward. We're located at 1951 Piedmont Road NE in Roswell, open Monday through Friday 9 AM to 6 PM, and Saturday 10 AM to 4 PM. Call us at (770) 637-1435 to describe your symptoms and get an estimate, or just bring your computer by — we'll diagnose the problem and give you a clear explanation of what's needed before proceeding with any work. No geek-speak, no pressure, just honest service from technicians who've been keeping Roswell's computers healthy since 2006.