PUP.Skrinshoter is a potentially unwanted program (PUP) that disguises itself as a legitimate screenshot utility while conducting intrusive background activities on infected systems. First observed in mid-2019, this software typically bundles itself with freeware downloads and presents itself as a helpful desktop tool, but exhibits classic adware and potentially unwanted behavior once installed. While not technically a virus or trojan, Skrinshoter aggressively modifies browser settings, injects advertisements into web pages, and collects browsing data without clear user consent—actions that cross the line from legitimate software into the PUP category that security vendors flag for removal.

PUP.Skrinshoter — cybersecurity illustration
Photo by cottonbro studio on Pexels

What makes PUP.Skrinshoter particularly problematic is its persistence mechanisms and the difficulty many users face when attempting to uninstall it through normal Windows removal methods. The program creates multiple registry entries, scheduled tasks, and browser extensions that can remain even after the main application appears to be removed. We see this pattern frequently at our Roswell shop: a customer thinks they've uninstalled unwanted software, but the advertisements and redirects continue because remnants of the PUP are still active in the system.

Think you're infected right now? Disconnect from the internet immediately if you're experiencing suspicious popups or browser redirects. Do not enter passwords or financial information on any websites until the infection is cleared. If you're uncomfortable performing manual removal steps, call us at (770) 797-9000 or bring your computer to our Roswell location at 1201 Woodstock Rd—we can typically clean PUP infections same-day.

Threat Profile

Attribute Details
Threat Classification PUP (Potentially Unwanted Program) / Adware
Aliases Adware.Skrinshoter, PUA:Win32/Skrinshoter, Screenshot Tool (misleading name)
Platform Windows 7/8/10/11 (primarily 32-bit and 64-bit)
First Observed Approximately Q2 2019
Distribution Method Software bundling, deceptive download buttons, fake update prompts
Primary Payload Screenshot utility with adware/browser hijacker components
Persistence Mechanisms Registry Run keys, scheduled tasks, browser extensions, Windows services
Browser Targets Chrome, Firefox, Edge, Internet Explorer (all major browsers)
Network Behavior Frequent connections to ad-serving domains, tracking domains, data exfiltration endpoints
Data Collection Browsing history, search queries, system information, potentially form data
Symptoms Excessive advertisements, browser redirects, changed homepage/search engine, system slowdown
Removal Difficulty Moderate (leaves multiple persistence points that resist standard uninstallation)

How It Spreads

PUP.Skrinshoter rarely arrives through direct, informed user choice. Instead, it relies on deceptive distribution tactics that exploit user inattention during software installation. The most common infection vector we encounter is software bundling—the practice of packaging Skrinshoter with legitimate free software that users actually want. When someone downloads a PDF converter, video codec pack, or system utility from a third-party download site, Skrinshoter may be included in the installer as an "optional" component that's pre-checked by default. Users who click through installation screens quickly using the "Next" button without reading each screen end up accepting the bundled PUP without realizing it.

Another frequent distribution method involves fake download buttons on software hosting sites and streaming platforms. Users searching for legitimate software encounter websites with multiple "Download" buttons—many of which are advertisements. Clicking the wrong button initiates a download of Skrinshoter or a bundled installer rather than the intended software. We've also seen cases where the PUP arrives through fake system update notifications that appear while browsing compromised or low-quality websites. These warnings claim your Flash Player, video codec, or browser needs updating, but the "update" file is actually a PUP installer.

Common distribution vectors include:

  • Software bundles: Packaged with free PDF tools, download managers, media players, and codec packs
  • Misleading download buttons: Fake "Download" links on freeware hosting sites that are actually ads
  • Fake update prompts: Browser notifications claiming Flash, Java, or video codecs need updating
  • Torrent and peer-to-peer files: Bundled with pirated software or media files
  • Compromised installers: Repackaged legitimate software with PUP components injected
  • Malvertising campaigns: Malicious advertisements on otherwise legitimate websites
  • Search engine poisoning: Manipulated search results directing to download sites hosting bundled installers

What It Does On Your Machine

Once installed, PUP.Skrinshoter operates on two levels: a visible front-end that provides basic screenshot functionality (lending the program a veneer of legitimacy) and hidden background components that generate revenue for its operators through advertising and data collection. The screenshot tool itself generally works as advertised—users can capture screen images—but this legitimate-seeming functionality serves primarily as camouflage for the unwanted activities happening behind the scenes.

The most noticeable symptom is aggressive advertising injection. Skrinshoter installs browser extensions or uses other techniques to insert additional advertisements into websites you visit. These aren't the normal ads displayed by websites—they're extra banners, pop-ups, pop-unders, and in-text advertisements overlaid on top of legitimate content. You might see products you recently searched for suddenly appearing in ads across unrelated websites, or experience new tabs opening spontaneously to advertising landing pages. The program also commonly modifies your default search engine and homepage, redirecting searches through monetized search portals that display additional ads before showing actual results.

Browser hijacking represents another core component of Skrinshoter's behavior. The PUP alters browser settings to ensure its advertising and data collection mechanisms remain active. This includes changing the default search provider, modifying the new tab page, and adding browser extensions that users didn't request. These changes persist even when you attempt to manually restore your preferred settings—the PUP simply reverts them back, creating a frustrating cycle. Performance degradation is inevitable: the constant background ad-serving activity, data collection, and communication with remote servers consumes system resources, slowing down both your browser and overall computer performance.

From a privacy perspective, PUP.Skrinshoter engages in extensive data harvesting. It monitors your browsing activity, recording visited URLs, search queries, clicked links, and potentially form data you enter on websites. This information gets transmitted to remote servers where it's used for targeted advertising or potentially sold to data brokers. While not spyware in the traditional sense of capturing passwords or financial information, the level of surveillance Skrinshoter conducts crosses privacy boundaries that most users would not consent to if they understood what was happening.

Typical PUP.Skrinshoter Artifacts: File System Locations: %LOCALAPPDATA%\Skrinshoter\ %PROGRAMFILES%\Skrinshoter\ %PROGRAMFILES(X86)%\Skrinshoter\ %APPDATA%\ScreenshotTool\ %TEMP%\.exe ← installer remnants Registry Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Skrinshoter HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScreenshotService HKCU\Software\Skrinshoter\ HKLM\SOFTWARE\WOW6432Node\Skrinshoter\ Browser Extensions: Screenshot Helper (Chrome/Edge) Quick Screenshot Tool (Firefox) Various randomly-named extension IDs Scheduled Tasks: \Microsoft\Windows\Skrinshoter Update \ScreenshotTool Launcher

Manual Removal — Step by Step

01

Disconnect From the Internet

Before beginning removal, disconnect your computer from the internet by unplugging the Ethernet cable or disabling Wi-Fi. This prevents the PUP from downloading additional components, communicating with command servers, or receiving updated instructions that might interfere with removal efforts.

02

Boot Into Safe Mode With Networking

Restart your computer and boot into Safe Mode with Networking. For Windows 10/11: hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5. Safe Mode loads only essential system processes, preventing Skrinshoter's protection mechanisms from interfering with removal.

03

Uninstall Through Windows Settings

Open Settings → Apps → Apps & Features (or Control Panel → Programs and Features on older Windows). Look for "Skrinshoter," "Screenshot Tool," or any recently installed programs you don't recognize. Uninstall these entries. The PUP may use variations of its name or appear as a different application entirely, so review the installation dates and publishers carefully for suspicious entries.

04

Remove Browser Extensions

Open each browser and remove suspicious extensions. In Chrome/Edge: Menu → Extensions → Manage Extensions, then remove anything screenshot-related or unfamiliar. In Firefox: Menu → Add-ons → Extensions. Look specifically for extensions installed around the same time symptoms began. Don't just disable them—fully remove them, as disabled extensions can sometimes reactivate.

05

Clean Registry Persistence Points

Press Win+R, type "regedit," and navigate to the Run key locations listed in the terminal box above. Delete any entries referencing Skrinshoter, screenshot tools, or paths matching the file system locations. Also delete the entire Skrinshoter key under HKCU\Software and HKLM\SOFTWARE. Exercise caution in Registry Editor—only delete entries you can positively identify as related to this PUP.

06

Delete Scheduled Tasks

Open Task Scheduler (search for it in the Start menu) and review the Task Scheduler Library. Look for tasks named anything related to Skrinshoter, screenshot tools, or tasks that reference executable paths in the %LOCALAPPDATA% or %PROGRAMFILES% locations mentioned earlier. Right-click suspicious tasks and delete them. These scheduled tasks are how the PUP relaunches itself after system restarts.

07

Delete Program Folders

Navigate to %LOCALAPPDATA%, %PROGRAMFILES%, and %APPDATA% (paste these into Windows Explorer's address bar) and delete any folders named Skrinshoter, ScreenshotTool, or matching the paths identified in step 5's registry cleaning. You may need to take ownership of these folders if Windows reports permission errors. Also empty your %TEMP% folder to remove installer remnants.

08

Run Malwarebytes or Similar Scanner

Download and run a reputable anti-malware scanner like Malwarebytes (the free version works fine). Let it perform a full scan, which will catch registry remnants, leftover files, and related PUPs you might have missed. Malwarebytes specifically recognizes PUP.Skrinshoter and its variants. Quarantine or remove everything it finds.

09

Reset Browser Settings

Even after removing extensions, browser settings may still be hijacked. In Chrome/Edge: Settings → Reset settings → Restore settings to their original defaults. In Firefox: Help → More Troubleshooting Information → Refresh Firefox. This removes custom search engines, homepage changes, and other modifications the PUP made. You'll need to reconfigure your preferences afterward, but it ensures a clean slate.

10

Reboot and Verify Removal

Restart your computer normally (not in Safe Mode) and reconnect to the internet. Open your browsers and verify that advertisements, redirects, and performance issues have resolved. Check that your homepage and search engine are correct. Monitor the system for 24-48 hours—if symptoms return, the PUP may have additional persistence mechanisms requiring professional removal.

Prevention

  1. Download software only from official sources: Avoid third-party download sites like Softonic, Download.com, or CNET Downloads. Go directly to the software developer's website. These aggregate sites often bundle PUPs with otherwise legitimate software.
  2. Choose Custom installation every time: Never use "Express" or "Recommended" installation options. Always select "Custom" or "Advanced" and read each screen carefully. Uncheck any pre-selected offers for additional software, browser toolbars, or homepage changes.
  3. Keep a reputable ad-blocker active: Browser extensions like uBlock Origin block malvertising and fake download buttons that lead to PUP infections. They significantly reduce exposure to the deceptive advertising tactics that distribute programs like Skrinshoter.
  4. Maintain an up-to-date anti-malware scanner: Keep Windows Defender active at minimum, or use a third-party solution like Malwarebytes. Enable real-time protection so it can block PUP installers before they execute.
  5. Ignore fake update prompts while browsing: Legitimate software updates come through the application itself or Windows Update—never through browser pop-ups. If a website tells you to update Flash, Java, or codecs, close the tab immediately.
  6. Review installed programs monthly: Check your installed programs list periodically for applications you don't remember installing. Catching PUPs early, before they establish deep persistence, makes removal significantly easier.
  7. Use a standard user account for daily activities: Don't use an administrator account for browsing and email. PUPs require administrator privileges to install their persistence mechanisms system-wide. A standard user account limits their ability to embed deeply.
  8. Be skeptical of "free" utilities that seem too good to be true: Many PUPs masquerade as helpful system utilities, PC cleaners, or optimization tools. If a free program promises dramatic performance improvements or capabilities that match expensive commercial software, it's likely monetized through bundled adware.
Our 90-Day Warranty: When we remove PUP.Skrinshoter or any other malware at Computer Repair Roswell, your system is covered by our 90-day warranty. If the same infection returns within 90 days, we'll remove it again at no charge. We stand behind our work because we don't just delete the visible components—we hunt down every persistence mechanism to ensure it's truly gone.

Bring It In

Manual removal works well if you're comfortable with registry editing, task scheduling, and system administration. But we understand that most people don't want to spend hours troubleshooting their computer when they just need it working again. PUP infections often travel in packs—where there's one potentially unwanted program, there are frequently others. What appears to be a straightforward Skrinshoter removal sometimes reveals additional browser hijackers, adware components, or even more serious threats that came through the same infection vector.

At Computer Repair Roswell, we handle PUP removals daily. We have the diagnostic tools to identify every component of a bundled infection, the experience to recognize persistence mechanisms that automated scanners miss, and the expertise to restore your system without losing your data or settings. Most PUP cleanings take 2-4 hours, and we can often complete them same-day. Call us at (770) 797-9000 or stop by our shop at 1201 Woodstock Rd in Roswell—we're here Monday through Saturday to get your computer back to normal without the ads, redirects, and privacy invasion.