SoftwareRefresher is a potentially unwanted program (PUP) that masquerades as a legitimate software update utility but typically delivers unwanted browser modifications, intrusive advertisements, and bundled software installations. First detected in the wild around 2016-2017, this application commonly arrives bundled with free software downloads and presents itself as a helpful tool for keeping your applications current. Instead of providing useful functionality, it modifies browser settings, tracks your online activity, and creates persistent changes that redirect your web traffic through affiliate networks.
While not classified as a virus in the traditional sense, SoftwareRefresher exhibits behavior that security researchers categorize as adware and a potentially unwanted application. It doesn't replicate itself or encrypt your files, but it undermines your browsing experience and privacy while proving remarkably difficult to remove through standard uninstallation procedures. Many variants leave behind registry entries, scheduled tasks, and browser extensions that continue to operate even after you think you've removed the program.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Classification | Potentially Unwanted Program (PUP), Adware, Browser Hijacker |
| Family | SoftwareRefresher variants, related to software bundler families |
| Common Aliases | Software Refresher, SoftwareRefresher.exe, UpdateChecker |
| Platform | Windows 7, 8, 8.1, 10, 11 (primarily 32-bit and 64-bit) |
| First Observed | Approximately 2016-2017 |
| Distribution Methods | Software bundling, freeware installers, deceptive download buttons, fake update prompts |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, browser extensions, startup folder entries |
| Primary Capabilities | Browser modification, search redirection, ad injection, tracking cookie installation, affiliate traffic generation |
| Typical Artifacts | Executables in AppData folders, registry modifications in HKCU\Software, browser helper objects, scheduled tasks |
| Network Behavior | Redirects to affiliate domains, communication with ad-serving networks, tracking beacon transmissions |
| Data at Risk | Browsing history, search queries, clicked links, system information, potentially entered credentials on phishing pages |
| Removal Difficulty | Moderate—requires manual registry cleaning, scheduled task removal, and browser reset in addition to file deletion |
How It Spreads
SoftwareRefresher rarely arrives on systems through direct, intentional downloads. Instead, it piggybacks on legitimate-seeming software installers that users download from free software hosting sites, torrent repositories, or through deceptive advertising. The distribution model relies on users clicking through installation wizards quickly without reading the fine print or unchecking pre-selected options that authorize "additional software" installations.
The software bundling tactic is particularly effective because the host installer often provides something the user actually wants—a PDF converter, video codec, system utility, or media player. During installation, buried in the "Custom" or "Advanced" options that most users skip, are checkboxes that grant permission to install SoftwareRefresher alongside the desired program. Even users who consider themselves cautious can miss these bundled offers because they're presented with confusing language, double-negative phrasing, or are pre-checked by default.
Beyond software bundlers, SoftwareRefresher spreads through:
- Fake update notifications: Pop-ups mimicking Flash Player, Java, or browser update prompts that instead deliver the PUP when clicked
- Malicious advertising (malvertising): Legitimate websites serving compromised ad networks that redirect to download pages
- Deceptive download buttons: Free software sites with multiple "Download" buttons where only one is legitimate and others deliver unwanted software
- Email attachments: Less common, but some variants arrive as attachments in spam campaigns disguised as invoices or receipts
- Compromised installers: Repackaged versions of popular free software on unofficial mirror sites
- Social engineering: Tech support scam sites that recommend downloading "optimization tools" that include SoftwareRefresher
What It Does On Your Machine
Once installed, SoftwareRefresher establishes multiple persistence mechanisms to ensure it continues running even after reboot and survives casual removal attempts. The program typically creates a main executable in your user profile's AppData folder under a randomly-named subdirectory. From there, it modifies Windows registry keys that control startup behavior, ensuring the program launches every time you log in. Many variants also create scheduled tasks that check for and reinstall components if they're deleted, making manual removal frustrating for average users.
The primary monetization method involves browser hijacking and search redirection. SoftwareRefresher modifies your default search engine, homepage, and new tab page settings across all installed browsers—Chrome, Firefox, Edge, and sometimes Internet Explorer. When you perform web searches, your queries get routed through affiliate networks that earn the distributor money for each redirected search. You might search for "weather forecast" and briefly see a URL flash through several domains (often with names you don't recognize) before finally landing on a search results page that looks somewhat legitimate but isn't Google, Bing, or your intended search engine.
Beyond search hijacking, the software injects advertisements into web pages you visit. These aren't the normal ads that websites display—they're additional banners, pop-unders, interstitial screens, and in-text link ads that appear on pages that shouldn't have them. You might notice that text on legitimate news sites suddenly has double-underlined words that trigger ad pop-ups when you hover over them. Video streaming sites might show extra pre-roll ads. Shopping sites might display competing coupon offers. All of these generate affiliate revenue for the SoftwareRefresher operators.
From a privacy perspective, the software tracks your browsing behavior comprehensively. It logs which sites you visit, what you search for, which links you click, how long you spend on pages, and potentially what you type into forms. This data gets transmitted back to remote servers where it's aggregated, analyzed, and potentially sold to advertising networks. While the operators typically claim in their privacy policies that they don't collect "personally identifiable information," the browsing profile they build is often detailed enough to identify individuals when combined with other data sources.
Manual Removal — Step by Step
Disconnect and Document
Disconnect your computer from the internet by unplugging the Ethernet cable or disabling Wi-Fi. This prevents the malware from receiving updates or communicating with command servers during removal. Open a text file and document the symptoms you're experiencing—which browsers are affected, what redirects you're seeing, any error messages. This helps verify successful removal later.
Boot Into Safe Mode with Networking
Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, then press F5. Safe Mode loads only essential drivers and prevents most malware from launching automatically, making removal significantly easier.
Uninstall Through Programs and Features
Open Control Panel > Programs > Programs and Features (or Settings > Apps on Windows 10/11). Sort by install date and look for SoftwareRefresher or any unfamiliar programs installed around the time your problems started. Right-click and uninstall, but be aware that the uninstaller may not remove everything or might even attempt to reinstall components. If prompted to keep settings or data, decline.
Terminate Running Processes
Open Task Manager (Ctrl+Shift+Esc) and look for processes named SoftwareRefresher.exe or suspicious processes running from AppData folders. Right-click any suspicious process, select "Open file location" to verify it's related, then end the process. Note the file location for deletion in the next step.
Delete Program Folders
Navigate to the file locations you identified. Common paths include C:\Users\[YourName]\AppData\Local\SoftwareRefresher\ and C:\Users\[YourName]\AppData\Roaming\SoftwareRefresher\. Delete these entire folders. If you receive "file in use" errors, you didn't successfully terminate the process in the previous step—return to Task Manager and try again. You may need to show hidden files (View tab > Hidden items checkbox in File Explorer).
Clean Registry Entries
Press Win+R, type "regedit," and press Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\ and look for a "SoftwareRefresher" key—right-click and delete it. Then check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ for any SoftwareRefresher entries and delete them. Also check HKEY_LOCAL_MACHINE\SOFTWARE\ for system-wide entries if the infection had administrator privileges. Make a registry backup before making changes (File > Export).
Remove Scheduled Tasks
Open Task Scheduler (search for it in the Start menu). Expand Task Scheduler Library and look for tasks named "SoftwareRefresher" or tasks that reference the deleted program folders. Right-click each suspicious task and delete it. These tasks often attempt to reinstall the software or check for its presence, so removing them is critical for preventing reinfection.
Reset Browser Settings
Open each affected browser and reset it to defaults. In Chrome: Settings > Reset settings > Restore settings to original defaults. In Firefox: Help > More troubleshooting information > Refresh Firefox. In Edge: Settings > Reset settings > Restore settings to default values. This removes hijacked homepage settings, search engines, and unwanted extensions. You'll need to reconfigure your preferences afterward, but it's the most reliable way to undo browser modifications.
Run Reputable Anti-Malware Scanners
Download and run Malwarebytes (free version works fine) while still in Safe Mode with Networking. Let it perform a full scan and quarantine everything it finds. Then run a second-opinion scan with AdwCleaner or HitmanPro. Different scanners catch different remnants, and the combination typically finds registry entries or browser extensions that manual removal missed. Reboot after cleaning completes.
Verify and Monitor
Boot into normal mode and reconnect to the internet. Test your browsers—perform searches, visit a few different websites, check your homepage and new tab behavior. Open Task Manager and verify no suspicious processes are running. If you still see redirects or ads, additional remnants remain. If behavior is normal for 48 hours, the removal was likely successful, but remain vigilant for the next week.
Prevention
- Always choose Custom/Advanced installation: Never click through installers using the Express or Quick option. The Custom path reveals bundled software offers that you can decline. It takes an extra 30 seconds but prevents most PUP infections.
- Download software only from official sources: Get programs directly from the developer's website, not from download portals like Softonic, Download.com, or CNET Downloads. These aggregator sites often bundle PUPs with otherwise legitimate software to monetize free downloads.
- Keep your actual software updated through proper channels: When you see update prompts for Flash, Java, or your browser, close the notification and manually visit the official website to download updates. Fake update prompts are a primary distribution vector for PUPs and worse malware.
- Use browser extensions that block malicious sites: Install uBlock Origin (not uBlock—they're different) to block many malicious advertisements and download prompts. Consider adding a second extension like Malwarebytes Browser Guard for additional protection against phishing and scam sites.
- Read installer screens carefully: Look for pre-checked boxes, links to terms of service (skim them—they often disclose bundled software), and anything asking to change your homepage or search engine. Legitimate software rarely modifies browser settings during installation.
- Run standard Windows account for daily use: Don't use an administrator account for regular browsing and work. Many PUPs gain deeper system access when installed with administrator privileges. Use a standard account and only elevate when necessary for legitimate software installation.
- Keep a reputable anti-malware program running: Free versions of Malwarebytes, Bitdefender, or Windows Defender (built into Windows 10/11) catch many bundled PUPs during installation if real-time protection is enabled. Update definitions regularly.
- Be skeptical of free software that seems too good to be true: Professional-grade software offered free without a clear business model often comes with PUPs or worse. Read reviews before installing, and check VirusTotal.com to scan installers before running them.
Bring It In
While the steps above work for technically-inclined users who enjoy hands-on troubleshooting, most people find manual malware removal tedious, time-consuming, and frustrating—especially when remnants keep reappearing despite following every step. That's exactly why Computer Repair Roswell exists. Our technicians see dozens of SoftwareRefresher infections and similar PUPs every month. We know every hiding spot, every registry trick, every scheduled task variation these programs use. What takes you three hours of research and trial-and-error takes us 30-45 minutes with professional tools and accumulated experience.
Bring your infected computer to our Roswell location at 1297 Hembree Road, or call us at (770) 695-6032 to describe your symptoms. We offer same-day service for most malware infections, and we'll assess your system while you wait if you prefer. Beyond just removing the immediate threat, we'll identify how it got there, close that security gap, and give you specific recommendations for your setup and usage patterns. Don't spend your weekend fighting with registry editors and task schedulers—let us handle it so you can get back to using your computer the way it's meant to work.