You have removed a Potentially Unwanted Program (PUP) but Malwarebytes keeps detecting the same PUP. The user's device may be reinfected via a browser synch with another device or rootkit infection.
Browser related PUP
PUPs are commonly found in browsers, so it can make PUP removal challenging if the browser is synced across multiple devices. If your user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices.
When a PUP is detected and before you remove it, note the location/file/folder path.
To remove the PUP:
- Have the user sign out of their web browser's profile and reset their browser to default settings.
To ensure the PUP does not infect other installed browsers, it is best practice to reset all web browsers installed on the user's device. For instructions on how to reset a browser, refer to:
- Scan the user's machine with Malwarebytes.
- Scan the user's machine with ADWCleaner. For instructions, refer to Malwarebytes AdwCleaner v7.0 download and features
To mitigate this risk in the future, you may choose to disable the browser syncing functionality on corporate-managed devices. This Chrome function can be disabled via Group Policy Objects (GPO), refer to Google's support document Set Chrome policies for devices.
Rootkit Infection PUP
If the path does not involve a browser, then the PUP is likely being placed back on the machine via a rootkit infection. An administrator will need to scan the user's machine.
- For Malwarebytes Endpoint Protection or Malwarebytes Incident Response environments, scan the user's machine with rootkit options turned on.
- For Malwarebytes Endpoint Security or Standalone environments, download and run a scan with Malwarebytes Anti-Rootkit tool. Refer to What is Malwarebytes Anti-Rootkit (beta)? and How do I use Malwarebytes Anti-Rootkit?.