Malwarebytes keeps detecting the same PUP

Document created by jyamada Employee on Mar 14, 2018

You have removed a Potentially Unwanted Program (PUP), but Malwarebytes keeps detecting the same PUP. The user's device may be reinfected via a browser sync with another device or by a rootkit infection.

 

Browser related PUP

PUPs are commonly found in browsers, which can make PUP removal challenging if the browser is synced across multiple devices. If your user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices.

 

 

When a PUP is detected, note its location (file or folder path) before you remove it. If the path relates to a browser, like Google Chrome, the PUP may be an extension or browser setting that is syncing between the user's work machine and their personal machine or mobile device.

 

To remove the PUP:

  1. Have the user sign out of their web browser's profile and reset their browser to default settings. 
    To ensure the PUP does not infect other installed browsers, it is best practice to reset all web browsers installed on the user's device.  For instructions on how to reset a browser, refer to:
  2. Scan the user's machine with Malwarebytes.
  3. Scan the user's machine with AdwCleaner. For instructions, refer to Malwarebytes AdwCleaner v7.0 download and features.

 

To mitigate this risk in the future, you may choose to disable the browser syncing functionality on corporate-managed devices. In Chrome, this function can be disabled via Group Policy Objects (GPO); refer to Google's support document Set Chrome policies for devices.

 

Rootkit Infection PUP

If the path does not involve a browser, then the PUP is likely being placed back on the machine via a rootkit infection.  An administrator will need to scan the user's machine.
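
The path check described in the two sections above can be scripted for triage. The following is an added example, not Malwarebytes code: the marker list, the `triage` function name and the sample detection paths are assumptions constructed for illustration.

```python
import re

# Path fragments that mark a browser profile or browser registry location.
# Assumption: illustrative marker list, not Malwarebytes' own detection logic.
BROWSER_MARKERS = {
    "Google Chrome": (r"\google\chrome\user data", r"\software\google\chrome"),
    "Microsoft Edge": (r"\microsoft\edge\user data", r"\software\microsoft\edge"),
    "Mozilla Firefox": (r"\mozilla\firefox\profiles", r"\software\mozilla"),
}
# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"\\extensions\\([a-p]{32})(?:\\|$)", re.IGNORECASE)
# Chromium profile folder sits directly under "User Data".
PROFILE = re.compile(r"\\user data\\([^\\]+)", re.IGNORECASE)


def triage(detection_path):
    """Classify one detection path as browser-related or not."""
    path = detection_path.replace("/", "\\")
    lowered = path.lower()
    for browser, markers in BROWSER_MARKERS.items():
        if any(marker in lowered for marker in markers):
            ext = EXT_ID.search(lowered)
            prof = PROFILE.search(path)
            return {
                "category": "browser",
                "browser": browser,
                "profile": prof.group(1) if prof else None,
                "extension_id": ext.group(1) if ext else None,
                "next_step": "sign out of browser profile, reset all browsers, rescan",
            }
    return {
        "category": "non-browser", "browser": None, "profile": None,
        "extension_id": None,
        "next_step": "escalate to an administrator for a rootkit scan",
    }


# Constructed sample detection paths (not taken from a real scan log).
SAMPLES = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
    r"\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences",
    r"C:\ProgramData\ExampleUpdater\svc.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(result["category"], result["browser"], result["profile"],
              result["extension_id"], "->", result["next_step"])
```

A detection that returns a profile name or extension ID tells you which synced browser profile to sign out of before rescanning.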

 
