Jump to content


  • Content Count

  • Joined

  • Last visited


About LiquidTension

  • Rank
    Malwarebytes Staff

Recent Profile Visitors

5,944 profile views
  1. LiquidTension

    Windows 10 Defender disabled

    Thanks Chuck. Please download batch.bat using the following link: https://malwarebytes.box.com/s/jlhjsposwb7q81ihpsr6au89b7f4pd3v Right-click the file and click Run as administrator. A file named query2.txt will be saved to your Desktop. Please attach this in a post. Afterwards, please restart the computer (Start button > Power button > Click Restart; not Shut down). After the restart, do the following: Press the Windows Key + R on your keyboard at the same time. Type services.msc and click OK. Scroll down to Windows Defender Antivirus Service. Right-click and click Properties. Click Start. Let me know the results.
  2. Hi zarthan, Please hold off on running the FRST fix above (in post #7). Thank you for providing the mbst-grab-results.zip. Please do the following: Right-click the Malwarebytes icon in the notification area (next to the clock) and click Quit Malwarebytes. Press the Windows Key + R on your keyboard at the same time. Type services.msc and click OK. Scroll through the list of services until you reach Malwarebytes Service. Right-click Malwarebytes Service and click Properties. Set the Startup type to Automatic (Delayed Start). Click OK and close the Services window. Once done, please restart the computer (Start button > arrow next to Shut down > Restart). After the restart, please try to open Malwarebytes. Let me know how you get on. If you still encounter an issue, please let me know how you're attempting to launch Malwarebytes.
  3. I'm sorry to hear of the issue you've experienced. Please provide the log file referenced in the post above and we'll look into the cause of this issue.
  4. LiquidTension

    Unable to contact license server (another)

    The logs indicate the connection to the licensing server is timing out. Have you made any recent changes to the computer or environment/network? Does the same issue occur in Safe Mode with Networking? https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode In Normal Mode, can you try temporarily disabling Windows Firewall and check if the issue still occurs: https://www.tenforums.com/tutorials/70699-turn-off-windows-defender-firewall-windows-10-a.html#option4
  5. Thank you. I'm not seeing any reference to Ransomware Protection in that log. Please do the following: Enable Malwarebytes Enhanced Event Log Data Setting Open Malwarebytes. Click the Settings menu. Ensure the Application tab is selected. Scroll down to Event Log Data. Turn the Collect enhanced event log data for support setting On. Rerun Process Monitor in the same manner you did before, but don't stop the capture yet. Quit Malwarebytes (right-click the Malwarebytes icon in the notification area and click Quit Malwarebytes). Relaunch Malwarebytes, wait for the user interface to open and confirm Ransomware Protection is off. Return to Process Monitor. Click File followed by Capture Events and repeat the earlier steps to Zip up the generated log. Rerun the Malwarebytes Support Tool as well. Click Advanced > Gather Logs and attach the generated mbst-grab-results.zip (found on your Desktop). https://downloads.malwarebytes.com/file/mbst
  6. I have no issues with Process Monitor boot time logging on Windows XP. It could very well be related to the same issue you're encountering with MBAMChameleon boot start. I'm looking into other potential methods of obtaining similar information. In the meantime, you may want to leave the start type as System. This is expected. You should find the process automatically restarts.
  7. Yes, that would be helpful. Thank you.
  8. LiquidTension

    Windows 10 Defender disabled

    Hi Chuck, I see you're running an outdated version of Windows 10. Have you considered updating to the latest version? Windows 10 Home Version 1803 17134.523 Here is the source of your issue: Error: (01/16/2019 10:38:49 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: MsMpEng.exe, version: 4.18.1812.3, time stamp: 0xaa8bf4c9 Faulting module name: mpengine.dll, version: 1.1.15500.2, time stamp: 0x5bff8402 Exception code: 0xc0000005 Fault offset: 0x0000000000185014 Faulting process id: 0x18d0 Faulting application start time: 0x01d4ae26dfcbc18c Faulting application path: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MsMpEng.exe Faulting module path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{31014893-3B92-4278-A6DC-46D6DC812EC0}\mpengine.dll Report Id: 65675de3-e275-488f-ab22-b9472624e4d4 Faulting package full name: Faulting package-relative application ID: Please do the following: SFC /Scannow Please download sfc_scannow.bat using the link below. https://malwarebytes.box.com/s/71uel6xlgciq5fitx1lq8a6jqo3ck4mi Open your Downloads folder. Right-click sfc_scannow.bat and select Run as administrator to run the file. Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway. A black Command Prompt window will appear. Upon completion, a file named mb-cbs-log.txt will be created on your Desktop. Please attach the file in your next reply. Also, please run the following command at the Command Prompt and provide the generated output saved to your desktop. reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s >> "%userprofile%\desktop\query.txt"
  9. Thank you. I'll look into the error and update the script accordingly. In the meantime, please manually download and run Process Monitor: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon Extract the downloaded file and run procmon.exe. Once Process Monitor is running, open Malwarebytes, click Settings, click Protection and try to toggle Ransomware Protection to on. When it fails to turn on, return to Process Monitor. Click File followed by Capture Events. This will remove the checkmark and stop the capture. Click File, followed by Save. Click OK. One or more files named Logfile.pml will be saved to the chosen location. Please Zip up all of the files (highlight all files > right-click > Send to > Compressed (Zipped) folder) and attach the file in a post. If the file is too large, upload it to WeTransfer.com and provide the generated link.
  10. Hi Dan, Thanks for reporting this. We're currently tracking an issue with certain protection components failing to start. To confirm, if you start a new Malwarebytes session (right-click the Malwarebytes icon in the notification area and click Quit Malwarebytes) and the relaunch Malwarebytes, is Ransomware Protection still tuned off? We'd like to get a Process Monitor log captured during a failed attempt to turn Ransomware Protection on. Please refer to the steps below. Run Process Monitor Please download run_procmon.bat using the link below. → https://malwarebytes.box.com/s/he92cwwd71sa0w7waiub8wx69ymb5d4i Open your Downloads folder. Double-click run_procmon.bat. Click Yes if prompted by User Account Control. Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway. A black Command Prompt window will appear. When prompted to carry out the tasks, please do the following: Open Malwarebytes and try to turn Ransomware Protection on. Once done, click inside the Command Prompt window and press Y on your keyboard followed by Enter. Upon completion, a file named procmon-log.zip will be saved to your Desktop. Please attach the file in your next reply. Note: If the file is too large, you will be provided instructions to upload the file to a file hosting website (wetransfer.com).
  11. LiquidTension

    Malwarebytes keeps turning off

    Thanks for the follow-up!
  12. That's correct. The license is first backed up and then deactivated when the tool removes Malwarebytes. If the user opts to reinstall Malwarebytes after the reboot via the tool, the backed up license will be used by the installer to automatically activate Premium. I edited my post above to clarify that a manual reinstallation will require manual reactivation.
  13. LiquidTension

    MBAM Service sending data

    The domains depicted in your screenshot are related to Malwarebytes update checks and license state/key check-ins. Note that disabling telemetry within the settings will prevent normal usage telemetry from being sent up, but does not suppress certain threat detection telemetry as this is required for normal operation of certain Real-Time Protection components.
  14. Understood. The purpose is not to resolve the issue, but to start the next set of troubleshooting from a consistent starting point. Can you enable boot time logging in Process Monitor: https://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool Reboot the computer. After the reboot, rerun Process Monitor and click Yes when prompted if you wish to save the collected data. Zip up the generated .pml files and upload to WeTransfer.com.
  15. Providing the machine is connected to the Internet and keystone.mwbsys.com is reachable, uninstalling Malwarebytes (via Programs and Features, Malwarebytes Support Tool, etc) will automatically deactivate the license. Manually reinstalling Malwarebytes on the same machine will therefore require a reactivation of Premium. This doesn't apply to an over-the-top installation, which will retain the license state.

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.