Unable to delete MBAMChameleon.sys & mbae64.sys files

Background information: I hold a lifetime Malwarebytes Anti-Malware license. I am trying to upgrade to Malwarebytes 3.0.5 from Malwarebytes Anti-Malware. I also had Malwarebytes Anti-Exploit installed on my machine, which got uninstalled automatically while upgrading.

Problem statement: Since Malwarebytes 3.0 was unable to upgrade and register properly the first time, I tried reinstalling and registering it several times, but it did not work. So I thought I would do a clean install, but that did not work either, as the files "mbae64.sys" and "mbamchameleon.sys" were not getting deleted.

Note: I also have Comodo Internet Security installed.

HWINFO.txt


Pretty sure there was something else involved.

If you don't have the right to delete a file, renaming it won't change anything because the file stays the same and therefore the permissions don't change. If you can't delete it because the file is in use, you won't be able to rename it either because it's also in use.


1 hour ago, PhoenixDragon said:

It still works.  How or why is unknown.  Only that it works.

 

Files in System32 are typically owned by "TrustedInstaller" and are locked down very tightly. There is no direct way to remove / delete files under this folder.

This is done to ensure that there is no misbehavior done by any malware or user and that the system remains stable.

If you really, absolutely feel you must do this, the easiest way is to boot from a Linux LiveCD or a Windows install disk.

Using Linux, mount the drive R/W with the ntfs-3g utility (or just use mount; all modern Linux distros default to using ntfs-3g) and delete the files like you would any others (from a shell, the command is rm). I know this approach works.

Using Windows install media, you need to enter repair / recovery mode. That will give you the option to open a command prompt. This prompt can be used to browse to the folder (note that it may not be on the C: drive, if the install media is putting itself as C:) and try deleting the file, potentially using the same kinds of things you did above (taking ownership, changing ACLs, etc.). This should work, but I haven't tested it.

You could try to start CMD in administrator mode and then delete the files with the DEL command, provided some other process is not locking the file.

Being Administrator, you can directly rename the files only if they are not being used by any process, but deletion of .sys files in the drivers folder is not allowed directly.
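The replies above distinguish two reasons a driver file resists deletion: it is in use because the driver is still loaded, or an administrator cannot touch it because TrustedInstaller owns it. The following is an added example, not code from the thread or from Malwarebytes, that reports which case applies for the two files named in the thread; the check only reads ACLs and driver state and changes nothing.

```powershell
# Added example (not from the thread or the product): explain why a
# driver file under System32\drivers cannot be deleted. The two paths
# are the files named in the thread; no service names are assumed, the
# driver is located by matching the image path against the file name.
$files = @(
    "$env:SystemRoot\System32\drivers\mbae64.sys",
    "$env:SystemRoot\System32\drivers\MBAMChameleon.sys"
)

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present (nothing left to clean up)"
        continue
    }

    # Ownership: System32 content is normally owned by
    # NT SERVICE\TrustedInstaller, so even an administrator must take
    # ownership before the ACL can be changed and the file removed.
    $owner = (Get-Acl -LiteralPath $path).Owner

    # In-use check: Win32_SystemDriver lists kernel drivers with their
    # image path and run state. A Running driver's file is held open by
    # the kernel and can neither be deleted nor renamed until the driver
    # is stopped or the machine is booted from other media.
    $leaf = Split-Path -Leaf $path
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*$leaf") } |
        Select-Object -First 1

    $state = if ($drv) {
        "$($drv.Name) is $($drv.State) (start mode $($drv.StartMode))"
    } else {
        "no registered driver service points at this file"
    }

    Write-Output $path
    Write-Output "  owner : $owner"
    Write-Output "  driver: $state"

    if ($drv -and $drv.State -eq 'Running') {
        Write-Output "  -> in use: the loaded driver must be stopped, or the file removed from recovery media"
    } elseif ($owner -like '*TrustedInstaller*') {
        Write-Output "  -> not loaded but TrustedInstaller-owned: ownership/ACL must change before DEL can succeed"
    } else {
        Write-Output "  -> not loaded and not TrustedInstaller-owned: DEL from an elevated prompt should work"
    }
}
```

Run it from an elevated PowerShell prompt; if the script reports a running driver, the access denied error on DEL or on the updater's file replacement is expected until that driver is unloaded.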

 

I am awaiting a reply from the support team regarding my license activation issue. Once I get a reply, I will make one more attempt to do a clean install by renaming / deleting the leftover files and see if it works.

 

Thank you all for your help. I'll keep you posted once I'm done so that it helps others.


A new problem now arises. I was able to install and activate the product successfully, but after a restart the product behaves very oddly. It does the following:

1) It asks for the license activation again. It even resets the product trial version.

2) It also shows that an update is available to the 3.0.4 version, whereas I have already installed the latest 3.0.5 version. When I try to update it, it shows an access denied message for the mbae64.sys file to be replaced in the system32\drivers folder.

I am attaching the mbam-check result log.

CheckResults.txt
