Unable to delete MBAMChameleon.sys & mbae64.sys files

[yashiscool]

Background information: I hold a lifetime Malwarebytes Anti-Malware license. I am trying to upgrade to Malwarebytes 3.0.5 from Malwarebytes Anti-Malware. I also have Malwarebytes Anti-Exploit installed in my machine which got uninstalled automatically while upgrading.

Problem statement: Since Malwarebytes 3.0 was unable to upgrade & register properly the first time, i tried reinstalling it several times and register it but it did not work. So, i thought to do a clean install but that did not work either as the files "mbae64.sys" and "mbamchameleon.sys" were not getting deleted.

Note: I also have Comodo Internet Security installed.

 

HWINFO.txt

[Aura]

Hi yashiscool

Do you still have Malwarebytes Anti-Malware or Malwarebytes Anti-Exploit installed on your system? If you do, please uninstall them first, run the mbam-clean.exe clean-up tool, and then try to install Malwarebytes 3.0.5 again.

https://forums.malwarebytes.com/topic/146017-mbam-clean-removal-process-2x/

 

[yashiscool]

Thanks Aura. I did try to do a clean installation twice but it is unable to remove these files or even allow the new Malwarebytes 3.0.5 to activate properly.

[Aura]

Alright, uninstall all your Malwarebytes products, and try to delete the folders/files that are left behind (if you know what they are). Can you delete them, or do you get an Access Denied error?

[yashiscool]

Tried that already. I am able to delete all the folders and files except MBAMChameleon.sys & mbae64.sys files located in the windows\system32\Drivers folder.

[Aura]

What's the error message you're getting when you try?

[yashiscool]

It says Access is denied. I tried removing these files using tools like fileAssassin and iobit unlocker  but all in vain.

[Aura]

Does it says you need permission from a certain user and/or group? If so, which one?

Also usually when you can't delete a file because of permission issues, you can't rename it either, so it won't help.

[Aura]

Pretty sure there was something else involved.

If you don't have the right to delete a file, renaming it won't change anything because the file stays the same and therefore the permissions don't change. If you can't delete it because the file is in use, you won't be able to rename it either because it's also in use.

[yashiscool]

1 hour ago, PhoenixDragon said:

It still works.  How or why is unknown.  Only that it works.

 

Files in System32 are typically owned by "TrustedInstaller" and are locked down very tightly. There is no direct way to remove /  delete files under this folder.

This is done to ensure that there is no misbehavior done by any malware or user and that the system remains stable.

If you really, absolutely feel you must do this, the easiest way is to boot from a Linux LiveCD or a Windows install disk.

Using Linux, mount the drive R/W with the ntfs-3g utility (or just use mount; all modern Linux distros default to using ntfs-3g) and delete the files like you would any others (from a shell, the command is rm). I know this approach works.

Using Windows install media, you need to enter repair / recovery mode. That will give you the option to open a command prompt. This prompt can be used to browse to the folder (note that it may not be on the C: drive, if the install media is putting itself as C:) and try deleting the file, potentially using the same kinds of things you did above (taking ownership, changing ACLs, etc.). This should work, but I haven't tested it.

You could try to start CMD in administrator mode and then delete the files with the DEL command provided if some other process is not locking the file.

Being Administrator, you can directly rename the files only they are not being used by any of the processes but deletions of sys files in the drivers folder is not allowed directly.

 

I am awaiting a reply from the support team regarding my license activation issue. Once I get a reply, I will make one more attempt to do a clean install by renaming / deleting the leftover files and see if it works.

 

Thank you all for your help. I'll keep you posted once I'm done so that it helps others.

[Aura]

If you still can't delete the leftover files after that, let me know and I'll make you a FRST fix to get rid of them (and the services if they are still present). 

[yashiscool]

Thank you all.. Renaming finally helped instead of the mbam-clean-2.3.0.1001.exe file. I think the cleaner needs to be updated to be able to remove the sys files by renaming them first and then deleting them upon reboot.

I can make an exe for this if you want. Let me know if you need any help. :-)

[yashiscool]

A new problem now arises.. I was able to install and activate the product successfully but after a restart the product behaves very oddly. It does the following:

1) It asks for the license activation again. It even resets the product trial version.

2) It also shows that an update is available to the 3.0.4 version whereas I have already installed the latest 3.0.5 version. When I try to update it, it shows the access denied message for the mbae64.sys file to be replaced in the system32\drivers folder.

I am attaching the mbam-check result log.

CheckResults.txt