MSFT MRT Removes mbshlext.dll?


I'm sorry if I've missed a discussion on this, but I'm surprised it isn't making more waves.

Ever install a Windows Update only to have your Scan with Malwarebytes context menu in Explorer disappear?  It appears that Microsoft's Malicious Software Removal Tool is just deleting a key component of Malwarebytes:  mbshlext.dll

After Windows Updates I have to go restore mbshlext.dll from one of my backups to its former home in folder C:\Program Files\Malwarebytes\Anti-Malware.

Sure seems rather anti-competitive to me...

-Noel


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

    Click "Reveal Hidden Contents" below for details on how to attach a file:
    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


I have before and after listings from the following SysInternals AutoRuns command:

autorunsc64 -a *

The one just before the application of cumulative Windows 8.1 updates on June 15 at 7am showed this:

   MBAMShlExt
     HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
     Malwarebytes
     Malwarebytes
     3.0.0.26
     c:\program files\malwarebytes\anti-malware\mbshlext.dll
     1/25/2017 5:37 PM


The one just after the update showed this:

   MBAMShlExt
     HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
     File not found: C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

     

Do you know of specific logs emitted by the MRT?  I'll be happy to dig into them.

-Noel
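
The before/after AutoRuns comparison in the post above can be automated. This is an added example, not part of the original posts or of any Sysinternals or Malwarebytes tooling; it assumes the plain-text `autorunsc` layout quoted above (entry name indented three spaces, fields five), and the function names are hypothetical.

```python
import re
# Constructed sample input: the two autorunsc listings quoted in the post above.
BEFORE = r"""
   MBAMShlExt
     HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
     Malwarebytes
     Malwarebytes
     3.0.0.26
     c:\program files\malwarebytes\anti-malware\mbshlext.dll
     1/25/2017 5:37 PM
"""
AFTER = r"""
   MBAMShlExt
     HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
     File not found: C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
"""
MISSING = "File not found: "
PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERSION_RE = re.compile(r"^\d+(\.\d+)+$")

def parse_listing(text):
    """Map (entry name, registry location) -> image path, version, missing flag."""
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent >= 5 and current is not None:
            current.append(line.strip())      # field of the current entry
        elif indent == 3:
            current = [line.strip()]          # entry name starts a new block
            blocks.append(current)
        else:
            current = None                    # banner or section header
    entries = {}
    for name, *fields in (b for b in blocks if len(b) > 1):
        gone = next((f[len(MISSING):] for f in fields if f.startswith(MISSING)), None)
        image = gone or next((f for f in fields[1:] if PATH_RE.match(f)), None)
        version = next((f for f in fields[1:] if VERSION_RE.match(f)), None)
        entries[(name, fields[0].lower())] = {
            "image": image, "version": version, "missing": gone is not None}
    return entries

def broken_by_update(before, after):
    """Entries whose image file resolved before but is reported missing after."""
    old, new = parse_listing(before), parse_listing(after)
    return [{"entry": key[0], "image": cur["image"], "was_version": old[key]["version"]}
            for key, cur in new.items()
            if cur["missing"] and key in old and not old[key]["missing"]]
```

Run against saved listings taken before and after each update, this flags every autostart entry whose file disappeared and records the version that was present beforehand.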


I can't offer any other reason a Windows Update should remove the above mentioned file, but MRT didn't log the deletion.  That being said, it's certain that the Windows Update process is what caused it.  It's not the first time I've seen it happen during a Windows Update (I compare my AutoRuns output every time I run a Windows Update).  This is the pertinent section of the MRT log.

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.61, June 2018 (build 5.61.14929.3)
Started On Fri Jun 15 07:14:11 2018

Engine: 1.1.14901.4
Signatures: 1.269.297.0
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Fri Jun 15 07:16:40 2018


Return code: 0 (0x0)

 

I can only guess that if they're engaging in anti-competitive behavior they wouldn't log it.

-Noel


I seem to have accumulated a lot of stuff in there.

Bear in mind this was not a Windows in-place upgrade.  I brought a Win 8.1 x64 Pro MCE system up to date from December patch level to June patch level.

Any particular folder you'd like me to send you from this set?

C:\TEMP>dir C:\Windows\Panther /s
 Volume in drive C is C - NoelC4 SSD
 Volume Serial Number is 00ED-C11E

 Directory of C:\Windows\Panther

11/13/2013  01:05 PM    <DIR>          .
11/13/2013  01:05 PM    <DIR>          ..
11/13/2013  12:07 PM            42,475 cbs.log
11/13/2013  12:08 PM                68 Contents0.dir
11/13/2013  12:13 PM                68 Contents1.dir
11/13/2013  12:11 PM             2,844 DDACLSys.log
11/13/2013  12:13 PM             5,718 diagerr.xml
11/13/2013  12:13 PM            16,086 diagwrn.xml
11/13/2013  01:05 PM    <DIR>          FastCleanup
11/13/2013  12:08 PM            28,812 MainQueueOnline0.que
11/13/2013  12:13 PM            27,456 MainQueueOnline1.que
11/13/2013  01:05 PM           434,176 setup.etl
11/13/2013  12:11 PM    <DIR>          setup.exe
11/13/2013  12:13 PM           540,754 setupact.log
11/13/2013  11:59 AM                 0 setuperr.log
11/13/2013  12:08 PM           440,576 setupinfo
11/13/2013  12:11 PM    <DIR>          UnattendGC
08/22/2013  07:18 AM           929,792 _s_AEE9.tmp
08/22/2013  08:41 AM           442,772 _s_B40C.tmp
              14 File(s)      2,911,597 bytes

 Directory of C:\Windows\Panther\FastCleanup

11/13/2013  01:05 PM    <DIR>          .
11/13/2013  01:05 PM    <DIR>          ..
11/13/2013  01:05 PM             1,908 diagerr.xml
11/13/2013  01:05 PM             1,908 diagwrn.xml
11/13/2013  01:05 PM               456 setupact.log
11/13/2013  01:05 PM                 0 setuperr.log
               4 File(s)          4,272 bytes

 Directory of C:\Windows\Panther\setup.exe

11/13/2013  12:11 PM    <DIR>          .
11/13/2013  12:11 PM    <DIR>          ..
               0 File(s)              0 bytes

 Directory of C:\Windows\Panther\UnattendGC

11/13/2013  12:11 PM    <DIR>          .
11/13/2013  12:11 PM    <DIR>          ..
11/13/2013  01:05 PM             4,123 diagerr.xml
11/13/2013  01:05 PM             3,813 diagwrn.xml
11/13/2013  01:05 PM            58,469 setupact.log
11/13/2013  01:05 PM               123 setuperr.log
               4 File(s)         66,528 bytes

     Total Files Listed:
              22 File(s)      2,982,397 bytes
              11 Dir(s)  605,448,335,360 bytes free

-Noel


Thanks, Devin.  Let me know if there's anything more I can do.

Oh, and could you please verify that the version of the dll (3.0.0.26) that I restored from my backup is the one that's supposed to go with the latest MWB package (3.5.1.2522)?

-Noel

Edited by NoelC