Gt-truth

MALWAREBYTES uninstall hang and lock issue caused by its service


Hi there

I have been having a strange problem since the first release of MALWAREBYTES version 3. As of today, I had to uninstall MALWAREBYTES V3 due to an ongoing problem with my anti-virus, which caused a connectivity issue where my laptop could not connect to a router/modem device. When I ran the network diagnostic built into Windows, I got an error message; I ran it to attempt to fix any problems found, but I got an error message. Anyway, I suspected my anti-virus, which turned out to be the cause of the blocked connection and the cause of the Windows troubleshooting tools having errors while running their scans. So, after all that, I had to completely remove the anti-virus via REVO uninstaller and by using their removal tool to fully solve the networking problems!

And now I had to completely uninstall MALWAREBYTES (mb3-setup-consumer-3.5.1.2522-1.0.441-1.0.6669.exe) from my system via Control Panel\Programs\Programs and Features, and then use both the MB-clean and MBST tools to try to remove any MB V3 leftover files/folders in the registry. While looking in the registry, I noticed that some of the entries left behind by MB version 3 will not be removed either by the MALWAREBYTES uninstall option or even by Revo uninstaller! When I try to delete any of those entries, I instantly get the error message below, and I am not really sure why. Also, the uninstall process hung for a while, or sometimes forever, in both normal mode and safe mode. Moreover, I waited more than 10 minutes for the uninstall process to finish, and it hung and nothing worked until I was forced to kill the running MB process, which is (mbamservice). This MBAM service does not cause just one problem; it causes more than one issue, such as high RAM usage and others!

I have been running all of the MB-clean tools, mbam-clean-2.3.0.1001.exe and mb-clean-3.1.0.1035.exe and mb-support-1.1.2.471, and they are unable to clean up all the leftover registry keys belonging to MALWAREBYTES V3, and it says failed! So how do I remove those locked registry keys related to MB?

Also, I had to make my own script to at least remove some of the MB registry entries, so some of the entries were removed successfully and some are still locked and cannot be removed!

So any help to remove those from the Windows system registry? :mellow:

Quick question: why is the mbamservice process running in Task Manager even in safe mode? Yeah, I know the mbamservice process will be running in normal mode with all its problems. And why does the mbamservice process cause the uninstall process to hang in both Windows modes?

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMPROTECTION

error deleting key

cannot delete LEGACY_MBAMPROTECTION; error while deleting key.

error deleting key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMSWISSARMY

cannot delete LEGACY_MBAMSWISSARMY; error while deleting key.

error deleting key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMWEBPROTECTION

cannot delete LEGACY_MBAMWEBPROTECTION error while deleting key.

MBST log file below:

2018-09-07 01:39:07.630   MBST-Clean Log Version: 1.1.2.471
2018-09-07 01:39:07.630   Log Path: C:\Users\\Desktop\mbst-clean-results.txt
2018-09-07 01:39:07.640   User Account Type: Administrator
2018-09-07 01:39:07.640   Date/Time Log Created: 2018-09-07 01:39:07.640
2018-09-07 01:39:07.640   Operating System: Windows 7 Service Pack 1 x64
2018-09-07 01:39:07.640   
2018-09-07 01:39:07.640   ======================================================
2018-09-07 01:39:07.640   Pre-Reboot Cleanup
2018-09-07 01:39:07.640   ======================================================
2018-09-07 01:39:07.640   OpenService MBAMChameleon failed (1060)
2018-09-07 01:39:07.640   Deleted registry key: (SOFTWARE\Classes\AppID\{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2})
2018-09-07 01:39:08.191   OpenService MBAMChameleon failed (1060)
2018-09-07 01:39:09.822   Post reboot settings were configured successfully
2018-09-07 01:40:48.210   
2018-09-07 01:40:48.226   ======================================================
2018-09-07 01:40:48.226   Post-Reboot Cleanup
2018-09-07 01:40:48.226   ======================================================
2018-09-07 01:40:49.599   Deleted registry key: (SOFTWARE\Malwarebytes)
2018-09-07 01:41:18.329   
2018-09-07 01:41:18.329   ======================================================
2018-09-07 01:41:18.329   Install Malwarebytes for Windows
2018-09-07 01:41:18.329   ======================================================
2018-09-07 01:41:18.329   User choice for reinstall prompt (No clicked)

MB-clean log below:

2018-09-07 01:27:23.666   mb-clean:3.1.0.1035  @ Malwarebytes. All rights reserved.
2018-09-07 01:27:24.386   No Malwarebytes software installed.
2018-09-07 01:27:29.208   Trying to delete REG key: HKCU\SOFTWARE\Malwarebytes
2018-09-07 01:27:29.208   HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver does not exist.
2018-09-07 01:27:29.208   HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon does not exist.
2018-09-07 01:27:29.208   Trying to delete REG key: HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt
2018-09-07 01:27:29.208   HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection does not exist.
2018-09-07 01:27:29.208   HKLM\SYSTEM\CurrentControlSet\Services\MBAMService does not exist.
2018-09-07 01:27:29.208   HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy does not exist.
2018-09-07 01:27:29.208   Trying to delete REG key: HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection
2018-09-07 01:27:30.248   Trying to delete path C:\ProgramData\Malwarebytes\
2018-09-07 01:27:30.248   Cannot delete path C:\ProgramData\Malwarebytes\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 01:27:30.248   Trying to delete path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\
2018-09-07 01:27:30.248   Cannot delete path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 01:27:30.248   Trying to delete path C:\Program Files\Malwarebytes\Anti-Malware\
2018-09-07 01:27:30.248   Cannot delete path C:\Program Files\Malwarebytes\Anti-Malware\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 01:27:30.248   Trying to delete REG key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService
2018-09-07 01:27:30.248   Trying to delete REG key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService
2018-09-07 01:27:30.248   --------END OF LOG FILE ----------
2018-09-07 09:50:21.077   mb-clean:3.1.0.1035  @ Malwarebytes. All rights reserved.
2018-09-07 09:50:21.767   No Malwarebytes software installed.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMService does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy does not exist.
2018-09-07 09:50:23.357   HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection does not exist.
2018-09-07 09:50:24.057   Trying to delete path C:\ProgramData\Malwarebytes\
2018-09-07 09:50:24.057   Cannot delete path C:\ProgramData\Malwarebytes\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 09:50:24.067   Trying to delete path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\
2018-09-07 09:50:24.067   Cannot delete path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 09:50:24.067   Trying to delete path C:\Program Files\Malwarebytes\Anti-Malware\
2018-09-07 09:50:24.067   Cannot delete path C:\Program Files\Malwarebytes\Anti-Malware\, reason:(The system cannot find the path specified.(error=3))
2018-09-07 09:50:24.067   --------END OF LOG FILE ----------

 

Edited by Gt-truth


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

  • Click the Gather Logs button

  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:



    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


mbamservice will run in safe mode for users who need to remediate there.

As for your issue, I would try installing again if possible, then doing another uninstall using the Support Tool (not mb-clean or mbam-clean, use the support tool)

13 hours ago, dcollins said:

mbamservice will run in safe mode for users who need to remediate there.

As for your issue, I would try installing again if possible, then doing another uninstall using the Support Tool (not mb-clean or mbam-clean, use the support tool)

I understand now! :) Thanks for the clarification, @dcollins, but why does mbamservice cause a hang while uninstalling MB?

For my current issue, I am going to try to reinstall MB and uninstall it again, and I will report back whether or not this solves the problem I have!

Edited by Gt-truth


Unfortunately, installing it again and uninstalling it via Revo uninstaller and by using MBST only will not solve the issue! There are still locked MB files and folders in the registry which cannot be removed either by MBST or by searching in the registry itself! I had to use a tool for this purpose, and here are the results in the screenshots below.

So I am trying to remove those entries, but they won't be deleted even by using MBST!

Note: I had to yet again remove all of the security software from the system!

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\1\0\1\0]
"19"=hex:4a,00,31,00,00,00,00,00,23,4d,79,7e,10,20,6d,62,61,6d,00,00,36,00,08,\
  00,04,00,ef,be,23,4d,79,7e,23,4d,79,7e,2a,00,00,00,2f,42,00,00,00,00,08,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,6d,00,62,00,61,00,6d,00,00,00,14,\
  00,00,00

[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\1\0\1\0\6]
"24"=hex:4a,00,31,00,00,00,00,00,23,4d,79,7e,10,20,6d,62,61,6d,00,00,36,00,08,\
  00,04,00,ef,be,23,4d,79,7e,23,4d,79,7e,2a,00,00,00,33,42,00,00,00,00,09,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,6d,00,62,00,61,00,6d,00,00,00,14,\
  00,00,00

[HKEY_CURRENT_USER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMPROTECTION]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMSWISSARMY]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMWEBPROTECTION]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMPROTECTION]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMSWISSARMY]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMWEBPROTECTION]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMPROTECTION]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMSWISSARMY]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMWEBPROTECTION]
"NextInstance"=dword:00000001

[HKEY_USERS\S-1-5-21-1881379605-1187743390-1954578905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery]
"11"=hex:6d,00,62,00,61,00,6d,00,00,00

I had to export this .reg file; if it will help, I can attach it here.

 

 

CpWz_708.png

CpWz_709.png

CpWz_710.png

Edited by Gt-truth


Those keys actually are generally supposed to be left behind. They are actually created by the OS itself, not by installed software (even when the services/drivers listed belong to third party software). This is because the OS creates them itself for any installed device/driver/service that is ever installed on the system and only the OS itself has permissions/access there which is why you are getting the errors when trying to delete them. With that said, they do no harm in remaining there and do not indicate that the devices/drivers/services listed are actually currently active/installed, just that they had been at one time. There are rare cases where one or more legacy keys may require removal, however that is only for instances where they are preventing the software the key(s) belong(s) to from being reinstalled due to the key(s) existing.

You can find more information about those keys in the following links:

SOLVED Legacy MPKSL entries in registry after MSE removal
HKLM\SYSTEM\CurrentControlSet\Enum Registry Tree

By default, only Windows itself is supposed to add/remove any keys in those particular branches of the registry (the ENUM\ROOT\LEGACY branches) so the Malwarebytes uninstaller and even the Malwarebytes Clean Tool/Malwarebytes Support Tool should not and most likely do not attempt to remove them. This is because, as I mentioned above, the OS itself creates them for every installed device/driver/service, not the software that installed the device/driver/service (those which are created by Malwarebytes are removed by both the normal uninstaller as well as the cleanup tools).

I hope this helps clarify what's going on with those keys and why you are seeing the behavior that you are with them.  You can also verify which devices/drivers/services are actually installed and active at any given time via tools such as MS Sysinternals Autoruns, FRST (a tool used frequently here on the forums, including as part of the Malwarebytes Support Tool's logging function) as well as many others, and you will notice that any device/service/driver which is not listed under the normal Services keys (HKLM\SYSTEM\CurrentControlSet\Services) will not be listed in any of those tools, even if entries persist for the given device/service/driver in any or all of the various ENUM\ROOT\LEGACY keys.


@exile360 thanks for the detailed explanation and for the links in your reply! However, I was previously able to remove these MB V3 entries, which belonged to the previous version of MALWAREBYTES version 3, using only the Windows registry editor without any problem :) but now I am not sure why I cannot delete any of those MB entries in the registry! So what I had to do was search Google, and I found a small and powerful utility to remove any stubborn or locked key from the Windows registry! So I think that the MB-clean and MBST tools are not even able to clear the MALWAREBYTES files/folders from the registry every time, because sometimes they leave behind those in the list below:

MBAMService
MBAMProtection
MBAMSwissArmy
MBAMWebProtection

I have run a scan with another tool called "runscanner", which found all of the above entries; I just check-marked all of those entries to be deleted, and this tool always removes them all successfully! :) Just a note: the runscanner website has been down for a few days and I can't reach support there. Anyway, I did the same thing to remove the KASPERSKY leftover files and folders within the registry, and all KASPERSKY leftover files and folders were removed successfully without any error pop-ups. The other new utility I have just downloaded is called "RegistryDeleteEx"; this one helped me just now to delete all entries belonging to MALWAREBYTES and HITMANpro :)

Also note: sometimes both MBST and MB-clean will leave a MALWAREBYTES folder behind in C:\ProgramData and C:\Program Files (x86) :) (not sure of the path), but I'm going to reboot the system right now and install MB v3 again!

OK, can you tell whether or not these are MB drivers, which are sometimes left behind by the uninstaller?

C:\Windows\system32\Drivers\266891BE.sys
C:\Windows\system32\Drivers\5317F3D7.sys

 

 

Edited by Gt-truth


You can check the links I referenced (or MS directly via Technet etc. if you wish); those entries are created by Windows, not Malwarebytes and normal uninstallers do not and should not try to remove them (the MS documentation specifies this in the link I posted to their site on the subject).  Other tools may certainly remove them if designed to do so, although they likely have to modify permissions on the keys to do so (similar to how tools like Unlocker work for removing stubborn items).

As for the folders, I do know that the Program Files folder should not be left behind and the Program Files (x86) folder shouldn't exist since version 3 of Malwarebytes uses a native dual platform installer with some native x64 executables and installs to the native Program Files folder, so the Program Files (x86) folder was likely from an older version of Malwarebytes (2.x or 1.x) or from another Malwarebytes tool/product installed in the past and I don't believe the Malwarebytes clean tools target those folders, however I do believe there is an older version of mbam-clean.exe still available somewhere for removing older versions that should.

With regards to the ProgramData folder, I do believe (though a staff member may need to confirm) it is left behind deliberately because that is where the license info is stored and the clean tools and uninstaller deliberately leave that info intact in case the user desires to reinstall the software and doesn't have their license info handy to reactivate.

Those drivers do look like cleanup drivers that belong to Malwarebytes used for remediation as a component of its DOR (Delete on Reboot) technology. They use random names to evade blocking/deletion by malware so the cleanup tools aren't able to target them either. Normally they are supposed to get deleted after the remediation/reboot process, however they do end up getting left behind sometimes, either due to some kind of error or interference (like an AV or permissions issue) or when the DOR sequence fails to complete fully (rare, but I have seen it happen before). That said, having them remain on disk is completely harmless (though arguably a negligible waste of space) as they are set to run only once, on the first reboot for the cleanup process and won't load again (you can verify this via any tool that looks at drivers that are currently running or configured to load on boot).

If Runscanner and other tools target the LEGACY keys that doesn't necessarily mean that they should, as again, according to Microsoft's own documentation, those keys are to be used by the OS itself and shouldn't be modified by third party software.  In a case like this where you're just trying to remove all traces of Malwarebytes it obviously isn't going to do any harm, however I would advise caution in how you remove them as I wouldn't want the security and stability of your system compromised by doing so if, for example, the tool were to alter the parent permissions on the entire ENUM\ROOT registry branch/path which is deliberately restricted from modification by Microsoft for the reasons stated. 

Edited by exile360
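
The checks described in the replies above can be done without deleting anything or touching permissions. The following is an added example, not part of the original thread and not Malwarebytes' own tooling: a read-only PowerShell audit that compares each LEGACY_MBAM* record with the Services key, lists the ACL on Enum\Root, and looks for any registered driver that points at the two leftover .sys files named in the thread. It assumes that LEGACY_<NAME> corresponds to Services\<NAME>.

```powershell
# Added example: read-only audit. Nothing below writes to the registry or changes an ACL.
# PowerShell 2.0 syntax so it runs on Windows 7; use an elevated 64-bit prompt
# (a 32-bit prompt would see System32 redirected to SysWOW64).

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Compare each LEGACY_MBAM* record with the Services key that would make it loadable.
#    Assumption: LEGACY_<NAME> corresponds to Services\<NAME> (key names are case-insensitive).
$legacy = Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_MBAM*' } |
    ForEach-Object {
        $svcName = $_.PSChildName -replace '^LEGACY_', ''
        $present = Test-Path -Path (Join-Path $services $svcName)
        New-Object PSObject -Property @{
            LegacyKey  = $_.PSChildName
            ServiceKey = $present
            Verdict    = $(if ($present) { 'service still registered' } else { 'stale record only' })
        }
    }
$legacy | Select-Object LegacyKey, ServiceKey, Verdict | Format-Table -AutoSize

# 2. List who holds rights on Enum\Root. Useful after running a third-party removal
#    tool, to see whether it left broader permissions behind than before.
(Get-Acl -Path $enumRoot).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Check whether any registered driver still references the leftover files
#    named in the thread. An empty RegisteredAs means the file is on disk only.
$drivers = Get-WmiObject -Class Win32_SystemDriver
$report = foreach ($file in '266891BE.sys', '5317F3D7.sys') {
    $refs = @($drivers | Where-Object { $_.PathName -like "*\$file" })
    New-Object PSObject -Property @{
        File         = $file
        OnDisk       = Test-Path -Path (Join-Path "$env:windir\System32\drivers" $file)
        RegisteredAs = ($refs | ForEach-Object { "$($_.Name) [$($_.StartMode), $($_.State)]" }) -join '; '
    }
}
$report | Select-Object File, OnDisk, RegisteredAs | Format-Table -AutoSize
```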
