Goldanorack

Malware Bytes crushes Defender


Hi, 

 

I'm starting my first post here to complain about Malware Bytes' behavior and get some help about it. I just switched from Mac to PC and wanted a perfect protection, so I thought Malware Bytes associated with Defender would be the gold standard. After the installation, I started to notice HEAVY ethernet issues, until I lately reached the point where I had just NO INTERNET at all. After trying many many solutions without resolution, I asked on my Motherboard's constructors' forum. They suggested that my Malware Bytes was the problem, and that I should try to uninstall it with the removal tool provided. I did that, and my ethernet is back up again without failure, but the removal tool failed to reinstall every bit of Windows Defender. That's a SHAME. So now I find myself without protection and without Firewall, and seeking your help so I finally get Defender working again after Malware Bytes completely *****ed it up. 

 

Thanks for reading ! 


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Follow the instructions on this page to add MBAM to the Windows Defender exclusions list.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/docs/DOC-1123

Restart the computer normally.

===

If any issues with MBAM 

Uninstall and reinstall using the Malwarebytes Support Tool
https://support.malwarebytes.com/docs/DOC-2674

If you still have issues please contact Malwarebytes' support.
https://forums.malwarebytes.com/forum/41-malwarebytes-for-windows-support-forum/

Hope that helps.
 


hi, 

 

thanks for answer. However, I do not want to reinstall MalwareBytes on my computer, at least not until that MAJOR issue is fixed. I just want my full Defender functions back, and I do not know how I can reactivate them now that MB destroyed them. 


<kibbitz>   I hope Nasdaq will not mind my butting in here.

Hi @Goldanorack   

I will be happy to help you to get Windows Defender  back to on.  I presume this is a Windows 10 system !

I just need a report from this system before we start.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:


"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run report with FRST

Right-click on FRST icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

 

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._

Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.





The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

 

NOTES:  Malwarebytes does not "clobber" or do ill to the Windows Defender.  It is just likely that Windows Defender is only just set to off.  That can be taken care of.

Your patience is appreciated in advance.

Sincerely,

Maurice


FRST.txt, Addition.txt

Hi, thanks for taking the time @nasdaq @Maurice Naggar 

Here is the FRST and Addition txts !

Do you have any idea why this happened ? I really liked malware Bytes and the way it worked before it crashed my internet all the time, I'm kinda sad to let it go... 


Honestly, Malwarebytes does not crash internet. You must realize that there are millions of users of Malwarebytes, and that whatever happened on this box can't be known without additional logs (now gone since Malwarebytes was removed).

By the way, I am somewhat curious just what "removal tool" that forum you mentioned at the top,  had suggested you use ?

 

Thanks for the FRST reports. I do see that this Windows 10 had Controlled Folder Access on & that had interfered with the functioning of Malwarebytes on the 13th.

From the Windows system event logs:

Quote

Date: 2020-01-13 12:30:06.012
Description: 
Controlled Folder Access blocked C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe 
Detection time: 2020-01-13T11:30:06.012Z
Path: \Device\HarddiskVolume4
Process Name: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

 

We typically suggest to folks to NOT have the Controlled Folder Access feature of Windows 10 on.

 

What follows is a custom tweak for this system for the Windows Defender.   Please close all un-needed open programs you may have opened yourself manually.

Do that before doing this procedure.

 

This custom script is for  Goldanorack   only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  DOWNLOADS  folder

The tool named FRST64.exe   tool    is already on the Downloads folder

Start the Windows Explorer and then, to the Desktop.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

and when you post back, tell me how Windows is doing over-all.

 

ALSO, after the Windows is restarted and is settled in,

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 

In Windows Settings  >>> click on Windows Security from the left side list.

Next, In Windows Security section:  Click on the grey button Open Windows Security

 

Take a look there.   Need to see that there is not a red flag or orange flag from Windows.

Fixlist.txt


I know, it seemed strange too but the fact everything works now is even more strange, maybe I can reinstall it to see if the problem happens again ?

it was the official tool from MB : mb-support-1.5.3.749

I'll do that and keep you updated about the evolution, thank you so much for the custom. I didn't know Controlled Folder Access feature of Windows 10 was a bad thing I just had my first after nearly a decade on a MacbookPro... but I just checked and it is deactivated [attached screenshot]

I wonder why the FRST tool says it is on then... 


Controlled folder access can complicate things.

Have you run the custom FRST fix yet?   If not, do that   and send the Fixlog report after it finishes.


Fixlog.txt

Ran your custom script and everything is back to normal. Here is the fixlog.txt. I also checked Windows Security in Security and Updates. There are no red flags, and everything is displaying correctly (I had just a blank page before your script).

Thank you so much for your help and your time. I will now run a clean install of MalwareBytes freshly downloaded, and see if the problem occurs again. 


Windows 10 includes the firewall from Microsoft.

The Windows Defender is ON.

 

Download   Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.

If using Windows 7/8 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services

 
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

 


Farbar Service Scanner Version: 14-12-2019
Ran by gabri (administrator) on 16-01-2020 at 00:33:50
Running from "C:\Users\gabri\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv: "%systemroot%\system32\svchost.exe -k netsvcs -p".
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe"".


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

Here is the result for the FSS.txt !
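
A read-only way to re-check, from an elevated PowerShell prompt, the items this FSS log and the earlier Controlled Folder Access event point at: the WinDefend start type, the DisableAntiSpyware value, the firewall profiles, and the current Controlled Folder Access setting next to any past block events (an event entry is a dated record, so it can show a block even when the setting is off today). This is an added example, not part of the original thread and not taken from FRST, FSS or Malwarebytes; the function name Get-DefenderTriage, the service short names, the Policies registry path and event ID 1123 are assumptions that do not appear on the page.

```powershell
# Added example: reports state only, changes nothing.
# Assumes Windows 10 with the built-in Defender and NetSecurity modules.

function Get-DefenderTriage {
    $report = [ordered]@{}

    # Service state. FSS reported WinDefend as not running, start type Demand (default Auto).
    # mpssvc = Windows Defender Firewall, BFE = Base Filtering Engine,
    # BITS = Background Intelligent Transfer Service, wscsvc = Security Center.
    foreach ($name in 'WinDefend', 'mpssvc', 'BFE', 'BITS', 'wscsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report["Service:$name"] =
            if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not found' }
    }

    # DisableAntiSpyware: the key FSS printed, plus the Group Policy location
    # (the Policies path is an assumption, it is not shown in the log above).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($key in $keys) {
        $val = (Get-ItemProperty -Path $key -Name DisableAntiSpyware `
                    -ErrorAction SilentlyContinue).DisableAntiSpyware
        $report["DisableAntiSpyware @ $key"] =
            if ($null -eq $val) { 'not set' } else { $val }
    }

    # Live Defender status and the current Controlled Folder Access setting.
    # These cmdlets fail when the WinDefend service is stopped, so report that instead.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $report['AntivirusEnabled']          = $status.AntivirusEnabled
        $report['RealTimeProtectionEnabled'] = $status.RealTimeProtectionEnabled

        $pref = Get-MpPreference -ErrorAction Stop
        $report['ControlledFolderAccess'] =
            switch ($pref.EnableControlledFolderAccess) {
                0 { 'Disabled' }
                1 { 'Enabled' }
                2 { 'AuditMode' }
                default { "Other ($_)" }
            }
    } catch {
        $report['DefenderCmdlets'] = "unavailable: $($_.Exception.Message)"
    }

    # Firewall profiles (Domain / Private / Public).
    foreach ($p in Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        $report["Firewall:$($p.Name)"] = $p.Enabled
    }

    # Most recent Controlled Folder Access block events (history, not current state).
    $cfa = Get-WinEvent -FilterHashtable @{
               LogName = 'Microsoft-Windows-Windows Defender/Operational'
               Id      = 1123
           } -MaxEvents 5 -ErrorAction SilentlyContinue
    $report['RecentCfaBlocks'] = @($cfa | ForEach-Object { '{0:u}' -f $_.TimeCreated }) -join '; '

    [pscustomobject]$report
}

Get-DefenderTriage | Format-List
```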

3 hours ago, Goldanorack said:

 

...... I will now run a clean install of MalwareBytes freshly downloaded, and see if the problem occurs again. 

You seem to say that you have completed a new install of Malwarebytes for Windows. I need for you to take one action on Malwarebytes. This is because you prefer to have Windows Defender as "the" resident antivirus.

 

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

.

Then later on, after about a minute or so, I would like for you to look on the Security section of the Windows Settings.

From the start menu, click on the Settings ( gear ) icon   and then select Update and Security.

Now, from the left side list, click on Windows Security.    Tell me if you see a display similar to this one

 

image.thumb.png.a6bd9cd3699db2a23c44910aef68b15e.png


Did the action on the new install of Malware Bytes (although I already had done it on the previous version I had installed on my computer) - everything is fine in Windows Security, everything is green. I just turned my computer on: no internet again, and Windows Defender asked me to activate a firewall again... by no internet I mean the connection is on and speedtest is normal, it just takes minutes before loading a page. I typically got the issue back since I reinstalled MB. Strange behavior in the Task Manager [attached screenshot]


Let's take a look at the status of several Windows Services, using the Services applet.

Please be sure that you are logged in to Windows with a login that has Administrator-level rights.

This Windows seems to have an issue on some specific Windows services.
I need for you to have pen and paper handy and take notes on what follows, please.

Press and hold the Windows-flag-key on keyboard and tap the *R* key to get the RUN menu option.

type in

services.msc

and press Enter key. 

Scroll down the list. Look for "Background Intelligent Transfer Service".

Does it show in the list as Running?
If it does not, then click the line "Background Intelligent Transfer Service "   to be sure it is selected

look on the upper left corner and click on Start service.
.

Scroll down the list. Look for "Base Filtering Engine".

.Does it show in the list as Running?
If it does not, then click the line "Base Filtering Engine "   to be sure it is selected

look on the upper left corner and click on Start service.
.


Scroll down the list. Look for "Remote Procedure Call (RPC)".

Does it show in the list as Running?
If it does not, then click the line "Remote Procedure Call (RPC)" to be sure it is selected

look on the upper left corner and click on Start service.
.

 

Scroll down the list. Look for "Windows Defender Firewall".

Does it show in the list as Running?
If it does not, then click the line "Windows Defender Firewall" to be sure it is selected

look on the upper left corner and click on Start service.


.
Scroll down the list. Look for "Windows Management Instrumentation".

Does it show in the list as Running?
If it does not, then click the line "Windows Management Instrumentation" to be sure it is selected

look on the upper left corner and click on Start service.

Close the window when done.
Kindly relay to me all details. Thank you.


alright, just did what you told me and here are the results :

Background Intelligent Transfer Service wasn't running and is on Manual Startup Type.
it switched itself to Automatic (delayed start) when I started the service. 

Base Filtering Engine is running and on automatic.

Remote Procedure Call (RPC) is running and on automatic. 

Windows Defender Firewall is running and on automatic.

Windows Management Instrumentation is running and on automatic. 

(just in case, note that my Windows is authentic, I bought my own key, so no risk of a corrupted crack)


I did a reboot to verify the state of these services : Background Intelligent Transfer Service isn't running and is on Manual Startup Type again. 

the others are running (Defender still asked me to activate my firewall though)


Thanks.

Let's do this next.

 

Start NOTEPAD { you can press Windows-key+R keys to get the RUN option
and then type in
 

NOTEPAD.exe


and press Enter key to start NOTEPAD.

Check and make sure "word wrap" is off. 
From Notepad main menu bar, Select F (format) and make sure Word Wrap is NOT checked.
IF it -is- checkmarked, click that one time so that it is un-checked.

Please copy/paste the lines below to Notepad:


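@Echo on
rem Reset the hosts file to a single localhost entry
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack, then reboot
netsh winsock reset all
netsh int ip reset resetlog.log
shutdown -r -t 1
rem Delete this batch file
del %0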




now Save as flush.bat to your desktop.
Double-click flush.bat file to run it. Your computer will reboot.

 

After Windows is restarted, wait for a couple of minutes for the system to settle in.   Then do a basic check using the PING  applet

Start NOTEPAD { you can press Windows-key+R keys to get the RUN option
and then type in

 

ping bing.com

.tell me if that succeeds.

Edited by Maurice Naggar


Sorry, but the ping should be run from a Command prompt.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .

It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is

To get the elevated command prompt, press Windows-key + X key and then select Command prompt ( Admin )

On that command prompt,  Copy & Paste this command

ping bing.com

.tell me if that succeeds.


So, I ran the batch, and just before it rebooted I saw "access denied" multiple times occurring (I checked and Controlled Folder Access is still off)

The ping for bing.com returned the following statement

image.png


I tried pinging Google.com instead and got some interesting results. 

When pinging with MB on, the four packets timed out. 
When pinging with MB off, they all arrived within 10 to 20 ms. 

When pinging with MB on but Web Protection off, the four packets arrived within 20 to 40 ms. 

 


Very sorry to learn all this. Let's get a fresh readout report. The FRST64 tool is on the Downloads folder.

 

Run report with FRST64

Right-click on FRST64 icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

 

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._

Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.





The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


I do not believe there is a "malware infection".

One big point I would like to relay: Let's slow down a bit, take things at a slower pace.

One of the next things I would like to try is a special repair operation using the Malwarebytes Support tool.

That tool is named mb-support-1.5.3.749.exe   and it is on the Downloads folder on this machine.

 

First, close as many opened windows that have been opened by you ....so that you have clear fields of view.

Using Windows File Explorer   open your Downloads folder

  • Double-click mb-support-1.5.3.749 to start the report tool.
  • Click YES to allow Windows to proceed to run this tool.
  • If prompted, place a checkmark next to Accept License Agreement and click Next.

Now, click the ADVANCED button at the left side.

Next,  Look for the far right pane titled Repair system.

Put a tick mark on each of the 4 check-boxes.

Then click the button "Repair System".

Do have lots of patience.

 

I am hopeful this will help out.   Keep me advised.  Keep faith.   Your continued patience is appreciated.

If needed, later on, we can take other measures ....... as needed.

Sincerely,
