Jump to content

Invalid install on Windows Server 2016 and no can't uninstall


Recommended Posts

Hi All, 

I found that when I zipped a file on my server I had a Trojan present in the zip (and so wasn't able to open it), so I installed Malwarebytes on the Windows Server 2016 machine and it stalled on the final part of the installation.

This wouldn't finish even though I left it overnight and so I had to end the task and then reboot. When I had rebooted the server was running very slow and it seemed to be down to a bad version of the Malwarebytes application running in te background, so I tried to un-install it only to be told 'Access is denied 5'.

So, I downloaded the support tool as suggested on this forum (https://downloads.malwarebytes.com/file/mbst?src=Forums-Automated-Reply) and once I had finally got it onto the server ran it.

The application hangs indefinitely on both the logging and the clean options whilst the repair option is greyed out.

Does anyone have any suggestions as to how I can disable the application to unstall or how I can get it working again as its making the server unresponsive currently.

Many Thanks,

Kinsley

removal tool.png

Link to post
Share on other sites
  • Root Admin

Hello @redransom

Are you able to Exit out of the Malwarebytes program from the Task Tray?

Please download the following program and run it for me.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

Ok I'm not able to close MBAM from the task tray as its not there for me when I login to the VPS. I can see in the tasks list that there are:

Malwarebtyes Service

Amd nothing else runnign but the MBAM software is taking up 9-20% of any memory whilst I am unable to stop it. 

The server was all ok until I put this s/w on it and so it stands to reason that it has caused the server to unresponsive.

Any help would be great in uninstalling it at least?

Kinsley

Link to post
Share on other sites
  • Root Admin

If self-protection is not enable you may be able to remove the program. If self-protection is enabled it will be difficult to remove if you don't have physical access to boot Recover Mode or boot from USB

Under Services set the following to disabled.

MBAMService  (Malwarebytes Service)

If this key exists try to remove it in the Registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy

 

 

 

Let me know if you're able to access Safe Mode or Recovery Mode, or able to boot from USB

 

The following files, folders, services are created on a Desktop installation so not all entries may exist on Server and need to be removed. Again, If self-protection is enabled though it will be difficult to remove without booting to a Recovery method.

C:\Program Files\Malwarebytes
cmd: regsvr32 /u /s C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
C:\ProgramData\Malwarebytes
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
C:\Windows\system32\Drivers\farflt.sys
C:\WINDOWS\system32\Drivers\mbae64.sys
C:\Windows\system32\Drivers\mbam.sys
C:\WINDOWS\system32\Drivers\MbamChameleon.sys
C:\Windows\system32\Drivers\MbamElam.sys
C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
C:\WINDOWS\system32\Drivers\mwac.sys
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-06-26] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-06-26] (Malwarebytes Corporation -> Malwarebytes)
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [153312 2020-01-29] (Malwarebytes Corporation -> Malwarebytes)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [214496 2020-02-05] (Malwarebytes Inc -> Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6960640 2020-01-12] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [226448 2020-02-05] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [73584 2020-02-05] (Malwarebytes Corporation -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-02-05] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [119960 2020-02-06] (Malwarebytes Inc -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [20936 2020-01-12] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [248968 2020-02-05] (Malwarebytes Inc -> Malwarebytes)
S3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [119960 2020-02-05] (Malwarebytes Inc -> Malwarebytes)
sc delete MBAMInstallerService

 

Link to post
Share on other sites

Well this is going real great I guess. No progress after two days. The Farbar application has created the registry but is stuck on the same message and won't go any further.

The server is a VPS so I don't have access to go into safe mode / recovery mode or boot from usb.

I think I am truly stuffed at this point. Really dont know what else I can do.

Kinsley

Link to post
Share on other sites
  • Root Admin

You can manually remove the files or see if FRST can help remove them.

Save the attached file to the same location as FRST and then click the FIX button

fixlist.txt

Then reboot the server

You may need to do it a couple of times

Again, here the the file, folders, services that need to be removed.

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7456464 2021-01-10] (Malwarebytes Inc -> Malwarebytes)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [220160 2021-01-10] (Malwarebytes Inc -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-01-10] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [197792 2021-01-10] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2021-01-10] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [139424 2021-01-10] (Malwarebytes Inc -> Malwarebytes)
C:\Users\Administrator\Downloads\MBSetup (2).exe
C:\Users\Administrator\Downloads\MBSetup (1).exe
C:\Users\Administrator\AppData\Local\Temp\MBAMInstallerService.exe
C:\Windows\system32\Drivers\mbam.sys
C:\Windows\system32\Drivers\farflt.sys
C:\Windows\system32\Drivers\mwac.sys
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
C:\Users\Public\Desktop\Malwarebytes.lnk
C:\ProgramData\Desktop\Malwarebytes.lnk
C:\Users\Administrator\Downloads\MBSetup.exe
C:\Windows\system32\Drivers\mbamswissarmy.sys
C:\Windows\system32\Drivers\MbamChameleon.sys
C:\Windows\system32\Drivers\mbae64.sys
C:\Windows\system32\Drivers\MbamElam.sys
C:\ProgramData\Malwarebytes
C:\Program Files\Malwarebytes

 

Link to post
Share on other sites

Ok it failed to complete - I can see some of the items were cleared out but not all (even after another reboot).

 

So I have run another scan - to see what other files need removing. Anyway this stalled so I have had to cancel it. 

Can you let me know what I can do next please as currently the client can still not use their server.

 

Fixlog.txt

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.