     On Wednesday, November 10, 2021, I found this in McAfee's Quarantine section:

Item: mbae.dll | Threat: GenericRXQL-XZ!F2A56B293D17 | Detected: 11/6/2021 11:12 AM

Full Path:
C:\Program Files\Malwarebytes\Anti-Malware\LKG
Threats Detected
GenericRXQL-XZ!F2A56B293D17



     mbae.dll is Malwarebytes' Anti-Malware Anti-Exploit dynamic link library.
I suspect that something is tricking McAfee into quarantining then deleting
the file so exploits can run amuck on my PC.

https://www.registry-programs.com/process/list/mbae.dll.html says:

The legit mbae.dll process is located in the
e: \ \program files\ \malwarebytes anti-exploit \ folder.
If it is located elsewhere, it could be malware as a virus can have any name.

https://www.shouldiblockit.com/mbae.dll-856ef24d278cd512a4b10b593a1f3a1d.aspx [from 2016] says:
Typical file path: C:\Program Files\malwarebytes anti-exploit\mbae.dll

     Here in 2021, however, there is no malwarebytes anti-exploit subfolder.

     A search on mbae in my C:\Program Files\Malwarebytes\Anti-Malware folder
yielded the following:

mbae64.dll
C:\Program Files\Malwarebytes\Anti-Malware
mbae.dll
C:\Program Files\Malwarebytes\Anti-Malware
mbae-api-na.dll
C:\Program Files\Malwarebytes\Anti-Malware
AeShim.dll
C:\Program Files\Malwarebytes\Anti-Malware

mbae64.dll
C:\Program Files\Malwarebytes\Anti-Malware\LKG
mbae-api-na.dll
C:\Program Files\Malwarebytes\Anti-Malware\LKG

mbae64.sys
C:\Program Files\Malwarebytes\Anti-Malware\LKG
mbae64.sys
C:\Program Files\Malwarebytes\Anti-Malware


     Should I leave the mbae.dll file that McAfee put in quarantine,
or restore it to C:\Program Files\Malwarebytes\Anti-Malware\LKG ?

Link to post
Share on other sites
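
One way to inspect the files listed in the post above before deciding whether to restore a quarantined copy, shown as an added example that is not part of the original thread. It reports the Authenticode status, signer, version and SHA-256 of each Anti-Exploit file in the two folders the post names; the script itself and its variable names are assumptions, the paths and file names come from the post.

```powershell
# Added example (not from the thread): inventory the Anti-Exploit binaries
# in the two folders named in the post. Run from an elevated PowerShell prompt.
$root = 'C:\Program Files\Malwarebytes\Anti-Malware'
$dirs = @($root, (Join-Path $root 'LKG')) |
    Where-Object { Test-Path -LiteralPath $_ }

$report = foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'mbae*' -or $_.Name -eq 'AeShim.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Folder    = $dir
                Version   = $_.VersionInfo.FileVersion
                SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Full inventory, one record per file
$report | Sort-Object Name, Folder | Format-List

# Anything not reporting a valid signature is a prompt to look closer,
# not a verdict on the file.
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object Name, Folder, SigStatus

# Same file name present in both folders: show whether the copies are identical.
# Differing hashes can simply mean different versions; compare the Version column.
$report | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        Identical = (@($_.Group.SHA256 | Select-Object -Unique).Count -eq 1)
    }
}
```

The SHA-256 values can be given to either vendor when reporting a suspected false positive, so both sides are looking at the same file.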

  • Root Admin

Hello @Stephe

I'd suggest that you go ahead and do a Clean Removal and Reinstall of Malwarebytes. First make sure you disable the Real-Time protection from McAfee.

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

 

After the reinstall

Please set up exclusions between McAfee and Malwarebytes

https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

Thank you

 

Link to post
Share on other sites

Hi,

     Thank you for your reply.

     I am much more familiar with the MBAM Clean removal tool, and have
used the Malwarebytes Support Tool only once, two years ago.  Looking
at some Malwarebytes web pages, I see that there are new procedures
as well as a new Malwarebytes Support Tool 1.7 User Guide.pdf.  The
previous version I had was Malwarebytes Support Tool 1.4 User Guide.pdf

     Please give me a little time to read the documentation about the
Malwarebytes Support Tool.

     Also, you gave a link for instructions about setting up exclusions
between McAfee and Malwarebytes, but that seems to be mostly applicable
to Malwarebytes.  I don't yet know where to look in McAfee to find
suchlike.  (I took a quick look around, but didn't find anything.)

Link to post
Share on other sites

  • Root Admin

I'm sorry but we don't have one for McAfee. That is not our product and it changes often. We used to create one many years ago but it was too much work trying to keep up with their changes. We also don't see as many customers using McAfee as we used to. Windows 10 comes with Windows Defender antivirus built in so I think many users stick with that and often add our program to that as a pair.

No rush - let me know if you need further assistance @Stephe

 

Link to post
Share on other sites

     The home version of McAfee only lets you exclude files, not folders.
I tried copying mbae.dll from C:\Program Files\Malwarebytes\Anti-Malware
to C:\Program Files\Malwarebytes\Anti-Malware\LKG, but it didn't work until
I went in Malwarebytes > Settings > Security and under the Windows startup
section, toggled Enable self-protection module off.  Then I was able to add
C:\Program Files\Malwarebytes\Anti-Malware\LKG\mbae.dll to McAfee's exclusion
section.

     Then, I ran the Malwarebytes Support Tool and did as instructed to remove
Malwarebytes.  My PC did not restart automatically.  I had to restart it on my own.

     Upon reinstalling, I was surprised to see a second installation window
for something called Malwarebytes Privacy, which I hadn't heard of before.

     When I looked inside the mbst-clean-results.txt file which I found on my
desktop, I was surprised to see under Pre-Reboot Cleanup the following:

2021-11-13 14:24:06.946   Skipped deletion: C:\Program Files\Malwarebytes\Anti-Malware\LKG\ (Folder not empty)

     Does the above mean the version of mbae.dll that I reinserted manually
with copy-and-paste prior to uninstalling was left as is and not repaired?

     In Malwarebytes > Settings > Allow List, I set up exclusions for:
C:\Program Files (x86)\McAfee
C:\Program Files\McAfee
C:\Program Files\McAfee.com

     For Exclusion rules, I selected Exclude from detection as malware or
potentially unwanted item only

mbst-grab-results.zip

Link to post
Share on other sites

  • Root Admin

Hello @Stephe

Yes, it looks like we did not fully remove the folder, possibly due to operations you mention.

Let's do this again a bit differently.

STEP 1

Temporarily disable the real-time protection from McAfee and run the MBST tool again. This time do the removal but DO NOT allow it to reinstall Malwarebytes.

STEP 2

Please restart the computer. Then download and run the following for me.

 


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.

  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.

  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

  4. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.
         b.  Click Run anyway.

  5. When the User Account Control window appears, click Yes.

  6. To accept the Disclaimer of warranty, click Yes.

  7. Ensure only the boxes listed below are checked

    Registry  Services  Drivers
    Processes  Internet  One month
    Addition.txt

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans

    Click Scan. The scan may take a few minutes to complete.

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.

  • Addition.txt is saved in the same directory FRST is located.

  • Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly


Thank you

 

Link to post
Share on other sites

     Well, now I've gone and done it.  I succeeded in removing all of Malwarebytes by running
Clean twice, but now the program won't accept my Malwarebytes 2013 Anti-Malware Pro Lifetime
license which I first activated on January 9, 2014.  The license has an ID and a key in this format:

ID: 5Qxxx-xxxxx
Key: K6xx-xxxx-xxxx-xxxx

     What can I do to make this work again?

     When I go to https://my.malwarebytes.com/en/subscriptions there isn't anything there.

     I am not able to activate my license in the Malwarebytes program on my PC nor at the
https://my.malwarebytes.com/en/subscriptions page.

     Maybe the problem is that a lifetime license is not a subscription.  If that's it,
how do I make it work again?

-----

     Well, this is odd, but rather nice.  Before uninstalling and reinstalling this
last time, I moved the C:\Program Files\Malwarebytes\Anti-Malware\LKG folder so that
it was no longer in the C:\Program Files\Malwarebytes\Anti-Malware\ folder, thinking
that the LKG folder might repopulate upon reinstallation of Malwarebytes, but it
did not.  So, I copied and pasted the LKG folder from where I'd moved it into the
new folder created by the reinstallation, and then it accepted my ID and Key!

     So, my lesson of the day is, if you have a lifetime license, hold onto a copy
of the LKG folder that is saved outside of the Malwarebytes folder if you want to
keep your license without undue grief.


     Well, live and learn.

Steven

 

Link to post
Share on other sites

  • Root Admin

No, something is wrong there. That seems more like a hack than a valid license.

Please send me a private message with the full license information as well as the purchase information and I'll validate the license tomorrow. I'm heading off now to get some sleep.

Thanks @Stephe

Link to post
Share on other sites
