BleepingComputer.com: For those having trouble running Malwarebytes Anti-Malware

For those having trouble running mbam.exe, download and scan with SUPERAntiSpyware Free

I have spent the last 2 days trying to fix this problem and this is the only thing that worked in removing the virus that was blocking mbam.exe from running. Once it removed the virus, I was able to reinstall Malwarebytes Anti-Malware. By the way, it also removed a number of trojans, ad-ware, other malware, etc. from my computer.


EDIT: Moved to a more appropriate forum

This post has been edited by quietman7: 11 February 2010 - 02:10 PM

Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, try this first:

Go to > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

Other Troubleshooting Suggestions:

• How to use Malwarebytes Chameleon when it cannot be opened normally through the START menu
  
• Malwarebytes Chameleon's help file will not open due to infection
  
• Use Malwarebytes Chameleon to install Malwarebytes Anti-Malware on an already infected system

---

Note: The information provided below and more can now be found in the Troubleshooting Malwarebytes' Anti-Malware section of Grinler's How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer instruction guide which includes screenshots.

---

Renaming:
Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If MBAM will not install, try renaming it first.

• Right-click on the mbam-setup.exe file file and rename explorer.exe or winlogon.exe.
  
• Double-click on the renamed file to start the installation.
  
• If that did not work, then try changing the file extension.
  Vista/Windows 7 users, refer to these instructions.
  
• Right-click on explorer.exe and change the .exe extension to .scr, .com, .pif, or .bat.
  
• Then double-click on explorer.com (or whatever extension you renamed it) to begin installation.

-- In some cases it may be necessary to redownload mbam-setup.exe and randomly rename it before downloading and saving to the computer.

Note: Malwarebytes Anti-Malware uses Inno Setup instead of the Windows Installer Service to install the program. If installation coninues to fail in normal mode, try installing and scanning in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.

• Right-click on mbam.exe and rename it to wuauclt.exe or explorer.exe.
  
• Double-click on wuauclt.exe to launch the program.
  
• If that did not work, then change the .exe extension in the same way as noted above.
  
• Double-click on wuauclt.com (or whatever extension you renamed it) to launch the program.

It is also possible the malware targeted your .exe files and alter associations. Without repairing the file association .exe files will lose functionality. If you are unable to run your programs you can also try this: Download FixExe.reg and save it to your desktop. Double-click on the file and select Yes when it asks if you want to merge the data into your Registry. Once that is completed you should be able to run other programs.

Using RKill:
If the above does not work, you can try using RKill before scanning with Malwarebytes Anti-Malware. This tool terminates certain processes and fixes certain registry keys that stop us from using security and clean up tools. Please download Rkill by Grinler and save it to your desktop.

Link 1
Link 2
Link 3
alternate link with all versions <- if malware is blocking downloads from Bleeping Computer

Renamed versions if the above do not work:
iExplore.exe
eXplorer.exe
uSeRiNiT.exe
WiNlOgOn.exe

• Double-click on the Rkill desktop icon to run the tool.
  
• If using Vista, right-click on it and Run As Administrator.
  
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  
• If not, delete the file, then download and use the one provided in Link 2.
  
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  
• Note: You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.
  
• Do not reboot until after scanning with Malwarebytes Anti-Malware.

-- If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

-- Some security tools may flag RKill as malware when renamed to iexplore.exe, explorer.exe, winlogon.exe, etc because they have definitions in place that flag reserved file names used outside their normal path. If you encounter such an alert when running Rkill, you can safely ignore it and continue to allow the program to run.

Other types of malware may delete the main mbam.exe executable file during installation or when attempting to perform a scan which results in various errors such as code 2...The system cannot find the file specified or mbam.exe - Application error.

One way to resolve this is to download and install Malwarebytes Anti-Malware on a non-infected computer.

• After installation, open Windows Explorer and navigate to the C:\Program Files\Malwarebytes' Anti-Malware\ folder where mbam.exe is located.
  
• Copy the mbam.exe file to the Desktop and rename it to wuauclt.exe or explorer.exe.
  
• Save the renamed file to a usb flash drive or CD, then transfer to the infected computer.
  • Alternatively, you can download a randomized renamed mbam.exe version (i.e. jdRjuT7Hk.exe) from here and use that.
    
  • Another option is to upload the file somewhere so you can download it later to the infected computer.
    
  • If you do not have access to another computer, ask a friend to email or upload a renamed mbam.exe for you and provide a link to download it.
• Place the renamed mbam.exe in the C:\Program Files\Malwarebytes' Anti-Malware folder on the infected computer, then double-click on it to launch the program.
  
• Check for database definition updates through the program's interface.
  
• Then perform a Quick Scan, check all items found for removal and reboot afterwards.
  
• Failure to reboot will prevent MBAM from removing all the malware.
  
• When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Another thing you can try, if you cannot run MBAM or complete a scan in normal mode, is to perform a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM but sometimes there is no alternative but to do a safe mode scan. If that is the case, after completing a safe mode scan, reboot normally and try rescanning again.

Before performing a scan, don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

If you cannot update MBAM through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.

• XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  
• Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Additional Note: Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse or download tools required for disinfection. You may also receive Error 732 when trying to update MBAM. If you are experiencing such a problem, check those settings. To do that, please refer to Steps 1-4 under the section Error 732 when trying to update Malwarebytes' Anti-Malware in this guide.

This post has been edited by quietman7: 17 April 2012 - 09:09 AM