Malwarebytes Toolset

User Guide
8 October 2019
Notices
Malwarebytes products and related documentation are provided under a license agreement containing restrictions
on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license
agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit,
distribute, exhibit, perform, publish, or display any part, in any form, or by any means. You may copy and use this
document for your internal reference purposes only.
This document is provided “as-is.” The information contained in this document is subject to change without notice
and is not warranted to be error-free. If you find any errors, we would appreciate your comments; please report
them to us in writing.
The Malwarebytes logo is a trademark of Malwarebytes. Windows is a registered trademark of Microsoft
Corporation. All other trademarks or registered trademarks listed belong to their respective owners.
Copyright © 2019 Malwarebytes. All rights reserved.

Third Party Project Usage

Malwarebytes software is made possible thanks in part to many open source and third-party projects. A requirement
of many of these projects is that credit is given where credit is due. Information about each third party/open source
project used in Malwarebytes software – as well as licenses for each – are available on the following page.
https://www.malwarebytes.com/support/thirdpartynotices/

Sample Code in Documentation

The sample code described herein is provided on an "as is" basis, without warranty of any kind, to the fullest extent
permitted by law. Malwarebytes does not warrant or guarantee the individual success developers may have in
implementing the sample code on their development platforms. You are solely responsible for testing and
maintaining all scripts.
Malwarebytes does not warrant, guarantee or make any representations regarding the use, results of use, accuracy,
timeliness or completeness of any data or information relating to the sample code. Malwarebytes disclaims all
warranties, express or implied, and in particular, disclaims all warranties of merchantability, fitness for a particular
purpose, and warranties related to the code, or any service or software related there to.
 Table of Contents
Introduction.......................................................................................................................................................... 1
System Requirements ............................................................................................................................. 1
External Access Requirements.............................................................................................................. 2
Program Licensing ................................................................................................................................... 2
First Time Use ............................................................................................................................................ 2
Staying Up to Date................................................................................................................................... 3
Screen Layout ................................................................................................................... 4
Search .......................................................................................................................................................... 5
Inform ................................................................................................................................. 6
System tab .................................................................................................................................................. 6
Operating System ................................................................................................................................................................. 7
Hardware ................................................................................................................................................................................. 7
Disk Drives ............................................................................................................................................................................... 8
Applications tab ........................................................................................................................................ 9
Configuration ......................................................................................................................................................................... 9
Programs and Features ....................................................................................................................................................... 9
Security tab ............................................................................................................................................... 11
Windows Protection............................................................................................................................................................ 11
Additional Protection ......................................................................................................................................................... 11
Network tab ............................................................................................................................................. 12
Network Discovery & Network Device Scanner ....................................................................................................... 12
Network Configuration ..................................................................................................................................................... 14
Network Adapters............................................................................................................................................................... 14
History tab ................................................................................................................................................ 15
System Rollback .................................................................................................................................................................. 15
History..................................................................................................................................................................................... 15
Crash Dump Analyzer ....................................................................................................................................................... 17
Actions ..................................................................................................................................................... 20
Scan................................................................................................................................... 21
Malwarebytes Portable Scanner ........................................................................................................................ 21
Scan for Malware ................................................................................................................................................................ 21
Status Icons ...........................................................................................................................................................................23
Delete on Reboot ...............................................................................................................................................................25
Custom Scan.........................................................................................................................................................................26
Settings, Updates, and Quarantine (Malwarebytes Portable Scanner) ............................................................ 27
Issue Scanner .......................................................................................................................................... 29
Scan History ............................................................................................................................................. 31
Toolbox ............................................................................................................................ 33
MyTools .................................................................................................................................................... 33
Staging MyTools Utilities ..................................................................................................................................................33
Managing MyTools with the MyTools Editor ............................................................................................................34
 Table of Contents (continued)
MyTools Editor Toolbar ....................................................................................................................................................34
Editing a Batch File .............................................................................................................................................................35
Creating or Editing a Tool Entry ....................................................................................................................................35
Using Toolset Variables in MyTools .............................................................................................................................38
Editing Complete…What Now? ......................................................................................................................................38
Check for Updates ..............................................................................................................................................................39
Protect ...................................................................................................................................................... 40
Malwarebytes for Windows .............................................................................................................................................40
Malwarebytes Browser Guard for Chrome ................................................................................................................40
Malwarebytes Browser Guard for Firefox ...................................................................................................................40
Malwarebytes Support Tool ............................................................................................................................................40
Remediate................................................................................................................................................. 41
Malwarebytes Anti-Bundleware ..................................................................................................................................... 41
Malwarebytes Anti-Rootkit .............................................................................................................................................. 41
AdwCleaner........................................................................................................................................................................... 41
MBBR CLI Scan..................................................................................................................................................................... 41
MBBR Command Prompt ................................................................................................................................................42
Launch Windows Defender Offline...............................................................................................................................42
Repair ........................................................................................................................................................ 43
Firewall Reset ........................................................................................................................................................................43
Network Reset......................................................................................................................................................................43
System File Checker ...........................................................................................................................................................43
Winsock Reset ......................................................................................................................................................................43
WMI Reset .............................................................................................................................................................................43
DISM Health Scan .............................................................................................................................................................. 44
Boot to Windows RE ......................................................................................................................................................... 44
Enable/Disable Legacy F8 Boot Menu ........................................................................................................................ 44
OS Tools ................................................................................................................................................... 45
Command Prompt..............................................................................................................................................................45
Computer Management ...................................................................................................................................................45
Device Manager ..................................................................................................................................................................45
Disk Management ..............................................................................................................................................................46
DiskPart ..................................................................................................................................................................................46
Event Viewer .........................................................................................................................................................................46
File Explorer ..........................................................................................................................................................................46
Group Policy .........................................................................................................................................................................46
Programs and Features .....................................................................................................................................................46
RegEdit ...................................................................................................................................................................................46
Services Manager................................................................................................................................................................46
Settings ...................................................................................................................................................................................46
System Restore ....................................................................................................................................................................46
Task Manager .......................................................................................................................................................................46
Windows Memory Diagnostic ........................................................................................................................................47
Windows PowerShell .........................................................................................................................................................47
Windows Store App Updates .........................................................................................................................................47
 Table of Contents (continued)
Windows Troubleshooters ...............................................................................................................................................47
Windows Update ................................................................................................................................................................47
Settings.............................................................................................................................48
Options & Startup Password ............................................................................................................. 48
License Details ........................................................................................................................................ 49
About ........................................................................................................................................................ 49
Command Line Options ............................................................................................... 50
Reports and Scan Logs ................................................................................................. 51
Inform Export Log .................................................................................................................................. 51
Malwarebytes Issue Scanner Reports and Summary Log .......................................................... 51
Malwarebytes Portable Scanner Reports and Summary Log ................................................... 51
Network Devices Scan Log ................................................................................................................. 52
Other Log Files ....................................................................................................................................... 52
Additional Tools ............................................................................................................. 53
Malwarebytes Breach Remediation for Windows ....................................................................... 53
Malwarebytes Breach Remediation for Mac ................................................................................. 54
Fab’s AutoBackup 7 .............................................................................................................................. 54
Frequently Asked Questions ....................................................................................... 55
Introduction
Welcome to the Malwarebytes Toolset!! – a collection of tools developed for technicians by technicians. This toolset
will help drive efficient processes and procedures in malware remediation and computer repair, ensuring technicians
have the right tools at the right time to get the job done.
Malwarebytes Toolset provides the following primary components:
• Inform – Quick access to essential diagnostic/triage information about the PC and local network
o Network Devices Scanner – Quickly discover local network devices like routers, printers,
computers, media streaming devices and more.
o Crash Dump Analyzer – performs a complete crash dump file analysis for diagnosing blue screens
and system crashes using a portable version of Microsoft’s WinDBG.
• Scan – An automated wizard that helps remediate malware, resolve OS issues, and discover failing hardware
o Malwarebytes Portable Scanner – Customizable malware scanning of the computer
o Malwarebytes Issue Scanner – Inspection of operating system components (registry and Services),
system logs, disk drives, SMART Attributes/Error, WHEA Errors, devices and connectivity.
• Toolbox – A one stop-shop for additional standalone tools and OS utilities
o MyTools – Integrate your own tools into the Toolbox to fit your specific needs
o Malwarebytes Technician Tools – Access to additional Malwarebytes Tools like AdwCleaner, Anti-
Rootkit, Anti-Bundleware and command line-based malware/rootkit scanning
o Malwarebytes Installer – Access to easily install the consumer version of Malwarebytes for
Windows and related web browser extensions on your client’s PCs to get them protected from
modern malware threats
o Repair and OS Tools – Access to common repair utilities and tools built into Windows
• Scan – An automated wizard that helps remediate malware, resolve OS issues, and discover failing hardware
o Malwarebytes Portable Scanner – Customizable malware scanning of the computer
o Malwarebytes Issue Scanner – Inspection of operating system components (registry and Services),
system logs, disk drives, SMART Attributes/Error, WHEA Errors, devices and connectivity.
• Search – Find the tool you need from the Toolbox, MyTools, and additional utilities built-in to the OS.
Your clients depend on you and your skills while you depend on your tools and in-depth experience to save the day.
Malwarebytes Toolset ensures that you can meet those goals by having the right tools at the right time to get the
job done.

System Requirements
Following are minimum requirements for a computer system on which Malwarebytes Toolset may be installed.
Please note that these requirements do not include any other functionality that the computer is responsible for.
• Operating System: Windows 10, Windows 8.1, Windows 8, and Windows 7
• Application Framework: .NET Framework 4.5
• CPU: 1 GHz or faster with SSE2 technology. This technology is used in most modern Intel x86 processors
as well as AMD’s Athlon 64, Sempron 64, Turion 64 and Phenom CPU families. For further information
about SSE2, please go to:
https://en.wikipedia.org/wiki/SSE2
• RAM: 2 GB (64-bit OS), 1 GB (32-bit OS)
• Free Disk Space: 400 MB
• Recommended Screen Resolution: 1024x768 or higher, 1366x768 recommended
• Active Internet Connection (required for activation, updates, and crash dump analysis)
• Network Discovery/SSDP Discovery Service Enabled (required for Network Devices scanner)

Malwarebytes Toolset User Guide 1

External Access Requirements
If your company’s Internet access is controlled by a firewall or other access-limiting device, you must grant access
for the Malwarebytes Toolset to reach Malwarebytes and Microsoft services. These are:
https://toolset.malwarebytes.com Port 443 outbound
https://telemetry.malwarebytes.com Port 443 outbound
https://data.service.malwarebytes.org Port 443 outbound
https://data-cdn.mbamupdates.com Port 443 outbound
https://data-cdn-static.mbamupdates.com Port 443 outbound
https://hubble.mb-cosmos.com Port 443 outbound
https://blitz.mb-cosmos.com Port 443 outbound
https://*.mwbsys.com Port 443 outbound
https://msdl.microsoft.com/download/symbols/ Port 443 outbound

Writable and Local Storage Execution Requirement

The Malwarebytes Toolset is designed to function from a writable local storage device like a USB flash drive or a
folder on the internal disk drive for example. While it is not designed to work from a network path or read-only
media, the Malwarebytes Toolset will detect this execution method and copy itself to the local temp directory then
relaunch itself.

Program Licensing
A valid license is required to use the Malwarebytes Toolset. Validation requires Internet access and is valid for fifteen
(15) days of offline use. Each time Malwarebytes Toolset is launched, a silent revalidation will occur. Should the
license become expired, blocked, or deleted, an error will be displayed, and the user will be given an opportunity to
reenter the license. You can also manage your license key in the Settings component of the Malwarebytes Toolset.
If you need further assistance with your license, contact [email protected].

Offline Usage
The Malwarebytes Toolset is designed to support offline usage for up to 15 days before requiring license
revalidation and for requiring updated definitions for the Malwarebytes Portable Scanner and Malwarebytes
Breach Remediation.

First Time Use

When you first use the Malwarebytes Toolset, you will need internet access to allow it to validate your license key
and to update the toolset components.
1. Download the Malwarebytes Toolset with your license key pre-injected using the URL contained in your
confirmation email.
2. Extract the MBTS_X.X.X.XXXX.zip package file to the root of a USB flash drive, a dedicated directory within
a USB Flash Drive, or a dedicated folder of the local device.
• Note: Ensure the path where Malwarebytes Toolset is extracted to does not include any
ASCII/UNICODE extended set characters.
3. Double click MBTSLauncher.exe from the extracted package.
4. Once the Malwarebytes Toolset has launched and validated your license, go to Toolbox ► MyTools ►
Check for Updates
5. Download all available updates

Malwarebytes Toolset User Guide 2

Staying Up to Date
Upon launching Malwarebytes Toolset, a silent check for an update is performed. If one is available, an orange
Update Available notification bar will appear below the black menu bar. Click Update Now to see what updates are
available. Initiate the update process and follow the additional prompts.

For all other components, or to manually update, use the Check for Updates Tool by doing the following
(recommended daily):
1. Launch Malwarebytes Toolset.
2. Click on the Toolbox component.
3. Go to MyTools and click Check for Updates
4. Select the components you want to update, then click Download
5. Follow any additional steps presented.

We will always check for the latest version of a tool before it is launched from the Toolbox. If a new version is
available, we give you the option to download it or to continue using the version already on the Toolset.

Malwarebytes Toolset User Guide 3

Screen Layout
The Malwarebytes Toolset user interface is divided into three sections, as shown below.

The Mode selector is shown across the top, in the black area. This gives you quick access to the core components of
the Malwarebytes Toolset – Inform, Scan, Toolbox, and Settings. Each of these areas are covered in more detail later
in this document.

The Option selector is displayed vertically, at the left edge of the screen. It
is present only when accessing Inform, Settings, and Scan Results. This allows
you to dive deeper in to sub areas of a particular component of the Toolset.

The majority of the screen in the middle is known as the main window and
is reserved for system information related to the selected option. When in
Scan mode or Toolbox, the area used for the Option selector is allocated for
use by the program as a whole.

The interface size may be increased or decreased at will. The names of the
options will disappear when the interface size decreases beyond a certain
point, leaving only the icons showing.

As you can see, the Security option (the padlock) contains a warning to alert
the user to a security-related situation which should be investigated.

Malwarebytes Toolset User Guide 4

Search
The Toolset includes a built-in search function to quickly find the tool you need from the following areas of the
Toolset and the current operating system:
• Toolbox > Protect, Toolbox > Remediate, Toolbox > Repair, Toolbox > OS Tools, and MyTools
• Windows OS Tools, Administrative Tools, Control Panel Applets, and Settings (aka Immersive Control
Panel/Modern Settings - Windows 8+ only)
• Select Log Files:
o Component Based Servicing Log File (CBS Log)
o Deployment Imaging and Servicing Management Log (DISM Log)
o Pending File Rename Operations Log (PFRO log)
o SetupAPI Application Log (SetupAPI App Log)
o SetupAPI Device Log (SetupAPI Dev Log)
o Windows Setup Log (setupact log)
o Windows Update Log

To power Search, the following data points for the supported areas above were indexed:
• Name
• Vendor
• Path to File/Binary
• File Extension
• Tags

The indexed data points for a MyTool can be adjusted by going to the MyTools Editor (Toolbox > MyTools > MyTools
Editor) and editing an entry.

Using Search
To use Search, simply start typing in the Search box and the Toolset will instantly show results with the best match
(or matches) at the top and other results placed into categories. Then, just click on what you want, and the Toolset
will launch it. Note: pressing ctrl+f, will jump you directly to the search box.

You can also select Search Online to request the entered content to be searched using the current default web
browser of the OS. This can be helpful if you are wanting to research an error or piece of information that you have
copied from within one of the many components in the Toolset.

Malwarebytes Toolset User Guide 5

Inform
This program mode is designed to quickly gather technical information about the operating system and hardware
state of a system. It scours all over the OS (e.g. WMI, SMBIOS, Event Logs, and other OS areas/APIs) within a matter
of seconds to pull technical information that you can use to triage a device before fully servicing it and maybe even
uncover issues or other opportunities.
Inform is broken up into sections to organize all the information it gathers. Each section has Tiles for a set of
information. These Tiles may include links to open a Details view or Open the related OS application. Let’s dive
deeper into each of these sub areas of Inform.

Note: All Inform results can be exported using the Actions menu or via command-line (details in another section). You
can also right-click any field in a Details window to copy it to the clipboard.

System tab
The System tab offers basic technical information about a computer. When servicing a computer, the first thing a
technician must do is to know what they are working with. Problems may be visible on this screen, though deeper
investigation will likely be required. While a wealth of information is available to the technician on this screen, tools
designed specifically for the purpose of evaluating issues on the computer will be discussed later.

Many of the Tiles shown in this area have a clickable Details link, allowing you to find out more about a particular
item. When viewing those details, you may right click any individual detail to copy its value into your clipboard for
use elsewhere.

Malwarebytes Toolset User Guide 6

Operating System
Here, you can find information pertaining to your operating system installation, Services and Device Manager.
Services and Device Manager both launch function-specific snap-ins of the Microsoft Management Console. You
can also inspect or perform Windows updates, as well as change update settings.

Please note that the Operating System Details displays the Product Key (license) associated with the operating
system installation, as well as the Firmware Embedded Key (a Windows license key that may be embedded in
firmware by motherboard vendors or by Microsoft for Digital Entitlement). In most cases, this information is unique
to the OS installation and should not be shared.

Hardware
Each major system component is itemized here. Feel free to click any Details link to find out more. Windows settings
for some hardware devices can also be changed here. On portable devices, detailed battery charge and health
information is displayed.

Malwarebytes Toolset User Guide 7

Disk Drives
Information for each disk drive installed in the computer can be viewed here as well. Diskmgmt links provide access
to the Microsoft Management Console snap-in, allowing inspection and/or modification of disk partitions. The drive
letter associated with each disk drive is also a clickable link, providing access to File Explorer/Windows Explorer
(application name dependent on operating system version in use).

Malwarebytes Toolset User Guide 8

Applications tab
This tab is focused on software installed on the target computer, and on system settings which control operation of
programs. These settings are commonly used by malware to modify system operation, further enabling operation
of the malware.

Configuration
Default Browser is not symptomatic of any kind of system problem. Instead, it helps the technician ascertain the
characteristics of the user. That, combined with many other factors, may influence troubleshooting methods.

Programs and Features

Programs relate to desktop applications installed on the computer, as well as some system add-on components and
drivers. Clicking the link that states the number of installed programs will open a window that lists detected installed
applications. This detailed list includes Name, Publisher, Date of installation, and Platform (e.g. x86, x64, etc.).
Clicking Uninstall/Change will launch the Programs and Features component of the Windows Control Panel.

Malwarebytes Toolset User Guide 9

Windows Features are optional capabilities which are beyond the scope of normal operating system functionality.
Clicking the link that states the number of installed features will open a window with information on the currently
installed features. This list includes Display Name and Feature Name. Clicking Configure will launch the Windows
Feature component of Control Panel.

Application Problems gives insight on applications that have crashed or hung on the system. Clicking the link that
states the number of crashes/hangs will open a list of the detected problems. The list is grouped by the problem
process and includes the Executable that failed, Time of failure, Module that failed, Event type, Exception code, and
detailed error message.

Malwarebytes Toolset User Guide 10

Security tab
This tab controls security features of the computer, both built-in and add-on. It is primarily designed as a quick
verification of security practices being used on the computer.

Windows Protection
These items pertain to security features built into Windows operating systems. A brief description of each protection
item is as follows:
• User Account Control (UAC) – which made its debut as part of Windows Vista – requests your authorization
before allowing programs to perform an operation that may affect computer operations or change
performance characteristics. If your computer is not under the control of a system administrator, you may
alter UAC settings.
• Windows Firewall controls access to your computer, with default settings specified for each profile
(domain, private, public). In addition to default settings, you may specify unique new firewall rules, and
modify or delete existing rules.
• Windows Defender is an antivirus program offered by Microsoft on computers using Windows 8 (and
newer) operating systems. Windows Defender was not classified as an antivirus program prior to Windows
8; therefore it would not be listed for earlier operating systems.

Additional Protection
This tab provides information about additional security applications (Malwarebytes and other antivirus/antimalware
applications) installed on the computer. These applications are in addition to those provided by the operating
system. There are no provisions to change settings associated with these external programs. If no antivirus software
is installed, a link to install Malwarebytes will be shown.

Malwarebytes Toolset User Guide 11

Network tab
This tab provides information about your networking environment. Any networking-related issues noted during the
system scan will be shown here as well. A screenshot of this tab is below.

Network Discovery & Network Devices Scanner

This section provides access to the Network Devices scanner to quickly discover local network devices like routers,
printers, computers, media streaming devices, mobile devices, game consoles, and more. The tile will list the current
IP scheme of the local network, the current state of the Network Discovery Service (required for the Network Devices
scanner), and a link to open the Network Devices scanner window. Click Start Scan to launch the Network Devices
window and begin scanning the local network for devices as shown below. Scan status is shown on the right side.

Malwarebytes Toolset User Guide 12

The Network Devices scan uses the following methods:
• ICMP/PING ● Simple Service Discovery Protocol (SSDP)
• ARP Cache ● Web Services on Devices (WSD)
• DNS Resolution ● Windows Connect Now (WCN)
• Universal Plug and Play (UPnP) ● Selected Port/Service scanning
Devices are sorted by IP address into three categories:
• Gateway – the network device–usually a router or access point–that is serving you network and internet
access.
• Local Device – the device you are currently running the Network Devices scanner from
• Network Devices – Other network devices connected to the same network as the Local Device
The following screenshots show typical data for each of the three network device categories (after one of them has
been selected). Please note that Plug and Play information is shown for devices which support this feature.

Gateway Local Device (computer) Network Device (network

printer)

For discovered devices, the Network Devices scanner provides the following capabilities:
• Detailed technical information (e.g. IP address, MAC Address, Host Name, UPnP/WSD/WCN details, etc.)
in the right-hand details pane
o Note: A right-click context menu is available with the following functionality:
▪ Copy to clipboard
▪ Open in default web browser (for URL based content)
▪ Search the internet for…
▪ Edit Cell (for Device Name, Manufacturer, MAC Address and Device Type only)
• Configure a network device by jumping out to its web GUI (on supported devices only)
o Please note: The device must advertise a SSDP/UPnP/WCN/WSD Presentation URL
• Ping a device
• Export results to the clipboard, text file, or CSV

Malwarebytes Toolset User Guide 13

Network Configuration
This section provides information about how your networking is configured as a whole. Access is provided to the
ping and tracert networking utilities. Network shares are also available here for inspection. Please note that network
shares may include shares which are available only to network admins and programs/utilities which have SYSTEM
permissions.
If the computer is configured to utilize a proxy server for access to the Internet, that can be inspected here using the
Windows Internet Properties dialog. The Hosts file can be inspected here as well. This file is modifiable by the user
and is used by Windows to redirect Internet URL’s to non-standard IP addresses, or to block access to troublesome
URL’s. This file is sometimes modified by malware as well.

Network Adapters
This section shows presence and configuration of network adapters, including adapters used in a virtual machine
environment. You may inspect properties of each adapter. Of special interest here is the display of each adapter’s
IP address, and the method by which each adapter obtains its IP address. If there is a loss in connectivity on a
machine using Dynamic Host Configuration Protocol (DHCP), the IP address will often show a 169.254.x.x IP
address. This address range indicates an inability to receive an IP address from the network’s DHCP server.

Malwarebytes Toolset User Guide 14

History tab
This tab provides tools used for disaster recovery, as well as the ability to inspect details on anomalies that the
computer has encountered. A screenshot is shown below.

System Rollback
This section is focused specifically on disaster recovery measures which have been taken on the computer. System
Restore points are commonly created prior to Windows updates and may also be created prior to installation of any
application which incorporates this process. If you encounter a serious error on your computer, restore points may
provide the most effective answer.
Volume Shadows are used to create snapshots of system files. If problems are encountered with a file which uses
this service, it can be rolled back to a previous version. The rollback process uses the Previous Versions tab of a file’s
Properties page.

History
This section focuses on status of the computer with regard to its daily operations. Boot History has an entry for each
time the computer has been started/restarted, which includes the length of time required to boot the computer to
a fully operational state, as well as how long that session lasted. A copy of Boot History Details is shown below.

Malwarebytes Toolset User Guide 15

In this screenshot, each column was compressed so that more information could be displayed. Note the Timestamp
column. Each entry is preceded by an icon. Those icons are explained below.

The session currently in progress.

A past session which terminated by either a reboot or planned shutdown.

A past session which terminated abnormally (e.g. power failure, forced shutdown,
system crash)

When System Events statistics are clicked, Windows Event Viewer opens with a special filter to view only Errors and
Warnings. This allows you to view information pertaining to every critical system event which has occurred in the
life of the system. Operating systems prior to Vista had a maximum file size limitation (300 megabytes), though this
likely caused no issues for users of this information.
Blue Screens tells you how many memory dumps (mini and full) were performed as a result of system crashes (aka
BSODs). Click Details to launch a window with details on the detected crash dump including the Date, Bugcheck
Code, Description, Uptime, System State, and File Path to the crash dump file. You can select a crash dump and click
Analyze to launch the built-in Crash Dump Analyzer. More details are covered in the next section.

Malwarebytes Toolset User Guide 16

Please note that not all crashes have the ability to create a dump file. There is no facility provided here to evaluate
the dump files. External Windows utilities must be used for that purpose.
The USB History section shows the most recent insertion of each USB drive that has been used in the computer.
Please note that entries may appear to be redundant when multiple USB drives made by the same manufacturer
have been inserted. This is because of the method that different vendors use to report the drive’s insertion to the
operating system. Windows will assign each USB drive its own GUID, providing a unique identity. Please note that
information shown is specifically with regard to drive insertion, and not to drive contents and how they were used.

Crash Dump Analyzer

Troubleshooting BSODs can be difficult and time consuming from many aspects:
• Popular free tools do it "fast" but at the cost of being grossly inaccurate
• Using the Debugging Tools for Windows provides accurate results but is time consuming to use (requires
installation, requires detailed configuration, steep learning curve, etc.)

All of that can lead to headaches and in the worst of circumstances - an inaccurate diagnosis. To solve for all of
this, the Toolset includes a Crash Dump Analyzer that is fast, easy to use, and accurate. To utilize it simply go
to Inform > History > Blue Screens > Details.

When you launch the Blue Screens Details window (only accessible if the system has crash dumps), you'll see a list
of detected crash dumps from the following locations:
• %WinDir%\MiniDump\*.dmp
• %WinDir%\MEMORY.DMP

This first view aims to give you a quick pre-analysis overview of the following:
• Date - date and time when the crash occurred
• Bugcheck Code - the actual error code of the BSOD/Bugcheck
• Description - description of the crash based on the bugcheck/BSOD error code
• Uptime - total time the operating system had been running for when the crash occurred
• System State - estimated state the OS was in when the crash may have occurred
• File Path - Path to the crash dump file

Malwarebytes Toolset User Guide 17

Clicking the Analyze button after selecting a crash dump will call on an integrated portable version of the
Debugging Tools for Windows to perform a complete crash dump analysis and spit out the results in a much easier
to digest format:

• Analysis Summary:
o Crash Information - Operating System (with version, Architecture, and Build), Timestamp, Up
Time (of the OS), Stop Code (with error code, error message, and detailed description),
Arguments, and Bucket ID.
o Probably Caused By - Path, Company Name, Description, Product Name, File Version, Product
Version, Last Modified date, and a Comment if the driver is identical, different, or missing on the
system.
▪ NOTE: Some fields will not show if the file is missing from or different on the current
system.

• Stack Trace:
o Call Stack - the ordered list of modules, their called function, and arguments from when the
crash occurred
o Relevant Modules - list of modules from the Call Stack with details on the Path, Company Name,
Description, Last Modified date, and the Current State of the module (e.g. identical, different, or
missing)
▪ NOTE: Some fields will not show if the file is missing from or different on the current
system

• Full Output - Complete raw text output from WinDBG for manual inspection and additional raw technical
details

Malwarebytes Toolset User Guide 18

 • NOTE: Internet access is required to obtain symbol files from Microsoft to provide an effective and
accurate crash dump analysis
• NOTE: You can use the right-click context menu on any field to "Copy String" contents to the Clipboard
• NOTE: You can highlight, use common keyboard shortcuts, or the right-click context menu to copy content
from the Raw Output tab

Malwarebytes Toolset User Guide 19

Actions
This button opens a menu with options to control certain actions with Inform. Here is an overview of the available
actions:
• Refresh – Force a re-scan of the device and update all applicable areas of Inform.
• Export to Clipboard – Export current results of Inform in plain text to the clipboard.
• Export to Text File – Export current results of Inform in plain text to a file of your choosing.

Malwarebytes Toolset User Guide 20

Scan
This module contains two types of wizard-based tools – the Malwarebytes Portable Scanner to remove malware,
PUPs and PUMs, and the Malwarebytes Issue Scanner to fix Windows OS and device related issues.

NOTE: The Malwarebytes Portable Scanner requires Windows 7 and higher as well as .NET 4.5. If it is not installed
(or has been rendered unusable due to malware), please use the Malwarebytes Breach Remediation command-line
utility included in the Toolset which is covered in more detail in the Additional Tools section of this guide.

Malwarebytes Portable Scanner

This scans the computer for malware, based on selection criteria provided by the user. The Malwarebytes Portable
Scanner uses the latest Malwarebytes for Windows engine, offering full scanning and remediation functionality of
our flagship product without the need to install Malwarebytes itself.
Malware, PUPs and PUMs often fill the screen with windows, which tends to get in the way of troubleshooting
efforts. For this reason, Malwarebytes Portable Scanner provides an optional Process Killer. Critical OS process,
common technician utilities, known-good processes, and processes from Malwarebytes products are exempt from
forced termination. You may add your own tools to this whitelist as well. More on that later.

Scan for Malware

When the Scan for Malware button is pressed, the screen shown below is presented over the top of the existing
screen.

You may choose Cancel to return to the previous screen.

Click Yes to terminate running processes or click No to
allow running processes to continue running.
Here, you may choose to terminate running processes
during the scan or allow them to continue operation.
After either of these buttons are pressed, the scan will
begin.

Malwarebytes Toolset User Guide 21

Malwarebytes Portable Scanner uses a Threat scan as a default scan. This scan method analyzes all areas of the
computer which are typically associated with malware outbreaks. A screenshot of a scan in progress is shown below.

After a scan is requested, Malwarebytes Portable Scanner connects to Malwarebytes servers to obtain the latest
protection updates. If the computer has no Internet connectivity, it will attempt to use protection updates that were
downloaded previously. If existing updates are not available, you must perform an update using another computer.
► On first use of the Malwarebytes Portable Scanner, downloading protection updates are mandatory.
While a scan is running, Malwarebytes Toolset displays several icons on the main screen which serve as progress
indicators for the scan. These are as follows:
• Grey hourglass – Scan phase not yet executed; will be replaced by either a blue circular animation or a
green hyphen
• Green hyphen – Scan phase not performed (hyper scan and custom scan do not execute all phases)
• Blue circular animation – Scan phase currently running; will be replaced by a green checkmark when
complete
• Green checkmark – Scan phase completed
A light blue bar immediately under the Scan button in the menu pane will also show scan progress. It is difficult to
notice, so it has been supplemented by indicators in the Windows taskbar, as shown below.

When a scan is running, a green indicator shows scan progress.

Because malware was detected during the scan, the icon is replaced by red as its final
status. When malware is detected during execution of the scan, this icon will immediately
switch from green to red.
When a scan completes without malware being detected, you will see the Summary as shown here.

Malwarebytes Toolset User Guide 22

Status Icons
Several large icons are used to inform you of scan status, here and in the Issue Scanner (which will be discussed
later). These icons are oversized, so that you can easily see status without forcing you to interrupt your repair work.
These are the icons used and their meaning.

No issues were detected

Non-critical issues which require your attention were detected during the scan

Critical issues which require your attention were detected during the scan

A reboot is required to complete the repair process

Icons will always be in a color which represents the most serious situation. If all but one of the items tested passed,
the icon shown will be in the color which represents either a critical or non-critical issue.
You may also inspect the Scan Report to look at other information pertaining to the scan.

Malwarebytes Toolset User Guide 23

The following screenshot shows results after a custom scan which detected malware.

The left section of the screen shows malware and PUPs/PUMs which were detected, the number of traces detected,
and checkboxes to allow you to select which malware to remove.

Selecting this malware causes the Summary (right) section of the screen to
display the information shown here.
Traces is a new term. It is the number of specific vectors which a threat is
using to attack your computer. The Trojan.MBAMTest malware has two
traces, the directory where the file is stored, and memory which the
running program occupied. If processes were terminated during scan
execution, only the first trace would have appeared.

View Report provides a display which is best described as a hybrid between a “clean” Scan Report screen combined
with a “dirty” Scan Summary screen. If needed, you can click the gear icon in the top of the Summary section and
select to copy the results to the clipboard or export a text file.
Once you have reviewed scan results, you may click Start Removals to initiate the threat removal process. After
performing the removal process, a Repair Report will be displayed in its expanded form. If needed, you can copy
information listed in the Scan Results, Scan Summary, Scan Report or Repair Report by right-clicking an item and
selecting the content to copy. You can also use the gear icon in the Summary section to export a detailed summary
to the clipboard or a text file.

Malwarebytes Toolset User Guide 24

Delete on Reboot
If a reboot is required to remove any threat, you will be presented the applicable status icon with a Restart button
to initiate the reboot process and a Close button if you need to manually reboot the PC later.

In any event, the Toolset will automatically relaunch after reboot and once a user account logs in. This will start
the post-reboot removal progress window before going to a final Summary of the entire operation.

Malwarebytes Toolset User Guide 25

Custom Scan
The second scan mode available in Malwarebytes Toolset is the custom scan. Click Custom Scan to launch this screen
over the top of the Malwarebytes Toolset screen.

Here you can pick the type of scan you wish to run, and the options you wish the scan to use. These settings are, for
the most part, identical to the settings used in Malwarebytes for Windows and Malwarebytes Breach Remediation
CLI. Under Process Killing, you may choose whether running processes should be killed. Malwarebytes Toolset uses
a whitelist of known good processes to be excluded from potential termination, and you may add your own through
use of a Custom Whitelist.
If you choose not to use the Malwarebytes Whitelist here, you will not cause your computer to crash. Windows
system processes will continue to function as intended. Non-critical applications (such as browsers or email
programs) would be terminated if a whitelist is not used.
When running a Specific scan, click Edit Paths to select specific files or folders which should be scanned. In the
screenshot below, Add Folders… was used to add a specific folder to scan, and Add Files… was used to select a single
file. To remove a file or folder from the list, highlight the item to remove and click Remove Item.
Malware may exist in files and in processes running in memory. When running a scan on a computer for the first
time, it is probably best to not kill processes, so that you have a clearer picture of the level of infection in that
computer.

Malwarebytes Toolset User Guide 26

Settings, Quarantine, and Updates (Malwarebytes Portable Scanner)
You may have noticed the two gears above and to the right of the Malwarebytes Portable Scanner logo. This hides
settings associated with the malware scanning component.

Edit Default Scan allows you to customize the default scanning experience for when you click Scan for Malware.
When that option is selected, a screen identical to the Custom Scan screen (shown in the previous subsection) is
displayed. Here, you can customize specifications of your default scan. This does not prevent you from running a
Custom Scan with different specifications whenever you choose.

Manage Quarantine launches the Quarantine Manager, so you can delete or restore items that have been placed in
the quarantine by the Malwarebytes Portable Scanner and the installed instance of the following Malwarebytes
products:
• Malwarebytes for Windows (v 3.6.1+)
• Malwarebytes Endpoint Protection
• Malwarebytes Breach Remediation (v 3.6.1+)
Select Quarantine allows you to select the quarantine to interact with from a drop-down menu. By default, the
Malwarebytes Portable Scanner quarantine is loaded when the Quarantine Manager is launched. The Quarantine
Manager groups items by date of the scan and the family the traces belong to. This allows you to easily manage
items by family, as they may be comprised of many traces, and mirror the reporting layout used by the Malwarebytes
Portable Scanner.
The basic view will list the Family name, the Type of item, and the total number of Traces that comprise that item.
To see the specific traces, simply click on it. That will populate a details side pane that lists all trace details. This
includes type of trace and where it was found on the device.

Malwarebytes Toolset User Guide 27

If you want to manage an item, simply select the checkbox next to it then click the desired action. Delete will
permanently delete all traces of that item and Restore will put all traces of that item back to their original location.
You can select multiple items at once or select the topmost checkbox to select all items in quarantine.

Update Definitions allows manual update of the definition databases for the Malwarebytes Portable Scanner (64-
bit and 32-bit). This option will launch a Download Updates (aka the MBTS Updater) window to check only for
database updates. If updates are available, click Download and the MBTS Updater will acquire and install them for
you.

Malwarebytes Toolset User Guide 28

Issue Scanner
Malwarebytes Toolset will initiate a scan of several system settings to help identify potential OS problems and
hardware issues, then offer technical information on the issue or even offer an automated repair. These encompass
disk drive errors, SMART Attributes, network connectivity problems, critical errors stored in Event Viewer, registry
settings, files executed at startup, system services, Device Manager error codes and many other Windows settings.
You can see a full list of the current Issue Scanners in the Malwarebytes Issue Scanner Technical Reference. Below
is a screenshot from Issue Scanner while it is scanning your system. The purpose of all icons used here are identical
to the Portable Scanner.

And here is a screenshot showing results of that scan.

Malwarebytes Toolset User Guide 29

 Highlighting any issue results in a more
detailed explanation in the rightmost
Details pane. The event description
that you would typically read in the
Windows Event Viewer is shown at the
bottom of this pane.

You will notice that three issues were detected during this scan. Click View Report to see the results of all tests run
during the Issue Scan. A high-level view is shown below. You can expand each of the items shown here to see exactly
what the scan included. The full list of tests is too large to be included here. If needed, you can copy information
listed in the Scan Results, Scan Summary, Scan Report or Repair Report by right clicking and item and selecting the
content to copy.

Finally, it is important to note that these may not be problems. Malwarebytes Toolset has analyzed typical settings
on many Windows environments (both operating system and service pack permutations) to determine what is
expected. A knowledgeable user may modify settings on their computer, and a computer used in a business
environment may have been fine-tuned by their IT group. When issues are detected, further investigation is
warranted.

Malwarebytes Toolset User Guide 30

Scan History
Malware scans and issue scans both generate history logs, allowing inspection of the results of each scan that has
been executed. Please note the location of the calendar icons on the Scan screen shown below.

Clicking either calendar icon displays a history of the scans of the type selected which have been executed. A
Malware Scan History Log is shown below.

Selecting the first entry on this page causes the results of this scan to be displayed, as shown below.

Malwarebytes Toolset User Guide 31

Scan status is shown in the center of the screen with a sidebar that provides selected summary information.
Malware scan status may indicate remediated threats (cleaned), warnings (threats detected but not cleaned), or
malware-free scans. Issue scan status may indicate system issues that are present, system issues that were repaired
by Malwarebytes Toolset, or issue-free scans.
Each issue scan that is executed generates a log file. You may need this log file for troubleshooting purposes, or just
for your records. Here’s how to get that log. After running an Issue Scan, look for the Detail window associated with
the scan, as shown here.

The selector in the upper

right corner of each status
screen allows you to copy
a summary of the selected
scan to your clipboard, or
to a text file.
Samples of each scan type
are included at end of this
guide.

Malwarebytes Toolset User Guide 32

Toolbox
The Toolbox is a collection of tools to help you do your job better. Each part of the Toolbox has been carefully
selected to help you evaluate and repair problem computers. We have also created an open framework which allows
you to add your own tools to the Toolbox framework. Please refer to the screenshot below.

There are five sections to the Toolbox, which the above screenshot represents as icons. If the user interface is
stretched vertically, each of the buttons also appears with a label as shown here.

Let’s look at the Toolbox, beginning with MyTools.

MyTools
MyTools provides technicians with the ability to quickly access their favorite tools. You can link to executables,
execute Command Prompt/PowerShell commands, or even launch a custom batch file. The primary tool to manage
MyTools is the MyTools Editor, the first item listed on the MyTools screen. There are several logical steps required
in this section, but when configured properly, those steps will allow this to serve you well.

Staging MyTools Utilities

Before you get started with the MyTools Editor, we recommend storing your tools in the MyTools folder created
when Malwarebytes Toolset was unzipped. This keeps the environment organized, and also makes it easier to
maintain. Once you get MyTools built and configured, the MyTools folder can be copied to another devices
Malwarebytes Toolset has been extracted to. Now you can distribute a customized MyTools configuration to your
technicians on USB Flash Drives. Below is a sample configured MyTools folder.

Malwarebytes Toolset User Guide 33

Managing MyTools with the MyTools Editor
Once your tools are staged, launch the MyTools Editor. From here you can add, remove and edit your tools. Changes
are saved and implemented in real time.

MyTools Editor Toolbar

The toolbar appears directly below the Malwarebytes Toolset banner. It contains a number of icon buttons. To
create or edit an entry, press the + or Edit icon. You can also add a new tool by clicking <Insert> or edit an existing
tool by selecting it and pressing <Enter>. You can also right-click and select Create Tool or Edit Tool. The
corresponding window will then be displayed. For each tool to be added, enter specifications for the tool. Below is
a brief description of each field.

Add a new tool to the Malwarebytes Toolset. This is typically a tool which you often
use in your repair work.

Remove a tool from the Malwarebytes Toolset.

Malwarebytes Toolset User Guide 34

 Edit criteria for an existing tool. Information on adding and editing tools is described
below.
Load the Batch Import Tools window. This lets you specify a folder which contains tools
to add, the specific tools, and adds them all with one click. It is preferable that the
tools be moved to the MyTools directory so that any configuration or results files can
be accessed without issue.
Move a selected tool higher on your priority list. You would typically do this when your
- repairs tend to proceed in the same logical order and your tools do not match that
-
order.

Move a selected tool lower on your priority list.

Move a selected tool to the top of your priority list.

Move a selected tool to the bottom of your priority list.

Undo whatever you just did!

Redo the last action you performed.

Editing a Batch File

You can also quickly edit a batch file (CMD or BAT) using the MyTools Editor. After adding a batch file, simply right
click the item and select Edit Batch File. This will open the batch file in an instance of Notepad.exe so you can quickly
manipulate it.

Creating or Editing a Tool Entry

To create or edit an entry, press the + or Edit icon. You can also use keyboard shortcuts (<insert> and <Enter>
respectively) or right-click and select Create Tool or Edit Tool. The Add Tool/Edit Tool window will then be displayed.
Below is a brief description of each field in this window so you can get the most out of MyTools:
• Binary Path – Direct path to the tool to be added to MyTools. Use the Browse button to navigate to the
tool, or type in the full path/file name. Right-click this field if you want to use special Toolset variables
(described immediately after the examples provided here). By Default the Browse option shows only
executables (.exe), batch files (.bat or .cmd), and PowerShell scripts (.ps1), but you can specify ANY file you
want MyTools to launch including something as basic as a text file.

Malwarebytes Toolset User Guide 35

 • Arguments – Specify any arguments or switches you want us to pass to the binary being executed. This
allows you to customize execution even further if needed. This field can be critical for executing custom
PowerShell cmdlets, performing special operations with Command Prompt-based tools, or for running an
executable or script with special switches/options.
• Execution Type - Select execution method for the tool you are adding. This gives you more control and
options for what you can add, plus it can make things like adding scripts even easier.
o Normal - We will execute the item specified like a binary/executable file with administrator
privileges.
o CMD - We will execute the item specified via an argument passed to the Windows Console (aka
Command Prompt or cmd.exe). This is ideal for launching batch files (e.g. .bat, .cmd, etc.)
▪ Note: The following syntax is used: cmd.exe /k "%PATH_TO_BINARY%" "%ARGUMENTS%"
o PowerShell - We will execute the item specified via an argument passed to Windows PowerShell
with common arguments and administrator privileges. This is ideal for launching PowerShell scripts
(e.g. .ps1, etc.)
▪ Note: The following syntax is used:
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy -
NoProfile -File "%PATH_TO_BINARY%" "%ARGUMENTS%"
o MMC - We will execute the item specified as an MMC Snap-In for the Microsoft management
Console
• Architecture - Specify if a tool runs on a specific OS architecture:
o Any - Appears and launches on both 64-Bit/x64 and 32-Bit/x86 versions of Windows
o 64-Bit Only - Only appears and launches on 64-Bit/x64 versions of Windows
o 32-Bit Only - Only appears and launches on 32-Bit/x86 versions of Windows
• Alternate Icon - Specify an alternate icon of your choosing
• Search Tags - Add custom search tags/keywords to make searching for it easier. This will also add extra
weight for a MyTool to be a "Best Match". Adding duplicates increases the Best Match score/weight even
more (aka - use this to force a custom Best Match result).
• Tile Preview and Test - Provides a preview of what your MyTools entry will look like and the ability to test
all the settings you have input. Simply click on the Tile Preview and you can perform a test run of your tool.

Malwarebytes Toolset User Guide 36

The below example shows the usage of a Toolset variable (in this case, it will dynamically identify the full path based
on the relative path to the MyTools folder of the running instance of the Toolset) is shown as well as setting execution
to occur only on certain Windows versions and architectures. In this example, this tool will only appear on the
MyTools are if the Malwarebytes Toolset is running on a 64-Bit version of Windows 7, Windows 8.x, or Windows 10.

The below example demonstrates the usage of both system variables (Binary Path) as well as switches (Arguments)
to be utilized during execution of the tool. This tool to appear on the MyTools menu when Malwarebytes Toolset is
running on a Windows 10 computer.

Malwarebytes Toolset User Guide 37

Using Toolset Variables in MyTools
When specifying a Binary Path or Arguments for any tool, you can right-click the field to add special Toolset Variables.
This not only simplifies entry of long directory paths, but also helps to ensure your tools can launch across multiple
computers – especially if you are storing and running Malwarebytes Toolset from a USB Flash Drive. On top of that,
these variables are passed as Environment Variables to process that is executed, which means you can take
advantage of them inside of your tools and scripts too. For reference, the following variables have been defined:
• %MBTS_SYSTEM32% - The \Windows\SysNative directory of the host operating system
• %MBTS_CMD% - Launches Command Prompt from the default location based on the host operating system
• %MBTS_PWSHL% - Launches PowerShell from the default location based on the host operating system
• %MBTS_ROOT% - The root directory the Malwarebytes Toolset itself is running from.
• %MBTS_MYTOOLS% - The MyTools subdirectory that is in the root directory the Malwarebytes Toolset
itself is running from
• %SYSTEMROOT% - The root directory of the host operating system

Editing Complete…What Now?

Once you have added all of the tools you wish to use (or made changes when required), close the MyTools Editor.
The Malwarebytes Toolset user interface will appear similar to what is shown below. Depending on the width of the
interface displayed on your screen, you may see tools arranged as one long column, or in two columns (as shown
here). Note that all tools shown here are ones that were just entered.

Malwarebytes Toolset User Guide 38

Check for Updates
This option enables the Malwarebytes Toolset to look for pertinent updates which may be available. This includes
updates to the Toolset itself as well as all Malwarebytes utilities which are made available through the Toolset.
Updates will appear on the list (as shown below) for utilities which have not yet been downloaded, or for utilities
which updates are available for. If a program has been downloaded and is up to date, it will not appear on the list.

Select updates you wish to download and click Download. The window will update to show status of the download,
and will inform you of final download status. When the download is complete, click Close.
In the next section of this guide, you will notice small clouds at the bottom right of two utilities, and the absence of
a cloud on the MC-Check icon. That indicates that two utilities have updates available, while the third does not.
That standard is used throughout the Toolbox section of this program.

Malwarebytes Toolset User Guide 39

Protect
This area provides easy access to install our flagship product – Malwarebytes for Windows – as well as utilities that
are often used in conjunction with Malwarebytes for Windows.

Malwarebytes for Windows

This option installs the latest version of Malwarebytes for Windows. While we encourage users to install
Malwarebytes Premium version to take advantage of the real-time protection it offers, the free version will allow
the computer owner to run scans at will. If Malwarebytes for Windows has not been previously downloaded (or an
updated version exists), it will be downloaded automatically before being executed.

Malwarebytes Browser Guard for Chrome

This option will open the default web browser of the target computer and go to the Malwarebytes Browser Guard
for Chrome browser extension page at the Chrome Web Store. This will allow you to add proactive protection at the
web browser level to protect a system from malware, scams, clickbait, and annoying ads. More info can be found on
our website here.

Malwarebytes Browser Guard for Firefox

This option will open the default web browser of the target computer and go to the Malwarebytes Browser Guard
for Firefox browser extension page at the Firefox Add-ons site. This will allow you to add proactive protection at the
web browser level to protect a system from malware, scams, clickbait, and annoying ads. More info can be found on
our website here.

Malwarebytes Support Tool

This utility allows you to manually remove Malwarebytes products and potential leftovers on a computer. It also
helps in gathering in-depth technical logs of a system and installed Malwarebytes products to help troubleshoot
issues with our products. See the Malwarebytes Support Tool FAQ (https://support.malwarebytes.com/docs/DOC-
2387) for more details on using this utility.

Malwarebytes Toolset User Guide 40

Remediate
This option provides several Malwarebytes programs to assist in the remediation and cleanup of a computer. You
may choose to limit your toolset to the tools you have added in the MyTools section. That is your choice, but we
also offer these tools to you all in one place for ease of use.

Here is more information about each of these tools.

Malwarebytes Anti-Bundleware
Malwarebytes Anti-Bundleware is a program designed to detect and remove bundleware which may have been pre-
installed on your system or automatically installed with another piece of software. More details about this program
can be found on our forums: https://forums.malwarebytes.com/forum/233-malwarebytes-anti-bundleware/.

Malwarebytes Anti-Rootkit
Malwarebytes Anti-Rootkit is a program designed to detect and repair rootkits which may have been placed on your
disk drive via a malware attack. This program is a perpetual beta product, meaning that it is updated only when
there is a specific need.

AdwCleaner
This is one of the most frequently downloaded tools for removal of potentially unwanted programs (PUPs), toolbars
and adware. Addition of AdwCleaner technology to your repertoire helps to provide even more effectiveness to the
services you provide. If AdwCleaner has not been previously downloaded (or an updated version exists), it will be
downloaded and then executed.
► AdwCleaner includes the technology of the Junkware Removal Tool.

MBBR CLI Scan

This option performs a Threat Scan on the computer from the command line using Malwarebytes Breach
Remediation. There is no provision for customization of the arguments. If the computer does not have .NET 4.0
installed (or if it has been rendered unusable), this is the only method available for portable malware scanning.

Malwarebytes Toolset User Guide 41

► If malware is detected, you may be prompted to reboot the computer. Please plan accordingly.

MBBR Command Prompt

This option will open a Command Prompt instance with focus on the directory where MBBRv2 is stored so you can
run Malwarebytes Breach Remediation however you see fit. It will prompt to register and update definitions for
MBBRv2 for you to make things as easy as possible.

Launch Windows Defender Offline

This option is available for Windows 10 users only. It causes the system to reboot, then performs an offline scan
using Microsoft Windows Defender.

Malwarebytes Toolset User Guide 42

Repair
This section provides common repair tools to fix problems and OS damage that often occur as a result of malware
attacks. The tools available will dynamically change depending on the version of Windows being ran.

Firewall Reset
Computers are often infected by malware which manipulates firewall settings, thus opening the computer to access
from the outside world. This command resets the firewall to the default policy. When Group Policy is used, all
firewall settings are turned off and Group Policy settings pertaining to the firewall are set to not configured.

Network Reset
Many connectivity issues are due to problems with configuration of the various networking components on the
computer. Sometimes this is due to malware, and sometimes not. This option resets most of those components to
initial values. As a result, subsequent networking commands encounter very slight delays as these initial values are
replaced by true operational values. Please note that this option does not accomplish the same goals as a Winsock
Reset, and when required, should be performed before use of a Winsock Reset is considered.

System File Checker

This option executes the Windows System File Checker utility program (sfc.exe). This program scans Windows
system files and attempts to repair any corrupted files found during the scan.

Winsock Reset
If the computer is exhibiting strange connectivity issues that have not been corrected by other diagnostic means,
you may need to reset the winsock catalog. This catalog is used for all Internet connectivity and is a favorite target
of malware. Unless the computer uses customized networking parameters, a reset would not have negative results.

WMI Reset
Windows Management Instrumentation (WMI) is infrastructure built into Windows for managing devices,
applications, data and operating system components. It is also used to share management data and operations with
other operating system components. This reset will rebuild and register the core components of Windows that allow
WMI to function.

Malwarebytes Toolset User Guide 43

DISM Health Scan
Deployment Image Service and Management Tool (DISM) is used on computers running Windows 8.x and 10, to
check the computer’s component store (WinSxS) against its own payload. Any files found to be corrupted are
replaced by files downloaded files through the Windows Update process. This option is not available on Windows
7.

Boot to Windows RE
The Windows Recovery Environment (Windows RE) is a bootable offline Windows PE based environment to help one
manually repair or restore their operating system using tools like System Restore, Refresh/Reset (Windows 8+),
Command Prompt, and much more. Windows RE is included by default starting with Windows 7 and can be a
powerful tool for technicians. This option allows a technician to set the assigned Windows RE image of the OS to
load on next boot.

Enable/Disable Legacy F8 Boot Menu

In Windows 8.x and Windows 10, the boot loader was modified to speed up the time required to boot the computer.
As a result, the Safe Mode option (F8) was removed. This feature still exists, but only through a setting in the
Windows registry. This option allows the technician to enable/disable the F8 Boot Menu using a Windows utility
that modifies the registry key. This option is not available on Windows 7.

Malwarebytes Toolset User Guide 44

OS Tools
This tab provides a collection of important system-level tools which are available in modern Windows operating
systems. While these tools will not detect malware on a system, they may detect the aftereffects of malware. Please
note that the Search component of the Toolset provides access to a plethora of additional OS Tools outside of the
ones included in the Toolbox.

Please note the shaded area of the main screen area, which shows five labeled icons. This is the view you will see
normally. When the screen is compressed vertically, it appears as shown below.

As with all system-level tools, significant damage may easily result from inappropriate usage. If you are not sure
about changing a system setting, please research that setting before making a change from which there may be no
cure.

Command Prompt
This option opens a Windows command prompt (cmd.exe), in Administrator mode. You may navigate to any
directory on any mounted drive and perform command line operations.

Computer Management
This option launches the Computer Management snap-in of the Microsoft Management Console (mmc.exe). Many
system parameters may be inspected here. Event Viewer and Device Manager are available within this option, as
well as being accessible by their own program option.

Device Manager
This option launches the Device Manager snap-in of the Microsoft Management Console (mmc.exe). Entries for
each installed hardware device may be inspected, along with the resources those devices use. Failing or
misconfigured devices will have a warning indicator displayed to alert the user. This option is available as a discrete
menu selection, and as a selectable option in Computer Management.

Malwarebytes Toolset User Guide 45

Disk Management
This option launches an analysis of each disk and disk partition in the storage subsystem. Drives which are not
assigned drive letters (unused areas, recovery partitions and disk used for secondary operating systems) are all
shown, as are CD/DVD/Blu-ray and virtual drives. This option is available as a discrete menu selection, and as a
selectable option in Computer Management.

DiskPart
This tool allows the technician to create new disk partitions, or to delete or modify existing disk partitions. This
program offers a number of configuration options. Please refer to the following page for more information on this
program: https://technet.microsoft.com/en-us/library/bb490893.aspx

Event Viewer
This option launches the Windows Event Viewer snap-in of the Microsoft Management Console (mmc.exe). All
system events may be inspected here.

File Explorer
This option opens Windows Explorer (Windows 7 and earlier) or File Explorer (Windows 8 and newer), allowing
navigation from one drive or directory to another. This option will not provide option to restricted operating system
directories.

Group Policy
This option opens the Local Group Policy Editor, allowing you to modify the Group Policies of the device. This option
will only function on versions of Windows that support the Group Policy Editor.

Programs and Features

This option opens the legacy Programs and Features (aka Add/Remove Programs or AppWiz.cpl) Control Panel
applet. This allows you to manage installed desktop applications, installed updates, and Windows Features.

RegEdit
This option opens the Windows Registry Editor (regedit.exe). Unless you are well versed in working with the
Windows registry, you should make a backup copy of the registry before proceeding.

Services Manager
This option opens the Windows Service Control Manager snap-in of the Microsoft Management Console (mmc.exe).
This tab shows each system service, its operating status, when the service starts, and under which user’s authority.

Settings
This option provides access to system settings on computers using Windows 8, 8.1 and 10 operating systems. This
option will not appear on computers running earlier versions of the Windows operating system.

System Restore
This option provides access to the System Restore wizard so you can roll back the OS to a previous state OR create
a system restore point.

Task Manager
This option opens the Windows Task Manager (taskmgr.exe), allowing inspection of running applications,
processes and services, each on their own tabs. CPU usage and memory usage as well as networking usage are also
available for inspection.

Malwarebytes Toolset User Guide 46

Windows Memory Diagnostic
This option launches a delayed diagnostic test of all RAM memory installed in the computer, using Microsoft’s
mdsched.exe diagnostic. This requires that you must reboot the computer after selecting this option to allow the
test to run. Please note that you cannot use the computer for any other purpose while the test is running, and this
test may take several minutes to complete.
Progress will be displayed on the screen, and the computer will reboot when the test is complete. Depending on
the operating system in use, you may be able to evaluate test results on screen. If you are unable to view test results,
they are available in the Windows Event Viewer in the System Log section.

Windows PowerShell
This option opens a Windows PowerShell command prompt ( powershell.exe). You may perform system-level
commands, which include many commands that have not been available in the older Windows command prompt
(cmd.exe). Please note that this option is visible only for operating systems that will support it (Windows 7 and
newer).

Windows Store App Updates

This option provides access to information on application updates on computers using Windows 8, 8.1 and 10
operating systems. Version numbers and dates that applications were last updated are shown here. This option will
not appear on computers running earlier versions of the Windows operating system.

Windows Troubleshooters
This option provides access to the troubleshooting tools provided by Microsoft for users of Windows 7 and newer
operating systems. This option will not appear on versions of Windows older than Windows 7.

Windows Update
This option opens the Windows Update option of the Control Panel. You may check for new updates, install or roll
back updates. If updates are controlled by a system administrator (typical in a corporate environment), this option
cannot override that authority.

Malwarebytes Toolset User Guide 47

Settings
Malwarebytes Toolset includes an area to manage general settings of the application, manage your license, and set
a Startup Password. The following options are available under Settings.

Options & Startup Password

This section contains options to help customize your experience with the Toolset. They are:
• Select the Toolset screen to load at launch: This sets which screen/component of the Toolset loads when
you launch it. Available options are:
o Inform (Default)
o Scan
o Toolbox
o Settings
• Help improve the Toolset by providing usage statistics: This configures the telemetry capabilities of the
Toolset to help us improve its capabilities. Available options are:
o Always (default)
o Never
o For more details on the data we collect with our products, see our Privacy Policy.
• Limit access to the Toolset by requiring a password at launch: This allows you to set a Startup Password to
limit unauthorized access to the Toolset.
o To enable this feature, click the Create Password link and you will be presented with a window to
enter a custom password with a minimum of four (4) characters.

o Once a Startup Password is enabled, you can change it by clicking Change or remove it by clicking
Remove.

o If you have forgotten your Startup Password, you can recover access by doing the following:

Malwarebytes Toolset User Guide 48

 1. Delete the Toolset license file at “\Malwarebytes\MBTS\Data\Configuration\mbts-
license.dat”
2. Relaunch the Toolset
3. Enter your Toolset license key and click Verify

License Details
This section allows you to view your license key and change it if necessary.
• License Key: This shows the current license key being used. Click on it to be prompted with a window to
change it

• License Type: This displays the current type of license being used.
• Expiration Date: The current date your Malwarebytes Toolset license will expire. For license or renewal
questions, contact [email protected]

About
This section shows version details of Malwarebytes Toolset with links to release notes, user guide, and EULA.

Malwarebytes Toolset User Guide 49

Command Line Options
The Malwarebytes Toolset provides Command Line options to utilize some components quickly for automation
and/or scripting purposes. These options can be passed to MBTSLauncher.exe or MBTS.exe. Below is a list of those
options with examples.
• /password:”Your Startup Password” - Suppress prompt for your Startup Password.
• /scan:inform /LogFile:”Path to file” - Silently runs an Inform operation and outputs results in plain text to
the file specified.
o If /LogFile is not specified, then the exported text file is saved to the following location:
%UserProfile%\Desktop\Inform_%COMPUTERNAME%_%DATE&TIME%.txt
o If only a file name is specified for /LogFile (e.g. "Inform Log File.log"), then the specified file will
be saved to %MBTS_ROOT% (aka the directory where MBTSLauncher.exe is stored).
o NOTE: MBTS.exe is not a console app. No output will be sent to the console window while the
export is occurring.
• /scan:malware - Scans for malware with the Malwarebytes Portable Scanner using the current Default Scan
settings. These settings can be changed using the MBTS.exe GUI (Scan ► Settings icon ► Edit Default
Scan).
• /scan:issues – Scans for issues with the Malwarebytes Issue Scanner.
• /repair:network – Performs a Network Reset.
• /repair:wmi – Performs a WMI Reset.
• /toolbox:”Name of Tool” – Launches the specified tool in quotes from the Toolbox or MyTools.
• /LogLevel:<0-5> – Launches the Malwarebytes Toolset with a specified logging level output for the
“DebugLogging.txt” file. This is used for troubleshooting the Malwarebytes Portable Scanner. The default
log level is 1 (ERRORS) and is used if no log level is specified. The following is a definition of each log level:
o 0 - none
o 1 – Events marked as Errors only are logged
o 2 – Events marked as Errors and Warnings are logged
o 3 – Events marked as Errors, Warnings, and Info are logged
o 4 – Events marked as Errors, Warnings, Info, and Debug are logged
o 5 – Events marked as Errors, Warnings, Info, Debug, and Trace are logged
o The DebugLogging.txt file is stored in the following locations depending on the architecture of the
operating system:
▪ 64-Bit (x64) - Malwarebytes\MBTS\x64\DebugLogging.txt
▪ 32-Bit (x86) - Malwarebytes\MBTS\DebugLogging.txt

Malwarebytes Toolset User Guide 50

Reports and Scan Logs
Malwarebytes Toolset can capture and export the results of scans –Inform, Network Devices Scan, Issue Scanner,
and Malwarebytes Portable Scanner– to your clipboard, to text files, and (in some cases) to specialized files on the
system itself. This allows you to export results to wherever you need them for documentation, reporting,
troubleshooting, or other similar needs.

Inform Export Log

This log is an optional export from Inform. It’s designed to provide users a way to export all the rich technical
information that Inform gathers on the operating system and device. This can be very helpful for service
documentation, reporting, or other similar use cases. To create an Inform Export Log from within Malwarebytes
Toolset:
1. Go to Inform and select Actions
2. Select the desired operation:
a. Export to Clipboard – This will export all detected devices and details in plain text to the clipboard
b. Export to Text File – This will export all detected devices and details to a text file

Alternatively (or for scripting/automation purposes), you can perform an Inform Export via the following Command
Line option passed to MBTSLauncher.exe or MBTS.exe:
• /scan:inform /LogFile:”Path to file” - Silently runs Inform and outputs results in plain text to the file
specified.
o NOTE: MBTS.exe is not a console app. No output will be sent to the console window while the
export is occurring.

Malwarebytes Issue Scanner Reports and Summary Log

The Malwarebytes Issue Scanner saves a detailed report of each scan and repair operation on the local system via
Scan History. You can export a summary-based log of any issue scan by doing the following:
1. Go to Scan and click the Scan History icon (looks like a calendar) in the Malwarebytes Portable Scanner
section
2. Select the scan report you want to load and click View
3. Click the gear icon near the top of the summary pane and select the desired operation:
a. Copy Summary to Clipboard – This will export a summary of the scan, issues found, and issues
repaired in plain text to the clipboard
b. Export Summary to Text File – This will export a summary of the scan, issues found, and issues
repaired to a text file
Note: You can also export a summary report at the Scan Results and Repair Results phases of a scan operation.
You can view full technical details of a Malwarebytes Issue Scanner operation from within Malwarebytes Toolset by
clicking the Scan History icon (looks like a calendar) under the Scan component, then selecting a scan report and
clicking View. This allows you to view the full Scan Report and Repair Report details that were presented during the
original scan operation.

Malwarebytes Portable Scanner Reports and Summary Log

The Malwarebytes Portable Scanner saves a detailed report of each scan and removal operation on the local system.
You can export a summary-based log of any malware scan by doing the following:

Malwarebytes Toolset User Guide 51

 1. Go to Scan and click the Scan History icon (looks like a calendar) in the Malwarebytes Portable Scanner
section
2. Select the scan report you want to load and click View
3. Click the gear icon near the top of the summary pane and select the desired operation:
a. Copy Summary to Clipboard – This will export a summary of the scan and malware removed in
plain text to the clipboard
b. Export Summary to Text File – This will export a summary of the scan and malware removed to a
text file
Note: You can also export a summary report at the Scan Results and Repair Results phases of a scan operation.
You can view full technical details of a Malwarebytes Portable Scanner operation from within Malwarebytes Toolset
by clicking the Scan History icon (looks like a calendar) under the Scan Component then selecting a scan report and
clicking View. This allows you to view the full Scan Report and Repair Report details that were presented during the
original scan operation.
Alternatively, you can also get a detailed scan results JSON file if needed. These are stored in the following location:
• %ProgramData%\Malwarebytes\Malwarebytes Toolset\MalwareScanner_Client\ScanResults\GUID.json –
scan results files in JSON format produced by the Malwarebytes Portable Scanner

Network Devices Scan Log

This log is an optional export from the Network Devices Scanner. It’s designed to provide users with an ability to
produce a network site survey or inventory of local network devices. Please note that the fields of this report can
be customized before exporting. To create a Network Devices Scan Log from within the Malwarebytes Toolset:
1. Go to Inform and select Network
2. Click Start Scan under the Network Discovery tile
3. Wait for the Network Devices Scan to finish
4. Click Export and select the desired operation:
a. Copy to Clipboard – This will export all detected devices and details in plain text to the clipboard
b. Export to Text File – This will export all detected devices and details to a text file
c. Export to CSV – This will export the summary of detected devices to a CSV file

Other Log Files

Additional log files are created for specific components that can help with customized reporting needs and
troubleshooting. Below is a list of these with a brief description of their contents.
• %ProgramData%\Malwarebytes\Malwarebytes Toolset\Logs\*.mbts – Scan History data files for the
Malwarebytes Portable Scanner and Malwarebytes Issue Scanner
• %ProgramData%\Malwarebytes\Malwarebytes Toolset\MalwareScanner_Client\ScanResults\GUID.json –
scan results files in JSON format produced by the Malwarebytes Portable Scanner
• \Malwarebytes\MBTS\DebugLogging.txt – debug log file for the Malwarebytes Portable Scanner (32-bit)
• \Malwarebytes\MBTS\x64\DebugLogging.txt – debug log file for the Malwarebytes Portable Scanner (64-
bit)
• \Malwarebytes\MBBRv3\x64\Logs\MBBR-ERROUT.txt –error and debug log files for Malwarebytes Breach
Remediation CLI v3 64-Bit
• \Malwarebytes\MBBRv3\x86\Logs\MBBR-ERROUT.txt –error and debug log files for Malwarebytes Breach
Remediation CLI v3 32-Bit
• \Malwarebytes\MBBRv2\Logs\MBBR-ERROUT.txt – the error and debug log file for Malwarebytes Breach
Remediation CLI v2

Malwarebytes Toolset User Guide 52

Additional Tools
Malwarebytes Toolset has additional standalone tools available to users either in a dedicated directory with the
Toolset package or as a separate download. Below are the current additional tools available.

Malwarebytes Breach Remediation for Windows

Malwarebytes Breach Remediation for Windows is a portable command-line version of our Malwarebytes
technology designed to facilitate malware remediation on Windows and Windows Server. This utility can be scripted
to provide advanced usage and automation which may be needed for certain environments.
Malwarebytes Breach Remediation for Windows version 2.x and 3.x are included with Malwarebytes Toolset in the
following locations and will need your Malwarebytes Toolset Product Key for licensing:
• Toolbox ► Remediate ► MBBR CLI Scan
• Toolbox ► Remediate ► MBBR Command Prompt
• Malwarebytes\MBBRv3\x64\mbbr.exe
• Malwarebytes\MBBRv3\x86\mbbr.exe
• Malwarebytes\MBBRv2\mbbr.exe
Malwarebytes Breach Remediation for Windows supports the following operating systems:
• Version 3.x: Windows 10, Windows 8.1, Windows 8, Windows 7 SP1, Windows Server 2019, Windows
Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2
• Version 2.x: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP, Windows
Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server
2008, and Windows Server 2003

For full details on how to use this utility, please read the Malwarebytes Breach Remediation User Guide. You can
also run mbbr.exe from the Command Prompt with Administrator privileges with no arguments to a list of command
line options, settings, and arguments.

Malwarebytes Toolset User Guide 53

Malwarebytes Breach Remediation for Mac
Malwarebytes Breach Remediation for Mac is a portable GUI and Terminal version of Malwarebytes for Mac
designed to facilitate malware remediation on macOS 10.9.5 or later. Malwarebytes Breach Remediation for Mac
version 1.3.1 is available as a separate download and will need your Malwarebytes Toolset product key for licensing.
You can obtain Malwarebytes Breach Remediation for Mac via the following methods:
• Download via the Check for Updates Tool
• Manual Download: https://downloads.malwarebytes.com/file/mbbr
For full details on how to use this utility, please read the Malwarebytes Breach Remediation for Mac User Guides.
Links are included below.
• Malwarebytes Breach Remediation for Mac GUI User Guide
• Malwarebytes Breach Remediation for Mac CLI User Guide

Fab’s AutoBackup 7
To help expand the capabilities of the Malwarebytes Toolset and showcase one of our partners in the tech
community, we have partnered with the wonderful Fabrice Parisot to bring access to Fab's AutoBackup 7 to the
Toolset (license not included). This utility is the industry leader for technicians that want to easily backup, transfer,
and migrate user data and settings on Windows devices. You will find it under the Repair section of the Toolbox
(and Malwarebytes\AutoBackup7Pro).
For more details on this product, check out the included user guide or visit the following website:
https://www.fpnet.fr/
Please note that on first launch, Fab's AutoBackup will ask for your license info (for previous users), offer you an
exclusive discounted license at 25% off (must be launched from the Toolset itself), or utilize a trial version of the
product. Malwarebytes does not directly provide or sell these licenses, and it is up to you to obtain and provide one.

Malwarebytes Toolset User Guide 54

Frequently Asked Questions
Below are common questions users ask about using the Malwarebytes Toolset. If you have additional questions or
need technical support, email our team the details at [email protected]

► Getting Started - First Time Use

When you first use the Malwarebytes Toolset, you will need internet access to allow it to validate your license
key and to update all components. To begin using the tool, perform the following:
1. Using the URL contained in your purchase confirmation email, download the Malwarebytes Toolset.
Your license has been pre-injected into the product.
2. Extract the MBTS_X.X.X.XXXX.zip package file to the root of a USB flash drive or a dedicated directory
within a USB Flash Drive.
o Please Note: Ensure the path where the Malwarebytes Toolset has been extracted to does not
contain any ASCII/UNICODE extended set characters.
3. Double click MBTSLauncher.exe from the extracted package.
4. Once the Toolset launches and validates your license, go to Toolbox ► MyTools ► Check for
Updates
5. Download all available updates

► How do I update the components of the Malwarebytes Toolset?

The Malwarebytes Toolset checks for a new release at launch. If one is available, an orange notification banner
appears with an option to start an in-place update. For all other components or to update manually, use the
MBTS Updater by doing the following:
1. Launch the Malwarebytes Toolset
2. Click on the Toolbox component.
3. Go to MyTools and click Check for Updates
4. Select the components you want to update, then click Download
5. Follow any additional steps presented.

Any Toolbox item supported by the Updater can also be updated upon launch. If there is a new version, you
have the option to download and use that one OR continue to use the older version.

► How do I run a malware scan?

We include a portable version of Malwarebytes, the Malwarebytes Portable Scanner. To use it, perform the
following:
1. Launch the Malwarebytes Toolset
2. Click on the Scan component.
3. Click Scan for Malware.
4. Follow any additional steps presented.
By default, a malware scan will always prompt if you want to kill non-essential processes, check for database
updates, and perform a Threat scan. If you want to change this default behavior, click on the Settings icon (it
looks like a gear) and select Edit Default Scan.
If you want to perform a one-time custom scan, click Custom Scan and select the scan options you want to use.

► Does the Malwarebytes Toolset and/or Malwarebytes Breach Remediation support offline usage?
Both products support offline usage. The Toolset must be validated (required on first use) and updated. If these
conditions are met, you can use the Toolset offline for seven (7) days with version 1.3 and fifteen (15) days with
version 1.4+. If you are only using the Malwarebytes Breach Remediation command line utility, it supports
fifteen (15) days of offline usage.

Malwarebytes Toolset User Guide 55

► How do I update the malware database/definitions?
By default, we always check for updates before a malware scan begins. Because you may be in situations with
no internet access, we highly recommend updating the database/definitions at least once per day on an
internet-connected PC. You can accomplish that two ways:
1. Launch the Malwarebytes Toolset
2. Click on the Scan component.
3. Click the Settings/gear icon next to Malwarebytes Breach Remediation and select Run Manual
Update
4. Follow any additional steps presented.
– or –
1. Launch the Malwarebytes Toolset
2. Click on the Toolbox component.
3. Go to MyTools and click Check for Updates
4. Select the Malwarebytes Rules component and then click Download
5. Follow any additional steps presented.

► How do I scan for malware or issues from Command Prompt/Command-Line?

The Malwarebytes Portable Scanner and Malwarebytes Issue Scanner can be launched from the command line
by passing /scan:malware or /scan:issues respectively to MBTS.exe or MBTSLauncher.exe. Below are
examples of this:
• Malwarebytes Portable Scanner
o MBTSLauncher.exe /scan:malware
o MBTS.exe /scan:malware
• Malwarebytes Issue Scanner
o MBTSLauncher.exe /scan:issues
o MBTS.exe /scan:issues

If you need additional automation or scripting capabilities for malware scans, Malwarebytes Breach
Remediation for Windows command line utility is included with the Malwarebytes Toolset. You can find it in the
directory structure here:
• Malwarebytes\MBBRv3\x64\mbbr.exe
• Malwarebytes\MBBRv3\x86\mbbr.exe
• Malwarebytes\MBBRv2\mbbr.exe

You can also manually download it from here:

• Malwarebytes Breach Remediation for Windows (3.x)
• Malwarebytes Breach Remediation for Windows (2.x)
Alternatively, we provide a quick launching version of Breach Remediation in the Toolbox under the
Remediate section. This is provided for instances where the GUI version is failing.

► How do I scan and export with Inform from Command Prompt/Command-Line?

You can perform an Inform Export silently from the command line by passing the following arguments to
MBTS.exe or MBTSLauncher.exe:
• /scan:inform /LogFile:”Path to file” - Silently runs Inform and outputs results in plain text to the file
specified.
o NOTE: MBTS.exe is not a console app. No output will be sent to the console window while the
export is occurring.

Malwarebytes Toolset User Guide 56

► How do I use AdwCleaner?
Malwarebytes AdwCleaner is included as a standalone component designed to remove adware, toolbars, and
more. You can run it by doing the following:
1. Launch the Malwarebytes Toolset
2. Click on the Toolbox component.
3. Go to Remediate and click on AdwCleaner
4. Follow any additional steps presented.

► How do I use Malwarebytes Anti-Bundleware?

Malwarebytes Anti-Bundleware is a standalone tool designed to remove unneeded bundled software and
junkware. You can use it by doing the following:
1. Launch the Malwarebytes Toolset
2. Click on the Toolbox component.
3. Go to Remediate and click on Anti-Bundleware Scanner Beta
4. Follow any additional steps presented.

► How do I scan for local network devices?

The Malwarebytes Toolset includes a Network Devices scanner to perform a detailed local network device
inventory scan. To use it, perform the following:
1. Launch the Malwarebytes Toolset
2. Click on the Inform component.
3. Go to Network then click Start Scan under Network Discovery
4. Follow any additional steps presented.

► How do I check the SMART Attributes and Disk Errors on a disk drive?
The Disk Drive Issue Scanner of the Malwarebytes Issue Scanner performs this function. Please note that only
failures or issues will be presented, but you can see full details by clicking on the Scan Report. To use the
Malwarebytes Issue Scanner, perform the following:
1. Launch the Malwarebytes Toolset
2. Click on the Scan component.
3. Click on Scan for Issues
4. Follow any additional steps presented.
For additional information, please see the latest Malwarebytes Issue Scanner Technical Reference.

► How do I add tools?

The MyTools component of the Malwarebytes Toolset allows you to bring along additional tools, scripts, and
batch files into the UI.
1. Launch the Malwarebytes Toolset
2. Click on the Toolbox component.
3. Go to MyTools and click MyTools Editor
4. Click the + icon to add a tool
o To import a directory of tools, click the Batch import button instead (looks like a download
icon)
5. Complete the Create Tool form and click Save

► How do I launch MyTools or Toolbox tools from Command Prompt/Command Line?

Malwarebytes Toolset User Guide 57

 Any tool from the Toolbox (including MyTools) can be launched from the command line by passing
/toolbox:”Name of Tool” to MBTS.exe or MBTSLauncher.exe. These tools will be launched as Administrator
and pass on the special variables defined in the MyTools section of the User Guide. Below are examples of this:
o Malwarebytes AdwCleaner
▪ MBTSLauncher.exe /toolbox:”AdwCleaner”
▪ MBTS.exe /toolbox:”AdwCleaner”
o Network Reset
▪ MBTSLauncher.exe /toolbox:”Network Reset”
▪ MBTS.exe /toolbox:”Network Reset”
o Windows PowerShell
▪ MBTSLauncher.exe /toolbox:”Windows Powershell”
▪ MBTS.exe /toolbox:”Windows Powershell”

► How do I manually download the Malwarebytes Toolset?

You can download the latest build of the Malwarebytes Toolset using the URL in your confirmation email. If
needed, use the syntax below to manually obtain the Malwarebytes Toolset with your product key pre-injected:
• Standard Download: https://toolset.malwarebytes.com/file/mbts/YOUR-PRODUCT-KEY
• Full Download: https://toolset.malwarebytes.com/file/mbts_full/YOUR-PRODUCT-KEY

Alternatively, there are generic URLs if the auto-injection system is down/not working correctly.
• Standard Download (No Key): https://toolset.malwarebytes.com/file/mbts
• Full Download (No Key): https://toolset.malwarebytes.com/file/mbts_full

► What is the difference between the Standard and MBTS Full download of Malwarebytes Toolset?
The Standard download is a smaller package with only the following core components:
• Malwarebytes Toolset (Inform, Network Devices Scanner, Portable Scanner, Issue Scanner, and
Toolbox)
Additional standalone components can be downloaded as needed when they are executed via the Toolbox or
downloaded using the MBTS Updater by going to Toolbox ► MyTools ► Check for Updates.
The Full download is a larger package with the following core and standalone components:

• Malwarebytes Toolset (Inform, Crash Dump Analyzer, Network Devices Scanner, Portable Scanner,
Issue Scanner, and Toolbox)
• Malwarebytes Breach Remediation v3 command line utility
• Malwarebytes Breach Remediation v2 command line utility
• Malwarebytes AdwCleaner
• Malwarebytes Anti-Bundleware
• Malwarebytes Anti-Rootkit
• Malwarebytes for Windows (installer)
• Malwarebytes Support Tool
• Fab’s AutoBackup 7
► Are There Command Line/Command Prompt Options for running the Malwarebytes Toolset?
Yes, command line options are available to utilize some components of the Malwarebytes Toolset quickly for
automation and/or scripting purposes. These options can be passed to MBTSLauncher.exe or MBTS.exe. Below
is a list of those options and their applicable syntax:
• /password:”Your Startup Password” - Suppress prompt for your Startup Password.
• /scan:inform /LogFile:”Path to file” - Silently runs an Inform operation and outputs the results in plain text
to the file specified.

Malwarebytes Toolset User Guide 58

 o If /LogFile is not specified, then the exported text file is saved to the following location:
%UserProfile%\Desktop\Inform_%COMPUTERNAME%_%DATE&TIME%.txt
o If only a file name is specified for /LogFile (e.g. "Inform Log File.log"), then the specified file will
be saved to %MBTS_ROOT% (aka the directory where MBTSLauncher.exe is stored).
• /scan:malware - Scans for malware with the Malwarebytes Portable Scanner using the current Default
Scan settings. These settings can be changed using the MBTS.exe GUI (Scan > Settings icon > Edit Default
Scan).
• /scan:issues – Scans for issues with the Malwarebytes Issue Scanner.
• /repair:network – Performs a Network Reset.
• /repair:wmi – Performs a WMI Reset.
• /toolbox:”Name of Tool” – Launches the specified tool in quotes from the Toolbox or MyTools.
• /LogLevel:<0-5> – Launches the Malwarebytes Toolset with a specified logging level output for the
“DebugLogging.txt” file. This is used for troubleshooting the Malwarebytes Portable Scanner. The default
loglevel is 1 (ERRORS) and is used if no log level is specified. The following is a definition of each log level:
o 0-none
o 1 – Events marked as Errors only are logged
o 2 – Events marked as Errors and Warnings are logged
o 3 – Events marked as Errors, Warnings, and Info are logged
o 4 – Events marked as Errors, Warnings, Info, and Debug are logged
o 5 – Events marked as Errors, Warnings, Info, Debug, and Trace are logged
o The DebugLogging.txt file is stored in the following locations depending on the architecture of
the operating system:
▪ 64-Bit (x64) - Malwarebytes\MBTS\x64\DebugLogging.txt
▪ 32-Bit (x86) - Malwarebytes\MBTS\DebugLogging.txt

Note: MBTS.exe and MBTSLauncher.exe are not a console applications. They will not send output to the
console window once they execute.

► How do I analyze crash dumps from blue screens/BSODs?

The Malwarebytes Toolset includes a Crash Dump Analyzer to perform a detailed analysis of crash dump files
created when a computer produces a blue screen of death (BSOD). To use it, perform the following:
1. If you have not already done so, launch the Malwarebytes Toolset
2. Click on the Inform component.
3. Go to History then click Details under Blue Screens
4. Select a Blue Screen event from the list then click Analyze

Malwarebytes Toolset User Guide 59