File System Protection prevent booting

I have a Toshiba Portege laptop running Vista Business 32bit and setting up for a customer who I have convinced to purchase Malware Bytes (two licences, one installed on a Windows 7 laptop without problems). When installing the trial version of Malware Bytes Pro (prior to registration) the system fails to boot correctly and at first conflict with antivirus was suspected but two tried (AVG Free and Panda Cloud Free, or even no antivirus installed) with no change.

 

Thought it might be an infected system so did a factory restore and installed Malware Bytes Pro again - same problem. Can boot into Safe Mode but not full desktop. Investigation showed that disabling File System Protection cured the non-booting to desktop but obviously this isn't ideal so where do I go from here?

 

Barry


  • Root Admin

Hi Barry and :welcome:

 

We'll need to get some logs from the computer in order to assist you.

 

Please run the following scans and post back the logs.

 

STEP 01

Please create an mbam-check log:
 

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post


STEP 02

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment. 

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file


STEP 03

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.



Thanks
 

 


Thanks for the reply and attached are the scans requested.

 

Note 1: The problem with booting happens when the option "start file execution blocking when protection module starts" is enabled. I can manually start File Protection in Malware Bytes after loading and this doesn't appear to affect anything, it's just during boot.

 

Note 2: When DDS was run Malware Bytes blocked an outgoing connection, details below:

 

IP: 78.46.103.8
Type: Outgoing
Port: 49381

 

Read afterwards that I should have disabled Malware Bytes before running but is that a normal IP block if DDS is run without blocking ? If so then I can re-run DDS after disabling protection.

Attach.txt

CheckResults.txt

DDS.txt

Result.txt


Following on from the scans you suggested I noticed the boot display in Safe Mode ends at a file called AlfaFF.sys before the GUI kicks in and doing some digging it appears to be related to a biometric scanner (the laptop has a finger scanner that isn't used so disabled) and checking in System32 the file AlfaFF.dll security certificate expired in 2009.

 

So having nothing to lose I renamed this file to AlfaFF.dll.old and also in System32/drivers renamed the file AlfaFF.sys to AlfaFF.sys.old - then rebooted into normal mode with the option in Malware Bytes to "start file execution blocking when protection module starts" enabled. 

 

The system booted correctly to the user login screen with Malware Bytes fully active!!

 

I am now going to continue with the setup of this laptop (updates/SP2 etc...) and see how it goes but it appears this was the cause but would be interested to hear your analysis of the scan reports anyway. Something to add to the database in case you come across it again perhaps?

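The check and rename described in the post above, as an added PowerShell example that is not part of the original thread: it reports the Authenticode status and signer certificate expiry for the two files and, with `-Rename`, appends `.old` as the poster did. The file locations are the ones given in the post; the `-Rename` switch is an assumption of this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
param([switch]$Rename)   # hypothetical switch: also rename the files to *.old

# Locations as described in the post.
$files = @(
    (Join-Path $env:windir 'System32\AlfaFF.dll'),
    (Join-Path $env:windir 'System32\drivers\AlfaFF.sys')
)

foreach ($path in $files) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found (already renamed or not installed)"
        continue
    }

    # Embedded Authenticode signature, signer and certificate validity window.
    # Older PowerShell versions do not evaluate catalog signatures, so a
    # catalog-signed file can show up here as NotSigned.
    Get-AuthenticodeSignature -FilePath $path |
        Select-Object Path, Status,
            @{ n = 'Signer';       e = { $_.SignerCertificate.Subject } },
            @{ n = 'CertNotAfter'; e = { $_.SignerCertificate.NotAfter } },
            @{ n = 'Timestamped';  e = { $null -ne $_.TimeStamperCertificate } } |
        Format-List

    if ($Rename) {
        # Reversible: rename back to undo. -WhatIf can be added for a dry run.
        $newName = (Split-Path $path -Leaf) + '.old'
        Rename-Item -Path $path -NewName $newName
        Write-Output "Renamed $path -> $newName"
    }
}
```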

AlfaFF.zip

Nice detective work :)!

Would you mind zipping and attaching those files so that we might attempt to replicate this and research the issue further?

 Thanks :-)

 

Files zipped and attached as requested. The fingerprint software itself is Truesuite Access by Authentec version 2.5.28.0 if that's any help.


Excellent, thanks a lot.

You wouldn't happen to have the installer for that version of the software, would you? It likely shipped with your PC. I ask because I can only find their latest version on their downloads page.

Not directly, all part of the factory restore image. However when the system has finished this current lot of update (Vista is a pain to update !!) I'll try booting with Ubuntu and seeing if the image contains individual drivers or if it's a ghost file - if it is drivers then I'll be able to extract the ones for this and send. What's the file size limit for uploads ?


Have found the fingerprint scanner software on the system and zipped up but still too large to send directly as your upload limit is only 20Mb (fine for text file results of scans) so used the 'We Transfer' service suggested and here's the link to go get it ... http://we.tl/vUPuCHXHXY

 

Have fun and let me know how you got on with it  :)


  • Staff

Thank you for bringing this to our attention BurtonTechSupport. =)

 

I have replicated the issue with the files that you included. Unfortunately, the only workaround is to remove the alfaFF.dll and alfaFF.sys or to disable Filesystem protection.

 

I will bring this to the dev's attention. 


Relief in a way that you managed to replicate the problem and shows that this is all it was, i.e. no nasty root kits lurking. Not a problem having no fingerprint login but the system doesn't like removing the software even if the reader hardware is disabled in device manager - just re-installs on next boot. Suspect I'd have to open up the laptop and physically disconnect the reader and it's not worth that hassle / time as renaming those files does appear to be a permanent fix.

 

One to bear in mind if you get others with similar problems - check if there's a fingerprint reader on the affected laptop  ;)


Possibly but having finally got this system ready for returning to the customer (just need to get their netbook setup finished) I'm loath to spend any more (unchargeable !!) time on it. Would be a different story if they were wanting to use the fingerprint reader - maybe next time I come across this one, if ever - it's evidently not something you have met either or you'd have this in your FAQs?

Ah, that's fine then. Yes, if they aren't going to use the fingerprint reader, then it doesn't matter. We've never come across this particular issue, no. It must be something unique about that particular vendor's driver. Hopefully our Dev team can get it sorted out and make Malwarebytes Anti-Malware compatible with it.