Farflt.sys BSOD Cause


Hello, 

I have been using Malwarebytes for a long time now, and also AdwCleaner here and there, but recently, within the last 2 weeks, I have been given BSOD crashes via farflt.sys, which is a registered ransomware system file for Malwarebytes.

Now I would like to know if Malwarebytes will continue to work if I delete this file, and whether it will stay deleted and not replicate itself upon reboot of the software/update. As a savvy user I don't have a need for the ransomware protection anyway, but I don't want to have to go elsewhere for my malware protection, as I much prefer to keep what I'm used to.

Thanks

Martyn


Hello and Welcome... I doubt MB3 will continue to work 100% with missing files.... let's get some logs so the team can have a look and see what may be going on.

GET LOGS

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  • FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you

  • NEXT: Create and obtain an mb-check log

  1. Download MB-Check and save to your desktop
  2. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  3. This will produce one log file on your desktop: mb-check-results.zip
    • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

Thank You,

Firefox


Hello Firefox,

I have attached what you required. In the sense of removing farflt.sys and Malwarebytes not working, I could assume it probably wouldn't either, but it was worth a shout. Shutting off the process inside Malwarebytes for executing farflt.sys could hopefully be another way of stopping it causing BSODs.

Thanks

Martyn

mb-check-results.zip

Addition.txt

FRST.txt


While looking over these logs, can you also see if you have any crash dumps at C:\Windows\MEMORY.DMP or in C:\Windows\Minidump? If so, please either upload them here or if they're too large, use wetransfer.com to send them to dcollins@malwarebytes.com

After doing this, you can also disable this for the time being by going to Settings -> Protection and turning off Ransomware Protection. This will allow MB3 to run and shouldn't crash your machine, although you won't have active ransomware protection on your machine


Hi,

I have also had a problem with farflt.sys.  On Monday, Malwarebytes notified me of a software update and I accepted the installation.  On Tuesday morning when I restarted the computer for the first time after this installation, Windows froze and became unresponsive several seconds after logging in.  I had to shut down Windows using the power button.  A second attempt to start Windows produced the same result.  I then powered off via the power button and restarted Windows in Safe Mode. Since the installation of Malwarebytes the previous day was the only significant recent event, I suspected this to be the cause and so attempted to de-install Malwarebytes while in Safe Mode.  The de-installation process froze and once again I had to exit via the power button.  I then started again in Safe Mode and did a system restore back to a system state prior to the new installation of Malwarebytes.  This succeeded in allowing me to start Windows correctly.

On investigating the system logs this morning for yesterday's events, I can see that the initial freezing of the system on start up occurred immediately after farflt.sys was installed and loaded.  The system log shows no other events after this point until the system was powered off and restarted.

This isn't an issue for me any more since I have now removed Malwarebytes from my system and (regrettably) will not reinstall it since I can't afford to have such things happening on my system.  But I'm letting you know in case it helps.


11 minutes ago, User3030 said:

I should be clearer... when I said "didn't have any more crashes", I meant only while MWB is disabled.  If I run it, I get a BSOD like others.

·  Create and obtain an mb-check log

  1. Download MB-Check and save to your desktop
  2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
  3. This will produce one log file on your desktop: mb-check-results.zip
    • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

  • 2 months later...

I recently installed the latest version of MBAM (3.3.1).

I too have been getting the BSOD error Unexpected_Kernel_Mode_Trap. The Windows minidump file (attached) confirms that the MBAM Ransomware file "farflt.sys" is the culprit.

In my case, the BSOD specifically happens in File Explorer. In the left pane of File Explorer, if I single-click on the "+" sign next to C drive to view the sub-folders, the BSOD immediately occurs every time. Interestingly, if I instead double-click the C drive in the right pane of File Explorer, the subfolders are displayed and the BSOD does not occur.

To avoid this problem, I have temporarily turned off Ransomware detection in MBAM.

I've attached the minidump and mb-check-results.zip files.

Hope this matter can be resolved soon.

Thanks

Alex

mb-check-results.zip

111817-36656-01.dmp


32 minutes ago, gow said:

I recently installed the latest version of MBAM (3.3.1).

Follow this first to add exclusions to Bitdefender then do the following.

https://support.malwarebytes.com/docs/DOC-1123

Let us get a clean install of the current version, 3.3.1.

We have another tool called MB-Clean which will automate the whole process for you.

Tool can be found at https://downloads.malwarebytes.com/file/mb_clean

1. After downloading the tool, run the tool.

2. The tool will automatically clean up the older possibly damaged installation and will ask you for a restart.

3. Restart your system and then the MB-Clean tool will prompt you to re-install the latest product.

4. Click on "Yes" to reinstall MB 3.x.

5. Now you will have the latest product installed. If it does not offer the new install after the reboot you can download and install from here. 

https://downloads.malwarebytes.org/file/mb3

Please let me know if you are still seeing issues with the latest product install.

 


Hi Porthos

1. Bitdefender Antivirus Free only allows the option to add exclusions when a threat is detected on the file being scanned. I scanned each file individually (as listed on this link https://support.malwarebytes.com/docs/DOC-1123 ) and no threats were found by Bitdefender and therefore I could not add to exclusion list.

2. The clean tool ran OK, the PC rebooted, then MBAM 3.3.1.2183 was installed. This is the version I had already installed a few days earlier. Ran File Explorer and the BSOD problem still exists. PC rebooted.

3. I uninstalled Bitdefender and rebooted the PC. Ran File Explorer and the BSOD problem STILL exists. Now also, MBAM refuses to turn on Web Protection.

4. Some of the earlier Windows minidump files from this morning mention the Windows Container Isolation FS Filter Driver whereas the latest two minidump files as described above show MBAM farflt.sys as the culprit.

All minidump files created today are attached

Hope you can help.

mb-clean-results.txt

111817-25828-01.dmp

111817-28078-01.dmp

111817-36656-01.dmp

111817-40046-01.dmp

111817-46953-01.dmp


1 hour ago, gow said:

Hi Porthos

1. Bitdefender Antivirus Free only allows the option to add exclusions when a threat is detected on the file being scanned. I scanned each file individually (as listed on this link https://support.malwarebytes.com/docs/DOC-1123 ) and no threats were found by Bitdefender and therefore I could not add to exclusion list.

2. The clean tool ran OK, the PC rebooted, then MBAM 3.3.1.2183 was installed. This is the version I had already installed a few days earlier. Ran File Explorer and the BSOD problem still exists. PC rebooted.

3. I uninstalled Bitdefender and rebooted the PC. Ran File Explorer and the BSOD problem STILL exists. Now also, MBAM refuses to turn on Web Protection.

4. Some of the earlier Windows minidump files from this morning mention the Windows Container Isolation FS Filter Driver whereas the latest two minidump files as described above show MBAM farflt.sys as the culprit.

All minidump files created today are attached

Hope you can help.

mb-clean-results.txt

111817-25828-01.dmp

111817-28078-01.dmp

111817-36656-01.dmp

111817-40046-01.dmp

111817-46953-01.dmp

Update:

Un-installed and reinstalled MBAM 3.3.1.2183. Web Protection now working. BSOD still happening


32 minutes ago, gow said:

Update:

Un-installed and reinstalled MBAM 3.3.1.2183. Web Protection now working. BSOD still happening

Another Update:

Seems like it's not an MBAM problem at all as the BSOD is happening after I uninstalled MBAM and rebooted. Could have something to do with the November Feature Update. I'm at a loss. According to the latest minidump file, it could be a driver problem. Anyway thanks for your help.

 

111817-31687-01.dmp


On 11/18/2017 at 4:52 PM, gow said:

Another Update:

Seems like it's not an MBAM problem at all as the BSOD is happening after I uninstalled MBAM and rebooted. Could have something to do with the November Feature Update. I'm at a loss. According to the latest minidump file, it could be a driver problem. Anyway thanks for your help.

Just for your info/help, I was having similar problems:

 

and MBAM staff and I think that my BSODs and farflt.sys might be coincidence as well. I came to the conclusion like you that it may be a fault with the November Windows Feature Update. All my drivers are up-to-date, but who knows? The past two Windows updates have given me problems.

Hope that helps.


Thanks for the info.

In my case, the mini-dump file seems to suggest a file on my system, namely "C:\Windows\System32\drivers\XMS1563K.SYS", may be the problem. Searching Google about this file produced conflicting reports. One site says it's an important Windows file while another says it's a virus and part of a rootkit. Spyhunter from Enigma Software claims they can remove this rootkit but also say that Malwarebytes must be uninstalled in order to do so because Malwarebytes flags Spyhunter as a potentially undesired program. I'll have to pay for Spyhunter to use its removal properties. I'm running a 32-bit version of Windows 10 and note that the file XMS1563.SYS does not exist in the same folder on a 64-bit system.

Do I have an infection or not and what to do or not to do, that is the question. 

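A read-only way to gather facts about the driver file named in the post above before deciding whether it is an infection, as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 prompt; the function name Get-DriverTriage is hypothetical, and the paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread): read-only triage of a driver file
# that a minidump points at. Run from an elevated PowerShell prompt.
# Get-DriverTriage is a hypothetical helper name.
function Get-DriverTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Not visible on the live system; a hidden file needs an offline scan.
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $file = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Kernel driver services whose image path ends in this file name.
    $leaf = Split-Path -Path $Path -Leaf
    $svc  = @(Get-CimInstance -ClassName Win32_SystemDriver |
              Where-Object { $_.PathName -like "*\$leaf" })

    [pscustomobject]@{
        Path        = $file.FullName
        Exists      = $true
        Created     = $file.CreationTime
        Company     = $file.VersionInfo.CompanyName
        Description = $file.VersionInfo.FileDescription
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SigType     = $sig.SignatureType   # Authenticode or Catalog
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = $hash.Hash
        Services    = ($svc | ForEach-Object {
                          "$($_.Name) [$($_.State), $($_.StartMode)]"
                      }) -join '; '
    }
}

# Path as quoted in the post above.
Get-DriverTriage -Path 'C:\Windows\System32\drivers\XMS1563K.SYS' | Format-List

# File-system minifilters currently loaded (farflt would be listed here if
# it is loaded), then the newest crash dumps to analyse or upload.
fltmc filters
Get-ChildItem -Path 'C:\Windows\Minidump' -Filter *.dmp -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length
```

A valid signature and a registered service do not prove the file is benign, and a kernel-mode rootkit can falsify what checks on the live system see, so compare the SHA256 against a trusted source or scan from offline media.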
