Jump to content

Recommended Posts

I'm getting the BSOD with farflt.sys listed as the cause.  I've seen that others have had the same problem, but the topics were fairly old so I thought it best to start a new one.

The machine is an HP Compaq PC.  I reinstalled Windows 7 Pro 32-bit yesterday and put all the software on top, including MB Premium.  I had to install MB twice because it errored, but it went on okay second time and I was using the PC for a few hours without problems last night.  As well as installing software like Office, and setting up Outlook, I've run Windows Update and installed all the updates it wanted, including SP1.

This morning it started BSOD on boot, with farflt.sys given as the culprit.  Windows runs okay in Safe Mode but not in normal mode.  Following instructions given in other posts I ran mb-clean in Safe Mode, which seemed to work okay, rebooted into Normal Mode, which came up okay, then re-installed MB.  It seemed to install okay but didn't even wait until I rebooted before it went BSOD.

I've run FRST and MB-Check and attached the zip file, and also attached the minidump file from one of the BSOD's, so I'm hoping someone will be able to tell me what's wrong.

I'm running AVG Free - does MB "fight" with AVG?  The built-in Windows virus checker is running as well, so is there a problem there?  I've also installed Trusteer Rapport, which my bank recommends, but it's created by IBM so should be safe.

I don't want to have to turn off anti-ransomware in MB, as the main reason I bought MB was because I was the victim of a ransomware attack a few years ago, which fortunately didn't cause much damage as I saw what was happening very early and stopped it.

If anyone can tell me what's happening and how to stop it I'd be grateful.

mb-check-results.zip

090118-29406-01.dmp

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

    welcome mbst.png
     
  • Click the Gather Logs button

    gatherlogs.png
     
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    Spoiler

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    mb_attach.jpg.220985d559e943927cbe3c078b
     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

@ChrisL- thanks for your report.

Could you get us a Complete memory dump so can look into this issue further? 

  • Check your C:\Windows directory for a "MEMORY.DMP" file
    • You'll have to copy the file to the Desktop. Once on the Desktop, right-click > send to > Compressed (this will zip it and make the file smaller so its quicker to upload) 

It looks like you should have one, based on the FRST log results.

Please use a service like www.wetransfer.com to upload your dump file(s) as they'll be too large to upload to the forum. Click the "3 dots" and you'll be given the option to get a link instead of entering an email address.

Share this post


Link to post
Share on other sites

Hi @ChrisL - thanks for the memory dump. It looks like this is an automatic or kernel dump rather than a Complete memory dump. It may not hold enough details for our developers to assess the issue.

For the time being, can you try to use Malwarebytes with Ransomware Protection (ARW) disabled?

Is the BSOD now immediate when Malwarebytes starts, or do you have a few minutes to be able to make a change in the settings? If so, please temporarily disable the Ransomware Protection while we assess this situation.

If you don't have time to disable the protection through the UI, let me know. I can walk you through some steps to disable ARW

Share this post


Link to post
Share on other sites

MB wouldn't run, even though it appeared to be installed, it said it couldn't connect the Service.  I couldn't re-install over the top of it, so I used MB-clean, rebooted and installed from start.  I got the BSOD as soon as it had finished, presumably as it tried to run.  The BSOD said something like "farflt.sys unloaded without closing running processes" (or something along those lines).

I've rebooted and logged in again in Normal mode, the machine seems stable but MB won't even try to run, it says it can't connect the Service when I try to launch it from the Desktop icon.  The Service is listed in Services but not running, when I try to start it manually it times out with a message "Error 1053: The service did not respond to the start or control request in a timely manner".

I've turned AVG off to test MB, the service still won't start. (I've had AVG running alongside MB for three or four years, so they should be able to co-exist happily.)  Windows Defender is off.  I've added MB to the Allowed list in Windows Firewall.  Something is now stopping MB from starting for some reason.  There's no other security software running, but I seem to remember a message when I was installing to say that Windows was going to block something or other and was I okay with that.  I can't remember what it was now, but MB ran (albeit problematically) for some time after the installation, so that probably isn't the problem anyway.

I've looked at Event Viewer, there's nothing much that jumps out at me apart from a few notifications that the MB service didn't start (details below) and a notification that a timeout was reached (30000 milliseconds) while waiting for the MB service to start.  There are also three entries under Applications and Services Logs/Microsoft-Windows-WER-Diagnostics/Operational that say "Possible heap corruption detected (exception code 3221225477). Initiating further diagnostics."

Hopefully these symptoms might give you a further clue as to what's happening!

- System
   
- Provider
      [ Name] Service Control Manager
      [ Guid] {555908d1-a6d7-4695-8e1e-26931d2012f4}
      [ EventSourceName] Service Control Manager
   
- EventID 7000
      [ Qualifiers] 49152
   
  Version 0
   
  Level 2
   
  Task 0
   
  Opcode 0
   
  Keywords 0x8080000000000000
   
- TimeCreated
      [ SystemTime] 2018-09-01T18:43:22.953737100Z
   
  EventRecordID 3260
   
  Correlation
   
- Execution
      [ ProcessID] 504
      [ ThreadID] 5096
   
  Channel System
   
  Computer DC-7800
   
  Security
- EventData
    param1 Malwarebytes Service
    param2 %%1053

Share this post


Link to post
Share on other sites

Without seeing new logs from the MBST tool, it's difficult to say what the current state of the Malwarebytes installation is, but it does seem to be damaged. Also, we have a newer and improved version of a log gathering and clean tool, the Malwarebytes Support Tool (MBST).

https://downloads.malwarebytes.com/file/mbst

My suggestion would be to use that tool, click on the Advanced Options link in the tool, then click Gather Logs. A zip file mbst-grab-results.zip will be created on your desktop. Please attach it.

Let's go from there.

 

Share this post


Link to post
Share on other sites

It took a while to run the MBST tool, as it involved installing .NET 4 and then installing about a million updates for it, but I got there eventually.  I hope you can find something useful in the vast amount of information it's gathered!

Skimming through the wealth of information one thing caught my eye, which may or may not be relevant.  In the file mbst-check-results.txt it says  

Anti-Spyware Product :  Windows Defender
 Up To Date: Yes Enabled: On

However if I try to run Windows Defender from Control Panel it says that "This program is turned off" and invites me to turn it on, so is part of it enabled and blocking MB from either installing properly or running?

 

 

mbst-grab-results.zip

Share this post


Link to post
Share on other sites

Update:

I tried turning on Windows Defender and got a message to say it was turned off in Group Policy, so unless there's some component running which hasn't been turned off by GP, Defender can't be running.  It's strange that MBST reports it as enabled though.

I've enabled boot logging in MSConfig and uninstalled MB using the uninstaller in MBST, in case it's more thorough than the mb-clean utility.  It's quite possible that MBST just invokes mb-clean, but you said MBST was "the newer and improved version of a log gathering and clean tool" so I thought I'd try it.  (Is MBST a better cleaner than mb-clean, or are they the same?)    I rebooted the machine and checked the log file.  It said that it had loaded a couple of the MB drivers, mbamswissarmy.sys and MbamChameleon.sys, so somehow they'd survived the reboot.  I rebooted again and checked the new boot log and they hadn't survived that one.  farflt.sys wasn't listed in either of the boot logs.

I've re-installed MB, it went on and started up okay and I was able to turn off the anti-ransomware.  So far the machine seems stable, MB has updated itself but I haven't yet run a scan.  The boot log says

Loaded driver \SystemRoot\System32\Drivers\mbamswissarmy.sys
Loaded driver \SystemRoot\system32\DRIVERS\mwac.sys
Loaded driver \??\C:\Windows\system32\drivers\mbae.sys
Loaded driver \SystemRoot\System32\Drivers\MbamChameleon.sys
Loaded driver \SystemRoot\system32\DRIVERS\mbam.sys
Loaded driver \SystemRoot\system32\DRIVERS\farflt.sys

So it's successfully loaded farflt, but I've now told MB not to use it.

I'll use the PC for a while and see if it remains stable, if so I'll try re-enabling anti-ransomware.  I'll report back shortly, but if the log files I uploaded last night give you any clues as to what's been happening I'd be very interested (I'm sure you'll be interested in what the problem is/was as well!)

Thanks

Edited by ChrisL
Change of emphasis in paragraph about farflt - initially gave incorrect impression that I thought it shouldn't have loaded farflt because I'd told MB not to use it.

Share this post


Link to post
Share on other sites

Hi ChrisL. I've not yet heard back from our developers about the nature of the BSOD you've been experiencing. We are currently investigating a couple other reports of BSOD from farflt.sys in the recent release 1.0.441, but it's too soon to tell if they are related to yours. For what it's worth, I've been stress testing a setup similar to your security software configuration since yesterday, and have yet to trigger a BSOD.

As far as Windows Defender being disabled by Group Policy, that is something AVG does when it is installed and fully active. This is from a TotalUninstall log taken during an AVG install.

    (+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
       (+)(REG VAL) DisableAntiSpyware = REG_DWORD, 1

And I agree, the WinDefend service is not running, so nothing really from Windows Defender to cause interference. When I ran my test with AVG, MBST also reported Windows Defender as enabled. I'll sync up with that team to try to get an explanation.

Yes, the version of mb-clean included in the MBST tool is enhanced, and a better option to use than the standalone mb-clean tool.

I sent you some additional information via Private Message.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.