
[resolved] Problem with Custom Rootkit Scan on SSD



Hello everyone,

I have a problem while performing a "Scan for Rootkits" in the mode "Custom Scan" and I'm not sure whether this should concern me or not.

The line where the currently scanned file is shown always gets stuck at a "system.runtime.serialization.dll" file (at this point about 200.000 files have been scanned).

It looks like Malwarebytes is frozen, nothing is changing besides the time required which is constantly running. Windows is running fine and I get no error notifications.

After waiting another 20-30 minutes, Malwarebytes then comes up with the "Scan successful" notification and everything is back to normal. (Files scanned jumps from 200.000 to 350.000.)

My question is: Am I safe because in the end the scan is successful without showing any threats and the freeze of the display of the file currently scanned is just a bug or something?

Or is it possible that there is some malware hiding within this file which interferes with the scanning progress?

Additional Information: My system (Windows 10) is running on a Samsung EVO 850 SSD. I have made a clean reinstall of Windows 10 including complete formatting of the drive two times during the last two days which did not solve the problem.

I would be thankful for any advice!

Kind regards

Stormy1988


Hello and Welcome!

Collecting the logs below will give the team a better insight of what may be going on....

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
  2. Download FRST and save it to your desktop
    NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  3. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  4. Press the "Scan" button
  5. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
  6. NEXT: Create and obtain an mb-check log
  7. Download MB-Check and save to your desktop
  8. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  9. This will produce one log file on your desktop: mb-check-results.zip
  10. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

Thank You,

Firefox


While we're waiting for the specialists, I'd suggest doing the following if you're able as it should show us what's going on during the scan so that we can check for anything that looks abnormal:

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MB3 Log in the File name: box and click Save
  • Open Malwarebytes and start a scan then exit Process Monitor and open it again just prior to it reaching the point where it appears to be stuck if you can; otherwise you can run Process Monitor throughout the entire scan (the log will be much larger if you do, which is why I recommend trying to start it as close to the problem area of the scan as possible)
  • Once the scan completes close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply, or if it is too large, please upload it to Rapidshare or a similar file hosting service that we may download the file from via a link and post the link to the download


Hello exile360,

thanks for your advice! I have created the log as per your manual. 

I have uploaded 2 Logs of two scans: https://we.tl/vo2DXiBOdg

1st Scan stopped again at the "system.runtime.serialization.dll" file and scanned 298.550 items in total. (File "Logs 1")

2nd Scan (directly after the first one) stopped at the file "system.identitymodel.dll" and scanned 298.578 items in total. (File "Logs 2")

I only mention this because I'm not sure if this is part of the problem but I'm surprised about the different number of items scanned.

Kind regards

Stormy1988

 


Hello again.  I heard back from the team and they informed me that this is indeed a known issue but that as long as the scan is able to complete and doesn't crash or anything, that it should be just fine.  It's just a problem with the scan UI not always having the needed resources available during the scan to update the display of what is currently being scanned.  As for the discrepancies in the number of items being scanned between different scans, my educated guess would be that it's most likely due to things like temp files building up on the system such as those which are created when you use your internet browser to browse the web.

Also, I would recommend trying a Threat scan in Safe Mode if you haven't already, just to make certain there isn't any malware on the system interfering with the scan, but if that comes back clean then you should be fine.  Instructions on starting Windows 10 in Safe Mode can be found here.

Please let me know if you have any additional issues or questions.

Thanks :) 

