False positive for Thaiphoon Burner zip - Firefox + Win11 issues resulting


popc245

Hi,

this is a brand new Windows 11 machine, latest 23H2 update, all-new parts, all latest drivers installed.  Every download came from an official source.

1) I set everything up, installed Malwarebytes + the Browser Guard for Firefox, activated my Malwarebytes license and set the program to check for Rootkits also, and then installed additional programs and games from official sources.

2) To verify that my RAM is working as intended, I downloaded Thaiphoon Burner - the zip - from their official website. 

Thaiphoon Burner v17.4.1.2 build 0902 Fina Free Download For Windows 11, 10, 8 and 7 [Latest Version]

This might be important: I did not unzip or install it.

3) During a scan, Malwarebytes detected "something" (Malware) but rendered it as "0".  In the Quarantine window, I tried multiple times to Export & Copy the information to the Clipboard.  Every time I did, Malwarebytes crashed and its icon disappeared from the tray.

Firefox simultaneously nuked itself (refusing to load anything) and could not be started anew (possibly due to the Browser Guard detecting "something"/the Thaiphoon Burner zip in tandem with the main app?).  In the Task Manager, both Firefox and Malwarebytes showed multiple entries using next to no resources.

Manually restarting Firefox and Malwarebytes was not possible - not even after ending all tasks.

4) Upon rebooting, Malwarebytes eventually started, after at least 2 minutes of waiting, and I ran more scans and tried to gather information.  Again, every time I tried to Export or Copy the information to the Clipboard, Malwarebytes nuked itself.

I then ran Panda Cloud Cleaner to check if it might find something.  It did not.

5) I then uninstalled Malwarebytes and Firefox via RevoUninstaller - the Uninstalling-window "lagged" a great deal during the process.  The Windows shield icon disappeared during the process (...).

6) On the next reboot, Windows encountered a problem and I had to run the Repair tool.

After getting back into Windows (Repair automatically picked an older restore point), I uninstalled and reinstalled Malwarebytes and Firefox, ran sfc and DISM (which reinstalled a few items), and rebooted again. 

On the next boot into Windows + Malwarebytes scan attempt, Malwarebytes discovered the Thaiphoon Burner.zip as Malware, as "1", and I immediately tried to delete the zip file. 

I had to attempt the deletion multiple times.  Malwarebytes would repeatedly crash while I tried to remove the zip from Windows (my cursor froze on the zip file as I hit Del) and since Malwarebytes did not run normally during the process, I don't have a screenshot for you. 

After another reboot, Malwarebytes seems to be all right again.  Firefox, too.

 

My question: is it possible that a false positive such as this zip can actually corrupt Firefox and the Windows installation?  I think I had better set up the entire windows installation again, from scratch.

I would have liked to provide more useful information, but Malwarebytes could not be used properly while the issue was occurring, my apologies.

Please see the attached Screenshots I did manage to secure.

 

Thank you for your time!

popc245

ps: I found an older thread discussing the issue with Thaiphoon Burner


Hang on, I'm sorry!

I just found more screenshots - one showing Thaiphoon Burner zip in Quarantine after it was properly discovered.  Apparently, taking some of the screenshots actually worked.

Thank you for your patience,

popc245

Staff

Hi,

The FP will be fixed in the next database update; however, this shouldn't affect anything related to Firefox or Windows in general. It looks like your MB install got corrupted before. Maybe another AV you have interfered with it?

Sidenote: I see you mentioned that you enabled the rootkit scan. This is disabled by default since it's resource intensive, and our normal engine (without this being enabled) detects rootkits as well. This component mainly targets older rootkit variants that aren't being seen in the wild, which is why it is now disabled by default. Also, rootkits aren't that common at all nowadays. So that's why I suggest you leave this component disabled.


Thank you for your reply.

I don't see how the installation might have gotten corrupted: no interfering programs were installed, everything was running smoothly, and I resorted to installing the previously downloaded Panda Cloud Cleaner only after the issues with Typhoon occurred and MWB became unusable.

As for Firefox: one error message stated that it couldn't load XPCOM, but this, as well as the Win11 corruption, only occurred after the Typhoon issue.

Thank you for the tip regarding rootkits. I was unaware that setting the scan to 'on' might be counterproductive.

Another thing I noticed: I previously had a license for 3 devices, which I upgraded to 4 to include the new machine.  Now I can't see the new, 4th machine in the list of devices anymore, even though MWB is activated.

I'll set up everything from scratch. The old restore point Win11 resorted to left me with a bunch of orphaned folders, apps and shortcuts, among them AsRock's Motherboard software.  This won't do.

Thank you,

popc245


Staff

Hi,

Either way, I couldn't reproduce the same problem when I scanned the Typhoon file with MB. It did show a detection, but everything was behaving properly here.

In your case, it looks like a corruption had already happened, given this statement: "During a scan, Malwarebytes detected "something" (Malware) but rendered it as "0".  In the Quarantine window". This means it couldn't properly process everything as it should. Also, given you had problems with Firefox loading (XPCOM issues) and probably other issues with certain programs, this rather sounds like a temporarily corrupted user profile. You won't always notice this since most programs do run, but in a way your user profile gets "locked", so it fails to write files/make changes to your user profile, hence why a lot of programs might act weird.

The cause of a temporarily corrupted user profile can be anything though: a failed Windows update, disk write errors, corrupted registry keys (related to your profile), etc.

In most cases, a simple reboot resolves this, so the user profile gets "unlocked" again and programs act normally again.

As for the license display issue (since this isn't my expertise), I suggest you look here first: https://support.malwarebytes.com/hc/en-us/articles/360038523934-Find-my-Malwarebytes-license-key where you can also contact support below, so this will then be forwarded to the right team to help you.


Hi,

that's odd, since I encountered no issues whatsoever with any other programs and did not mess with any settings or the registry, for instance.

I also have no plugins but MWB Browser Guard installed in Firefox.  Various checks of the SSD, RAM, and Win11 installation showed no issues either, stress tests for CPU, RAM, and GPU rendered great results, and all programs used for additional checks such as HWinfo64, Diskmark, CPU-Z, and GPU-Z identified all components correctly.

I still think the Firefox & Win11 corruption occurred due to MWB nuking itself and MWB Browser Guard somehow playing a role in rendering Firefox unusable.  I ran Malwarebytes quite often prior to downloading the Thaiphoon zip, 0 detections or issues.  All issues previously mentioned only occurred after the discovery of the zip; all latest (official) driver and Win11 updates are current and their installation happened without a single problem.

As for the license display issue: I'll see what's what after I've formatted and set up a fresh Win11 installation.

Thank you for your assistance.


Staff

Well, it's certainly interesting though, also since there were network issues there as well when running the repair tool, and your previous Panda Cloud Cleaner scan displayed a problem with the pskmad.sys driver file, which in your case was probably located under your user profile rather than the drivers folder, given it's the Panda Cloud Cleaner. So it also looks like not all components were running properly there.

Either way, let me know if problems still occur afterwards, because troubleshooting this now, after all the changes and scans you made already, is like searching for a needle in a haystack :)


Hi,

I honestly thought that the Network Issue resulted from Firefox continuing to do "something" in the background.

As for Panda and pskmad.sys: this is apparently a known issue, and I'm not sure whether it can be easily remedied.

If the fresh install later today runs into similar problems, I may have to pester you again.

Thank you for your help so far!


This is a False Positive file section and is only for dealing with software related False Positive detections by Malwarebytes' products.

There are other areas of this Forum that can assist you with your PC once a False Positive issue is settled.
