A weird computer issue - thoughts?

Today I was doing a PC repair visit for a crash repair company. There was one particular PC that was running unusably slow, so I set about cleaning it up best I could.

Everything was running swimmingly until I ran a malware scan with Malwarebytes. The computer abruptly shut down, as if there had been a power failure. I booted it up and tried again, but the PC turned off at the exact same point in the scan. I switched to using HitmanPro to do a scan and it, too, caused the PC to switch off.

Further investigation revealed a startup entry that didn't appear in msconfig or CCleaner. It pointed to a directory in C:\Windows. When I opened that folder, the PC switched off. Same thing in safe mode.

Oddly, there is no "your PC failed to shut down correctly error" when Windows is next booted. No logs suggest why Windows would shut down as if someone had pulled the plug, either.

I have no idea whether this is some sort of hardware issue, software bug or malware infection. Anyone have any suggestions on where to go from here?

Could the C:\Windows directory be corrupted somehow (or the HDD malfunctioning)? Have you tried defragging or running chkdsk? How about sfc /scannow?

Is it a laptop or desktop? Which OS?

Edit: oh, and does it have an SSD or HDD?

What happens if you run an sfc?

What happens in safe mode with a MBAM scan?

Got a Hiren's disc handy to do an ESET Online Scan?

It was a subdirectory of C:\Windows, sorry - I should have made that more clear.

This is an old beige Windows XP tower. SSDs were science-fiction when they last upgraded their systems. I ran disk check, system file check and a disk defragment, none to any avail. sfc/mbam steps were also done in safe mode.

My current diagnosis is "I think you need a new computer"

Edit: AVG was able to complete a scan, but it came up clean.

Just out of curiosity what was the startup entry?

Is a System Restore a possibility, to see if it worked 'before'?

I think I would agree with the "you need a new computer" diagnosis though :)

Could it be malware which responds with a system crash when Malwarebytes is looking at it, but either has no fear of AVG, or perhaps AVG fails to inspect it?

The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe

Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit.

To be honest, I didn't even attempt a system restore. I had no idea how far back I would need to go, or whether it would work. Seemed like a time sink.

At this point, diagnosing is more of an intellectual curiosity.

Could it be malware which responds with a system crash when Malwarebytes is looking at it, but either has no fear of AVG, or perhaps AVG fails to inspect it?

This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level.

Well, maybe a Windows reinstall or a new PC is the best (and easiest) option here. :)

Edit: for further testing you could install the HDD into a different PC and boot in safe mode -> scan with MBAM etc.

Also, you could run an HDD test on it.

Try seeing if there's a process running for that before running the scan; perhaps that'll allow you to scan without a crash.

This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level.

My speciality is thinking the unthinkable.

I will admit it is more fun when it is someone else's problem :)

The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe

Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit.

The correct and legitimate path is this:

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

From WinXP SP3 the hashes are:

MD5 = A81135541C9D4EBCE43EFA8AD31395B4
SHA1 = C4E6CBA41EBEA2EAD0278BCD80991F4E9C6C6A74

There could be a perfectly valid reason it's running on startup, such as when someone intentionally changed what starts with Windows, because MSCONFIG will then automatically show itself on the next startup. If someone did that, they have to tick a box in MSCONFIG to tell it not to display again.

It's an annoying startup behaviour, but if the file is corrupt that could cause issues. Anyway, that startup behaviour can be stopped using this in CCleaner's winapp2.ini file:

[MSConfig*]
LangSecRef=3025
Detect=HKLM\Software\Microsoft\Shared Tools\MSConfig
Default=False
RegKey1=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandFrom
RegKey2=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandTo
RegKey3=HKLM\Software\Microsoft\Windows\CurrentVersion\Run|MSConfig

Perhaps run a boot disc with Internet access to upload that file to Jotti, MetaScan Online, Virus Total, etc.
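Before uploading the binary anywhere, it is worth doing the two checks this post implies locally: is the Run entry pointing at the documented msconfig.exe location, and does the file on disk carry the XP SP3 hashes quoted above? The script below is an added example written for this thread, not something posted by anyone in it or shipped with Windows. It takes the legitimate path and the MD5/SHA1 values from the post, normalises a Run value the way the registry stores it (quotes, %SystemRoot%-style variables, mixed case), and compares a file's hashes against the known-good set. The sample Run value is the one the original poster recalled (including the part they could not remember, which is left as they wrote it), and the sample file bytes are constructed; both are assumptions for demonstration only.

```python
import hashlib
import ntpath

# Legitimate location and XP SP3 hashes, as quoted in the thread.
LEGIT_PATH = r"C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
KNOWN_HASHES = {
    "md5": "a81135541c9d4ebce43efa8ad31395b4",
    "sha1": "c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74",
}

# Assumption: the system root is the XP default. Run values often use these variables.
ENV_VARS = {"%systemroot%": r"C:\WINDOWS", "%windir%": r"C:\WINDOWS"}


def extract_path(run_value: str) -> str:
    """Pull the executable path out of an HKLM\\...\\Run value.

    A quoted value ("C:\\path with spaces\\x.exe" /arg) keeps only the quoted part;
    an unquoted value is taken whole, since splitting on spaces would break
    paths that legitimately contain them.
    """
    value = run_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value


def normalize_path(path: str) -> str:
    """Expand the common %SystemRoot%/%windir% variables, normalise separators
    and '..' segments, and lower-case (NTFS paths are case-insensitive)."""
    lowered = path.strip().lower()
    for var, real in ENV_VARS.items():
        lowered = lowered.replace(var, real.lower())
    return ntpath.normpath(lowered)


def path_is_legit(path: str) -> bool:
    """True only if the path resolves to the documented msconfig.exe location."""
    return normalize_path(path) == normalize_path(LEGIT_PATH)


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA1 of a byte string, lower-case hex, same shape as KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(file_path: str) -> dict:
    """Same as hash_bytes but streams a file from disk (for use on the real system)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def check_startup_entry(run_value: str, file_bytes: bytes = None) -> dict:
    """Report why a Run entry claiming to be msconfig.exe looks wrong, if it does.

    file_bytes is optional: on the affected machine you would pass hash_file(path)
    instead, but the thread's own symptom (opening the folder powers the box off)
    means you may only be able to read it from a boot disc or a second PC.
    """
    path = extract_path(run_value)
    findings = []
    if not path_is_legit(path):
        findings.append("path differs from the legitimate msconfig.exe location")
    if file_bytes is not None and hash_bytes(file_bytes) != KNOWN_HASHES:
        findings.append("hashes do not match the XP SP3 msconfig.exe")
    return {"path": normalize_path(path), "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample: the entry as the original poster remembered it, and
    # made-up file contents standing in for whatever is actually at that path.
    suspect_value = r"c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe"
    sample_bytes = b"MZ not the real msconfig"
    print(check_startup_entry(suspect_value, sample_bytes))
    print(check_startup_entry('"%SystemRoot%\\pchealth\\helpctr\\binaries\\msconfig.exe"'))
```

A matching path with mismatching hashes is the case to treat most carefully: a Service Pack or hotfix can legitimately change the binary, so a hash miss on the real path is a reason to look closer (file version, signature, upload to the scanners mentioned above), while a miss on a path nobody documents, as in this thread, is the stronger signal.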

Don't forget the dreaded ComboFix!

I would run chkdsk /r too, to see if the HDD is physically healthy.