TheWebAtom, posted April 26, 2013:
Today I was doing a PC repair visit for a crash repair company. There was one particular PC that was running unusably slow, so I set about cleaning it up as best I could. Everything was running swimmingly until I ran a malware scan with Malwarebytes. The computer abruptly shut down, as if there had been a power failure. I booted it up and tried again, but the PC turned off at the exact same point in the scan. I switched to using HitMan Pro to do a scan and it, too, caused the PC to switch off. Further investigations revealed a startup entry that didn't appear in msconfig or CCleaner. It pointed to a directory in C:\Windows. When I opened that folder, the PC switched off. Same thing in safe mode. Oddly, there is no "your PC failed to shut down correctly" error when Windows is next booted. No logs suggest why Windows would shut down as if someone had pulled the plug, either. I have no idea whether this is some sort of hardware issue, software bug or malware infection. Anyone have any suggestions on where to go from here?
I'm Shane.
nodles, posted April 26, 2013:
Could the C:\Windows directory be corrupted somehow (or the HDD malfunctioning)? Have you tried defragging or running chkdsk? How about sfc /scannow? Is it a laptop or desktop? Which OS?
Edit: oh, and does it have an SSD or HDD?
Edited April 26, 2013 by nodles
hazelnut (Moderator), posted April 26, 2013:
What happens if you do an sfc? What happens in safe mode with an MBAM scan? You got a Hirens disk handy to do an Eset Online Scan?
Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com
TheWebAtom (Author), posted April 26, 2013:
It was a subdirectory of C:\Windows, sorry - I should have made that more clear. This is an old beige Windows XP tower. SSDs were science fiction when they last upgraded their systems. I ran disk check, system file check and a disk defragment, none to any avail. sfc/MBAM steps were also done in safe mode. My current diagnosis is "I think you need a new computer".
Edit: AVG was able to complete a scan, but it came up clean.
I'm Shane.
hazelnut (Moderator), posted April 26, 2013:
Just out of curiosity, what was the startup entry? Is system restore a possibility, to see if it worked 'before'? I think I would agree with the "you need a new computer" diagnosis though.
Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com
Alan_B, posted April 26, 2013:
Could it be malware which responds with a system crash when Malwarebytes is looking at it, but either has no fear of AVG or perhaps AVG fails to inspect it?
TheWebAtom (Author), posted April 26, 2013:
The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe
Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit. To be honest, I didn't even attempt a system restore. I had no idea how far back I would need to go, or whether it would work. Seemed like a time sink. At this point, diagnosing is more of an intellectual curiosity.
I'm Shane.
TheWebAtom (Author), posted April 26, 2013:
"Could it be malware which responds with a system crash when Malwarebytes is looking at it, but either has no fear of AVG or perhaps AVG fails to inspect it?"
This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level.
I'm Shane.
nodles, posted April 26, 2013:
Well, maybe a Windows reinstall or a new PC is the best (and easiest) option here.
Edit: for further testing you could install the HDD into a different PC and boot in safe mode -> scan with MBAM etc. Also you could run an HDD test on it.
Edited April 26, 2013 by nodles
Winapp2.ini, posted April 26, 2013:
Try seeing if there's a process running for that before running the scan; perhaps that'll allow you to scan without a crash.
winapp2.ini additions thread, winapp2.ini github
Alan_B, posted April 26, 2013:
"This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level."
My speciality is thinking the unthinkable. I will admit it is more fun when it is someone else's problem.
Andavari (Moderator), posted April 26, 2013:
"The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe
Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit."
The correct & legit path is this: C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
From WinXP SP3 the hashes are:
MD5 = A81135541C9D4EBCE43EFA8AD31395B4
SHA1 = C4E6CBA41EBEA2EAD0278BCD80991F4E9C6C6A74
There could be a very valid reason it's running on startup, such is the case if someone intentionally changed what starts with Windows, because it will automatically show MSCONFIG on the next startup. If someone did that they have to tick a box in MSCONFIG to tell it not to display again. It's an annoying startup behaviour, but if the file is corrupt that could cause issues.
Anyways, that startup behaviour can be stopped using this in CCleaner's winapp2.ini file:
[MSConfig*]
LangSecRef=3025
Detect=HKLM\Software\Microsoft\Shared Tools\MSConfig
Default=False
RegKey1=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandFrom
RegKey2=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandTo
RegKey3=HKLM\Software\Microsoft\Windows\CurrentVersion\Run|MSConfig
Perhaps run a boot disc with Internet access to upload that file to Jotti, MetaScan Online, Virus Total, etc.
Edited April 26, 2013 by Andavari
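As an added example (not code from any poster in this thread), the check the post above describes, namely comparing a Run entry's executable path against the known-good msconfig.exe location and the file's MD5/SHA1 against the WinXP SP3 values quoted there, written as a small Python script that works offline over a constructed reg-query style export. KNOWN_GOOD, SAMPLE_RUN_EXPORT and the function names are assumptions of this example.

```python
import hashlib
import ntpath
import re

# Known-good location and WinXP SP3 hashes for msconfig.exe, taken from the post above.
KNOWN_GOOD = {
    "msconfig.exe": {
        "dir": r"c:\windows\pchealth\helpctr\binaries",
        "md5": "a81135541c9d4ebce43efa8ad31395b4",
        "sha1": "c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74",
    }
}

# Constructed sample in 'reg query' output style (not real data); the first entry mirrors
# the suspicious path reported in the thread, the second is a normal XP startup entry.
SAMPLE_RUN_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MSConfig    REG_SZ    c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe
    ctfmon.exe  REG_SZ    C:\WINDOWS\system32\ctfmon.exe /quiet
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")

def parse_run_entries(text):
    """Return {value_name: command_line} for each REG_SZ line of the export."""
    return {m.group(1): m.group(2)
            for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m}

def exe_path_from_command(cmd):
    """Strip surrounding quotes and trailing arguments to get the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def check_location(path):
    """'suspicious-path' when the file name matches a known system binary but its directory does not."""
    directory, name = ntpath.split(path.lower())
    ref = KNOWN_GOOD.get(name)
    if ref is None:
        return "unknown"
    return "ok" if directory == ref["dir"] else "suspicious-path"

def check_hashes(name, data):
    """True only when both MD5 and SHA1 of the file bytes match the known-good values."""
    ref = KNOWN_GOOD[name.lower()]
    return (hashlib.md5(data).hexdigest() == ref["md5"]
            and hashlib.sha1(data).hexdigest() == ref["sha1"])

def audit(export_text):
    """Map each Run value name to its location verdict."""
    return {name: check_location(exe_path_from_command(cmd))
            for name, cmd in parse_run_entries(export_text).items()}
```

A verdict of "suspicious-path" is the cue to pull the file from a boot disc and run check_hashes (or upload it to the scanners the post names) before trusting it.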
Winapp2.ini, posted April 26, 2013:
Don't forget the dreaded ComboFix!
winapp2.ini additions thread, winapp2.ini github
eL_PuSHeR, posted April 27, 2013:
I would do a chkdsk /r too to see if the HDD is physically healthy.