A weird computer issue - thoughts?


TheWebAtom

Today I was doing a PC repair visit for a crash repair company. There was one particular PC that was running unusably slow, so I set about cleaning it up best I could.

 

Everything was running swimmingly until I ran a malware scan with Malwarebytes. The computer abruptly shut down, as if there had been a power failure. I booted it up and tried again, but the PC turned off at the exact same point in the scan. I switched to using HitMan Pro to do a scan and it, too, caused the PC to switch off.

 

Further investigations revealed a startup entry that didn't appear in msconfig or CCleaner. It pointed to a directory in C:\Windows. When I opened that folder, the PC switched off. Same thing in safe mode.

 

Oddly, there is no "your PC failed to shut down correctly error" when Windows is next booted. No logs suggest why Windows would shut down as if someone had pulled the plug, either.

 

I have no idea whether this is some sort of hardware issue, software bug or malware infection. Anyone have any suggestions on where to go from here?

I'm Shane.


Could the C:\Windows directory be corrupted somehow (or the HDD malfunctioning)? Have you tried defragging or running chkdsk? How about sfc /scannow?

Is it laptop or desktop? Which OS?

 

Edit. oh and does it have SSD or HDD?

Edited by nodles

It was a subdirectory of C:\Windows, sorry - I should have made that more clear.

 

This is an old beige Windows XP tower. SSDs were science-fiction when they last upgraded their systems. I ran disk check, system file check and a disk defragment, none to any avail. sfc/mbam steps were also done in safe mode.

 

My current diagnosis is "I think you need a new computer"

 

Edit: AVG was able to complete a scan, but it came up clean.

I'm Shane.


  • Moderators

Just out of curiosity what was the startup entry?

 

System restore a possibility to see if it worked 'before'?

 

I think I would agree with the "you need a new computer" diagnosis though :)

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 


The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe

 

Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit.

 

To be honest, I didn't even attempt a system restore. I had no idea how far back I would need to go, or whether it would work. Seemed like a time sink.

 

At this point, diagnosing is more of an intellectual curiosity.

I'm Shane.


Could it be malware which responds with a system crash when MalwareBytes is looking at it, but either has no fear of AVG or perhaps AVG fails to inspect it?

 

This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level.

I'm Shane.


Well, maybe a Windows reinstall or a new PC is the best (and easiest) option here. :)

 

Edit. For further testing you could install the HDD into a different PC and boot in safe mode -> scan with MBAM etc.

Also you could run HDD test on it.

Edited by nodles

This was my thought, too. But I've never seen a malware crash where the PC actually switches off at a hardware level.

My speciality is thinking the unthinkable.

I will admit it is more fun when it is some one else's problem :)


  • Moderators

The entry was hklm:run c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe

 

Looks like certain malware to me. This is compounded by the fact it only showed up when I looked in regedit.

 

Correct & Legit path is this:

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

 

From WinXP SP3 the hashes are:

MD5 = A81135541C9D4EBCE43EFA8AD31395B4
SHA1 = C4E6CBA41EBEA2EAD0278BCD80991F4E9C6C6A74

 

Could be a very valid reason it's running on startup, such is the case if someone intentionally changed what starts with Windows because it will automatically show MSCONFIG on the next startup. If someone did that they have to tick a box in MSCONFIG to tell it not to display again.

 

It's an annoying startup behaviour but if the file is corrupt that could cause issues. Anyways that startup behaviour can be stopped using this in CCleaner's winapp2.ini file:

 

[MSConfig*]
LangSecRef=3025
Detect=HKLM\Software\Microsoft\Shared Tools\MSConfig
Default=False
RegKey1=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandFrom
RegKey2=HKLM\Software\Microsoft\Shared Tools\MSConfig\ExpandTo
RegKey3=HKLM\Software\Microsoft\Windows\CurrentVersion\Run|MSConfig

 

Perhaps run a boot disc with Internet access to upload that file to Jotti, MetaScan Online, Virus Total, etc.

Edited by Andavari
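
Added example, not part of the thread: a small Python check, intended to be run from a second PC or boot disc with the suspect drive attached, that compares a Run-key command line against the legitimate msconfig.exe path and hashes quoted in the post above. The function names and the sample Run values are constructed for illustration.

```python
import hashlib
import ntpath

# Path and hashes as quoted in the post above (msconfig.exe, WinXP SP3).
LEGIT_PATH = r"C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
KNOWN_MD5 = "A81135541C9D4EBCE43EFA8AD31395B4"
KNOWN_SHA1 = "C4E6CBA41EBEA2EAD0278BCD80991F4E9C6C6A74"


def run_target(command):
    """Return the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, args follow
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")          # unquoted: cut after .exe
    return command[:end + 4] if end != -1 else command


def path_matches_legit(command):
    """Case-insensitive, normalised comparison against LEGIT_PATH."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    return norm(run_target(command)) == norm(LEGIT_PATH)


def file_digests(path, chunk=1 << 16):
    """Stream the file once and return (MD5, SHA1) as upper-case hex."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def assess(command, file_path=None):
    """List the reasons a Run entry deserves a closer look (empty = none)."""
    findings = []
    if not path_matches_legit(command):
        findings.append("path differs from legitimate location")
    if file_path is not None and file_digests(file_path) != (KNOWN_MD5, KNOWN_SHA1):
        findings.append("hash differs from known WinXP SP3 values")
    return findings


if __name__ == "__main__":
    # Constructed sample Run values; the second mirrors the path reported in the thread.
    for cmd in (r"C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
                r"c:\windows\pchealth\somethingicantremember\binary\pub\binary\msconfig.exe"):
        print(cmd, "->", assess(cmd) or "path OK")
```

The hashes are the SP3 values from the post, so a mismatch on a different service pack is expected and is not by itself a finding.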