Solved I suspect a rootkit may be installed on my laptop

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
Since the computer is clean, let's finish the procedure here.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
How will resetting my system restore points affect my 21H1 Windows 10 upgrade?

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,248
The webpage you quote doesn't really cover the issue I have. The webpage in question covers sudden shutdowns while you are actually using your laptop, not shutdowns that occur when the laptop has been idle for, say, three hours.
This is the FIRST time in this topic you say that the computer shuts down after being inactive/idle for 3 hours. Was that so difficult? I asked you so many times to describe what is happening in detail...

Also, you never told me that you already have an open thread about your issues, even when I asked you to tell me what things you have tried.

Have in mind that describing your issues in detail is of great importance, and it can save time for both you and the person who helps you. You don't just go to the doctor saying "I feel sick". You explain the symptoms.

Anyway.

Try this:
  • In the Search area type Power & Sleep options and choose it from the list.
  • Choose Additional Power Settings from the right column menu.
  • Choose Change Plan Settings from the plan you have already chosen (Balanced, I guess).
  • Choose Change Advanced Power Settings.
  • Expand the Sleep option.
  • Expand Hibernate after.
  • Click the field and select the whole number of minutes. You probably have "180", so select this and delete it.
  • Type Never, then hit the Apply button.
  • OK.
Result?

How will resetting my system restore points affect my 21H1 Windows 10 upgrade?
By using the tool above, a new restore point will be created with the computer in this healthy condition where it is now. It is something necessary after a cleaning procedure comes to an end. Your Windows version/upgrade has nothing to do with that. So please, go on to run KpRm.
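The GUI steps above set the active plan's Hibernate after timeout to Never. As an added example that is not part of this thread, the same value can be read and changed from an elevated PowerShell prompt with powercfg; it assumes Windows 10 and uses powercfg's SUB_SLEEP / HIBERNATEIDLE aliases, which correspond to Sleep > Hibernate after.

```powershell
# Added example (not from the thread): read the "Hibernate after" timeout of the
# active power plan and flag the 180-minute value discussed above.
# Assumes Windows 10 and an elevated PowerShell session.
# powercfg prints the setting as hex seconds, e.g.
#   "Current AC Power Setting Index: 0x00002a30"   (0x2a30 = 10800 s = 180 min)

function Get-HibernateAfterMinutes {
    $out = powercfg /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE
    $result = @{}
    foreach ($line in $out) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $seconds = [Convert]::ToInt32($matches[2], 16)
            # 0 means "Never"; AC = plugged in, DC = on battery
            $result[$matches[1]] = [math]::Floor($seconds / 60)
        }
    }
    return $result
}

$current = Get-HibernateAfterMinutes
"Hibernate after - plugged in (AC): $($current.AC) min, on battery (DC): $($current.DC) min (0 = Never)"

# 180 minutes reproduces the symptom in this thread: the laptop goes to
# hibernation after three idle hours, which looks like an unexpected shutdown.
if ($current.AC -eq 180 -or $current.DC -eq 180) {
    Write-Warning "Hibernate after is 180 minutes; the laptop will hibernate after 3 idle hours."
}

# Uncomment to apply the same change as the GUI steps (0 = Never) for AC and DC:
# powercfg /change hibernate-timeout-ac 0
# powercfg /change hibernate-timeout-dc 0
```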
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
I've just run an ESET malware scan again, running a quick scan.

After downloading the latest updates, ESET detected a second PUP. Both PUPs are of the same identical type and both are also present in a Norton 360 file.

Here's the log:

22/09/2021 15:56:45
Files scanned: 12903
Detected files: 2
Cleaned files: 0
Total scan time 00:38:00
Scan status: Finished
C:\Program Files\Norton Security\Engine\22.21.6.53\NCrypt.exe a variant of Win64/CoinMiner.RH potentially unwanted application error while cleaning (Access denied)

C:\Program Files\Norton Security\Engine\22.21.8.62\NCrypt.exe a variant of Win64/CoinMiner.RH potentially unwanted application error while cleaning (Access denied)

P.S. Yet to run KpRm.
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
Try this:
  • In the Search area type Power & Sleep options and choose it from the list.
  • Choose Additional Power Settings from the right column menu.
  • Choose Change Plan Settings from the plan you have already chosen (Balanced, I guess).
  • Choose Change Advanced Power Settings.
  • Expand the Sleep option.
  • Expand Hibernate after.
  • Click the field and select the whole number of minutes. You probably have "180", so select this and delete it.
  • Type Never, then hit the Apply button.
  • OK.
Result?
I'm trying the set Hibernate to Never method detailed above and will report back.
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,248
Running ESET again was unnecessary, but it gave me the opportunity to realize that although ESET detected those files, it didn't delete them (Access denied) since they are part of your antivirus. That's why you couldn't restore it from Quarantine the first time. There wasn't anything there to be restored. So, all good. (y)

I'm trying the set Hibernate to Never method detailed above and will report back.
Perfect. Was it set to 180 minutes?
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
Perfect. Was it set to 180 minutes?
It was set to 180 minutes or 3 hours, which coincidentally was about the same time the laptop auto-shut down each time.

The laptop did not auto-shut down after more than 3 hours last night, so it seems to have worked. Thanks for the suggestion.

I will run the KpRm next.
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
Ran KpRm.

I haven't noticed any increase in HDD space after apparently deleting the old restore points; it is still exactly the same.

KpRm removed the ESET software but left Malwarebytes untouched. The "Malwarebytes Anti-Rootkit" it refers to in the log as having been deleted is a more specialist anti-rootkit from Malwarebytes I downloaded earlier, before our dialogue started.

Here's the log:

# Run at 23/09/2021 11:17:55
# KpRm (Kernel-panik) version 2.9.2
# Website https://kernel-panik.me/tool/kprm/
# Run by User from C:\Users\User\Downloads
# Computer Name: USER-PC
# OS: Windows 10 X64 (19043)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\User\NTUSER.dat backed up

[OK] Registry Backup: C:\KPRM\backup\2021-09-23-11-17-54

- Delete Tools -


## AdwCleaner
[OK] C:\Users\User\Downloads\AdwCleaner.exe deleted
[OK] C:\AdwCleaner deleted

## ESET Online Scanner
[OK] C:\Users\User\Desktop\ESET Online Scanner.lnk deleted
[OK] C:\Users\User\Downloads\esetonlinescanner.exe deleted
[OK] C:\Users\User\AppData\Local\ESET\ESETOnlineScanner deleted

## FRST
[OK] C:\Users\User\Downloads\Addition.txt deleted
[OK] C:\Users\User\Downloads\Fixlog.txt deleted
[OK] C:\Users\User\Downloads\FRST.txt deleted
[OK] C:\Users\User\Downloads\FRST64.exe deleted
[OK] C:\FRST deleted

## Malwarebytes Anti-Rootkit
[OK] C:\Users\User\Downloads\mbar-1.10.3.1001.exe deleted

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

No system recovery points were found

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 09/23/2021 10:19:24

-- KPRM finished in 186.54s --
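The "- Restore UAC -" section of the log above records the values KpRm wrote back. As an added example that is not part of this thread or of KpRm, the following PowerShell reads the same registry values and reports any that have since drifted from that baseline; it assumes Windows 10 and the standard UAC policy key under HKLM.

```powershell
# Added example (not from the thread): compare the live UAC registry values
# against the ones KpRm reports having restored in the log above.
# Assumes Windows 10; reading HKLM does not require an elevated session.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected values, taken from the "- Restore UAC -" section of the KpRm log.
$expected = [ordered]@{
    EnableLUA                   = 1
    ConsentPromptBehaviorAdmin  = 5
    ConsentPromptBehaviorUser   = 3
    EnableInstallerDetection    = 0
    EnableSecureUIAPaths        = 1
    EnableUIADesktopToggle      = 0
    EnableVirtualization        = 1
    FilterAdministratorToken    = 0
    PromptOnSecureDesktop       = 1
    ValidateAdminCodeSignatures = 0
}

function Test-UacBaseline {
    param(
        [string]$Key = $uacKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    $drift = @()
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        # A missing value is not an error: Windows then applies its built-in default.
        if ($null -eq $actual) { $actual = '(not set)' }
        if ("$actual" -ne "$($Expected[$name])") {
            $drift += [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
    return $drift
}

$drift = @(Test-UacBaseline)
if ($drift.Count -eq 0) {
    "UAC settings match the KpRm baseline."
} else {
    # EnableLUA = 0 in particular means UAC is switched off entirely; treat any
    # drift here as a finding to explain, not something to silently re-apply.
    "UAC settings differ from the KpRm baseline:"
    $drift | Format-Table -AutoSize
}
```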
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,248
It was set to 180 minutes or 3 hours, which coincidentally was about the same time the laptop auto-shut down each time.
The laptop did not auto-shut down after more than 3 hours last night, so it seems to have worked. Thanks for the suggestion.
See why describing an issue in detail is important? Glad it worked! You can update the topic in the Windows 10 Forum, saying that the issue is resolved.

KpRm removed the ESET software but left Malwarebytes untouched. The "Malwarebytes Anti-Rootkit" it refers to in the log as having been deleted is a more specialist anti-rootkit from Malwarebytes I downloaded earlier, before our dialogue started.
I know. KpRm removes any tool (and log) which can't be used as it is at any time. These tools very often get updates which make an older version useless. Malwarebytes is different. You can keep it as an on-demand scanner and use it whenever you want.

So...

Are we fine now? Any other question?
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
Are we fine now? Any other question?
I'm still convinced I may have had spyware on my laptop. Just because it evaded detection doesn't mean it didn't exist.

However, we'll see how things go.
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,248
I'm still convinced I may have had spyware on my laptop. Just because it evaded detection doesn't mean it didn't exist.
We have made multiple checks with specialized tools and nothing indicates an infection. The computer is clean, and therefore I mark this topic as Solved.

If you are not convinced, then you can always re-install your operating system.

Take care.
 

James321

Thread Starter
Joined
Apr 10, 2013
Messages
385
We have made multiple checks with specialized tools and nothing indicates an infection. The computer is clean, and therefore I mark this topic as Solved.

If you are not convinced, then you can always re-install your operating system.

Take care.
Can I ask you this one technical question, DR.M?

How are new malware definitions created in the first place and how are completely new malware items properly identified and isolated in the first place?

What processes are involved?
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,248
Can I ask you this one technical question, DR.M?
How are new malware definitions created in the first place and how are completely new malware items properly identified and isolated in the first place?
What processes are involved?
That could be the subject of a PhD Thesis. :)

For sure, I can't give you a short reply here, but you can search about modern malware and see how it acts.

E.g.
Modern Malware - an overview | ScienceDirect Topics
Malware__Attack_Technology_issue_1.0.pdf (cybok.org)

Since I see that you still have doubts about the procedure we used, just have in mind that FRST is the most effective diagnostic tool we have right now. It gets updates on a daily basis, and a whole team of malware experts work to keep it as recent as it can be. Through the logs we get with it, we can identify the suspicious files/processes/services/drivers etc. and isolate them.
