Windows 10: Follow-up Email Survey - armed with malware (in case you’re not nice) and questions for...

After giving a terrible rating in an online survey from a customer service department of a well-known, very large, “trusted” online company in which I had dealt with on the phone earlier that day. The very instant I clicked the second “terrible” button on that survey, my computer screen went black. I’ve been dealing with this malware since. The malware is meant to annoy and disrupt, which it has been very good at, it hasn’t done any other damage to my computer that I can tell, since it installed in mid-August.


Running a full scan of Windows Defender and a full scan of Microsoft Safety Scanner did NOT find the malware. After doing a System Restore, I still had the malware, it even activated a couple times during the restore process (thought I was screwed) but it restored okay to a point before mid-August.

The symptom of this malware is to activate the Standby or sleep mode on this computer. (screen goes black, a few seconds later I get “no signal” message on screen, then all lights turn off.) I can press the power button or click the mouse and it wakes up as normal, but mostly goes right back into sleep/standby mode a few seconds or a minute or so later, this happens for first half hour or so. After that it acts up less giving me more time to do things on the computer. If I do nothing it will wake from sleep/standby by itself after a few minutes. When it wakes the fan and fan light turns on, green power light blinks 7 times just like initial turn on, but NO Start Beep, it comes on with the lock screen, press enter or click mouse to get to the welcome screen, enter password and I am back to the exact point of whatever I was doing before. (If I was listening to a song, it comes back on at the exact same point in the song)

I spent the last month or so giving myself a crash course in Process Explorer, Process Monitor and Autoruns. I have learned a little about how to run those tools, but I really don’t know what to look for. Process Monitor is suspended when the malware is activated and in sleep/standby mode, which leaves a gap in the time line. I believe this is where there may be clues to its source, before or after this time gap, but especially if I could see the processes during sleep/standby mode.


pix


I can activate the malware by pressing the functions keys “F7” and ‘F8”, the “Home” key, the “4” on the numeric keyboard and the “0” (zero) and one letter in the alphanumeric keys, and when I press the Win key + PrtScr to get a screenshot (captures the ss okay). There are times when these keys do not activate the malware, I have determined that a process called “mobsync.exe” is always present in the Process Monitor Filter selection box - Process Name dropdown menu when the malware is active. Mobsync.exe is a normal process that belongs to Microsoft Sync Center and the Offline Files feature. I suspect the malware has hidden itself inside this process. When the computer is working normally, usually after its been on a couple hours, the above keys do NOT activate the malware and mobsync.exe is missing from the Process Name dropdown menu of Procmon,s filter.

I did NOT open an attachment to get it, unless clicking a button on a survey is the same.


I was using a standard account, NOT an administrative account when it downloaded.


Windows Defender and Microsoft Safety Scanner, nor newly downloaded Malwarebytes can NOT detect it.


Questions for Procmon users.

Why is there a time gap on Process Monitor when the computer is in malware induced sleep/standby? Is there anything I can change in the filter that will show me what is happening during sleep/standby? If I wake it, by clicking the mouse, the PID stays the same. If I let it wake itself up, the PID changes, Why?

:)

 

Survey questions emailed to me

I got a survey in my email recently. A few hours after answering the survey, it occurred to me it may not have really come from the Microsoft Insider program. After searching this forum, all the Microsoft official links, like Phishy survey email
aren't working returning a 502 error. I did a whois on the domain microsoftemail.com it Looks like it is from Microsoft, but I can't be sure. Here is the email I got:





The proceed with survey link points to https://click.email.microsoftemail....82365dbfadbbbd66c91b1c2dd209bd3e90def06835125 . Is this real?

Conversation opened. 1 read message.

 

Survey questions emailed to me

Yes that's real. And your link you gave above (Phishy survey email)
works just fine for me. Maybe it was a coincidental glitch.

 

Idea: survey of Ovi Suite users about their problems?

I would be in favour of using a site like SurveyMonkey (perhaps we can use this board to draft a list of questions?), as this will be much easier to evaluate the results, compared to people typing them into their e-mails on this board.



Also, the survey would be much easier to handle for users if these were just, say, 10 questions with radio buttons or so. Taking the survey should not take more than 5-10 minutes.



Any suggestions for (non-biased) questions are welcome.