Kaspersky

Email hack of Windows 10

  • 1 October 2019

I recently opened an email with my cousin's name, only to find the sender was: roach@azclan.net.
I did not click on the link in the email.
However, shortly after, my desktop started switching into tablet mode. As you can see from Exhibit I, there is a black window in the bottom right corner which I assume shows roach@azclan.net somehow accessed my computer just from me opening the email.
My desktop would switch to tablet mode, and I would see the black window. When I clicked on it, one of the other windows would fill the desktop.
Now, as per Exhibit II, the black window is gone when it switches to tablet mode without my permission.

Question: is anyone aware of a hack that allows access just by opening an email, and is the evidence of the hack similar to what is happening to me? Further, what can I do about it?

Any help would be very appreciated.






Userlevel 7
Badge +4
Welcome. Please tell us the name and version of your Kaspersky product.

Please contact Tech Support: https://my.kaspersky.com/support/

Please attach the following items to your Tech Support request:

a. Description of the issue.
b. Screenshot, as needed.
c. GSI
Issue: my desktop switches to tablet mode without permission. There appears to be a black box window suggesting hacker penetration. I recently received an email from "roach@azchan.net". I opened the email but DID NOT click on the link in the email. The tablet changes started shortly after.
As a note: prior to the email, I had to contact Microsoft to upgrade my computer to version 1903. During that call, they remotely accessed my computer to make the upgrade. I'm not sure if the problem is related to their remote control as they assured me they deleted all remote access.

Screenshots: there are three. Exhibit I, dated 23Sept2019, shows the black box that displayed in tablet mode. Exhibit II, dated 01Oct2019, shows the black box disappeared for a while. Exhibit III, dated 01Oct2019 later in the same day, shows the black box returned.

GSI: see below.

Exhibit IV is from the Windows 'About', just in case you need it.

Thank you for your assistance.
Userlevel 7
Badge +4
Please do a checkdisk, due to many disk error entries.

Your parsed GSI report: https://www.getsysteminfo.com/report/d8e86aae15c360ae51dab0272114721b

Your best bet, if you cannot fix this issue, is to continue with Tech Support.
Userlevel 7
Badge +9
Hello @kenfromcanada,
In addition to the information posted by @richbuff:
1. Before MS Support connected to your device, did they ask you to activate anything, send you a link, or ask you to go to a website and select anything?

2. Desktop - Tablet switching
Check Tablet mode Settings & check "When this device automatically switches" menu
Go to Win10, Settings, select System, select Tablet mode in the left pane, select the toggle switch "Make Windows more touch-friendly"

ON: enable Tablet mode.
OFF: disable Tablet mode, remain in Desktop mode ONLY.



3. Regarding (inbuilt Windows) Remote Control
Open System and Security.
Choose System in the right panel.
Select Remote Settings from the left pane, opens System Properties dialog box for Remote tab.
Click Don't Allow Connections to This Computer, click OK

4. Check Task Manager, Processes, pause Update Speed, filter the list, look for any unfamiliar processes, select the process, right click, select Properties, make sure each process has a correct "starting point", for example, the majority of Windows processes will start from location C:\Windows\System32


5. Go to (Windows) Programs & Features, look for any Programs or Features you do not recognise, did not install and/or enable, make a list & post back?

Thank you🙏🏽
richbuff: Thank you for your suggestions. I ran Checkdisk from the File Explorer - it said it fixed a few problems on the C: drive: B3A2 and B3A3. No other disks had any errors.
The problem still exists, so I'll follow up with Tech Support.

As a matter of interest, the jumping is getting worse so I tried using KAS to stop all internet traffic - did not work, the jumping continued. I then unplugged the router, jumping continued. I'm not sure what this means but I'll follow up with MS as well.

If you have any other suggestions, I would appreciate them.
Thank you for your assistance.
KenfromCanada
*********************************************************************************************
FLOOD
MS assist could not update online so she had to download a Windows image to do the update. I looked in my Download folder and the two files that looked different were 'wu10.diagcab' and 'windows 10.0-KB4512937-x64_2a065a9ecfee76e3e457f3c2a04:4e42:1e::367. She also did a lot of other stuff such as deleting the previous recovery image and other stuff.
She left the image file on my desktop and left a file to re-establish contact if I had problems. There were none so I deleted both files and have since cleared my Recycle Bin so I don't have them anymore.

I had the tablet settings as Don't ask and Don't switch. I have changed them to Don't Ask and Always Switch. Will advise if this changes behaviour.

My version of Windows Home does not allow remote connections via the Settings. But I went through everything I could think of to turn off any remote access (including the KAS functions).

I looked for unknown programs or apps but I'm not very familiar with computers so I don't really know what to look for. Under Services, I found some stuff but I don't know what they do:
WirelessKB850NotificationService.exe; SettingsSyncHost.exe (just wondering why a sync exe would be here since I've turned off all sync functions); DiagTrack - Connected User Experiences & Telemetry; OneSyncSvc_5ff70 - Sync Host_5ff70.

As I advised richbuff, I first pulled the power plug on the router which had no effect, then disconnected the cable between the router and my desktop - still no effect. Makes me wonder if this means it's a MS problem. But then this morning - 02Oct2019 about 9:30EST the screen was jumping a lot. Now, about 10:15EST, it seems to have stopped which makes me think someone was checking things out before they went to work (or school).

Thank you for any suggestions you can provide.
KenfromCanada
Userlevel 7
Badge +9
Hello @kenfromcanada,
Thanks for posting back.
Why have you chosen Don't Ask and Always Switch?
My image may have misled you, sorry, I showed the options for you to choose the setting you wished to have, as I don't know if you do or don't wish to use Tablet Mode "ever".
If you never wish to use Tablet Mode, the settings should be:
  • Tablet Mode OFF
  • Don't ask & don't switch.
Regarding the processes, it's important to verify the starting location of any process being queried.
Diagnostics Tracking or DiagTrack (Windows) service, runs automatically, sends data to Microsoft.
I disable DiagTrack, (imo) MS have more than enough (of my) data.
SettingSyncHost.exe, must be C:\Windows\System32, Windows core system file, synchronises system settings between devices.
WirelessKB850NotificationService.exe - must be C:\Windows\System32, MS Mouse & Keyboard software. Must be signed by MS.

Regarding OneSyncSvc_5ff70 - Sync Host_5ff70, please post an image of this, including Properties.
Thank you.
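
Added example, not part of any post in this thread and not Kaspersky tooling: a PowerShell check, run on the machine in question, that reports the start location and Authenticode signer for the process and service names discussed above. The name patterns are taken from the thread; everything else is an assumption of the example.

```powershell
# Added example. Run in a PowerShell window (elevated, so that
# ExecutablePath is populated for processes owned by other accounts).

# Process names mentioned in the thread (both spellings of SettingSyncHost).
$pattern     = '^(Settings?SyncHost|WirelessKB850NotificationService)\.exe$'
$expectedDir = Join-Path $env:windir 'System32'

# 1) Running processes: where was each one started from, and who signed it?
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name       = $_.Name
            ProcessId  = $_.ProcessId
            Path       = $path
            # True only when the image sits directly in %windir%\System32
            InSystem32 = [bool]($path -and ((Split-Path $path -Parent) -ieq $expectedDir))
            # 'Valid' means the file hash matches a trusted signature
            SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) {
                             $sig.SignerCertificate.Subject
                         } else { 'n/a' }
        }
    } | Format-List

# 2) Services named in the thread: DiagTrack and the per-user OneSyncSvc_*
#    instance. PathName shows the command line the service is started with.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'DiagTrack' -or $_.Name -like 'OneSyncSvc*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List
```

A process that reports a path outside the expected directory, or a `SigStatus` other than `Valid`, is the one to capture (path and Properties) before asking for help.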
richbuff:
Sorry for misleading you...I first ran CheckDisk from the DOS window. But after 30 years, I forgot to include the repair suffix. I then did run it from File Explorer. It appears to have fixed the problem; no more jumping. As per Flood's suggestion, I turned off Tablet and set it to Don't Ask Don't Switch. I've waited a few days to ensure the problem has gone away (assuming hackers don't take days off or go on vacation). There have been some Windows updates and KAS updates since then and the problem has not returned.
Thank you for your help and suggestions. It was very encouraging to receive assistance so quickly and expertly.

Flood:
As per above, the problem seems to have gone. I'm now not sure there ever was a hacker or I may have been a little paranoid.
Regarding OneSyncSvc, I've looked for it but cannot find it again. Next time I'll write down the pathway.
Thank you for your help as well.

If either of you have any questions or concerns, please feel free to contact me.
kenfromcanada
Userlevel 7
Badge +9
Hello @kenfromcanada,
Thank you for letting us know🙏🏽.
I'm glad the issue is resolved.
(imo) a little paranoia is a good thing if it keeps us alert to our net life. The world has changed.
Cyber-attacks are insidious, pervasive and real; it's better to be safe than sorry.
Regarding the fake email, it reminded me to mention, there are tools available to check (our email addresses) for data breaches, some browsers have the tool pre-installed. Kaspersky Security Cloud offers the feature, however KIS doesn't. I appreciate the fake email was not your email address, but, just in case you're interested.
Best regards
