Sophiisticated scam or legitimate service?

Terrypin said:

A short time ago, searching my entire PC (all internal and external drives) there was just one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
Its version is 11.0. In case it helps here's the full Properties:

That explains one thing. The latest version of TeamViewer is v14 and is only available as a full install... which installs to the C:\Program Files (x86) folder. Older versions like v11 included a runtime version that could be run directly from a website (similar to the Sysinternals/TechNet utililties like AutoRuns).

As it's in a temporary folder it will only get deleted if the internal program logic includes an instruction for that to be carried out on program exit. As it's not a full install, there's no standard uninstall string written to the registry, e.g to the following location:

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer

If no uninstall string gets written then it doesn't appear in any GUI as a program that can be removed automatically (or - in the case of an MSI - be repaired)... hence why Revo Uninstaller couldn't 'see' it.

As a result you'll need to delete the program executable (and any TeamViewer folder it resides in) manually.

There's one thing I don't understand. Normal use of TeamViewer (aka TV) would throw up a GUI which would include both a 'Partner ID' and a password. It's possible to create a custom 'Quick Support' version of TV with a pre-configured password. However, the way the TV host (the part that runs on YOUR PC) works is to generate a unique GUID on first use. This unique GUID is described as the 'Partner ID'. The TV host then connects to a TV server on the internet and advertises its GUID. The TV client lets the user enter this GUID in its interface then it too connects to a third-party TV server on the internet. When the TV client finds a TV host with a matching GUID then a 'handshake' is carried out and the TV host issues a 'challenge', i.e. what's the password? If the TV client responds with the correct password then the connection is deemed to be 'authenticated'... and the man-in-the-middle third-party TV server drops out of the handshake. At that point, all further communication for that remote session is solely between the TV host and client.

So, what I cannot work out is... how did the scammer know what the unique GUID was without you telling him? It's generated dynamically on first use (based on the hardware of the host) - and remains the same each time, although - by default - the password changes each session (although this behaviour can be changed to a pre-set password). There's no way the scammer could have guessed what GUID was going to be generated on first use.

As for:

Terrypin said:

Couldn't delete these two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
Or this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

Both give the message:
Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key.
Any thoughts on howto zap?

Don't try to delete them. The first one (ControlSet001) is just a copy of the second one (CurrentControlSet) and is autogenerated. The keys are the SID (Security Identifier) details of the 'logged on user' (shown here as ending in 1004) as they relate to the BAM service. The BAM service is a default service bucket introduced in Win 10 1709 called the Background Activity Moderator which controls the activity of applications running in the background.

The 2 keys you have mentioned are the BAM parent and its copy. You need to keep them. You should, however, be able to delete child entries, for example (on my PC and shown in red below):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-3346666356-219093826-3681105284-1004\
"\\Device\\HarddiskVolume2\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"=hex:c4,\
45,fd,4e,af,7e,d5,01,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00

Only delete the entries in the right-hand pane, not the keys themselves in the left-hand navigation pane..

Note that 1) you need to export the keys (just in case) before carrying out any deletion and; 2) you'll need to open the Registry Editor using Run as administrator in order to get the necessary elevated rights.

Don't forget the advice of others to wipe and start over. You have no idea what went on behind the scenes. Unfortunately TeamViewer can easily be used maliciously to drop unwanted software on a connected host.

Hope this helps...

FYI: Solved: Scammers - TeamViewer Community - 682

Terrypin said:

I couldn't delete the child entries either:

My apologies, Terry. I haven't had to do this is a long while (not since Win 10 1607) and you're quite right.... opening the Registry Editor using Run as administrator no longer works to delete these specific entries. However, I've just checked and the following worked for me in Win 10 1903.

1. Close the Registry Editor.
2. Download WinAero's freeware ExecTI.
3. Open ExecTI and enter regedit.exe -m

4. When the new instance of the Registry Editor opens, navigate to the child entry you want to remove, right-click on it and select Delete.

Hope this helps...