Sophisticated scam or legitimate service?


  1. Posts : 395
    Windows 10
    Thread Starter
       #21

    Bree said:
    Answer this question carefully. Did they at any time remotely open anything to show you the alleged 'evidence'? Or did they talk you through what to open and look at? Did they ever tell you to go to a website and install anything (eg Teamviewer)?
    Unfortunately I think you're onto a key point here. I'm not sure of the details (I confess I was a bit stressed at the apparent 'evidence of hacking', regardless of whether the perp was the caller or not) but, yes, I did click under instructions a couple of times. But that was after the TeamViewer window at the outset of the call.

    See also my reply to RickC a few minutes ago.

    If all you did was open things on your PC under their direction then they have not had direct access to your PC.

    How did they know what to show you? Because every PC has errors and warnings that can be purported to be 'evidence of hacking'. Open Event viewer and look at Windows Logs > System. I guarantee that if you scroll down a bit you'll see scary-looking (but harmless) warnings. The scammers know this and use it to fool you.
    Yes, I was briefly rattled by that ;-(

    Terry, UK
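Bree's point above, that any PC's System log is full of alarming-looking Warning and Error entries a scammer can pass off as 'evidence of hacking', can be checked from PowerShell rather than by scrolling through Event Viewer. The script below is an added example, not code from the thread or from any of its posters; it reads only the local System log and the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the thread): summarise the Warning/Error noise in the
# System log that a cold-caller can present as 'evidence of hacking'.
# Windows PowerShell 5.1 or PowerShell 7 on Windows; no elevation needed for the
# System log. The look-back window ($Days) is an assumption, adjust as you like.
param(
    [int]$Days = 7
)

$filter = @{
    LogName   = 'System'
    Level     = 2, 3                         # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws if nothing matches, so swallow that one error.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No Warning/Error events in the System log in the last $Days days."
    return
}

# One row per event source, noisiest first, with the first line of a sample
# message so you can recognise the usual benign suspects.
$summary = $events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Provider'; e = { $_.Name } },
                  Count,
                  @{ n = 'Sample';   e = { ($_.Group[0].Message -split "`n")[0] } }

"Warning/Error events in the System log, last $Days days: $($events.Count)"
$summary | Format-Table -AutoSize -Wrap
```

On a healthy machine the top of that table is typically routine sources such as DistributedCOM permission errors, driver and service start-up warnings and DNS client timeouts; the useful exercise is to run it once now, so that you know what your own baseline noise looks like before anyone on the phone tries to interpret it for you.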


  2. Posts : 24,613
    10 Home x64 (21H2) (10 Pro on 2nd pc)
       #22

    Terrypin said:
    ....But that was after the TeamViewer window at the outset of the call....
    If Teamviewer was used by the scammers we have to be very careful what may have been done. I'll leave you in RickC's hands....


  3. Posts : 395
    Windows 10
    Thread Starter
       #23

This is one entry in Services that looks like a potential source of remote access. But as you see I cannot disable it.

[Screenshot: parameterincorrect.jpg]


  4. Posts : 1,057
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #24

    Terrypin said:
    This is one entry in Services that looks a potential source of remote access. But as you see I cannot disable it.
That's the Agent Activation Runtime service and is related to Cortana and/or other digital assistants, not remote access. (It IS possible to disable, though not advisable, and only via the Registry Editor.)

    Can you confirm the answers to my previous post?


  5. Posts : 395
    Windows 10
    Thread Starter
       #25

    Rick: Sorry, only just seen your reply, as I was mistakenly assuming any new replies would appear on page 3 of this thread.

    A short time ago, searching my entire PC (all internal and external drives) there was just one copy, namely
    C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

    Its version is 11.0. In case it helps here's the full Properties:
    File description TeamViewer 11
    Type Application
    File version 11.2.2150.0
    Product name TeamViewer
    Product version 11.0
    Copyright TeamViewer GmbH
    Size 19.6 MB
    Date modified 17/09/18 12:19
    Language English (United Kingdom)
    Legal trademarks TeamViewer
    Original filename TeamViewer.exe

    I'd say it must have got installed during the call, except for that apparent TeamViewer window appearing at its very start.

    That folder has many TeamViewer files. As it's a TEMP folder, I assume it gets deleted automatically, but maybe I should do so now? As mentioned, there's no entry in my Revo Uninstaller list or the identical 257 entry list in Control Panel\All Control Panel Items\Programs and Features. And none in AutoRuns.

    Thanks for your ongoing help on these forensics.

    - - - Updated - - -

    Couldn't delete these two registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
    Or this:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

    Both give the message:
    Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key.

    Any thoughts on howto zap?


  6. Posts : 1,057
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #26

    Terrypin said:
    A short time ago, searching my entire PC (all internal and external drives) there was just one copy, namely
    C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
    Its version is 11.0. In case it helps here's the full Properties:
That explains one thing. The latest version of TeamViewer is v14 and is only available as a full install... which installs to the C:\Program Files (x86) folder. Older versions like v11 included a runtime version that could be run directly from a website (similar to the Sysinternals/TechNet utilities like AutoRuns).

As it's in a temporary folder it will only get deleted if the internal program logic includes an instruction for that to be carried out on program exit. As it's not a full install, there's no standard uninstall string written to the registry, e.g. to the following location:

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer
    If no uninstall string gets written then it doesn't appear in any GUI as a program that can be removed automatically (or - in the case of an MSI - be repaired)... hence why Revo Uninstaller couldn't 'see' it.

    As a result you'll need to delete the program executable (and any TeamViewer folder it resides in) manually.

    There's one thing I don't understand. Normal use of TeamViewer (aka TV) would throw up a GUI which would include both a 'Partner ID' and a password. It's possible to create a custom 'Quick Support' version of TV with a pre-configured password. However, the way the TV host (the part that runs on YOUR PC) works is to generate a unique GUID on first use. This unique GUID is described as the 'Partner ID'. The TV host then connects to a TV server on the internet and advertises its GUID. The TV client lets the user enter this GUID in its interface then it too connects to a third-party TV server on the internet. When the TV client finds a TV host with a matching GUID then a 'handshake' is carried out and the TV host issues a 'challenge', i.e. what's the password? If the TV client responds with the correct password then the connection is deemed to be 'authenticated'... and the man-in-the-middle third-party TV server drops out of the handshake. At that point, all further communication for that remote session is solely between the TV host and client.

    So, what I cannot work out is... how did the scammer know what the unique GUID was without you telling him? It's generated dynamically on first use (based on the hardware of the host) - and remains the same each time, although - by default - the password changes each session (although this behaviour can be changed to a pre-set password). There's no way the scammer could have guessed what GUID was going to be generated on first use.

    As for:

    Terrypin said:
    Couldn't delete these two registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
    Or this:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

    Both give the message:
    Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key.
    Any thoughts on howto zap?
    Don't try to delete them. The first one (ControlSet001) is just a copy of the second one (CurrentControlSet) and is autogenerated. The keys are the SID (Security Identifier) details of the 'logged on user' (shown here as ending in 1004) as they relate to the BAM service. The BAM service is a default service bucket introduced in Win 10 1709 called the Background Activity Moderator which controls the activity of applications running in the background.

The 2 keys you have mentioned are the BAM parent and its copy. You need to keep them. You should, however, be able to delete child entries, for example (on my PC, the value below):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-3346666356-219093826-3681105284-1004\
    "\\Device\\HarddiskVolume2\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"=hex:c4,\
    45,fd,4e,af,7e,d5,01,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00


Only delete the entries in the right-hand pane, not the keys themselves in the left-hand navigation pane.

    Note that 1) you need to export the keys (just in case) before carrying out any deletion and; 2) you'll need to open the Registry Editor using Run as administrator in order to get the necessary elevated rights.

    Don't forget the advice of others to wipe and start over. You have no idea what went on behind the scenes. Unfortunately TeamViewer can easily be used maliciously to drop unwanted software on a connected host.

    Hope this helps...
    Last edited by RickC; 10 Oct 2019 at 03:33.
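The checks RickC walks through in the last two posts (is there a TeamViewer.exe lying around, did a full install write an uninstall key, and what does the BAM key record about it) can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this thread, not RickC's or TeamViewer's code. It reads the live system and deletes nothing; the only thing it writes is a .reg backup of the BAM key, which is the export RickC says to take before touching anything. The two BAM root paths reflect the layout on older and newer Windows 10 builds (RickC's own export shows the older `bam\UserSettings` form, Terry's the newer `bam\State\UserSettings` form); both are tried so the script works on either. The decoding of the first 8 bytes of each BAM value as a FILETIME (last execution time) is standard forensic practice, not something taken from the thread.

```powershell
# Added example (not RickC's or TeamViewer's code): triage the TeamViewer
# artefacts discussed in this thread. Run from an elevated PowerShell prompt.
# Nothing is deleted; the only write is a .reg backup of the BAM key.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Runtime/portable copies of TeamViewer.exe (the thread found one under
#    %LOCALAPPDATA%\Temp\TeamViewer). Version and signature status help tell a
#    genuine TeamViewer GmbH binary from something merely named like it.
"== TeamViewer.exe found on disk =="
Get-ChildItem -Path 'C:\Users', 'C:\Program Files', 'C:\Program Files (x86)' `
              -Filter 'TeamViewer.exe' -Recurse -Force |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $_.VersionInfo.FileVersion
            Modified = $_.LastWriteTime
            Signed   = (Get-AuthenticodeSignature $_.FullName).Status
        }
    } | Format-Table -AutoSize

# 2. A full install writes an uninstall key (32-bit apps under WOW6432Node);
#    a runtime copy does not, which is why Programs and Features and Revo show
#    nothing. An empty result here is consistent with the runtime version.
"== Uninstall keys mentioning TeamViewer =="
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem -Path $uninstallRoots | Get-ItemProperty |
    Where-Object { $_.DisplayName -like '*TeamViewer*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString |
    Format-List

# 3. Background Activity Moderator: one subkey per user SID, one binary value
#    per executable path. The first 8 bytes of the value are a little-endian
#    FILETIME holding the last time that executable ran under that user.
"== BAM execution records mentioning TeamViewer =="
$bamRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',  # newer builds
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'         # older builds
)
$bamRoots | ForEach-Object { Get-ChildItem -Path $_ } | ForEach-Object {
    $key = $_
    $sid = $key.PSChildName
    # Translate the SID to an account name where possible; keep the SID otherwise.
    $user = $(try {
        [System.Security.Principal.SecurityIdentifier]::new($sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid })
    foreach ($name in $key.GetValueNames()) {
        if ($name -notlike '*\*') { continue }     # skip Version / SequenceNumber
        $data = $key.GetValue($name)
        if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
        [pscustomobject]@{
            User    = $user
            LastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
            Program = $name
        }
    }
} | Where-Object { $_.Program -like '*TeamViewer*' } |
    Sort-Object LastRun -Descending | Format-Table -AutoSize

# 4. Export the BAM key before any manual clean-up, as advised in the thread.
$backup = Join-Path $env:USERPROFILE ('bam-backup-{0:yyyyMMdd-HHmm}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\bam' $backup /y | Out-Null
"BAM key exported to $backup"
```

Step 3 is the part worth keeping even after the TeamViewer question is settled: run it without the `Where-Object` filter and you get a last-run time for every program each user has launched, which is the quickest way to see what else was started during the window of the phone call. As a sanity check of the decoding, the first eight bytes of the value RickC posted above (`c4,45,fd,4e,af,7e,d5,01`) form the FILETIME 0x01D57EAF4EFD45C4, which falls in October 2019, consistent with the post's edit date.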


  7. Posts : 395
    Windows 10
    Thread Starter
       #27

    Thanks Rick. You're way ahead of me on technical know-how and I'm baffled. I'm sure I must have played a hand unwittingly, but the initial display out of the blue that captured my attention remains a mystery!

    I couldn't delete the child entries either:

[Screenshot: teamviewerregistry-1.jpg]

    Terry


  8. Posts : 5,087
    21H1 64 Bit Home
       #28


  9. Posts : 1,057
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #29

    Terrypin said:
    I couldn't delete the child entries either:
My apologies, Terry. I haven't had to do this in a long while (not since Win 10 1607) and you're quite right.... opening the Registry Editor using Run as administrator no longer works to delete these specific entries. However, I've just checked and the following worked for me in Win 10 1903.

    1. Close the Registry Editor.
    2. Download WinAero's freeware ExecTI.
    3. Open ExecTI and enter regedit.exe -m
[Screenshot: execti.png]

    4. When the new instance of the Registry Editor opens, navigate to the child entry you want to remove, right-click on it and select Delete.

    Hope this helps...
    Last edited by RickC; 09 Oct 2019 at 17:13.


  10. Posts : 395
    Windows 10
    Thread Starter
       #30

    Callender: Thanks, very interesting. Looks like the scam remains very similar three years on!

    Rick: OK, thanks a bunch for following through. It's been a long day (I was up at 06:00) so I'll try your alternative method in the morning.

    Terry

