Sophisticated scam or legitimate service?


  1. Posts : 347
    Windows 10 Home Version 21H1 OS Build 19045.2130
       #11

    Bree said:
    You must also change all your site login passwords (banking, email, etc.) immediately!
    Presumably after doing the clean install!


  2. Posts : 478
    Windows 10
    Thread Starter
       #12

    Thanks for all the replies so far, which are much appreciated.

    While this is clearly a scam, I'm worried about several things:

    1. How did they get access to my PC before the call so that they could immediately start, in their terms, "showing me evidence of the hacking" etc?

    2. How can I ensure that this cannot happen without my authority? I suggested some services, but RickC says "disabling them would be a really bad idea". So my question remains: how to prevent unauthorised access?

    3. There was an implied threat that unless I bought the service, my PC would be further seriously hacked tonight. Obviously he would imply that. But (apart from my usual alertness, Defender, CCleaner, MalwareBytesFree, inconveniently changing a couple of much-used email passwords, etc) how can I satisfy myself that this cannot happen?

    [This was sent just before seeing the suggestion about a clean install. With several hundred programs and scores of forum sites, accounts, etc, that's a very major project!]


  3. Posts : 2,487
    Windows 10 Home, 64-bit
       #13

    At what point did you become aware that Team Viewer was being used? Immediately in the first phone call? Only after escalation to "Roger"? Was that without your knowledge or consent?

    How sure are you that Team Viewer was in fact used, rather than alleged?

    If it was used, I don't see how you can be confident they can't get back in or may have compromised your PC irretrievably.


  4. Posts : 1,766
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #14

    If TeamViewer was used then there should be a logfile left by default in the C:\Program Files (x86)\TeamViewer folder and a TeamViewer folder in C:\Users\<logged_on_username>\AppData\Local.

    Also, searching the registry for 'TeamViewer' using something like Nir Sofer's RegScanner will show hundreds of entries (and will also show if a permanent password has been set... which allows surreptitious reconnection).


  5. Posts : 198
    Windows 10 Pro x64
       #15

    These muppets usually get you to look in event viewer where there's a ton of 'errors'. They are not errors of course, but it's often enough to scare the average user into paying for some kind of 'fix'.

    The 'fix' inevitably involves giving them access to your pc, when they then plant spyware to get your bank details, other login info etc.

    The only upside is that due to the time difference, the scammers in India have to work nights.


  6. Posts : 478
    Windows 10
    Thread Starter
       #16

    ignatzatsonic said:
    At what point did you become aware that Team Viewer was being used? Immediately in the first phone call?
    Yes, they popped up a TeamViewer window very quickly.

    Only after escalation to "Roger"?
    No, right in the second call. (I'd put the phone down within seconds on the very first one, as mentioned.)
    Was that without your knowledge or consent?
    Yes.


    How sure are you that Team Viewer was in fact used, rather than alleged?
    Very sure.

    If it was used, I don't see how you can be confident they can't get back in or may have compromised your PC irretrievably.
    That's my main worry. But from research over the last hour, I too need to have TeamViewer installed for that to be possible, and I see no sign of it in my installed programs or under Details column of TM, or Services. Or for a 'VPN...' which I read might be necessary.

    In short, I know enough to be worried but not enough to fix it!

    Terry


  7. Posts : 10,740
    Windows 11 Workstation x64
       #17

    Have a look at the properties of the teamviewer folder (location below) and see when it was created.

    C:\Program Files (x86)\TeamViewer


  8. Posts : 31,651
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #18

    Terrypin said:
    How did they get access to my PC before the call so that they could immediately start, in their terms, "showing me evidence of the hacking" etc?
    Answer this question carefully. Did they at any time remotely open anything to show you the alleged 'evidence'? Or did they talk you through what to open and look at? Did they ever tell you to go to a website and install anything (eg Teamviewer)?


    If all you did was open things on your PC under their direction then they have not had direct access to your PC.


    How did they know what to show you? Because every PC has errors and warnings that can be purported to be 'evidence of hacking'. Open Event viewer and look at Windows Logs > System. I guarantee that if you scroll down a bit you'll see scary-looking (but harmless) warnings. The scammers know this and use it to fool you.



  9. Posts : 478
    Windows 10
    Thread Starter
       #19

    RickC said:
    If TeamViewer was used then there should be a logfile left by default in the C:\Program Files (x86)\TeamViewer folder and a TeamViewer folder in C:\Users\<logged_on_username>\AppData\Local.

    Also, searching the registry for 'TeamViewer' using something like Nir Sofer's RegScanner will show hundreds of entries (and will also show if a permanent password has been set... which allows surreptitious reconnection).
    I could find no trace of TeamViewer being installed anywhere. No such folder, or in \Program Files. But intriguingly Regedit gave these six hits:

    1. Key = HKEY_CURRENT_USER\Software\TeamViewer
    Entry = Default (value not set)

    2. Key = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Users#terry#AppData#Local#Temp#TeamViewer#TeamViewer.exe
    Entry = Start 0x 1d57e80e49c7d73 (132150856133672307)
    (Second entry Stop is identical)
    If that's a date/time, I couldn't decode it with Excel for instance.

    3. Key = HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
    Entry = SRPPasswordMachineIdentifier with a 'REG_BINARY' entry and a string of pairs

    4. Key = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
    Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

    5. Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
    Entry = Same as #4

    6. Key = HKEY_USERS\S-1-5-21-1643601740-1098315019-3821599572-1004\Software\TeamViewer
    Entry = Default (value not set)

    What do you make of all that? Temporarily installed somehow?

    - - - Updated - - -

    z3r010 said:
    Have a look at the properties of the teamviewer folder (location below) and see when it was created.

    C:\Program Files (x86)\TeamViewer
    No such folder. See also my reply to RickC.
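Added example, not part of any post in the thread: the Start value quoted in post #19 is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), which Excel date serials do not decode directly. The Python below converts it, restores the '#'-encoded ConsentStore path, and reads a bam value. The bam layout (first 8 bytes are a little-endian FILETIME) is an assumption taken from public forensic write-ups, and the bam bytes are constructed because the post does not show them.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def consent_key_to_path(subkey: str) -> str:
    """NonPackaged subkey names store the executable path with '#' for '\\'."""
    return subkey.replace("#", "\\")

def bam_last_run(value: bytes) -> datetime:
    """Assumption: the first 8 bytes of a bam value are a little-endian FILETIME."""
    if len(value) < 8:
        raise ValueError("bam value too short to hold a FILETIME")
    return filetime_to_utc(struct.unpack_from("<Q", value, 0)[0])

def runs_from_temp(path: str) -> bool:
    """True for a binary under a per-user Temp directory (run, not installed)."""
    return "\\appdata\\local\\temp\\" in path.lower()

# Values quoted in post #19.
CONSENT_SUBKEY = "C:#Users#terry#AppData#Local#Temp#TeamViewer#TeamViewer.exe"
CONSENT_START = 132150856133672307
BAM_NAME = ("\\Device\\HarddiskVolume6\\Users\\terry\\AppData\\Local\\Temp"
            "\\TeamViewer\\TeamViewer.exe")
# Constructed sample: reuses the Start value as the bam timestamp bytes.
BAM_SAMPLE = struct.pack("<Q", CONSENT_START) + bytes(16)

def triage():
    """Return (source, executable path, last-use time in UTC) per artifact."""
    return [
        ("ConsentStore microphone", consent_key_to_path(CONSENT_SUBKEY),
         filetime_to_utc(CONSENT_START)),
        ("bam (constructed bytes)", BAM_NAME, bam_last_run(BAM_SAMPLE)),
    ]

if __name__ == "__main__":
    for source, path, when in triage():
        print(f"{source}: {path}")
        print(f"  last use {when.isoformat()}  from Temp: {runs_from_temp(path)}")
```

Compare the decoded UTC time with the date and time of the call: a timestamp that does not match the call points to an earlier or later run of the same executable.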


  10. Posts : 1,766
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #20

    Terrypin said:
    What do you make of all that? Temporarily installed somehow?
    Yes, it shows the TeamViewer.exe executable in your AppData's 'temp'(orary) folder. What I can't work out is how it got there unless the scammer directed you to the TeamViewer website. However, the TeamViewer website no longer shows the link to just run TeamViewer from its home page like it used to.

    Can you go to the C:\Users\terry\AppData\Local\Temp\TeamViewer folder then right-click on the TeamViewer.exe file and select Properties then the Details tab and let us know the 'file version' of the executable.

    Also, reg keys 4 and 5 appear to indicate TeamViewer is set as a background service. Can you right-click on the taskbar, choose Task Manager then - when it opens - select the Services tab and see whether there's an entry for TeamViewer (and, if so, what its status is).


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
