Computer accessed from China

Have a client that had significant funds taken from accounts last week.  They pinpointed it to one computer that it had to be related to.  I think part of it was access to a Google account but not 100%.  They reported that after opening the locked screen and logging in that a Teamviewer Quick support box was open and the text was all Chinese.  I was able to locate Teamviewer as a series of folders hidden in USER\appdata\Temp.  In the connection_incoming.txt I see a connection from last week and then 4 today.  They DO NOT USE Teamviewer on that machine at all.  However, someone is maliciously using this to gain access.  I have the logs and screenshots.  What help can TV provide us regarding how to assure they don't just reinstall and use it again?

I deleted the folder entirely and after reboot confirmed that the one DLL left was removed as well.

What next?


Comments

  • JeanK
    JeanK Posts: 7,036 Community Manager 🌍

    Hello @zerom,

    Thank you for your message and welcome to the TeamViewer Community!

    I am very sorry to hear this.

    The TeamViewer QuickSupport has to be launched by the user on the remote computer in order to establish a remote control session. In other words, a person must have launched the TeamViewer QuickSupport on the computer that has been maliciously used, to allow the "attacker" to access the computer. This can't happen without any human interaction on the side of the maliciously used computer.

    I recommend that you close the QuickSupport and check if a full version of TeamViewer is installed on the computer. If so, please uninstall it. If there is no TeamViewer installed, you should be on the safe side.

    Also, you can report a scam so we can support you in your investigations here: Report a scam 

    I hope this could help.

    If not, do not hesitate to ask your questions here.

    Best regards

    Jean

    Community Manager

  • zerom
    zerom Posts: 3

    I created a report. Your software, which was NOT installed on this computer, was used again for access even though it was found and deleted. Something is being done to get your software QuickSupport back on this computer without the user's consent or action.

    Please help.  Last time the files were hidden in APPDATA, this time, I am not sure where they are but there is data in the logs which I provided on the report.

    Please help.

  • zerom
    zerom Posts: 3

    Just to provide further update, found another hidden folder that had a version of TeamViewer in it.  Documented and reported it as well.  Still trying to go through any logs to see/find how someone installed it.  This version was installed around 2am in the morning.  I presume they used the QS to connect and then install and hide that version.
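For the log review the original post and this last update describe (the connection_incoming.txt entries, the 2am install window), here is an added triage script that is not part of this thread or of TeamViewer's own tooling. It assumes the tab-separated layout of Connections_incoming.txt described in public DFIR write-ups (remote ID, display name, start, end, local user, connection type, session GUID, with DD-MM-YYYY HH:MM:SS local timestamps); the sample lines, IDs, names and GUIDs are constructed.

```python
# Assumed Connections_incoming.txt layout (public DFIR write-ups, not this thread): tab-separated
# remote ID, display name, start, end, local user, connection type, GUID; times DD-MM-YYYY HH:MM:SS.
from dataclasses import dataclass
from datetime import datetime, time

TS_FORMAT = "%d-%m-%Y %H:%M:%S"
# Constructed sample log: IDs, names, users and GUIDs are invented for illustration.
SAMPLE_LOG = """\
555123456\tit-helpdesk\t03-05-2023 14:02:11\t03-05-2023 14:25:40\tAccounting\tRemoteControl\t{c0ffee00-0000-4000-8000-000000000001}
987654321\t远程协助\t10-05-2023 02:03:17\t10-05-2023 02:41:09\tAccounting\tRemoteControl\t{c0ffee00-0000-4000-8000-000000000002}
this line is truncated\t10-05-2023
987654321\t远程协助\t11-05-2023 01:58:02\t11-05-2023 02:12:55\tAccounting\tRemoteControl\t{c0ffee00-0000-4000-8000-000000000003}
"""

@dataclass
class Session:
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str
    guid: str

def parse_connections(text):
    """Parse log text into Session objects; malformed lines are skipped, not guessed."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        try:
            start, end = (datetime.strptime(f, TS_FORMAT) for f in fields[2:4])
        except ValueError:
            continue
        sessions.append(Session(fields[0], fields[1], start, end, *fields[4:7]))
    return sessions

def flag_sessions(sessions, known_ids, work_start=time(8), work_end=time(18)):
    """Return (session, reasons) pairs for sessions not explained by the allow-list or hours."""
    flagged = []
    for s in sessions:
        reasons = []
        if s.remote_id not in known_ids:
            reasons.append("unknown remote ID")
        if not work_start <= s.start.time() <= work_end:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((s, reasons))
    return flagged
```

On a machine that never uses TeamViewer, pass an empty `known_ids` set so every recorded session is flagged; the start times of the flagged entries give the window to search in Windows event logs and file-creation timestamps for the install.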