Unauthorized use of my work computer?


7 replies to this topic

#1 okiewild


Posted 22 August 2015 - 12:36 PM

One morning I logged into the PC at work and found TeamViewer launched, though it was not launched when I logged out the previous day. (I rarely use it.) Also, the DVD drive on my tower was open but empty. Our systems administrator did not seem concerned. We have reasonable antivirus/malware protection and a company firewall. I found an entry in the Event Viewer on this Win7 64-bit machine ...

 

Log Name:      System
Source:        Service Control Manager
Date:          8/11/2015 8:36:53 PM
Event ID:      7045
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC950362
Description:
A service was installed in the system.
 
Service Name:  TeamViewer 10
Service File Name:  "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
Event Xml:
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7045</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-12T01:36:53.536577100Z" />
    <EventRecordID>324986</EventRecordID>
    <Correlation />
    <Execution ProcessID="532" ThreadID="10292" />
    <Channel>System</Channel>
    <Computer>PC950362</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ServiceName">TeamViewer 10</Data>
    <Data Name="ImagePath">"C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>



#2 Didier Stevens


Posted 23 August 2015 - 08:18 AM

Can you be more specific?

When you say you logged in that morning, did you really log in, or did you unlock your session you locked the evening before?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 okiewild


Posted 23 August 2015 - 03:40 PM

Unlocked the session from the afternoon before. All my other software seemed to be as I left it when I clocked out about 5 p.m. the previous day. 

We don't really turn our PCs off when the office closes. 



#4 Didier Stevens


Posted 23 August 2015 - 05:09 PM

And TeamViewer is not software that is installed/used on your office machines?




#5 okiewild


Posted 23 August 2015 - 05:31 PM

TeamViewer is installed so that employees can continue working from home in bad weather or similar circumstances. That has not happened for months. 


Edited by okiewild, 23 August 2015 - 05:32 PM.


#6 okiewild


Posted 23 August 2015 - 06:44 PM

I have more of the Event log, but not sure what to look for that might be abnormal. I'm pretty good with software, but only rarely mess around with the insides of the Windows system tools.
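
For readers wondering what to check in a 7045 record like the one in post #1, the following is an added example, not part of the thread or written by any poster. It parses the event's XML and lists points worth raising with IT; the UTC offset of -5 hours is derived from the two timestamps in the post, while the working-hours window and the list of expected install folders are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: fields copied from the post, wrapped in the <Event> root
# element (with its namespace) that a full Event Viewer XML export carries.
SAMPLE = r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="16384">7045</EventID>
    <TimeCreated SystemTime="2015-08-12T01:36:53.536577100Z" />
    <Computer>PC950362</Computer>
  </System>
  <EventData>
    <Data Name="ServiceName">TeamViewer 10</Data>
    <Data Name="ImagePath">"C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>'''

def triage_7045(xml_text, utc_offset_hours=-5, workday=(8, 18)):
    """Return (fields, notes) for one Service Control Manager 7045 event."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the XML namespace prefix
        el.tag = el.tag.rsplit('}', 1)[-1]
    if root.findtext('System/EventID') != '7045':
        raise ValueError('not a service-install (7045) event')
    f = {d.get('Name'): (d.text or '') for d in root.iter('Data')}
    # SystemTime is UTC with 100 ns precision; trim to microseconds for strptime.
    stamp = root.find('System/TimeCreated').get('SystemTime').rstrip('Z')
    stamp = re.sub(r'(\.\d{6})\d+$', r'\1', stamp)
    fmt = '%Y-%m-%dT%H:%M:%S.%f' if '.' in stamp else '%Y-%m-%dT%H:%M:%S'
    utc = datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    f['LocalTime'] = local.strftime('%Y-%m-%d %H:%M:%S')
    notes = []
    if not workday[0] <= local.hour < workday[1]:   # assumed office hours
        notes.append('installed outside working hours')
    path = f.get('ImagePath', '')
    exe = path.strip().strip('"').lower()
    if not exe.startswith(('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')):
        notes.append('binary outside Program Files/Windows')
    if ' ' in path and not path.startswith('"'):
        notes.append('unquoted path containing spaces')
    if f.get('AccountName', '').lower() == 'localsystem':
        notes.append('runs as LocalSystem')
    if f.get('StartType') == 'auto start':
        notes.append('starts automatically at boot')
    return f, notes
```

The notes are prompts for follow-up rather than verdicts: a 7045 record marks a service being registered, so the install time is best compared against other records from the same minutes, such as logons and software installation entries.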



#7 DeimosChaos


Posted 25 August 2015 - 11:56 AM

Not to sound like I don't want to help... but...

 

If it is a work laptop I would leave that up to your IT at work and not pursue open community help. Send off a ticket and tell them what happened; if they want to explore it, fine; if not, then you did what you were supposed to and the rest is on them.

I would assume you don't have Admin privileges, which would make it hard to do much anyway. If you can run the AV tool that is installed I would do that as well; if IT has to... again, let them decide if they want to. Your situation sounds more like a fluke than anything anyway. TeamViewer may have just opened (maybe for updates.. etc etc).. somebody hit your optical drive by accident and didn't close it..? Possible answers....

 

For the sake of asking, typically you are going to get something nasty on your PC if you clicked any suspicious looking e-mail links... while browsing the web and clicked something that wasn't typical.. etc. So if you did any of that you might have cause for concern... otherwise I wouldn't worry about it, especially if IT isn't worried. In the end they are responsible for taking care of these things.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#8 okiewild


Posted 27 August 2015 - 06:40 PM

I forgive you for not endorsing my paranoia.

 

I went into system settings and made sure it will only launch if I tell it to. 

 

Thx!





