Unusual activity started with Teamviewer - not sure if fixed



#1 Johng123

Posted 07 March 2017 - 10:26 PM

This is gonna be long so I apologize, but I wanted to explain exactly what the symptoms were and what I've done.  I will say I am a pretty computer savvy person, and I only say that so you can understand I can generally debug things on my own.

 

So this starts back when I was using my previous computer.  I installed TeamViewer so that I could access my laptop while on my phone.  At one point, someone accessed my computer and tried to send themselves bitcoins from my btc-e account.  Luckily they did not complete this process, but I was SUUUUUPER paranoid after this happened.  I added two factor authentication to all my emails and used Google Authenticator for my TeamViewer.

 

I thought I locked everything down, but I am not sure if the person who accessed my computer left any backdoors.  I had eventually decided to get a new laptop, and figured that this would mostly resolve the issue.  I still decided to keep TeamViewer on my computer.  Yesterday I had left my laptop open, and went to the bathroom, and when I came back the startup screen for TeamViewer was up on my computer.  This was an obvious red flag, but I wasn't sure if it was just TeamViewer updating.  The first time the person connected (on my old computer), I was able to immediately tell since this screen was left open: https://www.gromichoafsystems.com/wp-content/uploads/2015/04/teamviwer-sponsored-session.png

 

That screen was not opened this time though, so it might not be a related indicator and might just be me being super paranoid because of everything that had happened previously.  

 

I am not really sure where to go from here to determine if someone is currently accessing my computer or not.  I followed this person's guide on programs to install and run to check for infections: https://www.bleepingcomputer.com/forums/t/641523/spybot-rootkit-scan/?p=4195111

 

Here are all the logs from that guide:

Malware Bytes: http://pastebin.com/CLGGmq2N

Adwcleaner: http://pastebin.com/pQtp60Zz

Junkware removal tool: http://pastebin.com/TbpNrvxq

ESET Cleaner: (nothing found)

 

 

Also here is my TeamViewer log (trimmed to very recent): https://justpaste.it/148zm  I bolded the areas where the user might have connected to my comp. It was around 3/7/17 18:20

 

 

Here are the things that concern me:

 

2017/03/07 21:10:53.793 5536 9152 G1 VoIP: Sender: Initialzed
2017/03/07 21:10:53.793 5536 9152 G1 VoIP: Sender: Audio pipeline: AutoVoiceCapturerWinAll: Building pipeline started
2017/03/07 21:10:53.808 5536 9152 G1 VoIP: Sender: Audio pipeline: BasicVoiceCapturerUsingWindowsDMOInSourceModeAndSpeexNS: Init for devices: "Microphone Array (Realtek High Definition Audio)", "Speakers (Realtek High Definition Audio)"
2017/03/07 21:10:53.808 5536 9152 G1 VoIP: Sender: Audio pipeline: VoiceCaptureDMOSourceFilter: Init for devices: "Microphone Array (Realtek High Definition Audio)", "Speakers (Realtek High Definition Audio)"

2017/03/07 21:10:53.793 5536 5540 G1 AudioDriver: using rec dev 'Primary Sound Capture Driver', '' (prim), id -1

2017/03/07 21:10:53.793 5536 5540 G1 AudioDriver: using play dev 'Primary Sound Driver', '' (prim), id -1

2017/03/07 21:10:55.687 5536 6596 G1 Camera: name = 'ATIV Real HD Camera', best Matching Video Format: size = 40, format = YUY2, width = 640, height = 480, bpp = 16, planes = 1, framesize = 614400, time per frame = 333333

 

 

Now that to me LOOKS LIKE someone listening to my audio and video!!!  Maybe I'm wrong but that's what it looks like to me!  Please help, and either tell me I am wrong or tell me how to make this go away permanently.  (I will be uninstalling TeamViewer of course once this whole thing is figured out.)

 

Thanks!!!


Edited by Johng123, 07 March 2017 - 10:28 PM.
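
Added example, not part of any post in this thread: a small triage script for log lines in the layout quoted above (date, time, PID, TID, level, component, message), which lists the media-device lines and checks how many fall near the suspected connection time. The names `parse_line`, `triage` and `MEDIA`, the 30-minute window and the field layout inferred from the excerpt are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Layout of the lines quoted in the post: date time PID TID level component: message
LINE_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\w+):\s*(.*)$")
# Components in the post's excerpt that touch microphone, speakers or camera.
MEDIA = {"VoIP", "AudioDriver", "Camera"}

# Lines copied from the post's excerpt, plus one constructed non-media line.
SAMPLE = """\
2017/03/07 21:10:53.793 5536 9152 G1 VoIP: Sender: Initialzed
2017/03/07 21:10:53.793 5536 5540 G1 AudioDriver: using rec dev 'Primary Sound Capture Driver', '' (prim), id -1
2017/03/07 21:10:55.687 5536 6596 G1 Camera: name = 'ATIV Real HD Camera', best Matching Video Format: size = 40, format = YUY2, width = 640, height = 480, bpp = 16, planes = 1, framesize = 614400, time per frame = 333333
2017/03/07 21:10:56.000 5536 6596 G1 Example: constructed line for a non-media component
""".splitlines()

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, tid, level, component, message = m.groups()
    return {"time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"), "pid": int(pid),
            "tid": int(tid), "level": level, "component": component, "message": message}

def triage(lines, suspected, window_minutes=30):
    """Summarise media-device lines and count those near the suspected time.

    Assumes the log and `suspected` use the same time zone.
    """
    events = [e for e in map(parse_line, lines) if e and e["component"] in MEDIA]
    window = timedelta(minutes=window_minutes)
    near = [e for e in events if abs(e["time"] - suspected) <= window]
    return {
        "components": sorted({e["component"] for e in events}),
        "pids": sorted({e["pid"] for e in events}),
        "first": min((e["time"] for e in events), default=None),
        "last": max((e["time"] for e in events), default=None),
        "near_suspected": len(near),
    }

if __name__ == "__main__":
    # The post puts the suspected connection at about 3/7/17 18:20.
    print(triage(SAMPLE, datetime(2017, 3, 7, 18, 20)))
```

Run over a full log file, the same summary shows whether media-device lines cluster around a time of interest or only around other events recorded by the same process ID.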



 


#2 Johng123


Posted 07 March 2017 - 10:30 PM

Arg I hope someone can help me soon, I am FREAKING OUT right now!  Looking at this TeamViewer log is scaring the hell out of me!!!  It looks like someone turned on my microphone and camera.  I am a generally pretty paranoid person and this is really scaring me.  :( :( :(



#3 Johng123


Posted 16 March 2017 - 10:48 AM

bump, please help



#4 Johng123


Posted 19 March 2017 - 02:31 PM

bump



#5 Johng123


Posted 23 March 2017 - 07:46 PM

no one wants to take a stab at it?



#6 boopme


Posted 29 March 2017 - 02:16 PM

They look like Teamviewer files.. Shut down or Uninstall it and see.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Johng123


Posted 29 March 2017 - 05:12 PM

Quote (boopme): "They look like Teamviewer files.. Shut down or Uninstall it and see."

Sorry what do you mean?  



#8 boopme


Posted 30 March 2017 - 09:31 AM

Go into your Remove programs... look for Teamviewer and uninstall, reboot and see.

#9 ultraelf


Posted 31 March 2017 - 02:35 AM

I think the problem is not in TeamViewer, TV is very safe, someone must know your ID, password.

Usually emails with a trojan, a USB flash drive or something similar are used.

Who could get access to your computer or phone?





