
I was using my desktop to do some work. I left it and sat on the sofa; the screen went off, and after a few minutes it went on. I freaked out when I saw the mouse moving around on the screen; then it went down to the taskbar, opened my download manager and ran TeamViewerQS.exe.

When I saw that happening, I freaked out and it felt spooky. I shut down the PC and unplugged the network cable and started the PC backup.

I don't have (or use) TeamViewer. I use Windows 10 for my operating system and I have Kaspersky Total Security running. I'm the only user of this desktop and I never gave any other user remote access.

Could you please help me understand what is happening?

Anders
Hareth
  • It's possible you were tricked into running malicious software. I'm guessing they were using some RAT with a less-than-ideal remote viewer and wanted to use TeamViewer since it's likely better. This is an unusual approach, since an attacker doesn't need to expose themselves in this way and could do most things from the command line. – multithr3at3d Jun 04 '18 at 15:25
  • I've also seen this done using the Intel AMT hack; control of the hardware outside of the operating system freaks people out when you start using their mouse. – gowenfawr Jun 04 '18 at 15:40

1 Answer


Yes, your machine has been compromised by an attacker. You may have fallen for a fake "Computer Support" scam, or opened a phishing email attachment, or clicked on a bad link, or even simply been the victim of a "drive-by" malicious web site advertisement. I know TeamViewer is a common tool used by the fake support scam people; it is also used by other attackers.

You absolutely did the right thing by unplugging the network cable. Well done!

Unfortunately, since there is no way of knowing what they stole from your computer, you need to assume they already got away with some profitable stuff. Your next step should be to use a different (non-infected) computer to immediately change your banking and financial website passwords first, then your credit card / payment website passwords, your ISP and mobile provider passwords, and the passwords to each of your online shopping sites. Change the passwords to your social sites last; they're probably not as important as your money.

Consider contacting your local police because you have been the victim of a crime. Having a case number may be important if you need to file an insurance claim or report the identity theft to your bank or other businesses. But don't expect much help from the police, as they probably won't have the resources to investigate it; and unless you know money was fraudulently stolen from you, they won't prioritize it.

Once the important risks are taken care of, you can start to copy off any valuable data files you have from the infected machine - personal photos, documents, etc. Save them to a thumb drive.

Finally, you should wipe and reformat your computer's disk and rebuild it. You might be able to enlist a computer-savvy friend's help for this. Or consider bringing it to a computer repair place that specializes in recovering from attacks. They also might be able to help you preserve any licensed content you have stored on it. But be warned their help could quickly add up to more than the cost of a new computer. Be sure to get a quote or arrange spending limits with them in advance.

John Deters