
Is TeamViewerQS malware?

My wife was called by Indian call centre who said they acted for Virgin, BT and others and were responding to problems we were having on our computer.


As it happens, the iMac she uses had been going slow recently.


To cut a long story short, she ended up going to their website www.teamviewer.com (DO NOT GO ON THIS; just in case this is dodgy site!!!!!) and the operator instructed her to "join the support network" and up popped a box containing an ID number and password. He asked/demanded her to give him those numbers over the phone.


He said she'd be put through to an engineer - turned out to be a lady giving spiel of how they could protect our computer for 9 years for £199 pounds. Alarm bells rang, and after my wife argued with her, she slammed the phone down on us.


It felt to me like they were playing for time to install a Trojan or malware of some sort. I did a search for TeamViewer in Spotlight and found a TeamViewerQS.dmg file last opened 9 days ago!!!!!


So, I've come here to Apple community to find out if this .dmg file is Malware, as a Google search found some sites that seem to imply that it is part of the OS. Is it? (Perhaps the site I found that said this was dodgy too?)


I've since downloaded SOPHOS for Mac and it's found 12 Threats Detected on our iMac (OSX 10.7.5). HELP PLEASE.


Any advice humbly accepted.


Ian

iMac, Mac OS X (10.7)

Posted on Jan 30, 2013 6:57 AM

Question marked as Best reply

Posted on Jan 30, 2013 7:36 AM

TeamViewer.com itself appears to have an excellent reputation. It's just a tool, but the phone call was a scam. Are you sure the site they instructed you to go to was TeamViewer.com? They may have been using the legitimate TeamViewer.com as part of their alleged "support."


http://www.mywot.com/en/scorecard/teamviewer.com?utm_source=addon&utm_content=popup-donuts


What were the threats Sophos detected? I'm guessing they were probably all Windows related that wouldn't have affected a Mac.


See also


http://www.dslreports.com/forum/remark,26286203


And do a search using "teamviewerqs scam"


Message was edited by: WZZZ

Jan 30, 2013 7:56 AM in response to ILG20000

The call is absolutely a scam, as WZZZ said. There are many variations used by these crooks, and they're all fake. They are trying to do just what they tried; panic people into giving them money and to install software that would allow them access to your computer so that they can steal your personal information.


First, if your wife was tricked into installing TeamViewer, remove it - download the genuine installer here (we don't know for sure what she downloaded; it could be hacked):


http://www.teamviewer.com/en/download/mac.aspx


open the disk image and run the Uninstall TeamViewer script -


then immediately change the passwords to all your Mac OS X user accounts and any online services you may use, particularly online banking or credit card accounts (the latter is critical; then keep a close eye on those accounts).


You may even wish to back up your documents, erase the drive and reinstall Mac OS X and all your applications. If your wife was tricked into giving the crooks access to your system, it would be difficult to be certain that they didn't install some additional malware. Rebuilding your system will be a lot of work, but to me it would be worth it for peace of mind.


Regards.

Jan 31, 2013 3:05 AM in response to ILG20000

The threats were 12 ZIP files and Facebook jpegs that had .exe at the end of their filenames and seemed to have been downloaded automatically into the Mac's Downloads folder from emails, though my wife is very aware of not clicking on links in emails etc to dodgy sites and always hovers over any link that looks half kosher, to see what URL it goes to.


Can files be auto-downloaded if attached to an email? Worrying if so....


I have deleted TeamViewerQS.dmg without "expanding it" and could not find any file with that name (using Spotlight search) - I ran another Sophos drive scan and nothing showed up (which is good news, ain't it?).


I found TeamViewerQS listed on Tucows.com so it's probably legit, as you say, just a remote control app the scammers used. Looking at a screengrab of it, it has boxes for ID number and password to be entered and my wife DID type these in when the guy on the phone instructed her to do so.


Our worry now is a) was the scam an attempt to get her credit card info if she fell for the £199 software 9 year protection plan, or b) while she was passed to the lady sales agent this was giving the scammers time to grab things off her computer, or c) both of these !!!


The biggest uncertainty is how do we know if they've installed some malware that's keystroke-logging our passwords or bank info or personal details off websites we use etc.


Anyone suggest/use a good app for checking/removing such malicious scumbag code?


cheers,

Ian

Jan 31, 2013 3:27 AM in response to ILG20000

All the Sophos threats won't run on a Mac.


Looking at a screengrab of it, it has boxes for ID number and password to be entered and my wife DID type these in when the guy on the phone instructed her to do so.

EDITED What ID no. and password. One she created? Not sure what that would mean or the implications of that. EDITED


MacScan is probably the best for finding keyloggers; it's abysmal at finding ordinary malware. Free demo here.


http://macscan.securemac.com/



Our worry now is a) was the scam an attempt to get her credit card info if she fell for the £199 software 9 year protection plan, or b) while she was passed to the lady sales agent this was giving the scammers time to grab things off her computer, or c) both of these !!!

I don't think anyone here can know that. To be safe, I might want to assume the worst.


That Sophos didn't find anything besides .exe Windows stuff doesn't necessarily mean it didn't miss something Mac.


I'm going to ask that someone who's far more expert in this area have a look here.


Message was edited by: WZZZ

Jan 31, 2013 3:53 AM in response to ILG20000

Sounds like everything is pretty well in-hand here, but I do have a few comments.


This is a pretty common scam, and you need to make sure to get TeamViewer off the machine ASAP. As already stated, there's nothing wrong with TeamViewer per se, but it is being used in this case as a tool to give these scammers access to your wife's iMac. It's pretty easy to get rid of.


Here's the problem: we don't know what else might have been done. If the machine was left unattended while TeamViewer was installed, anything is possible. There could be keyloggers, other backdoor apps, etc installed at this point. For that matter, if TeamViewer has any features that can be used for "behind-the-scenes" installation, it could be possible something was installed without you knowing, even if the computer was monitored the entire time.


Unfortunately, there's no reliable way to eliminate any possible keyloggers and whatnot from the machine at this point. MacScan is far from reliable in this regard, as it only uses certain easily-changed metadata (like creation and modification dates) to identify potentially malicious apps. Sophos is quite good, and it's unlikely that it missed any actual malware, but "potentially unwanted applications" (ie, legit applications being misused maliciously, as TeamViewer has been in this case) are another story. It wouldn't identify something legit that was installed for malicious purposes. (Though it may sound counter-intuitive, there are keyloggers and other such software that are completely legit, and are meant to be used for legit purposes.)


This means that the safest thing to do at this point might be to erase the hard drive completely, reinstall the system and any apps from scratch, and then restore your documents (and only documents, no settings files, applications or other such things!) from a backup. That is the only way that you can be 100% sure that there's nothing installed that is still giving these scammers access to your data.

Jan 31, 2013 5:25 AM in response to ILG20000

If she didn't give the person on the phone the id and password then you are safe. If she did then all bets are off and you should do the wipe and clean install as Thomas suggested.


The Teamviewer software is entirely legit. It is used by many for both conferencing and remote support. This is how the scammer was trying to get you. By joining the remote support network you would be giving someone the ability to access your computer IF you give them the id and password that was presented in the pop-up.


But I really have to ask, to get to the point of getting the pop-up with the id and password you are to go to the site, click on join support network (which downloads a dmg), open the dmg, which the OS will ask you to confirm you really want to do since you downloaded this from the web, and then run the program. It's not like someone on the phone magically got something on your computer to do this.


Let this be a lesson, the number one means for hackers, scammers, etc to break into a system (any system) is through social engineering, asking the user to do something, not some wiz bang piece of super malware.


As that popular saying says, Just say no!

Jan 31, 2013 7:52 AM in response to ILG20000

ILG20000 wrote:


My wife was called by Indian call centre who said they acted for Virgin, BT and others and were responding to problems we were having on our computer.


As it happens, the iMac she uses had been going slow recently.


To cut a long story short, she ended up going to their website www.teamviewer.com (DO NOT GO ON THIS; just in case this is dodgy site!!!!!)


Ian

TeamViewer is a reputable vendor, your wife got scammed. I have also seen LogMeIn and GoToMyPC placed in TeamViewer's situation.

Jun 29, 2013 2:03 PM in response to ILG20000

If you have a bootable clone of your system (as hard drives are cheap these days) then you can just clone backwards (reinstall) and "delete" the malware while not having to actually reinstall everything.


I use Carbon Copy Cloner and have 3 clones (Weekly, Monthly, Safety/Yearly) it also can help when something recently installed causes issues.


TeamViewer is great but only in the hands of friendly folks.


Rosco.

Sep 30, 2013 3:54 AM in response to varjak paw

Thanks for good information.


My mom was called up by these people (as earlier discussed in the thread), however, she downloaded the application the man on the phone wanted her to install, but she never proceeded with the installation and removed the download (no passwords or information was given to the man). Does she still need to reinstall her computer or is there no harm done unless the application is installed?


Thanks

Jan 17, 2014 1:05 PM in response to thomas_r.

The QS at the end of TeamviewerQS stands for quick support. It doesn't install; you just run it. Normally a legit business will have it hosted on their own website. It's a quick and easy way to get remote support from legit businesses. Teamviewer does not have any behind the scenes aka silent installers. It does however have a built in FTP server. In my opinion they were probably just looking for whatever they could find, and didn't install anything. I'd check startup items for scripts etc... I would not go through wiping and reinstalling everything; just keep an eye on your bank accounts.
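
One way to act on the "check startup items" advice in the reply above, as an added example that is not from the thread or from TeamViewer: it lists launchd job definitions changed in the last N days and the program each one would start. The function names and the 14-day default window are assumptions, and only XML plists are read.

```sh
#!/bin/sh
# Added example: review launchd agents/daemons changed recently.
# Directories are the standard per-user and system-wide launchd locations
# on OS X; the 14-day default window is an assumption (set DAYS to change).

# usage: recent_startup_items DAYS DIR...
# Prints every *.plist under the given directories modified in the last DAYS days.
recent_startup_items() {
    days=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue      # skip locations that do not exist
        # -mtime -N means "modified less than N days ago" (BSD and GNU find)
        find "$dir" -type f -name '*.plist' -mtime "-$days" -print
    done
}

# usage: plist_program FILE
# Prints the executable a job starts: the <string> that follows the Program
# key, or the first <string> of ProgramArguments. XML plists only; convert
# a binary plist first with: plutil -convert xml1 -o - FILE
plist_program() {
    awk '
        /<key>Program(Arguments)?<\/key>/ { want = 1 }
        want && /<string>/ {
            sub(/.*<string>/, "")
            sub(/<\/string>.*/, "")
            print
            exit
        }
    ' "$1"
}

# Report: path of each recently changed job, then the program it launches.
recent_startup_items "${DAYS:-14}" \
    "$HOME/Library/LaunchAgents" \
    /Library/LaunchAgents \
    /Library/LaunchDaemons |
while IFS= read -r f; do
    printf '%s\t%s\n' "$f" "$(plist_program "$f")"
done
```

An entry whose date falls on or after the call and whose program path is unfamiliar is the thing to look into; Login Items set in System Preferences are stored separately and are not covered here.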
