Possible trojan transferred over Teamviewer (log files included)

zenzor

Honorable
Aug 22, 2012
Hello,

I recently had a TeamViewer session that may have turned out to be shady. I saw him attempt to transfer a file, and I immediately terminated the connection and unplugged my ethernet cable.

Although I'm not concerned about the computer to which he attempted to transfer the file, it is connected to my home network, with systems I use for personal banking, etc.


The TV log file is too big to copy/paste, and I don't see an option to attach the file. I've provided below the section which I think logged the transfer. Help appreciated, thanks.


2014/11/15 19:39:58.185 129984 480860 D1 CScreenStreamSender::SendDisplayParams() 1920x1080x32 to 3
2014/11/15 19:39:58.185 247904 491536 G1 Display buffers allocated: width = 1920, height = 1080, bpp = 32
2014/11/15 19:39:58.185 247904 491536 G1 RA: RemoteAudioSender get started
2014/11/15 19:42:04.045 246092 464200 S0! CT250 UDP statistics: prp=2 scf=94
2014/11/15 19:42:09.138 246092 2032 S0 CStreamManager[61]::StreamRegistered(): streamID=17 type=6 (StreamType_File), source=[173901792,-1882872923]
2014/11/15 19:42:09.264 247904 52948 G1 CFileTransferThreadServer started.
2014/11/15 19:42:09.264 247904 496192 G1 - Server started successfully
2014/11/15 19:42:09.264 246092 2032 S0 CStreamManager[61]::StreamRegistered(): streamID=18 type=6 (StreamType_File), source=[430100421,-354497653]
2014/11/15 19:42:09.310 247904 496192 G1 - File transfer request from 173 901 792 allowed
2014/11/15 19:42:09.498 247904 496192 G1 - Views folder <root drives>
2014/11/15 19:42:24.685 247904 52948 G1 Ending CFileTransferThreadServer...
2014/11/15 19:42:24.685 247904 52948 G1 The CFileTransferThreadServer has ended.
2014/11/15 19:42:24.685 247904 496192 G1 DragDropManager: Aborting 0 copy operations
2014/11/15 19:42:24.685 247904 496192 G1 - File transfer server shut down.
2014/11/15 19:42:26.201 246092 121544 S0 CT248 CT.Send.CMD_ENDSESSION From=430100421 To=173901792 L=4
2014/11/15 19:42:26.201 246092 2032 S0 CT248 CConnectionThread::SendEndSession: Sent EndSession with reason: 1
2014/11/15 19:42:26.217 246092 2032 S0 CPersistentParticipantManager::RemoveParticipant: [430100421,-354497653]
2014/11/15 19:42:26.217 246092 2032 S0 CStreamManager::participantRemoved: Our own participant was removed, we must terminate our session
2014/11/15 19:42:26.217 246092 464200 S0! CMeetingControl[60]::CmdDataStream(): invalid StreamID=11, discarding 25 bytes
2014/11/15 19:42:26.217 247904 451508 G1 RA: RemoteAudioSender stopping...
2014/11/15 19:42:26.217 247904 496192 G1 RA: RemoteAudioSender get stopped
2014/11/15 19:42:26.217 247904 496192 G1 Manually closing connection
2014/11/15 19:42:26.217 247904 491536 G1 CClipboardChangeListener::UnregisterFromClipboardChanges
2014/11/15 19:42:26.232 247904 491536 G1 WindowObserverGUI::SessionEnded: 0
2014/11/15 19:42:26.232 246092 2032 S0 CT249 CT.Disconnect
2014/11/15 19:42:26.232 246092 121544 S0 CT249 CT.Run.LoopEnd
2014/11/15 19:42:26.232 246092 121544 S0 CT250 CT.Send.CMD_DISCONNECT From=430100421 To=173901792 L=4
2014/11/15 19:42:26.232 246092 464200 S0 CT250 CTU.Run.LoopEnd
2014/11/15 19:42:26.232 246092 2032 S0 Session to 173901792 ended. Estimated capacity=47837kBit/s, Latency=168ms
2014/11/15 19:42:26.232 246092 464200 S0 CT250 CTU.Run.LoopEnd2
2014/11/15 19:42:26.232 246092 2032 S0 CSendCommandToMaster::SendBCommandToMaster: CC=3 CT=37
2014/11/15 19:42:26.232 246092 464200 S0 CT250 CT.Disconnect
2014/11/15 19:42:26.263 129984 494456 D1 ServerThread to 173901792 finished
2014/11/15 19:42:26.263 129984 494456 D1 SessionEnded: 0
2014/11/15 19:42:26.263 246092 2032 S0 CGatewaySession::ShowSponsoredSessionDialog(): Show SponsoredSession
2014/11/15 19:42:26.263 246092 2032 S0 ConnectionGuard: no restrictions
2014/11/15 19:42:26.263 246092 2032 S0! CT250 UDP statistics: rf=1 prp=1
2014/11/15 19:42:26.263 129984 495092 D1 Received Control_TerminateProcess
2014/11/15 19:42:26.279 129984 81736 D1 DesktopThread ended
2014/11/15 19:42:26.279 129984 68728 D1 DesktopThread stopped
2014/11/15 19:42:26.279 129984 141376 D1 MachineHooks: got quit event
2014/11/15 19:42:26.279 129984 481684 D1! UpdateServerInputState not executed. Error code: 0
2014/11/15 19:42:26.310 246092 139396 S0 CT248 CT.Receive.CMD_DISCONNECT From=173901792 To=430100421 L=4
2014/11/15 19:42:26.310 246092 139396 S0 CT248 CT.Run.LoopEnd
2014/11/15 19:42:26.357934208935324 H64 explorer.exe: DragInterceptor: restored interface (v2)
2014/11/15 19:42:26.357934208935324 H64 explorer.exe: dll can unload now
2014/11/15 19:42:26.513 129984 481684 D1! UpdateServerInputState not executed. Error code: 0
2014/11/15 19:42:26.513 129984 481684 D1! UpdateServerInputState not executed. Error code: 0
2014/11/15 19:42:26.513 129984 481684 D1! UpdateServerInputState not executed. Error code: 0
2014/11/15 19:42:26.513 129984 48992 D1 CServer::ShutDown: remoteControlSessionPresent=1, fromLocal=0, autoLockOnSessionEnd=0
2014/11/15 19:42:26.513 246092 2032 S0 CInterProcessNetwork: Received DisconnectIPC from processID 129984 (ProcessType: 4 in Session 1) with reason 4
2014/11/15 19:42:26.513 246092 2032 S0 Process 129984 in session 1 has terminated
2014/11/15 19:42:26.513 129984 495092 D1 CTcpProcessConnector::HandleRead(): Socket gracefully closed (PID=246092)
2014/11/15 19:42:26.513 129984 495092 D1 CTcpProcessConnector::CloseConnection(): PID=246092
2014/11/15 19:42:26.513 129984 495092 D1! CInterProcess::EventFunction(): IPC-Connection Closed
2014/11/15 19:42:26.513 129984 495092 D1 CTcpProcessConnector::CloseConnection(): PID=246092
2014/11/15 19:42:26.513 246092 2032 S0 CTcpProcessConnector::HandleRead(): Socket gracefully closed (PID=129984)
2014/11/15 19:42:26.513 246092 2032 S0 CTcpProcessConnector::CloseConnection(): PID=129984
2014/11/15 19:42:26.513 246092 2032 S0 CInterProcessNetwork::NewInterProcessDataAvailable(): ConnectionClosed session=1 ptype=4
2014/11/15 19:42:26.513 246092 2032 S0 UpdateOnlineState newOnlineValue 1
2014/11/15 19:42:26.513 129984 48992 D1 ~MachineHooks: refcount = 1
2014/11/15 19:42:37.482 246092 487432 S0 CT247 CT.Receive.CMD_ROUTERCMD From=264082541 To=430100421 L=414
2014/11/15 19:42:37.482 246092 487432 S0 CT251 CT.TM_GWout.37.252.232.3 - CT251 - S251
2014/11/15 19:42:37.482 246092 487432 S0 CT251 CT.Connect to TeamViewer Router 37.252.232.3:5938
2014/11/15 19:42:37.576 246092 487432 S0 CT251 CT.Connected
2014/11/15 19:42:37.576 246092 487432 S0 CT251 CT.Send.CMD_IDENTIFY From=430100421 To=0 L=32
2014/11/15 19:42:37.576 246092 487432 S0 CT251 CT.Send.CMD_CONNECTTOWAITINGTHREAD From=430100421 To=0 L=48
2014/11/15 19:42:37.576 246092 197796 S0 CT252 CT.Run
2014/11/15 19:42:37.576 246092 197796 S0 CT252 TM.TM_TV
2014/11/15 19:42:37.576 246092 487432 S0 Starting desktop process for ID 430100421 in session 1
2014/11/15 19:42:37.607 246092 487432 S0 CTerminalServer::getPathToApplicationExe(): Choosing filename from partner process.
2014/11/15 19:42:37.607 246092 487432 S0 Filename for desktop process is c:\program files (x86)\teamviewer\version9\TeamViewer_Desktop.exe
2014/11/15 19:42:37.607 246092 487432 S0 CToken::GetSystemToken() set session 1
2014/11/15 19:42:37.623 246092 487432 S0 Desktop process started, PID=171112
2014/11/15 19:42:37.623 246092 487432 S0 CTerminalServer::StartGUIProcess() Not starting GUI, reusing existing
2014/11/15 19:42:37.623 246092 487432 S0 ConnectionGuard: incoming remote control in sessions: 1(1)
2014/11/15 19:42:37.623 246092 487432 S0 CT247 CT.Send.CMD_ROUTERCMD From=430100421 To=264082541 L=59
2014/11/15 19:42:37.623 247904 451508 G1 Connection incoming, sessionID = 1756964758
2014/11/15 19:42:37.623 246092 149136 S0 CT251 CT.Run
2014/11/15 19:42:37.623 246092 149136 S0 CT251 TM.TM_GWout
2014/11/15 19:42:37.670 246092 197796 S0 CT251 Activating support for ccmdV2
2014/11/15 19:42:37.670 246092 149136 S0 CT251 CT.Receive.CMD_SESSIONID From=0 To=430100421 L=8
2014/11/15 19:42:37.670 246092 149136 S0 CT251 CT.Receive.CMD_IDENTIFY From=0 To=430100421 L=32
2014/11/15 19:42:37.670 246092 149136 S0 CT251 CT.Receive.CMD_SESSIONMODE From=173901792 To=430100421 L=28
2014/11/15 19:42:37.763 246092 149136 S0 Negotiating session encryption: client hello received from 173901792, RSA key length = 2048
Skylyne

Estimable
Sep 7, 2014
The log doesn't appear to give any information as to what the file being transferred was... so even if it was something malicious, the TV log wouldn't show it.

Are you trying to figure out if the file was a trojan/virus/etc.? If so, then I'd need some information about the actual file transfer, and it doesn't appear that TV logs that information.
 

zenzor

Honorable
Aug 22, 2012
I would like to know if a file was actually transferred.
 

Paul NZ

Admirable
Well, you would see it; you can see what the person is doing when you use TeamViewer.

I use it often. It's not like other programs, where it cuts you off so you have no idea what the person is doing.

Well, it doesn't say the name of any file anywhere. So your guess is as good as ours.
 

Skylyne

Estimable
Sep 7, 2014
It looks like it could be possible, from these lines...

2014/11/15 19:42:09.264 247904 52948 G1 CFileTransferThreadServer started.
2014/11/15 19:42:09.264 247904 496192 G1 - Server started successfully
2014/11/15 19:42:09.264 246092 2032 S0 CStreamManager[61]::StreamRegistered(): streamID=18 type=6 (StreamType_File), source=[430100421,-354497653]
2014/11/15 19:42:09.310 247904 496192 G1 - File transfer request from 173 901 792 allowed
2014/11/15 19:42:09.498 247904 496192 G1 - Views folder <root drives>
2014/11/15 19:42:24.685 247904 52948 G1 Ending CFileTransferThreadServer...
2014/11/15 19:42:24.685 247904 52948 G1 The CFileTransferThreadServer has ended.
2014/11/15 19:42:24.685 247904 496192 G1 DragDropManager: Aborting 0 copy operations
2014/11/15 19:42:24.685 247904 496192 G1 - File transfer server shut down.

I can't say whether something was successfully transferred, as there is no real confirmation of that; however, it does look like it could have happened. It looks like you allowed a file transfer, but it doesn't say the transfer ever started or whether it completed successfully; that's the only reason I can't say there definitely is or isn't anything that was loaded onto your computer. From the looks of things, it appears the file transfer server was shut down before any file transfer could be initiated, and that's definitely a good thing. I wouldn't worry too much unless MBAM, HitmanPro, or your antivirus of choice comes up with something.
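Added example (not from the thread and not TeamViewer's own tooling): a small Python triage script that reads the log format shown above and reports only what the log can establish. It pulls out the `StreamType_File` registrations, the window between `CFileTransferThreadServer started.` and `The CFileTransferThreadServer has ended.`, the partner ID in the `File transfer request from ... allowed` line, the `Views folder` entries and the `DragDropManager: Aborting N copy operations` count. The drive-path scan inside that window is my own heuristic, not something TeamViewer guarantees to log, and the sample input is the relevant lines copied from the post so the script runs offline.

```python
"""Triage a TeamViewer client log for evidence of a file transfer.

Added example; assumes the 'YYYY/MM/DD HH:MM:SS.fff <pid> <tid> <tag> msg'
format seen in the thread and only reports what those lines record.
"""
import re
from datetime import datetime

# Constructed sample input: the file-transfer section of the log posted above.
SAMPLE_LOG = """\
2014/11/15 19:42:04.045 246092 464200 S0! CT250 UDP statistics: prp=2 scf=94
2014/11/15 19:42:09.138 246092 2032 S0 CStreamManager[61]::StreamRegistered(): streamID=17 type=6 (StreamType_File), source=[173901792,-1882872923]
2014/11/15 19:42:09.264 247904 52948 G1 CFileTransferThreadServer started.
2014/11/15 19:42:09.264 247904 496192 G1 - Server started successfully
2014/11/15 19:42:09.264 246092 2032 S0 CStreamManager[61]::StreamRegistered(): streamID=18 type=6 (StreamType_File), source=[430100421,-354497653]
2014/11/15 19:42:09.310 247904 496192 G1 - File transfer request from 173 901 792 allowed
2014/11/15 19:42:09.498 247904 496192 G1 - Views folder <root drives>
2014/11/15 19:42:24.685 247904 52948 G1 Ending CFileTransferThreadServer...
2014/11/15 19:42:24.685 247904 52948 G1 The CFileTransferThreadServer has ended.
2014/11/15 19:42:24.685 247904 496192 G1 DragDropManager: Aborting 0 copy operations
2014/11/15 19:42:24.685 247904 496192 G1 - File transfer server shut down.
2014/11/15 19:42:26.201 246092 121544 S0 CT248 CT.Send.CMD_ENDSESSION From=430100421 To=173901792 L=4
2014/11/15 19:42:26.232 246092 2032 S0 Session to 173901792 ended. Estimated capacity=47837kBit/s, Latency=168ms
2014/11/15 19:42:26.357934208935324 H64 explorer.exe: DragInterceptor: restored interface (v2)
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")

# Messages that mark the life cycle of a TeamViewer file-transfer session.
PATTERNS = {
    "file_stream": re.compile(
        r"StreamRegistered\(\): streamID=(\d+) type=\d+ \(StreamType_File\), source=\[(-?\d+),"),
    "server_started": re.compile(r"CFileTransferThreadServer started\."),
    "server_ended": re.compile(r"The CFileTransferThreadServer has ended\."),
    "request_allowed": re.compile(r"File transfer request from ([\d ]+) allowed"),
    "views_folder": re.compile(r"Views folder (.+)$"),
    "aborted_copies": re.compile(r"DragDropManager: Aborting (\d+) copy operations"),
}
# Heuristic (my assumption, not a TeamViewer guarantee): a drive or UNC path
# logged inside the transfer window would name a concrete file.
PATH_RE = re.compile(r"[A-Za-z]:\\\S*|\\\\\S+")


def parse_ts(stamp):
    """Parse the timestamp; the 64-bit hook lines carry more than 6 fractional digits."""
    date, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{date}.{frac[:6]}", "%Y/%m/%d %H:%M:%S.%f")


def parse_lines(log_text):
    """Return (timestamp, message) for every line in the expected format."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((parse_ts(m.group(1)), m.group(2)))
    return rows


def analyze(log_text):
    """Collect the file-transfer facts the log actually records."""
    rows = parse_lines(log_text)
    report = {"file_streams": [], "request_allowed_from": None,
              "server_started": None, "server_ended": None,
              "folders_viewed": [], "aborted_copies": None,
              "path_like_lines": [], "window_seconds": None}
    for ts, msg in rows:
        for name, pat in PATTERNS.items():
            m = pat.search(msg)
            if not m:
                continue
            if name == "file_stream":          # (streamID, TeamViewer ID that opened it)
                report["file_streams"].append((int(m.group(1)), m.group(2)))
            elif name == "request_allowed":     # partner ID, logged with spaces
                report["request_allowed_from"] = m.group(1).replace(" ", "")
            elif name == "server_started":
                report["server_started"] = ts
            elif name == "server_ended":
                report["server_ended"] = ts
            elif name == "views_folder":
                report["folders_viewed"].append(m.group(1).strip())
            elif name == "aborted_copies":
                report["aborted_copies"] = int(m.group(1))
    start, end = report["server_started"], report["server_ended"]
    if start and end:
        report["window_seconds"] = (end - start).total_seconds()
        report["path_like_lines"] = [msg for ts, msg in rows
                                     if start <= ts <= end and PATH_RE.search(msg)]
    return report


def verdict(report):
    """One-line reading of the report that does not claim more than the log shows."""
    if report["request_allowed_from"] is None:
        return "no file-transfer session was authorised"
    w = report["window_seconds"]
    wtxt = f"{w:.1f}s" if w is not None else "unknown duration"
    if report["path_like_lines"]:
        return (f"transfer session with {report['request_allowed_from']} open for {wtxt} "
                f"and {len(report['path_like_lines'])} line(s) name a path: check those files")
    return (f"transfer session with {report['request_allowed_from']} open for {wtxt}, "
            f"folders browsed: {', '.join(report['folders_viewed']) or 'none'}, "
            f"{report['aborted_copies']} copy operation(s) aborted, no file name or path "
            "logged: the log alone cannot confirm or rule out a transfer")


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE_LOG)))
```

On the posted log this yields a 15.4 s window in which the remote side was allowed to open a transfer session and browsed `<root drives>`, with zero drag-and-drop copies aborted and no path logged, which is exactly why the thread cannot go further than "possible": to answer "was a file written?" you need host-side evidence (files modified in that window, download-style artifacts, an AV scan), not this log.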