An acquaintance of mine got a call from an alleged Microsoft employee and gave him access to his Windows 10 computer via TeamViewer (commonly known as the tech support scam). But when the scammer wanted to send him a file he got suspicious and immediately shut down the computer before anything could be sent. He did not give away his credit card number or any other personal information. Afterwards he immediately changed his passwords from another computer and has not connected the affected computer to the internet since. He has asked me for help now, but I am not sure which steps are necessary.
It would be nice if someone gave me some hints and advice. I don't think the question is a duplicate of these two:
because I'm more interested in whether it was possible to infect the computer without sending a file, rather than in what to do if there is a virus on the computer.
PS: I'm from Germany; it seems the tech support scam has reached non-English-speaking countries as well...
From your description, there is nothing to worry about. The victim just shared the screen with the attacker without giving the attacker control or giving the attacker any information.
As the victim used a common tool (TeamViewer) and not one provided by the attacker, there is no risk in the shared session.
There is no risk to the router as the attacker never had access to it.
It is not known what information the attacker saw on the screen, but perhaps the only concern is the disclosure of the IP address. This can be mitigated by turning the router on/off (which works in some instances) or asking the ISP for a new IP.
If they did not give a credit card and did not receive the file, there should not be a significant reason for concern. I would have them run a virus scan and malware detection and remove anything found.
In the US, the Federal Trade Commission put together a non-techie page about these types of scams. You might direct your friend there for some further knowledge.
It never hurts to be over protective if you think anything might have occurred. It is all about the level of comfort the person has after the fact that their computer data is still intact.
In my university days, when I cracked nagware, I often repackaged the original installer with my crack and whatever modifications I had made to the code, including extra files/binaries. The tools at the time were far simpler than today's.
Nothing guarantees your friend installed a "genuine TeamViewer".
Nor does anything guarantee that, despite his "having seen" what they were doing, a secondary control connection had not been opened to a partner of the people talking with him by the time he clicked on a binary/installer, or that extra software had not been downloaded in the background.
Despite the victim having "only" installed TeamViewer, and "having seen" what was done, IMO the only sensible solution is to format the computer and install everything from scratch just in case.
It is also quite a false sense of security to assume there is nothing left if some AV solution does not find signatures. An AV won't find specially crafted binaries/scripts or "official" software left behind.
TeamViewer by default allows the other party to control your computer. However, this control is entirely visible, as if they were sitting right at your machine, using a mouse and a keyboard.
To infect the PC, the attacker could download and execute a file through your PC; sending a file via TV definitely isn't necessary. But if they tried to do that, it's very likely that it was part of their plan. Why do it otherwise?
If your friend has seen the whole process, they can know what the attacker has accessed. If your friend knows they did neither of those things, and they didn't set up access for themselves via RDP or something else, then it's very likely that they didn't 'hack' the computer. This is an easy scam on the unsuspecting; it's unlikely to be combined with a sophisticated under-the-radar attack.
If the computer isn't used to process sensitive information, it's probably not necessary to take any steps out of the ordinary (malware check). Just to be sure, some further steps that can be taken include uninstalling TeamViewer (in case it's been set up for unattended access), clearing the browser of banking passwords/using a password-protected manager, and changing the banking passwords where 2FA isn't used (not a bad thing to do every year or so anyway).
The TeamViewer version was not specified.
Older versions allowed clipboard sharing (including files) by default. Worse, the clipboard sharing did not have any indication of being used, so one could copy files to a remote computer (possibly into Startup locations) without anyone noticing.
There's a risk that a program may have been copied over to the machine being remote controlled. This doesn't have any immediate effects, but any malicious payload will get activated on next boot. One can also replace files that are periodically used by services. So yes, the machine may be infected.
Running a live CD and doing a manual check may be the best way to go. A virus scan may miss obfuscated files, or the malicious payload simply isn't recognized by the scanner. Realistically, there's a lot of attack options once one has write access to a machine (e.g. replacing commonly-loaded driver files, replacing files used by common services), so a manual check might not even be feasible.
Using the approach above, the router may be infected in theory, though I highly doubt that unless you're up against a persistent, dedicated threat.
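The answer above points at Startup locations as the place a silently copied file would be planted, and at a manual check as the most reliable way to find it. Added example, not from any answer on this page: a small triage helper that lists files in the Windows Startup folders whose modification time falls at or after the start of the remote session (the session start time is an assumption you supply). The demo builds a constructed temporary folder instead of touching a real machine.

```python
"""Triage helper: list auto-start entries changed during a remote-support session."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Default per-user and all-users Startup folders on Windows (expanded at runtime).
WINDOWS_STARTUP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp",
]


def find_recent_autostarts(dirs, since):
    """Return (path, mtime) for files in the given folders modified at or after `since`.

    `since` is a timezone-aware datetime; use the start of the TeamViewer session.
    Results are sorted newest first so the most suspicious entries appear on top.
    """
    hits = []
    for d in dirs:
        folder = Path(os.path.expandvars(d))
        if not folder.is_dir():
            continue
        for f in folder.iterdir():
            if not f.is_file():
                continue
            mtime = datetime.fromtimestamp(f.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append((str(f), mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def demo():
    """Constructed sample: one old shortcut and one file dropped during the session window."""
    session_start = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    root = Path(tempfile.mkdtemp())
    old = root / "OneDrive.lnk"  # pre-existing entry, modified a day before the call
    new = root / "update.vbs"    # constructed: written 10 minutes into the session
    old.write_text("old")
    new.write_text("new")
    old_ts = session_start.timestamp() - 86400
    new_ts = session_start.timestamp() + 600
    os.utime(old, (old_ts, old_ts))
    os.utime(new, (new_ts, new_ts))
    return [Path(p).name for p, _ in find_recent_autostarts([str(root)], session_start)]


if __name__ == "__main__":
    print(demo())  # -> ['update.vbs']
```

On the affected machine, call `find_recent_autostarts(WINDOWS_STARTUP_DIRS, <session start>)` from a live CD or a clean boot and inspect every hit by hand; Run keys and scheduled tasks deserve the same timestamp check.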