TONY7, posted October 31, 2019:

This is my first time on the ESET forum. I saw something copy my desktop screenshot at a regular interval of time (see attachment). I scanned the whole computer with ESET, but it shows all clear. Can you guys help me figure it out? There are no "prt sc" faults.

Marcos (Administrators), posted October 31, 2019:

There's nothing unusual in your screen shot, just two notifications, one from One Drive and the other from ESET. Just make your choice, choose No, thanks, Postpone, close the notification via X, etc.

TONY7, posted October 31, 2019:

This screenshot is not taken. Whenever I open the paint tool and press c+v, some screenshot pictures appear. Something captures my screenshots and copies them to the clipboard. ESET is not detecting why this happens.

peteyt (Most Valued Members), posted October 31, 2019:

> 4 hours ago, TONY7 said:
> This screenshot is not taken. Whenever I open the paint tool and press c+v, some screenshot pictures appear. Something captures my screenshots and copies them to the clipboard. ESET is not detecting why this happens.

Possibly OneDrive is set up to capture screenshots.

Marcos (Administrators), posted October 31, 2019:

You could try this application which monitors clipboard, however, I'm not sure if it will shed more light: http://clipdiary.com

TONY7, posted October 31, 2019:

Hi Marcos,

I'm a Windows user. I use Win+V for the clipboard history. Once I changed my OS to Ubuntu. Then also the screen blinked with a capture sound and files were saved to the picture folder. Someone captures screenshots for collecting credential data. Like this: https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

I think you guys in cyber security can resolve this.

peteyt (Most Valued Members), posted October 31, 2019:

> 2 hours ago, TONY7 said:
> Hi Marcos, I'm a Windows user. I use Win+V for the clipboard history. Once I changed my OS to Ubuntu. Then also the screen blinked with a capture sound and files were saved to the picture folder. Someone captures screenshots for collecting credential data. Like this: https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/ I think you guys in cyber security can resolve this.

Have you tried with OneDrive closed, e.g. not running in the taskbar?

itman, posted October 31, 2019 (edited October 31, 2019 by itman):

> 1 hour ago, peteyt said:
> Someone captures screenshots for collecting credential data. Like this: https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

This requires that a backdoor has been previously installed on the device:

> Quote
> How to Protect Yourself Against Screenshot Attacks
> Unfortunately, there's no way to prevent Metasploit's ability to take screenshots and no way for victims of this attack to detect a screenshot has been taken of their Windows 10 desktop. Antivirus scanners should be kept up-to-date and run on a regular schedule. This may help detect and remove common backdoors and viruses.

Otherwise, the best preventive measure you could perform is securing up your PC so a hacker can't install a backdoor on it. Backdoors are notoriously difficult to detect since in essence all they are is a reverse shell. The only foolproof detection method is positive signature detection of the backdoor code.

Also, ESET does detect Metasploit code.

Aryeh Goretsky (ESET Moderators), posted November 1, 2019:

Hello,

Microsoft recently introduced a change into Windows to introduce a marketing message into Windows 10 to promote the use of Microsoft's OneDrive cloud file-sharing service, which has both free and paid tiers of usage. More information on this behavior can be found on Microsoft's web site at: https://support.office.com/en-us/article/save-screenshots-to-onedrive-automatically-d04df71c-1cb0-4ad6-9f9c-b08494d79d6a

For now, clicking on the small, faint "No, thanks" towards the bottom of the Microsoft OneDrive advertisement should disable this functionality. There is probably a way to programmatically disable this advertisement via registry editing, PowerShell or Group Policy templates, but I have not investigated this thoroughly.

Regards,
Aryeh Goretsky

TONY7, posted November 1, 2019:

Hi Itman,

Thanks for that info. How to do positive signature detection of the backdoor code?

peteyt (Most Valued Members), posted November 1, 2019:

> 3 hours ago, TONY7 said:
> Hi Itman, Thanks for that info. How to do positive signature detection of the backdoor code?

Have you closed OneDrive completely down? It just seems an odd coincidence that it is talking about screenshots and you are having screenshots captured. It could be a backdoor, but could it be that OneDrive is simply capturing them for you? Disabling it might rule it out.

TONY7, posted November 1, 2019:

My OneDrive is not automatically saving screenshots from the clipboard. There are no files in the screenshot folder of OneDrive. Just enabled a setting to open sniper tool by pressing the prt sc button (see attachment). At first they can't capture the screenshot, because it just opens the sniper tool. But later that button enables them to copy the screenshot again to the clipboard!

Any idea how to see and control the network usage on my PC by different programs?

itman, posted November 1, 2019:

> 6 hours ago, TONY7 said:
> How to do positive signature detection of the backdoor code?

You have to rely on the AV solution you are using to provide the signature.

Another way of detecting a backdoor is to monitor and log outbound network traffic. You want to pay attention to any outbound connections from an untrusted, not normally used process. The problem here is the reverse shell can be run from one of the script processes: PowerShell, wscript, vbs, etc. It is not normal to see any outbound network traffic from any of these.

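Added example, not part of itman's post and not ESET tooling: one way to do the outbound-connection logging described above on Windows 10, using the built-in Get-NetTCPConnection cmdlet. The script-host process list (cscript, mshta and pwsh are additions to the names in the post), the log path and the polling interval are assumptions.

```powershell
# Added example (not from the thread). Polls established TCP connections and
# logs each new process/remote-endpoint pair, flagging script-host processes.
# The process list, log path and interval below are assumptions.
$scriptHosts = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta'
$logPath     = "$env:USERPROFILE\outbound-connections.csv"
$intervalSec = 5
$seen        = @{}   # connections already logged in this run

while ($true) {
    # Skip loopback traffic; everything else is a candidate for review.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }

    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # The owning process may have exited between the two calls.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $row = [pscustomobject]@{
            Time          = Get-Date -Format s
            Process       = $proc.ProcessName
            ProcessId     = $c.OwningProcess
            Path          = $proc.Path
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            ScriptHost    = $proc.ProcessName -in $scriptHosts
        }
        $row | Export-Csv -Path $logPath -Append -NoTypeInformation

        # Surface script-host connections immediately; the CSV keeps everything.
        if ($row.ScriptHost) {
            Write-Warning ('{0} (PID {1}) -> {2}:{3}' -f $row.Process,
                $row.ProcessId, $row.RemoteAddress, $row.RemotePort)
        }
    }
    Start-Sleep -Seconds $intervalSec
}
```

Polling only sees connections that are established at the moment of each poll, so short-lived connections can be missed. Run it from an elevated prompt so that process paths resolve for processes owned by other accounts.
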
itman, posted November 1, 2019:

> 2 hours ago, TONY7 said:
> Any idea how to see and control the network usage on my PC by different programs?

As far as my Win 10 keyboard settings from the screen shot you posted, I have them all set to "off."

TONY7, posted November 2, 2019:

Finally disabled my prt sc button using this software: https://keytweak.informer.com/. Now nothing in the clipboard. But I found some image collections in the screenshot folder. As soon as I open the folder, they disappear!