What is this virus?

[TONY7 0]

This is my first time on Eset forum. I saw something copy my desktop screenshot at a regular interval of time. 

(see attachment) I scanned whole computer with eset. But it shows all clear.

Can you guys help me to figure it out.

There is no "prt sc " faults

[Marcos 3,660]

There's nothing unusual in your screen shot, just two notifications, one from One Drive and the other from ESET.  Just make your choice, choose No, thanks, Postpone, close the notification via X, etc.

[TONY7 0]

This screenshot is not taken. when ever i open paint tool and press c+v, some screenshot pictures appear.

Something captures my screenshots and copy to clipboard. eset is not detecting why is this happens.

[peteyt 180]

4 hours ago, TONY7 said:

This screenshot is not taken. when ever i open paint tool and press c+v, some screenshot pictures appear.

Something captures my screenshots and copy to clipboard. eset is not detecting why is this happens.

Possibly one drive is set up to capture screenshots

[Marcos 3,660]

You could try this application which monitors clipboard, however, I'm not sure if it will shed more light: http://clipdiary.com

[TONY7 0]

Hi Marcos,

I'm a Windows user.I use Win+v for the clipboard history. Once i changed my OS to Ubuntu. Then also the screen blink with a capture sound and files were saved to picture folder.

Someone capture screenshot for collecting credential data. Like this:https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

I think you guys on cyber security can resolve this.

 

[peteyt 180]

2 hours ago, TONY7 said:

Hi Marcos,

I'm a Windows user.I use Win+v for the clipboard history. Once i changed my OS to Ubuntu. Then also the screen blink with a capture sound and files were saved to picture folder.

Someone capture screenshot for collecting credential data. Like this:https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

I think you guys on cyber security can resolve this.

 

Have you tried with one drive closed e.g. not running in taskbar?

[itman 960]

1 hour ago, peteyt said:

Someone capture screenshot for collecting credential data. Like this:https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

This requires that a backdoor has been previously installed on the device:

Quote

How to Protect Yourself Against Screenshot Attacks

Unfortunately, there's no way to prevent Metasploit's ability to take screenshots and no way for victims of this attack to detect a screenshot has been taken of their Windows 10 desktop. Antivirus scanners should be kept up-to-date and run on a regular schedule. This may help detect and remove common backdoors and viruses. Otherwise, the best preventive measure you could perform is securing up your PC so a hacker can't install a backdoor on it.

Backdoor's are notorious difficult to detect since in essence all they are is a reverse shell. The only foolproof detection method is positive signature detection of the backdoor code. Also, Eset does detect Metasploit code.

Edited October 31, 2019 by itman

[Aryeh Goretsky 317]

Hello,

Microsoft recently introduced a change into Windows to introduce a marketing message into Windows 10 to promote the use of Microsoft's OneDrive cloud file-sharing service, which has both free and paid tiers of usage. 

More information on this behavior can be found on Microsoft's web site at:

• https://support.office.com/en-us/article/save-screenshots-to-onedrive-automatically-d04df71c-1cb0-4ad6-9f9c-b08494d79d6a

For now, clicking on the small, faint "No, thanks" towards the bottom of the Microsoft OneDrive advertisement should disable this functionality.  There is probably a way to programmatically disable this advertisement via registry editing, PowerShell or Group Policy templates, but I have not investigated this thoroughly.

Regards,

Aryeh Goretsky

 

 

[TONY7 0]

Hi Itman,

Thanks for that info. How to do positive signature detection of the backdoor code ?

[peteyt 180]

3 hours ago, TONY7 said:

Hi Itman,

Thanks for that info. How to do positive signature detection of the backdoor code ?

Have you closed onedrive completely down as it just seems an odd coincidence it is talking about screenshots and you are having screenshots captured. It could be a backdoor but could it be onedrive is simply capturing them for you. Disabling it might rule it out

[TONY7 0]

My one drive is not automatically saving screen shot from clipboard. There is no files in the screenshot folder of one drive.

Just enabled a setting to open sniper tool by pressing the prt sc button.(See attachment). At first they can't capture the screenshot, because it just open the sniper tool. But later that button enable them to copy the screenshot again to clipboard!  

Any idea to see and control the network usage in my pc by different programms?

[itman 960]

6 hours ago, TONY7 said:

How to do positive signature detection of the backdoor code ?

You have to rely on the AV solution you are using to provide the signature.

Another way of detecting a backdoor is to monitor and log outbound network traffic. You want to pay attention to any outbound connections from an untrusted not normally used process. The problem here is the reverse shell can be run from one of the script processes; PowerShell, wscript, vbs, etc.. It is not normal to see any outbound network traffic from any of these.

[itman 960]

2 hours ago, TONY7 said:

Any idea to see and control the network usage in my pc by different programms?

As far as my Win 10 keyboard settings from the screen shot you posted, I have them all set to "off."

[TONY7 0]

Finally disable my prt sc button using this software : https://keytweak.informer.com/ .

Now nothing in clipboard. But find some image collections  in screenshot folder. As far as i open the folder,they get disappear!