TONY7

What is this virus?


This is my first time on the ESET forum. I saw something copy my desktop screenshot at a regular interval of time.

(See attachment.) I scanned the whole computer with ESET, but it shows all clear.

Can you guys help me figure it out?

There are no "prt sc" faults.

img.png


There's nothing unusual in your screenshot, just two notifications, one from OneDrive and the other from ESET. Just make your choice: choose No, thanks, Postpone, close the notification via X, etc.


This screenshot is not taken. Whenever I open the Paint tool and press c+v, some screenshot pictures appear.

Something captures my screenshots and copies them to the clipboard. ESET is not detecting why this happens.

4 hours ago, TONY7 said:

This screenshot is not taken. Whenever I open the Paint tool and press c+v, some screenshot pictures appear.

Something captures my screenshots and copies them to the clipboard. ESET is not detecting why this happens.

Possibly OneDrive is set up to capture screenshots.


Hi Marcos,

I'm a Windows user. I use Win+V for the clipboard history. Once I changed my OS to Ubuntu. Then also the screen blinked with a capture sound and files were saved to the picture folder.

Someone captures screenshots for collecting credential data. Like this: https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

I think you guys on cyber security can resolve this.

 

2 hours ago, TONY7 said:

Hi Marcos,

I'm a Windows user. I use Win+V for the clipboard history. Once I changed my OS to Ubuntu. Then also the screen blinked with a capture sound and files were saved to the picture folder.

Someone captures screenshots for collecting credential data. Like this: https://null-byte.wonderhowto.com/how-to/hacking-windows-10-capture-exfiltrate-screenshots-remotely-0183646/

I think you guys on cyber security can resolve this.

 

Have you tried with OneDrive closed, e.g. not running in the taskbar?

1 hour ago, peteyt said:

This requires that a backdoor has been previously installed on the device:

Quote

How to Protect Yourself Against Screenshot Attacks

Unfortunately, there's no way to prevent Metasploit's ability to take screenshots and no way for victims of this attack to detect a screenshot has been taken of their Windows 10 desktop. Antivirus scanners should be kept up-to-date and run on a regular schedule. This may help detect and remove common backdoors and viruses. Otherwise, the best preventive measure you could perform is securing up your PC so a hacker can't install a backdoor on it.

Backdoors are notoriously difficult to detect since in essence all they are is a reverse shell. The only foolproof detection method is positive signature detection of the backdoor code. Also, ESET does detect Metasploit code.

Edited by itman


Hello,

Microsoft recently introduced a change into Windows to introduce a marketing message into Windows 10 to promote the use of Microsoft's OneDrive cloud file-sharing service, which has both free and paid tiers of usage. 

More information on this behavior can be found on Microsoft's web site at:

For now, clicking on the small, faint "No, thanks" towards the bottom of the Microsoft OneDrive advertisement should disable this functionality.  There is probably a way to programmatically disable this advertisement via registry editing, PowerShell or Group Policy templates, but I have not investigated this thoroughly.

Regards,

Aryeh Goretsky

 

 


Hi Itman,

Thanks for that info. How to do positive signature detection of the backdoor code?

3 hours ago, TONY7 said:

Hi Itman,

Thanks for that info. How to do positive signature detection of the backdoor code?

Have you closed OneDrive down completely, as it just seems an odd coincidence it is talking about screenshots and you are having screenshots captured? It could be a backdoor, but could it be OneDrive is simply capturing them for you? Disabling it might rule it out.


My OneDrive is not automatically saving screenshots from the clipboard. There are no files in the screenshot folder of OneDrive.

Just enabled a setting to open the snipping tool by pressing the prt sc button (see attachment). At first they can't capture the screenshot, because it just opens the snipping tool. But later that button enables them to copy the screenshot again to the clipboard!

Any idea how to see and control the network usage on my PC by different programs?

image.png

6 hours ago, TONY7 said:

How to do positive signature detection of the backdoor code?

You have to rely on the AV solution you are using to provide the signature.

Another way of detecting a backdoor is to monitor and log outbound network traffic. You want to pay attention to any outbound connections from an untrusted, not normally used process. The problem here is the reverse shell can be run from one of the script processes: PowerShell, wscript, vbs, etc. It is not normal to see any outbound network traffic from any of these.

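One way to run the outbound-connection check described in the post above on Windows 10, as an added example that is not part of the original thread or of ESET's tooling. The function name `Get-OutboundConnection` and the list of script-host process names are assumptions chosen for illustration; adjust the list to what is normal on the machine.

```powershell
# Added example: list established outbound TCP connections with their owning
# process and flag those owned by script hosts. Run from an elevated prompt so
# that executable paths and command lines are readable for every process.

# Assumption: script hosts that rarely need network access on a home PC.
$ScriptHosts = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'cmd'

function Get-OutboundConnection {
    # Index running processes by PID once; CIM also exposes the command line
    # and the parent PID, which Get-Process does not.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |  # skip loopback
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $name = if ($p) { [IO.Path]::GetFileNameWithoutExtension($p.Name) } else { '<exited>' }
            [pscustomobject]@{
                Flag        = if ($name -in $ScriptHosts) { 'REVIEW' } else { '' }
                Process     = $name
                Id          = $_.OwningProcess
                ParentId    = if ($p) { $p.ParentProcessId } else { $null }
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                Path        = if ($p) { $p.ExecutablePath } else { $null }
                CommandLine = if ($p) { $p.CommandLine } else { $null }
            }
        }
}

# Show flagged rows first, then the rest ordered by process name.
Get-OutboundConnection |
    Sort-Object -Property @{ Expression = 'Flag'; Descending = $true }, Process |
    Format-Table -AutoSize -Wrap Flag, Process, Id, ParentId, Remote, Path

# To keep a log for later comparison, append snapshots to a CSV
# (the file path below is a placeholder):
# Get-OutboundConnection | Export-Csv -Path "$env:TEMP\outbound.csv" -NoTypeInformation -Append
```

A `REVIEW` row is a prompt to look at that process's command line and parent, not a verdict. A single snapshot also misses short-lived connections, which is why the post speaks of logging over time.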
2 hours ago, TONY7 said:

Any idea how to see and control the network usage on my PC by different programs?

As far as my Win 10 keyboard settings from the screen shot you posted, I have them all set to "off."


Finally disabled my prt sc button using this software: https://keytweak.informer.com/

Now there is nothing in the clipboard. But I find some image collections in the screenshot folder. As soon as I open the folder, they disappear!
