Possible screen capture going on


  • This topic is locked
8 replies to this topic

#1 ubuntublues

ubuntublues

  • Members
  • 5 posts

Posted 23 August 2013 - 01:40 PM

When pasting into a gmail "compose" a screenshot that I didn't take pasted, as if I took the screen shot and pasted it myself. I was trying to paste text I had just copied. It occurred over and over for some time before returning to normal paste. Most alarming is that the screenshot was of when KeePass was open and it was included in the screenshot although no passwords were visible. The two DDS files are attached.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660  BrowserJavaVersion: 10.25.2
Run by John at 11:13:23 on 2013-08-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.9207.6713 [GMT -7:00]
.
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antivirus Free Edition *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\OpenDNS\DNSCrypt\OpenDNSCryptService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\LxrSII1s.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\OpenDNS\DNSCrypt\dnscrypt-proxy.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\AntiLogger\AntiLogger.exe
C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\OpenDNS\DNSCrypt\OpenDNSInterface.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Sam\Downloads\TCPView\Tcpview.exe
C:\Windows\system32\notepad.exe
C:\Users\Sam\Desktop\KeePass-2.22\KeePass.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: AutorunsDisabled - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a logon
mRun: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
mRun: [ZALFree] "C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" /MINIMIZED
mRun: [kbdsprt] <no file>
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENDN~1.LNK - C:\Windows\Installer\{DEF3592F-0751-4632-9875-8BF9AD602898}\_7245386387960A1D7D5229.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.apple.com/qtactivex/qtplugin.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://navigatela.lacity.org/download/mgaxctrl.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{97E3896E-F385-4A5B-A904-8D491FF3428A} : NameServer = 127.0.0.1
TCP: Interfaces\{97E3896E-F385-4A5B-A904-8D491FF3428A} : DHCPNameServer = 192.168.2.1
AppInit_DLLs= C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;C:\Windows\System32\drivers\avc3.sys [2013-8-9 718840]
R1 AntiLog32;AntiLog32;C:\Windows\System32\drivers\AntiLog64.sys [2013-7-23 49240]
R1 bdfwfpf;bdfwfpf;C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [2013-8-9 121928]
R1 gzflt;gzflt;C:\Windows\System32\drivers\gzflt.sys [2013-8-9 148696]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\System32\drivers\nm3.sys [2010-6-9 46392]
R2 DNSCrypt;OpenDNSCrypt;C:\Program Files (x86)\OpenDNS\DNSCrypt\OpenDNSCryptService.exe [2012-8-31 14336]
R2 gzserv;Bitdefender Antivirus Free Edition;C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [2013-8-9 64224]
R2 L4301_Solar;Logitech Solar Keyboard Service;C:\Program Files\Logitech\SolarApp\L4301_Solar.exe [2013-1-30 405744]
R2 LxrSII1d;Secure II Driver;C:\Windows\System32\drivers\LxrSII1d.sys [2012-7-10 63064]
R3 keycrypt;keycrypt;C:\Windows\System32\drivers\KeyCrypt64.sys [2013-7-25 25568]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2013-5-22 77592]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2013-5-22 13080]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 avckf;avckf;C:\Windows\System32\drivers\avckf.sys [2013-8-9 593144]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-7-17 102368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-4 19456]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-7-17 203104]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-4 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-1 1255736]
S4 DirMngr;DirMngr;C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [2011-3-2 224256]
S4 MTKSCVAD;Ralink Virtual Audio device;C:\Windows\System32\drivers\mtkvadx.sys [2013-4-5 44544]
S4 NTI BackupNowEZSvr;NTI BackupNowEZSvr;C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [2013-2-5 46072]
S4 RalinkRegistryWriter;RalinkRegistryWriter;C:\Program Files (x86)\Ralink\Common\RaRegistry.exe [2013-4-5 372736]
S4 RalinkRegistryWriter64;RalinkRegistryWriter64;C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe [2013-4-5 447488]
S4 RaMediaServer;Ralink UPnP Media Server;C:\Program Files (x86)\Ralink\Common\RaMediaServer.exe [2013-4-5 1863680]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
S4 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-9-7 117080]
.
=============== Created Last 30 ================
.
2013-08-23 14:41:12    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-08-23 14:41:12    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-20 01:34:40    53248    ----a-r-    C:\Users\John\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-08-17 16:49:43    --------    d-----w-    C:\Program Files (x86)\Spyrix Free Keylogger
2013-08-15 01:00:35    --------    d-----w-    C:\Program Files (x86)\OpenDNS
2013-08-14 05:36:33    --------    d-----w-    C:\Symbols
2013-08-14 05:34:11    --------    d-----w-    C:\Debug
2013-08-14 00:02:59    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-13 19:39:20    224256    ----a-w-    C:\Windows\System32\wintrust.dll
2013-08-13 19:38:59    1910208    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-08-09 11:32:25    261056    ----a-w-    C:\Windows\System32\drivers\avchv.sys
2013-08-09 11:30:27    180314    ----a-w-    C:\ProgramData\1376047725.bdinstall.bin
2013-08-09 11:29:55    718840    ----a-w-    C:\Windows\System32\drivers\avc3.sys
2013-08-09 11:29:55    593144    ----a-w-    C:\Windows\System32\drivers\avckf.sys
2013-08-09 11:29:05    --------    d-----w-    C:\Users\John\AppData\Roaming\QuickScan
2013-08-09 11:29:02    --------    d-----w-    C:\Program Files\Bitdefender
2013-08-09 11:28:58    148696    ----a-w-    C:\Windows\System32\drivers\gzflt.sys
2013-08-09 11:28:57    382536    ----a-w-    C:\Windows\System32\drivers\trufos.sys
2013-08-09 11:26:26    189    ----a-w-    C:\ProgramData\1376047573.1404.bin
2013-08-09 11:26:15    2049    ----a-w-    C:\ProgramData\1376047573.1532.bin
2013-08-09 11:26:13    27962    ----a-w-    C:\ProgramData\1376047573.2448.bin
2013-08-09 11:24:27    29195    ----a-w-    C:\ProgramData\1376047326.bdinstall.bin
2013-07-27 01:28:18    --------    d-----w-    C:\Users\John\AppData\Local\Lexar Media
2013-07-25 23:31:22    --------    dc-h--w-    C:\ProgramData\{33CC04A6-7C06-4D73-B22D-D63FE2603F84}
2013-07-25 23:18:50    25568    ----a-w-    C:\Windows\System32\drivers\KeyCrypt64.sys
2013-07-25 23:18:50    --------    d-----w-    C:\Program Files (x86)\KeyCryptSDK
2013-07-25 23:18:49    --------    d-----w-    C:\Program Files (x86)\Zemana AntiLogger Free
2013-07-25 23:18:47    --------    d-----w-    C:\Users\John\AppData\Local\AntiLogger Free
.
==================== Find3M  ====================
.
2013-08-20 01:34:00    18960    ----a-w-    C:\Windows\System32\drivers\LNonPnP.sys
2013-07-26 05:13:37    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-07-26 05:12:08    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-07-26 01:59:38    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 23:31:23    49240    ----a-w-    C:\Windows\System32\drivers\AntiLog64.sys
2013-07-25 09:25:54    1888768    ----a-w-    C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27    1620992    ----a-w-    C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42    2048    ----a-w-    C:\Windows\System32\tzres.dll
2013-07-19 01:41:01    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-07-12 07:26:15    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-12 07:26:15    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-10 06:42:34    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-10 06:42:32    867240    ----a-w-    C:\Windows\SysWow64\npDeployJava1.dll
2013-07-10 06:42:32    789416    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2013-07-09 06:03:30    5550528    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-07-09 05:54:22    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-07-09 05:53:12    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-07-09 05:51:16    1217024    ----a-w-    C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20    1472512    ----a-w-    C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20    139776    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-07-09 05:03:34    3968960    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34    3913664    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-07-09 04:52:33    663552    ----a-w-    C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:33    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-07-09 04:52:10    175104    ----a-w-    C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31    1166848    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-07-09 04:45:07    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-07-09 02:49:42    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-07-09 02:49:41    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-07-09 02:49:39    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-06-15 04:32:16    39936    ----a-w-    C:\Windows\System32\drivers\tssecsrv.sys
2013-06-12 05:54:21    9089416    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-06-05 03:34:27    3153920    ----a-w-    C:\Windows\System32\win32k.sys
2013-06-04 06:00:13    624128    ----a-w-    C:\Windows\System32\qedit.dll
2013-06-04 04:53:07    509440    ----a-w-    C:\Windows\SysWow64\qedit.dll
2013-03-04 03:38:53    14823424    ----a-w-    C:\Program Files (x86)\Common Files\lpuninstall.exe
.
============= FINISH: 11:13:54.19 ===============
 

 

                        

 

 


#2 ubuntublues


Posted 23 August 2013 - 01:43 PM

One more thing I should have mentioned. Today I tested it some more and the same screen shot appeared in the paste, again a screen shot of the desktop including the open KeePass window. That was after pasting worked normally for some time, and then normal pasting returned without that screenshot.



#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,212 posts
  • Gender:Female
  • Location:Romania

Posted 28 August 2013 - 03:47 AM

Hello, my name is Elise and I'll assist you with this issue.

I see no evidence of anything suspicious in your logs. Can you tell me exactly what you had open and what actions you took to copy/paste (did you use the mouse, keyboard combination, and so on)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 ubuntublues


Posted 29 August 2013 - 11:05 PM

Hi, Elise and thanks for taking the time to review this.

 

It's difficult to remember exactly, but I highlighted some text with the mouse, did a Ctrl C and went to paste it into a gmail email with Ctrl V. Instead of the text, it pasted the screen capture that I didn't take. It was a bit alarming. Spyrix Free Keylogger was installed and it does take screen shots, but it was not set to run on startup and it happened again the next day with the same screenshot (figure that!) after uninstalling Spyrix just in case. It hasn't happened since. I've done many tests with pastes into a gmail composition. Come to think of it, those tests were right click/pastes. Mmmm.

 

Since it isn't happening now and you don't see any problems, maybe it would be best to wait and see but it is an interesting mystery. Lucky I got screen shots of it because I might be doubting my sanity about now.

 

Thanks again.



#5 Elise


Posted 30 August 2013 - 02:16 AM

This is likely a setting, if you google the problem you'll see you're not the only one. The good thing is that this is not malicious. :)

 

Maybe this can help you: http://howto.cnet.com/8301-11310_39-57446272-285/change-ms-words-default-paste-setting-to-plain-text/


regards, Elise


#6 ubuntublues


Posted 30 August 2013 - 12:00 PM

Elise, I wasn't using Word though it may have an influence, but why a screen shot and why right then? I was just looking at the screen shots I took at the time. I was trying to gmail CamScanner (Android) support and was trying to paste a line of text into the email that I copied from the web. IOW, no Word involved. Another interesting point is that Zemana AntiLogger paid fails its own screen logging test. I have other conversations going on about that but just realized that maybe the two issues are connected.

I could send you the screen shots by email if you want. I pasted the screenshots into a gmail Compose and saved it as a Draft. I don't want to do an upload because the screen shot includes user names inside of KeePass, which was open when the screen shot was taken. Guess I could blur them out.

If it is malware it is undetected by everything I ran against it: Malwarebytes, Spybot, Microsoft Security Essentials and last but not least 360 Internet Security, which I just installed and just noticed it is giving me a "Computer Protection is Off" but when I click the "Switch On" button nothing happens. Probably unrelated.

 

Thanks, again. 



#7 Elise


Posted 30 August 2013 - 12:16 PM

There is no malware on your machine. Something set your Ctrl + C keyboard combination to take a screenshot instead of copy. The problem is, finding what it does. You could try to disable a bunch of programs (for example by doing a clean boot) and re-enabling one process at a time. This is a time-consuming task though.


regards, Elise


#8 ubuntublues


Posted 30 August 2013 - 02:41 PM

Elise, since it's not doing it now it wouldn't accomplish much by disabling stuff, would it? I suspect something was doing a screen capture and I just happened to paste when it was in the clipboard. Or maybe the website I copied from took a screen shot? Of course there is no way of knowing for sure and it only happened in that 12-hour period and not since. But since you say there is nothing there, along with all the various antivirus scans, and I use KeePass for important passwords, a screen capture cannot get them anyway. So I'll trust the security of the machine unless something more concrete happens. If it happens again I'll do a DDS at the time.

 

Thanks again for your time. I really do appreciate it. And thanks to bleepingcomputer.com.



#9 Elise


Posted 30 August 2013 - 02:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise




