Hi there,

I suspect I have a trojan on my W7Ux64 system that has access to my clipboard. I have a few PCAPNG files that I made with Wireshark that might show said clipboard upload activity. I am quite new to Wireshark and am not sure what to look for. Can anyone point me in the right direction to what to look for in Wireshark?

Should I only look at HTTP packets?

Also bonus question: Is there anything in Windows Event Viewer that would tell me anything about clipboard activity?

asked 14 Aug '16, 06:40

Datura007

If it is a Trojan, you should be watching all ports as there is no telling which port(s) it might use, so don't limit search to just HTTP packets.

As for what to look for in Wireshark, Trojans usually connect to somewhere on the internet to pass information collected from your PC. That said, look for any sessions from your PC to a Global IP address.

To reduce the number of Global IP addresses to check, stop all other programs that normally access the internet to limit the number of Global IPs you'll have to look through.

Find each IP you're going to and check it against a RBL (Real-time Black List) as well as perform reverse DNS lookups to see what your PC is talking to. Some will be kosher, others will be either unknown or flagged as malicious.

As for Windows Events... Hmmmm... I hardly doubt it, but PerfMon should be able to monitor when the Clipboard service is activated.

FWIW

(14 Aug '16, 06:50) wbenton