This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Suspected trojan with access to clipboard.

Hi there,

I suspect I have a trojan on my W7Ux64 system that has access to my clipboard. I have a few PCAPNG files that I made with Wireshark that might show said clipboard upload activity. I am quite new to Wireshark and am not sure what to look for. Can anyone point me in the right direction to what to look for in Wireshark?

Should I only look at HTTP packets?

Also bonus question: Is there anything in Windows Event Viewer that would tell me anything about clipboard activity?

asked 14 Aug '16, 06:40

Datura007

If it is a Trojan, you should be watching all ports as there is no telling which port(s) it might use, so don't limit search to just HTTP packets.

As for what to look for in Wireshark, Trojans usually connect to somewhere on the internet to pass information collected from your PC. That said, look for any sessions from your PC to a Global IP address.

To reduce the number of Global IP addresses to check, stop all other programs that normally access the internet to limit the number of Global IPs you'll have to look through.

Find each IP you're going to and check it against an RBL (Real-time Black List) as well as perform reverse DNS lookups to see what your PC is talking to. Some will be kosher, others will be either unknown or flagged as malicious.

As for Windows Events... Hmmmm... I hardly doubt it, but PerfMon should be able to monitor when the Clipboard service is activated.

FWIW

(14 Aug '16, 06:50) wbenton
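
The triage described in the comment above (list every session from the PC to a global IP address, on any port, before running RBL and reverse DNS checks) can be scripted. This is an added example, not part of the original thread. It assumes the capture was exported with `tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len`; the file name, the local address 192.168.1.10 and the sample rows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the tshark field export named above
# (tab-separated; tcp.dstport is empty for non-TCP packets).
SAMPLE = """\
192.168.1.10\t8.8.8.8\t\t74
192.168.1.10\t1.1.1.1\t443\t583
192.168.1.10\t1.1.1.1\t443\t1514
192.168.1.10\t192.168.1.1\t80\t310
192.168.1.10\t224.0.0.251\t\t120
1.1.1.1\t192.168.1.10\t51544\t1514
192.168.1.10\t9.9.9.9\t8443\t2200
"""

def is_public(ip_text):
    """True for globally routable unicast addresses (not LAN, not multicast)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # empty or multi-valued field
        return False
    return addr.is_global and not addr.is_multicast

def outbound_summary(lines, local_ip):
    """Per public destination: packets, bytes and TCP ports sent by local_ip."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        src, dst, port, length = fields
        if src != local_ip or not is_public(dst) or not length.isdigit():
            continue
        entry = stats[dst]
        entry["packets"] += 1
        entry["bytes"] += int(length)
        if port.isdigit():
            entry["ports"].add(int(port))
    # Largest upload first: these are the destinations to check first.
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for dst, s in outbound_summary(SAMPLE.splitlines(), "192.168.1.10"):
        print(dst, s["packets"], s["bytes"], sorted(s["ports"]))
```

Each address in the output is then a candidate for the RBL and reverse DNS checks; LAN and multicast traffic is already filtered out.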