Manually identify/remove: Mystery web attack hijacks your clipboard
August 18, 2008 by bluecollarpc
http://bluecollarpc.wordpress.com/20...our-clipboard/

My first attempt at this:

Posted: Mon Aug 18, 2008 2:36 am Post subject: Removals….
http://www.thornsoft.com/phpBB2/view...?p=12642#12642

bluecollarpc wrote:
Hi… I have posted from this news article:
Mystery web attack hijacks your clipboard
http://www.theregister.co.uk/2008/08...ard_hijacking/
…at my forum here:
http://bluecollarpc.net/smf/index.php/topic,740.0.html
…I am researching and came across a possible way to backtrack this
to its origin, perhaps in a rudimentary way that is not too hard. It is
strange and is attracting the security news rooms. Hope this helps at
least as a starting place for a manual removal of the malware. Most
likely, quality antivirus and antispyware will have it nailed within
weeks, tops.

Working from the idea of a browser hijacker always setting its own
homepage, this is like tracking back to the source of the “ownership”…

Apparently this may be an “in the wild threat” assuming these persons
use quality antivirus and also have scanned with quality antispyware.

Let’s try a manual clearing of the Clipboard…

EmptyClipboard Function
http://msdn.microsoft.com/en-us/libr...37(VS.85).aspx
The EmptyClipboard function empties the clipboard and frees handles to
data in the clipboard. The function then assigns ownership of the
clipboard to the window that currently has the clipboard open.

Syntax
BOOL EmptyClipboard(VOID);

Parameters
This function has no parameters.

Return Value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error
information, call GetLastError.

Remarks
Before calling EmptyClipboard, an application must open the clipboard
by using the OpenClipboard function. If the application specifies a
NULL window handle when opening the clipboard, EmptyClipboard succeeds
but sets the clipboard owner to NULL. Note that this causes
SetClipboardData to fail.

For an example, see Copying Information to the Clipboard.

Function Information
Minimum DLL version: user32.dll
Header: declared in Winuser.h; include Windows.h
Import library: User32.lib
Minimum operating systems: Windows 95, Windows NT 3.1

See Also
Clipboard, OpenClipboard, SetClipboardData, WM_DESTROYCLIPBOARD
————NEXT:

A clue here to backtrack to whatever is repeatedly entering the
information into the clipboard may be the “Clipboard Ownership”…

Clipboard Ownership
http://msdn.microsoft.com/en-us/libr...oard_Ownership

The clipboard owner is the window associated with the information on
the clipboard. A window becomes the clipboard owner when it places
data on the clipboard — specifically, when it calls the EmptyClipboard
function. The window remains the clipboard owner until it is closed or
another window empties the clipboard.

When the clipboard is emptied, the clipboard owner receives a
WM_DESTROYCLIPBOARD message. Following are some reasons why a window
might process this message:

The window delayed rendering of one or more clipboard formats. In
response to the WM_DESTROYCLIPBOARD message, the window might free
resources it had allocated in order to render data on request. For
more information about the rendering of data, see Delayed Rendering.

The window placed data on the clipboard in a private clipboard format.
The data for private clipboard formats is not freed by the system when
the clipboard is emptied. Therefore, the clipboard owner should free
the data upon receiving the WM_DESTROYCLIPBOARD message. For more
information about private clipboard formats, see Clipboard Formats….
http://msdn.microsoft.com/en-us/libr...13(VS.85).aspx

The window placed data on the clipboard using the CF_OWNERDISPLAY
clipboard format. In response to the WM_DESTROYCLIPBOARD message, the
window might free resources it had used to display information in the
clipboard viewer window. For more information about this alternative
format, see Owner Display Format.
————-NEXT:

So you may try to discover the ownership by….

Clipboard Sequence Number
The clipboard for each window station has an associated clipboard
sequence number. This number is incremented whenever the contents of
the clipboard change. To obtain the clipboard sequence number, call
the GetClipboardSequenceNumber function….
http://msdn.microsoft.com/en-us/libr...42(VS.85).aspx
—————–

It would help if people would try a HijackThis log and post it; it may
reveal a start-up process involved. Grab that info at my alternate
www.BlueCollarPC.Org site here:
Submit HijackThis Logs (Information)
http://www.bluecollarpc.org/_mgxroot/page_10736.html

I am webmaster of both www.BlueCollarpC.Net and www.BlueCollarPC.Org

You can email me here: bluecollarpc at yahoo.com (my Yahoo ID).
You’ll find my groups/lists linked at my sites. Hope this may help;
this is the strangest occurrence in the security world I have seen since
the year 2001 on my first PC. Very strange, and it obviously has some dark
possibilities of greater attacks. Let’s hope the whole heads-up gets the
security software industry’s help and removal signatures, even if it needs
a new category, “Clipboard Hijacker”. What a first… What next? Yuck!

gerald philly pa usa
(Administrators may contact my registration private address for sure)

If anyone comes up with anything they can paste as the actual
installation, do indeed submit that to CounterSpy, Webroot Spy Sweeper,
Trend Micro and others. As well, submit it here at this product site,
which has probably the largest definitions database in the world at over
1 million definitions currently. Industry leader Webroot is above 300,000
as a comparison… SCAN WITH THIS (most aggressive roto-rooter!):

a-squared trojan remover (Free Working Version for life and Proactive
Premium Version)
http://www.emsisoft.com/en/software/free/
a-squared is a complementary product to antivirus software
and desktop firewalls on MS Windows computers. Antivirus software
specializes in detecting classic viruses. Many available products have
weaknesses in detecting other malicious software (Malware) like
Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
that malware writers exploit. Automatic updates: In a-squared Free the
updater must be run manually. The auto-update feature of a-squared
Personal checks hourly for new available updates and installs them
automatically. a-squared Free is freeware! You can download and use it
completely for free.

…If indeed it is detected by the free Microsoft Malicious Software
Removal Tool, delivered monthly through normal Windows Updates on ‘Patch
Tuesday’ (the second Tuesday of each month), surely the removal definitions
will be added to Windows Defender (antispyware) or OneCare and should
be worth the scan…

Microsoft AntiSpyware is now Windows Defender
[working-freeware from Microsoft]
http://www.microsoft.com/athome/secu...e/default.mspx
Windows Defender is a free program that helps protect your computer
against pop-ups, slow performance, and security threats caused by
spyware and other unwanted software. It features Real-Time Protection,
a monitoring system that recommends actions against spyware when it’s
detected, and a new streamlined interface that minimizes interruptions
and helps you stay productive.

gerald philly pa usa
_________________
Webmaster www.BlueCollarPC.Net
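As an added example (not part of the original post or of Microsoft’s documentation), this PowerShell script follows the approach described above on a current Windows machine: it asks for the clipboard owner window with GetClipboardOwner, maps it to a process with GetWindowThreadProcessId, and polls GetClipboardSequenceNumber so every clipboard change is logged together with the process that owns it. The function names, the 120-second run time and the 250 ms poll interval are my own choices; for a plug-in running inside a browser, the owner reported will be the browser process hosting it, which is the lead to follow in a process or start-up listing.

```powershell
# Added example, not from the original post: find the window that owns the
# clipboard (the one that last called EmptyClipboard), map it to a process,
# and log every clipboard change using the clipboard sequence number.
# Assumes Windows with PowerShell 5+ (for Get-Clipboard); the user32 exports
# below are the documented Win32 functions referenced in the post.
Add-Type -Namespace Win32 -Name Clip -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetClipboardOwner();
[DllImport("user32.dll")] public static extern uint GetClipboardSequenceNumber();
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

function Get-ClipboardOwnerProcess {
    # Returns Id/ProcessName/Path/StartTime of the clipboard owner, or $null.
    $hwnd = [Win32.Clip]::GetClipboardOwner()
    if ($hwnd -eq [IntPtr]::Zero) { return $null }
    $ownerPid = [uint32]0
    [void][Win32.Clip]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    Get-Process -Id $ownerPid -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime
}

function Watch-ClipboardOwner {
    param([int]$Seconds = 120, [int]$PollMs = 250)
    # Each increment of the sequence number means something wrote the clipboard.
    $last = [Win32.Clip]::GetClipboardSequenceNumber()
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds $PollMs
        $now = [Win32.Clip]::GetClipboardSequenceNumber()
        if ($now -eq $last) { continue }
        $last = $now
        $owner = Get-ClipboardOwnerProcess
        $text = ''
        try { $text = (Get-Clipboard -Format Text -ErrorAction Stop) -join ' ' } catch { }
        [pscustomobject]@{
            Time     = Get-Date -Format 'HH:mm:ss'
            Seq      = $now
            OwnerPid = $owner.Id
            Owner    = $owner.ProcessName
            Path     = $owner.Path
            Preview  = $text.Substring(0, [Math]::Min(60, $text.Length))
        }
    }
}

# An owner that is not an application you are copying from, or a preview
# that keeps reverting to the same URL while you are not copying anything,
# is the lead to chase in the process list or a start-up (HijackThis) log.
Watch-ClipboardOwner -Seconds 120 | Format-Table -AutoSize
```

Run it in an interactive session and then copy something yourself to see your own application appear as the owner; entries that show up without any copy action of your own are the ones to investigate.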

Tags: Clip Board, clipboard
Posted in BCPCNet WebLog, SpyLerts