Remember Clipboard Hijacking – Archived Help

Remember Clipboard Hijacking – Archived Help ?

Here was/is some real help….. (cbgerry/bluecollarpc – me)


Mystery web attack hijacks your clipboard

…..I am researching and cam across the possible way to backtrack this to origin perhaps in a rudimentary way that is not too hard. It is strange and is attracting the security news rooms. Hope this helps in the least as a starting place of a manual removal of a malware. Most likely, quality antivirus and antispyware will have it nailed within weeks tops.

From the idea of like a browser hijacker always setting its own Homepage, this is like tracking to the source of the “ownership”….

Apparently this may be an “in the wild threat” assuming these persons use quality antivirus and also have scanned with quality antispyware.

Let’s try a manual clearing of the Clipboard…

EmptyClipboard Function

The EmptyClipboard function empties the clipboard and frees handles to data in the clipboard. The function then assigns ownership of the clipboard to the window that currently has the clipboard open.


BOOL EmptyClipboard( VOID


This function has no parameters.

Return Value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.


Before calling EmptyClipboard, an application must open the clipboard by using the OpenClipboard function. If the application specifies a NULL window handle when opening the clipboard, EmptyClipboard succeeds but sets the clipboard owner to NULL. Note that this causes SetClipboardData to fail.

For an example, see Copying Information to the Clipboard.

Function Information

Minimum DLL Version user32.dll

Header Declared in Winuser.h, include Windows.h

Import library User32.lib

Minimum operating systems Windows 95, Windows NT 3.1

See Also

Clipboard, OpenClipboard, SetClipboardData, WM_DESTROYCLIPBOARD


A clue here to back track to whatever is repeatedly entering the information to the clipboard may be here as the “Clipboard Ownership” …..

Clipboard Ownership

The clipboard owner is the window associated with the information on the clipboard. A window becomes the clipboard owner when it places data on the clipboard — specifically, when it calls the EmptyClipboard function. The window remains the clipboard owner until it is closed or another window empties the clipboard.

When the clipboard is emptied, the clipboard owner receives a WM_DESTROYCLIPBOARD message. Following are some reasons why a window might process this message:

The window delayed rendering of one or more clipboard formats. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had allocated in order to render data on request. For more information about the rendering of data, see Delayed Rendering.

The window placed data on the clipboard in a private clipboard format. The data for private clipboard formats is not freed by the system when the clipboard is emptied. Therefore, the clipboard owner should free the data upon receiving the WM_DESTROYCLIPBOARD message. For more information about private clipboard formats, see Clipboard Formats….

The window placed data on the clipboard using the CF_OWNERDISPLAY clipboard format. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had used to display information in the clipboard viewer window. For more information about this alternative format, see Owner Display Format.


So you may try to discover the ownership by….

Clipboard Sequence Number

The clipboard for each window station has an associated clipboard sequence number. This number is incremented whenever the contents of the clipboard change. To obtain the clipboard sequence number, call the GetClipboardSequenceNumber function….


It would help if persons may try a HiJackThis Log and post it, may reveal a start up process involved.

Hope this may help and this is the strangest occurrence in security world I have seen since year 2001 on my first PC. Very strange and has some dark possibilities of greater attacks obviously. Let’s hope the whole heads up gets the security software industry’s help and removal signatures if indeed even a new category “Clipboard Hijacker”. What a first… What next ? yuck !

gerald philly pa usa

(Administrators may contact my registration private address for sure)


“Hi BlueCollar,

The Clipboard owner shows as FireFox or IExplore, which isn’t much help. ClipMate (my product) tracks the clipboard owner already, using the method that you describe. From the clipboard point of view, it’s just regular data coming from the browser, as if the user had copied it.”


Understood…. it was a shot in the dark to sift data from it. At least there was data. I am thinking tracing it back to any executable file installed or registry entry – or here, for the “ownership”, to an actual installation of some rogue element malware program.

That was my hunch that it is coming through a browser as opposed to another application like Paint for instance. That seems a clue as indicating even it may be some browser plug in from a drive by malware installation. It may pay to check the browser plug in list …..

IE (Internet Explorer)…. open browser > Tools > Internet Options > Programs > Add Ons ….. which will show the list of all plug ins including toolbars.

In this scenario it is possible it is a BHO Browser Help Object on Internet Explorer which includes minimum an Active X entry in the registry – but that would not explain Firefox which does not allow this (Active X, Active X Object, Active X Helper Object, Active X Control, Active X Control Object).

I ran the one HiJackThis Log in the News article CLSID Root key through here (example {1234-567-89-10123} ) :

CastleCops – CLSID / BHO List / Toolbar Master List

(Identify Malware Toolbars) This is the Master BHO and Toolbar list copyrighted by Tony Klein and CastleCops.

The other mention that it is an Java exploit would then include it occurring in Firefox. Thanks for the reply. I am definately following this story. A very unique and strange situation that obviously needs remedy.

Best 2 U,

gerald philly pa usa


What is clipboard hijack attack? Definition from

A clipboard hijacking is an exploit in which the attacker gains control of the victim’s clipboard and replaces its contents with their own data, such as a link to a …

Clipboard Hijack Spreads Panic

Since the middle of July, users around the web started reporting a strange persistent link present in their clipboard. First, it was believed it was a new Windows …

Adobe Flash ads launching clipboard hijack attack | ZDNet

Aug 18, 2008 · Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which…

Adobe Fixes Clickjacking and Clipboard Hijacking Vulnerabilities

The clipboard hijacking attacks started to spread panic several months ago when user reports of having their clipboard poisoned with strange persistent links flowed …

Posted in BlueCollarPC WordPress Blog. Tags: , , , , , , , , , . Comments Off on Remember Clipboard Hijacking – Archived Help
%d bloggers like this: