Trojan:Win32/Claywhist.A removal instruction

The Trojan:Win32/Claywhist.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Trojan:Win32/Claywhist.A virus can do?

• Behavioural detection: Executable code extraction – unpacking
• SetUnhandledExceptionFilter detected (possible anti-debug)
• Attempts to connect to a dead IP:Port (1 unique times)
• Creates RWX memory
• Possible date expiration check, exits too soon after checking local time
• Anomalous file deletion behavior detected (10+)
• Dynamic (imported) function loading detected
• Performs HTTP requests potentially not found in PCAP.
• A named pipe was used for inter-process communication
• CAPE extracted potentially suspicious content
• Drops a binary and executes it
• Authenticode signature is invalid
• Behavioural detection: Injection (Process Hollowing)
• Executed a process and injected code into it, probably while unpacking
• Attempts to remove evidence of file being downloaded from the Internet
• Deletes its original binary from disk
• Behavioural detection: Injection (inter-process)
• Behavioural detection: Injection with CreateRemoteThread in a remote process
• Installs itself for autorun at Windows startup
• Creates a hidden or system file
• Likely virus infection of existing system binary
• Overwrites an accessibility feature binary for Windows login bypass, persistence or privilege escalation
• Attempts to interact with an Alternate Data Stream (ADS)

How to determine Trojan:Win32/Claywhist.A?

File Info:
name: 5BB3DE28AF09A9DD776D.mlw
path: /opt/CAPEv2/storage/binaries/0072447fe81e5c2156c358e0e0d2dd912291eb82a2317226f6361374f34bb639
crc32: 35945835
md5: 5bb3de28af09a9dd776d242428f0dc83
sha1: fccdad87717a50772714d714c92e8ee4662fcf07
sha256: 0072447fe81e5c2156c358e0e0d2dd912291eb82a2317226f6361374f34bb639
sha512: 551216d0a7f028f2e7beb918dd0ffccea3374ae670689d0f5b498b0144e54eef5679e37171eb568ee543bdef121b1dafe10526f091b9b092372d6a300012c151
ssdeep: 196608:KZ0Fpt1ccOnlcdM6nCIEAzIciPsOQZsR5/Okl0TVFi:KGFpTccOlceK4AzCkOQ6RRbiFi
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T114C62313822E1E27EA36E97F9DBD7916CE8D71A26B51B68F104C845E20B7050CED372D
sha3_384: 9a1576573bd8eef9d30b619ee72cdd8798c3740caa0dd8a26156958519798a284b8dfacb9a363e7cf033fad622cc85ba
ep_bytes: 68007f00006a00ff157c204100e87ee9
timestamp: 2012-07-11 18:05:49

Version Info:
LegalCopyright: ©Zenith Computers 2010-2011
CompanyName: Zenith Computers
FileDescription: SecureDiagnosesUltra
FileVersion: 2.1.0
ProductVersion: 2.1.0
InternalName: SecureDiagnosesUltra
OriginalFilename: securediagnosesultra.exe
ProductName: SecureDiagnosesUltra
Translation: 0x0809 0x04b0

Trojan:Win32/Claywhist.A also known as:

How to remove Trojan:Win32/Claywhist.A?

• Download and install GridinSoft Anti-Malware.
• Open GridinSoft Anti-Malware and perform a “Standard scan“.
• “Move to quarantine” all items.
• Open “Tools” tab – Press “Reset Browser Settings“.
• Select proper browser and options – Click “Reset”.
• Restart your computer.