Trojan:Win32/Claywhist.A removal instruction

The Trojan:Win32/Claywhist.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What Trojan:Win32/Claywhist.A virus can do?

• Behavioural detection: Executable code extraction – unpacking
• SetUnhandledExceptionFilter detected (possible anti-debug)
• Attempts to connect to a dead IP:Port (1 unique times)
• Creates RWX memory
• Possible date expiration check, exits too soon after checking local time
• Anomalous file deletion behavior detected (10+)
• Dynamic (imported) function loading detected
• Performs HTTP requests potentially not found in PCAP.
• A named pipe was used for inter-process communication
• CAPE extracted potentially suspicious content
• Drops a binary and executes it
• Authenticode signature is invalid
• Behavioural detection: Injection (Process Hollowing)
• Executed a process and injected code into it, probably while unpacking
• Attempts to remove evidence of file being downloaded from the Internet
• Deletes its original binary from disk
• Behavioural detection: Injection (inter-process)
• Behavioural detection: Injection with CreateRemoteThread in a remote process
• Installs itself for autorun at Windows startup
• Creates a hidden or system file
• Likely virus infection of existing system binary
• Overwrites an accessibility feature binary for Windows login bypass, persistence or privilege escalation
• Attempts to interact with an Alternate Data Stream (ADS)

How to determine Trojan:Win32/Claywhist.A?

File Info:
name: 5BB3DE28AF09A9DD776D.mlwpath: /opt/CAPEv2/storage/binaries/0072447fe81e5c2156c358e0e0d2dd912291eb82a2317226f6361374f34bb639crc32: 35945835md5: 5bb3de28af09a9dd776d242428f0dc83sha1: fccdad87717a50772714d714c92e8ee4662fcf07sha256: 0072447fe81e5c2156c358e0e0d2dd912291eb82a2317226f6361374f34bb639sha512: 551216d0a7f028f2e7beb918dd0ffccea3374ae670689d0f5b498b0144e54eef5679e37171eb568ee543bdef121b1dafe10526f091b9b092372d6a300012c151ssdeep: 196608:KZ0Fpt1ccOnlcdM6nCIEAzIciPsOQZsR5/Okl0TVFi:KGFpTccOlceK4AzCkOQ6RRbiFitype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T114C62313822E1E27EA36E97F9DBD7916CE8D71A26B51B68F104C845E20B7050CED372Dsha3_384: 9a1576573bd8eef9d30b619ee72cdd8798c3740caa0dd8a26156958519798a284b8dfacb9a363e7cf033fad622cc85baep_bytes: 68007f00006a00ff157c204100e87ee9timestamp: 2012-07-11 18:05:49
Version Info:
LegalCopyright: ©Zenith Computers 2010-2011CompanyName: Zenith ComputersFileDescription: SecureDiagnosesUltraFileVersion: 2.1.0ProductVersion: 2.1.0InternalName: SecureDiagnosesUltraOriginalFilename: securediagnosesultra.exeProductName: SecureDiagnosesUltraTranslation: 0x0809 0x04b0

Trojan:Win32/Claywhist.A also known as:

How to remove Trojan:Win32/Claywhist.A?

• Download and install GridinSoft Anti-Malware.
• Open GridinSoft Anti-Malware and perform a “Standard scan“.
• “Move to quarantine” all items.
• Open “Tools” tab – Press “Reset Browser Settings“.
• Select proper browser and options – Click “Reset”.
• Restart your computer.