«

I'm really at my wits end.

RAV online found win32/haher a trojan in my computer.

Following is the report:
C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
C:\System Volume
Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
e - Trojan:Win32/Haher -> Infected

RAV is unable to clean the infected files. Their tech support wrote back to
say I need to find some other way to remove it.

I've run every online scan and quite a few trial version AV programs but
none reported this infection.

Digital Patrol has haher in their database, but does not catch it in their
scan.

Why is RAV is the only prog to id this trojan? Is it because it "unpacks
executables"?
Are there other programs that would scan inside .exe, too?

The following page
http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
remove this virus. It requires manually going into sys config and MS-DOS,
but does not instruct on how.

What can I do?

anikya

In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
says...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.
>
> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\System Volume
> Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
> e - Trojan:Win32/Haher -> Infected

Turn off System Restore (properties of MyComputer, C
Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
boot options menu)
CD \WINDOWS\SYSTEM32
DEL wextract.exe
CD dllcache
DEL wextract.exe
Re-boot

If it won't let you DEL the files, REN them to some other name instead,
eg REN wextract.exe wextract.xex


--
Order 1000 pieces of a given atom & get a 10% discount

(http://www.indigo.com/models/orbit-m...omponents.html)

"anikya" <anikya@faked_anikya.com> wrote in message
newsQoWb.471933$X%5.234919@pd7tw2no...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.

Norton doesn't list this trojan at all. Does anybody know why? Has it got
another name or do they not yet know about it? If they don't how would I go
about checking my pc for it?

Cheers,

Phil.

Yep, other names: hakan, hangup
very little info


"Phil Da Lick!" <> ¦b¶l¥ó
news:tksWb.2646$Y% ¤¤¼¶¼g...
> "anikya" <anikya@faked_anikya.com> wrote in message
> newsQoWb.471933$X%5.234919@pd7tw2no...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
>
> Norton doesn't list this trojan at all. Does anybody know why? Has it got
> another name or do they not yet know about it? If they don't how would I
go
> about checking my pc for it?
>
> Cheers,
>
> Phil.
>
>

Just one more question.
I found this info in its "Properties"
name WEXTRACT.EXE
version 6.00.2800.1106 (xpsp1.020828-1920)

Would deleting wextract.exe affect the operation system?
Would I have to replace it with a healthy file?

anikya


"Dave OldBloke Budd" <> ¦b¶l¥ó
news: t ¤¤¼¶¼g...
> In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
> says...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
> >
> > Following is the report:
> > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher ->
Infected
> > C:\System Volume
> >
Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
> > e - Trojan:Win32/Haher -> Infected
>
> Turn off System Restore (properties of MyComputer, C
> Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
> boot options menu)
> CD \WINDOWS\SYSTEM32
> DEL wextract.exe
> CD dllcache
> DEL wextract.exe
> Re-boot
>
> If it won't let you DEL the files, REN them to some other name instead,
> eg REN wextract.exe wextract.xex
>
>
> --
> Order 1000 pieces of a given atom & get a 10% discount
>
> (http://www.indigo.com/models/orbit-m...omponents.html)

anikya wrote:

> Just one more question.
> I found this info in its "Properties"
> name WEXTRACT.EXE
> version 6.00.2800.1106 (xpsp1.020828-1920)
>
> Would deleting wextract.exe affect the operation system?
> Would I have to replace it with a healthy file?
>
> anikya
>
Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
legitimate windows file. I'd submit it (copy) for analysis before you
delete anything. FWIW, I have the same file on my system in
Windows\System32 and Trend Micro finds nothing wrong with it.
Go do an on-line scan at Trend Micro, using HouseCall:
http://www.trendmicro.com/en/home/us/personal.htm

"anikya" <anikya@faked_anikya.com> wrote in message newsQoWb.471933$X%5.234919@pd7tw2no...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.

Some online scanners are a little oversensitive (prone to
false positive identification of malware). I suggest getting
second or third opinions from other scanners before trying
to delete things.

....of course, renaming suspect files probably won't hurt,
just remember to make certain the malware isn't allowed
to become active.

If no other scanner picks it up, it is probably a false positive
and RAV would like to know about it so that they can fix
their scanner.

> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected

I don't know for sure, but this seems to me to be a legitimate
application (or utility). The OS seems to want it cached for
some reason.

> C:\System Volume
> Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
> e - Trojan:Win32/Haher -> Infected

This is just a restore point, it should go away when you purge
the restore points.

> RAV is unable to clean the infected files. Their tech support wrote back to
> say I need to find some other way to remove it.

You should be able to delete (or better yet to rename) those
first two items from safe mode (command prompt), but they
may be legitimate.

> I've run every online scan and quite a few trial version AV programs but
> none reported this infection.

Looking more and more like a false positive detection.

> Digital Patrol has haher in their database, but does not catch it in their
> scan.

Hmmm, more and more....

> Why is RAV is the only prog to id this trojan? Is it because it "unpacks
> executables"?

From the name, I would think that that file is used to "extract" from
..cab files (or some sort of archive). It might look too much like the
trojan for the online scanner to differentiate between thyem.

> Are there other programs that would scan inside .exe, too?

....all of them (well, most of them).

An exe can be a runtime unpacker, which malware often uses.
Most, if not all, of the AV scanners support a wide variety of
"unpackers" so that they can look within "packed" executables.

> The following page
> http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> remove this virus. It requires manually going into sys config and MS-DOS,
> but does not instruct on how.

Don't worry too much about it until you confirm that it really
is malware, and not a legitimate OS suite utility.

> What can I do?

Breathe in.....exhale.....breathe in......exhale.... :O)

Submit the file to RAV for further scrutiny and see what they
have to say about it.

I have sort of exhausted scanning sources, trying all the online scans and
some of the trials.
Since the trojan never turned up in any other scan I was wondering about
oversensitivity, too.
I've written to RAV, but their reply is just generalizations.
Good suggestion - breathe, breathe, breathe....
Thanks.

anikya


"FromTheRafters" <!> ¦b¶l¥ó
news: ¤¤¼¶¼g...
>
> "anikya" <anikya@faked_anikya.com> wrote in message
newsQoWb.471933$X%5.234919@pd7tw2no...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
>
> Some online scanners are a little oversensitive (prone to
> false positive identification of malware). I suggest getting
> second or third opinions from other scanners before trying
> to delete things.
>
> ...of course, renaming suspect files probably won't hurt,
> just remember to make certain the malware isn't allowed
> to become active.
>
> If no other scanner picks it up, it is probably a false positive
> and RAV would like to know about it so that they can fix
> their scanner.
>
> > Following is the report:
> > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher ->
Infected
>
> I don't know for sure, but this seems to me to be a legitimate
> application (or utility). The OS seems to want it cached for
> some reason.
>
> > C:\System Volume
> >
Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
> > e - Trojan:Win32/Haher -> Infected
>
> This is just a restore point, it should go away when you purge
> the restore points.
>
> > RAV is unable to clean the infected files. Their tech support wrote back
to
> > say I need to find some other way to remove it.
>
> You should be able to delete (or better yet to rename) those
> first two items from safe mode (command prompt), but they
> may be legitimate.
>
> > I've run every online scan and quite a few trial version AV programs but
> > none reported this infection.
>
> Looking more and more like a false positive detection.
>
> > Digital Patrol has haher in their database, but does not catch it in
their
> > scan.
>
> Hmmm, more and more....
>
> > Why is RAV is the only prog to id this trojan? Is it because it "unpacks
> > executables"?
>
> From the name, I would think that that file is used to "extract" from
> .cab files (or some sort of archive). It might look too much like the
> trojan for the online scanner to differentiate between thyem.
>
> > Are there other programs that would scan inside .exe, too?
>
> ...all of them (well, most of them).
>
> An exe can be a runtime unpacker, which malware often uses.
> Most, if not all, of the AV scanners support a wide variety of
> "unpackers" so that they can look within "packed" executables.
>
> > The following page
> > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how
to
> > remove this virus. It requires manually going into sys config and
MS-DOS,
> > but does not instruct on how.
>
> Don't worry too much about it until you confirm that it really
> is malware, and not a legitimate OS suite utility.
>
> > What can I do?
>
> Breathe in.....exhale.....breathe in......exhale.... :O)
>
> Submit the file to RAV for further scrutiny and see what they
> have to say about it.
>
>

"optikl" <> ??? news:4jAWb.11011$uV3.23269@attbi_s51
???...
> anikya wrote:
>
> > Just one more question.
> > I found this info in its "Properties"
> > name WEXTRACT.EXE
> > version 6.00.2800.1106 (xpsp1.020828-1920)
> >
> > Would deleting wextract.exe affect the operation system?
> > Would I have to replace it with a healthy file?
> >
> > anikya
> >
> Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
> legitimate windows file. I'd submit it (copy) for analysis before you
> delete anything. FWIW, I have the same file on my system in
> Windows\System32 and Trend Micro finds nothing wrong with it.
> Go do an on-line scan at Trend Micro, using HouseCall:
> http://www.trendmicro.com/en/home/us/personal.htm


I was wondering whether the wextract file itself got itself infected..I did
go to HouseCall, found nothing. I'm more and more inclined, after reading
posters' responses, to believe this is a false positive.
anikya

anikya wrote:

>
> I was wondering whether the wextract file itself got itself infected..I did
> go to HouseCall, found nothing. I'm more and more inclined, after reading
> posters' responses, to believe this is a false positive.
> anikya
>
>

That file all by itself wouldn't get infected. If you had a virus
problem, it wouldn't be confined to just one file. A trojan could
identify itself as a legitimate file and hide (rename) the file it was
replacing. I doubt any of that has happened. RAV has its heuristics
cranked.