Velocity Reviews - Computer Hardware Reviews

Elusive trojan Haher

 
 
anikya
      02-11-2004
I'm really at my wits end.

RAV online found win32/haher a trojan in my computer.

Following is the report:
C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

RAV is unable to clean the infected files. Their tech support wrote back to
say I need to find some other way to remove it.

I've run every online scan and quite a few trial version AV programs but
none reported this infection.

Digital Patrol has haher in their database, but does not catch it in their
scan.

Why is RAV the only prog to id this trojan? Is it because it "unpacks
executables"?
Are there other programs that would scan inside .exe, too?

The following page
http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
remove this virus. It requires manually going into sys config and MS-DOS,
but does not instruct on how.

What can I do?

anikya



DaveOldBlokeBudd
      02-11-2004
In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
says...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.
>
> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected


Turn off System Restore (properties of MyComputer, C
Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
boot options menu)
CD \WINDOWS\SYSTEM32
DEL wextract.exe
CD dllcache
DEL wextract.exe
Re-boot

If it won't let you DEL the files, REN them to some other name instead,
eg REN wextract.exe wextract.xex


--
Order 1000 pieces of a given atom & get a 10% discount

(http://www.indigo.com/models/orbit-m...omponents.html)
Phil Da Lick!
      02-11-2004
"anikya" <anikya@faked_anikya.com> wrote in message
news:pQoWb.471933$X%5.234919@pd7tw2no...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.


Norton doesn't list this trojan at all. Does anybody know why? Has it got
another name or do they not yet know about it? If they don't how would I go
about checking my pc for it?

Cheers,

Phil.

anikya
      02-11-2004
Yep, other names: hakan, hangup
very little info


"Phil Da Lick!" <(E-Mail Removed)> wrote in message
news:tksWb.2646$Y%(E-Mail Removed)9.net...
> "anikya" <anikya@faked_anikya.com> wrote in message
> news:pQoWb.471933$X%5.234919@pd7tw2no...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
>
> Norton doesn't list this trojan at all. Does anybody know why? Has it got
> another name or do they not yet know about it? If they don't how would I go
> about checking my pc for it?
>
> Cheers,
>
> Phil.
>
>

anikya
      02-11-2004
Just one more question.
I found this info in its "Properties"
name WEXTRACT.EXE
version 6.00.2800.1106 (xpsp1.020828-1920)

Would deleting wextract.exe affect the operating system?
Would I have to replace it with a healthy file?

anikya


"Dave OldBloke Budd" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
> In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
> says...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
> >
> > Following is the report:
> > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
>
> Turn off System Restore (properties of MyComputer, C
> Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
> boot options menu)
> CD \WINDOWS\SYSTEM32
> DEL wextract.exe
> CD dllcache
> DEL wextract.exe
> Re-boot
>
> If it won't let you DEL the files, REN them to some other name instead,
> eg REN wextract.exe wextract.xex
>
>
> --
> Order 1000 pieces of a given atom & get a 10% discount
>
> (http://www.indigo.com/models/orbit-m...omponents.html)


optikl
      02-12-2004
anikya wrote:

> Just one more question.
> I found this info in its "Properties"
> name WEXTRACT.EXE
> version 6.00.2800.1106 (xpsp1.020828-1920)
>
> Would deleting wextract.exe affect the operating system?
> Would I have to replace it with a healthy file?
>
> anikya
>

Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
legitimate windows file. I'd submit it (copy) for analysis before you
delete anything. FWIW, I have the same file on my system in
Windows\System32 and Trend Micro finds nothing wrong with it.
Go do an on-line scan at Trend Micro, using HouseCall:
http://www.trendmicro.com/en/home/us/personal.htm
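For the false-positive question raised above, here is an added PowerShell check (not from the thread or any of its posters) that a defender can run before deleting anything: it compares the SYSTEM32 copy of wextract.exe with the protected dllcache copy, reads the version resource and checks the Authenticode signature. It assumes PowerShell 4 or later (for Get-FileHash) and the XP-era paths from the RAV report; on newer Windows the cache location differs and the second path must be adjusted.

```powershell
# Added example: triage a suspected false positive on a Windows system file.
# Paths are the ones from the RAV report; $Cached is an assumption for XP-era
# Windows File Protection and must be changed on other versions.
$Live   = 'C:\WINDOWS\SYSTEM32\wextract.exe'
$Cached = 'C:\WINDOWS\SYSTEM32\dllcache\wextract.exe'

function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion   # e.g. 6.00.2800.1106 in the report
        Company   = $item.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

$a = Get-FileTriage $Live
$b = Get-FileTriage $Cached
$a, $b | Format-List

# A single tampered system file would normally disagree with its cache copy.
if ($a -and $b) {
    if ($a.SHA256 -eq $b.SHA256) {
        'Live copy matches the protected cache copy: a lone modified file is unlikely.'
    } else {
        'Live copy DIFFERS from the cache copy: treat it as suspect and submit it for analysis.'
    }
}

# Many OS binaries carry no embedded signature and are catalog-signed instead,
# so NotSigned alone proves nothing; confirm with sfc /verifyfile (Vista+) or
# Sysinternals sigcheck, which consult the signing catalogs.
if ($a -and $a.SigStatus -ne 'Valid') {
    'No valid embedded signature; verify against the signing catalogs before drawing a conclusion.'
}
```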
FromTheRafters
      02-12-2004

"anikya" <anikya@faked_anikya.com> wrote in message news:pQoWb.471933$X%5.234919@pd7tw2no...
> I'm really at my wits end.
>
> RAV online found win32/haher a trojan in my computer.


Some online scanners are a little oversensitive (prone to
false positive identification of malware). I suggest getting
second or third opinions from other scanners before trying
to delete things.

...of course, renaming suspect files probably won't hurt,
just remember to make certain the malware isn't allowed
to become active.

If no other scanner picks it up, it is probably a false positive
and RAV would like to know about it so that they can fix
their scanner.

> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected


I don't know for sure, but this seems to me to be a legitimate
application (or utility). The OS seems to want it cached for
some reason.

> C:\System Volume
> Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.ex
> e - Trojan:Win32/Haher -> Infected


This is just a restore point, it should go away when you purge
the restore points.

> RAV is unable to clean the infected files. Their tech support wrote back to
> say I need to find some other way to remove it.


You should be able to delete (or better yet to rename) those
first two items from safe mode (command prompt), but they
may be legitimate.

> I've run every online scan and quite a few trial version AV programs but
> none reported this infection.


Looking more and more like a false positive detection.

> Digital Patrol has haher in their database, but does not catch it in their
> scan.


Hmmm, more and more....

> Why is RAV the only prog to id this trojan? Is it because it "unpacks
> executables"?


From the name, I would think that that file is used to "extract" from
.cab files (or some sort of archive). It might look too much like the
trojan for the online scanner to differentiate between them.

> Are there other programs that would scan inside .exe, too?


...all of them (well, most of them).

An exe can be a runtime unpacker, which malware often uses.
Most, if not all, of the AV scanners support a wide variety of
"unpackers" so that they can look within "packed" executables.

> The following page
> http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> remove this virus. It requires manually going into sys config and MS-DOS,
> but does not instruct on how.


Don't worry too much about it until you confirm that it really
is malware, and not a legitimate OS suite utility.

> What can I do?


Breathe in.....exhale.....breathe in......exhale.... :O)

Submit the file to RAV for further scrutiny and see what they
have to say about it.


anikya
      02-12-2004
I have sort of exhausted scanning sources, trying all the online scans and
some of the trials.
Since the trojan never turned up in any other scan I was wondering about
oversensitivity, too.
I've written to RAV, but their reply is just generalizations.
Good suggestion - breathe, breathe, breathe....
Thanks.

anikya


"FromTheRafters" <!(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "anikya" <anikya@faked_anikya.com> wrote in message
> news:pQoWb.471933$X%5.234919@pd7tw2no...
> > I'm really at my wits end.
> >
> > RAV online found win32/haher a trojan in my computer.
>
> Some online scanners are a little oversensitive (prone to
> false positive identification of malware). I suggest getting
> second or third opinions from other scanners before trying
> to delete things.
>
> ...of course, renaming suspect files probably won't hurt,
> just remember to make certain the malware isn't allowed
> to become active.
>
> If no other scanner picks it up, it is probably a false positive
> and RAV would like to know about it so that they can fix
> their scanner.
>
> > Following is the report:
> > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
>
> I don't know for sure, but this seems to me to be a legitimate
> application (or utility). The OS seems to want it cached for
> some reason.
>
> > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
>
> This is just a restore point, it should go away when you purge
> the restore points.
>
> > RAV is unable to clean the infected files. Their tech support wrote back to
> > say I need to find some other way to remove it.
>
> You should be able to delete (or better yet to rename) those
> first two items from safe mode (command prompt), but they
> may be legitimate.
>
> > I've run every online scan and quite a few trial version AV programs but
> > none reported this infection.
>
> Looking more and more like a false positive detection.
>
> > Digital Patrol has haher in their database, but does not catch it in their
> > scan.
>
> Hmmm, more and more....
>
> > Why is RAV the only prog to id this trojan? Is it because it "unpacks
> > executables"?
>
> From the name, I would think that that file is used to "extract" from
> .cab files (or some sort of archive). It might look too much like the
> trojan for the online scanner to differentiate between them.
>
> > Are there other programs that would scan inside .exe, too?
>
> ...all of them (well, most of them).
>
> An exe can be a runtime unpacker, which malware often uses.
> Most, if not all, of the AV scanners support a wide variety of
> "unpackers" so that they can look within "packed" executables.
>
> > The following page
> > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> > remove this virus. It requires manually going into sys config and MS-DOS,
> > but does not instruct on how.
>
> Don't worry too much about it until you confirm that it really
> is malware, and not a legitimate OS suite utility.
>
> > What can I do?
>
> Breathe in.....exhale.....breathe in......exhale.... :O)
>
> Submit the file to RAV for further scrutiny and see what they
> have to say about it.
>
>



anikya
      02-12-2004

"optikl" <(E-Mail Removed)> wrote in message news:4jAWb.11011$uV3.23269@attbi_s51...
> anikya wrote:
>
> > Just one more question.
> > I found this info in its "Properties"
> > name WEXTRACT.EXE
> > version 6.00.2800.1106 (xpsp1.020828-1920)
> >
> > Would deleting wextract.exe affect the operating system?
> > Would I have to replace it with a healthy file?
> >
> > anikya
> >
>
> Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
> legitimate windows file. I'd submit it (copy) for analysis before you
> delete anything. FWIW, I have the same file on my system in
> Windows\System32 and Trend Micro finds nothing wrong with it.
> Go do an on-line scan at Trend Micro, using HouseCall:
> http://www.trendmicro.com/en/home/us/personal.htm



I was wondering whether the wextract file itself got itself infected... I did
go to HouseCall, found nothing. I'm more and more inclined, after reading
posters' responses, to believe this is a false positive.
anikya


optikl
      02-12-2004
anikya wrote:

>
> I was wondering whether the wextract file itself got itself infected... I did
> go to HouseCall, found nothing. I'm more and more inclined, after reading
> posters' responses, to believe this is a false positive.
> anikya
>
>


That file all by itself wouldn't get infected. If you had a virus
problem, it wouldn't be confined to just one file. A trojan could
identify itself as a legitimate file and hide (rename) the file it was
replacing. I doubt any of that has happened. RAV has its heuristics
cranked.