Elusive trojan Haher

 
 
anikya
Guest
Posts: n/a
 
      02-13-2004

"optikl" <(E-Mail Removed)> wrote in message news:CbKWb.14036$uV3.34097@attbi_s51...
> anikya wrote:
>
> > I was wondering whether the wextract file itself got itself infected..I did
> > go to HouseCall, found nothing. I'm more and more inclined, after reading
> > posters' responses, to believe this is a false positive.
> > anikya
>
> That file all by itself wouldn't get infected. If you had a virus
> problem, it wouldn't be confined to just one file. A trojan could
> identify itself as a legitimate file and hide (rename) the file it was
> replacing. I doubt any of that has happened. RAV has its heuristics
> cranked.


I'm nearer to solving this mystery because RAV asked me to send them the
suspected file at last. Waiting to see what they say.

anikya


 
anikya
Guest
Posts: n/a
 
      02-16-2004
The verdict is out.

RAV very quickly gave me 2 answers:

1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
trojan.

2. "Usually you cannot clean those files, because the whole file contains
the malware, and the solution is to remove the malware (the file) manually.
Before doing this you may have to remove any references to those files from
SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
After a reboot all should be ok."

I'm not sure I should delete/remove a file called wextract.exe in
windows\system32.

Please someone help: go to RAV online and scan your System32 files and see
if they find any Haher in your wextract.exe, too.

anikya


"anikya" <anikya@faked_anikya.com> wrote in message
newsQoWb.471933$X%5.234919@pd7tw2no...
> I'm really at my wits' end.
>
> RAV online found win32/haher a trojan in my computer.
>
> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
>
> RAV is unable to clean the infected files. Their tech support wrote back to
> say I need to find some other way to remove it.
>
> I've run every online scan and quite a few trial version AV programs but
> none reported this infection.
>
> Digital Patrol has haher in their database, but does not catch it in their
> scan.
>
> Why is RAV the only prog to id this trojan? Is it because it "unpacks
> executables"?
> Are there other programs that would scan inside .exe, too?
>
> The following page
> http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> remove this virus. It requires manually going into sys config and MS-DOS,
> but does not instruct on how.
>
> What can I do?
>
> anikya


 
Geese_Hunter
Guest
Posts: n/a
 
      02-16-2004

"anikya" <anikya@faked_anikya.com> wrote in message
news:7B0Yb.528244$ts4.446330@pd7tw3no...
> The verdict is out.
>
> RAV very quickly gave me 2 answers:
>
> 1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
> trojan.
>
> 2. "Usually you cannot clean those files, because the whole file contains
> the malware, and the solution is to remove the malware (the file) manually.
> Before doing this you may have to remove any references to those files from
> SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
> After a reboot all should be ok."
>
> I'm not sure I should delete/remove a file called wextract.exe in
> windows\system32.
>
> Please someone help: go to RAV online and scan your System32 files and see
> if they find any Haher in your wextract.exe, too.
>
> anikya
>
> "anikya" <anikya@faked_anikya.com> wrote in message
> newsQoWb.471933$X%5.234919@pd7tw2no...
> > I'm really at my wits' end.
> >
> > RAV online found win32/haher a trojan in my computer.
> >
> > Following is the report:
> > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
> >
> > RAV is unable to clean the infected files. Their tech support wrote back to
> > say I need to find some other way to remove it.
> >
> > I've run every online scan and quite a few trial version AV programs but
> > none reported this infection.
> >
> > Digital Patrol has haher in their database, but does not catch it in their
> > scan.
> >
> > Why is RAV the only prog to id this trojan? Is it because it "unpacks
> > executables"?
> > Are there other programs that would scan inside .exe, too?
> >
> > The following page
> > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> > remove this virus. It requires manually going into sys config and MS-DOS,
> > but does not instruct on how.
> >
> > What can I do?
> >
> > anikya

I scanned my system32 & am not infected. It could be that RAV is finding a
piece of the virus that is still left on your machine, & the other progs
don't care about the piece.

If you delete it you won't be able to extract, install or clean up your cab
files. Since it's an Internet Explorer file you could uninstall IE, & then
reinstall it, or another browser


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.588 / Virus Database: 372 - Release Date: 2/13/2004
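
RAV's reply quoted in this thread says to remove SYSTEM.INI references before deleting a flagged file. The Python below is an added example, not part of any poster's message or of RAV's tooling: it parses report lines in the format the thread shows and lists the live SYSTEM.INI entries that name each flagged file. The SYSTEM.INI content and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Two report lines as quoted in the thread.
REPORT = r"""
C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
"""

# Constructed SYSTEM.INI (an assumption for illustration, not the poster's file).
SYSTEM_INI = r"""
; for 16-bit app support
[boot]
shell=Explorer.exe C:\WINDOWS\SYSTEM32\WEXTRACT.EXE
[386Enh]
; device=wextract.exe
"""

REPORT_LINE = re.compile(r"^(?P<path>.+?) - (?P<name>\S+) -> Infected$")

def flagged_files(report):
    """Map each flagged path in the scanner report to its detection name."""
    found = {}
    for line in report.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            found[m["path"]] = m["name"]
    return found

def ini_references(ini_text, flagged_path):
    """Return (section, key, value) for live entries that name the flagged file."""
    target = PureWindowsPath(flagged_path).name.lower()
    section, hits = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                   # remember current section
            continue
        key, sep, value = line.partition("=")
        # Compare file names case-insensitively, token by token.
        if sep and any(PureWindowsPath(t.strip('"')).name.lower() == target
                       for t in re.split(r"[\s,]+", value)):
            hits.append((section, key.strip(), value.strip()))
    return hits

if __name__ == "__main__":
    for path, name in flagged_files(REPORT).items():
        print(path, name, ini_references(SYSTEM_INI, path))
```

An empty result for a flagged path means SYSTEM.INI holds no live entry naming that file; the commented-out `device=` line in the sample is deliberately ignored.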


 