Elusive trojan Haher

Discussion in 'Computer Security' started by anikya, Feb 11, 2004.

  1. anikya

    anikya Guest

    I'm really at my wits end.

    RAV online found win32/haher a trojan in my computer.

    Following is the report:
    C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

    RAV is unable to clean the infected files. Their tech support wrote back to
    say I need to find some other way to remove it.

    I've run every online scan and quite a few trial version AV programs but
    none reported this infection.

    Digital Patrol has haher in their database, but does not catch it in their
    scan.

    Why is RAV the only prog to id this trojan? Is it because it "unpacks
    executables"?
    Are there other programs that would scan inside .exe, too?

    The following page
    http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
    remove this virus. It requires manually going into sys config and MS-DOS,
    but does not instruct on how.

    What can I do?

    anikya
     
    anikya, Feb 11, 2004
    #1

  2. In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
    says...
    > I'm really at my wits end.
    >
    > RAV online found win32/haher a trojan in my computer.
    >
    > Following is the report:
    > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected


    Turn off System Restore (properties of MyComputer, C:)
    Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
    boot options menu)
    CD \WINDOWS\SYSTEM32
    DEL wextract.exe
    CD dllcache
    DEL wextract.exe
    Re-boot

    If it won't let you DEL the files, REN them to some other name instead,
    eg REN wextract.exe wextract.xex


    --
    Order 1000 pieces of a given atom & get a 10% discount

    (http://www.indigo.com/models/orbit-molecular-model-components.html)
     
    DaveOldBlokeBudd, Feb 11, 2004
    #2

  3. "anikya" <anikya@faked_anikya.com> wrote in message
    news:pQoWb.471933$X%5.234919@pd7tw2no...
    > I'm really at my wits end.
    >
    > RAV online found win32/haher a trojan in my computer.


    Norton doesn't list this trojan at all. Does anybody know why? Has it got
    another name or do they not yet know about it? If they don't how would I go
    about checking my pc for it?

    Cheers,

    Phil.
     
    Phil Da Lick!, Feb 11, 2004
    #3
  4. anikya

    anikya Guest

    Yep, other names: hakan, hangup
    very little info


    "Phil Da Lick!" <> wrote in message
    news:tksWb.2646$Y%9.net...
    > "anikya" <anikya@faked_anikya.com> wrote in message
    > news:pQoWb.471933$X%5.234919@pd7tw2no...
    > > I'm really at my wits end.
    > >
    > > RAV online found win32/haher a trojan in my computer.

    >
    > Norton doesn't list this trojan at all. Does anybody know why? Has it got
    > another name or do they not yet know about it? If they don't how would I
    > go about checking my pc for it?
    >
    > Cheers,
    >
    > Phil.
    >
    >
     
    anikya, Feb 11, 2004
    #4
  5. anikya

    anikya Guest

    Just one more question.
    I found this info in its "Properties"
    name WEXTRACT.EXE
    version 6.00.2800.1106 (xpsp1.020828-1920)

    Would deleting wextract.exe affect the operating system?
    Would I have to replace it with a healthy file?

    anikya


    "Dave OldBloke Budd" <> wrote in message
    news:...
    > In article <pQoWb.471933$X%5.234919@pd7tw2no>, anikya@faked_anikya.com
    > says...
    > > I'm really at my wits end.
    > >
    > > RAV online found win32/haher a trojan in my computer.
    > >
    > > Following is the report:
    > > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    > > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

    >
    > Turn off System Restore (properties of MyComputer, C:)
    > Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
    > boot options menu)
    > CD \WINDOWS\SYSTEM32
    > DEL wextract.exe
    > CD dllcache
    > DEL wextract.exe
    > Re-boot
    >
    > If it won't let you DEL the files, REN them to some other name instead,
    > eg REN wextract.exe wextract.xex
    >
    >
    > --
    > Order 1000 pieces of a given atom & get a 10% discount
    >
    > (http://www.indigo.com/models/orbit-molecular-model-components.html)
     
    anikya, Feb 11, 2004
    #5
  6. anikya

    optikl Guest

    anikya wrote:

    > Just one more question.
    > I found this info in its "Properties"
    > name WEXTRACT.EXE
    > version 6.00.2800.1106 (xpsp1.020828-1920)
    >
    > Would deleting wextract.exe affect the operating system?
    > Would I have to replace it with a healthy file?
    >
    > anikya
    >

    Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
    legitimate windows file. I'd submit it (copy) for analysis before you
    delete anything. FWIW, I have the same file on my system in
    Windows\System32 and Trend Micro finds nothing wrong with it.
    Go do an on-line scan at Trend Micro, using HouseCall:
    http://www.trendmicro.com/en/home/us/personal.htm
     
    optikl, Feb 12, 2004
    #6
  7. "anikya" <anikya@faked_anikya.com> wrote in message news:pQoWb.471933$X%5.234919@pd7tw2no...
    > I'm really at my wits end.
    >
    > RAV online found win32/haher a trojan in my computer.


    Some online scanners are a little oversensitive (prone to
    false positive identification of malware). I suggest getting
    second or third opinions from other scanners before trying
    to delete things.

    ...of course, renaming suspect files probably won't hurt,
    just remember to make certain the malware isn't allowed
    to become active.

    If no other scanner picks it up, it is probably a false positive
    and RAV would like to know about it so that they can fix
    their scanner.

    > Following is the report:
    > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected


    I don't know for sure, but this seems to me to be a legitimate
    application (or utility). The OS seems to want it cached for
    some reason.

    > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected


    This is just a restore point, it should go away when you purge
    the restore points.

    > RAV is unable to clean the infected files. Their tech support wrote back to
    > say I need to find some other way to remove it.


    You should be able to delete (or better yet to rename) those
    first two items from safe mode (command prompt), but they
    may be legitimate.

    > I've run every online scan and quite a few trial version AV programs but
    > none reported this infection.


    Looking more and more like a false positive detection.

    > Digital Patrol has haher in their database, but does not catch it in their
    > scan.


    Hmmm, more and more....

    > Why is RAV the only prog to id this trojan? Is it because it "unpacks
    > executables"?


    From the name, I would think that that file is used to "extract" from
    .cab files (or some sort of archive). It might look too much like the
    trojan for the online scanner to differentiate between them.

    > Are there other programs that would scan inside .exe, too?


    ...all of them (well, most of them).

    An exe can be a runtime unpacker, which malware often uses.
    Most, if not all, of the AV scanners support a wide variety of
    "unpackers" so that they can look within "packed" executables.

    > The following page
    > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
    > remove this virus. It requires manually going into sys config and MS-DOS,
    > but does not instruct on how.


    Don't worry too much about it until you confirm that it really
    is malware, and not a legitimate OS suite utility.

    > What can I do?


    Breathe in.....exhale.....breathe in......exhale.... :O)

    Submit the file to RAV for further scrutiny and see what they
    have to say about it.
     
    FromTheRafters, Feb 12, 2004
    #7
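The two checks the replies above ask for, a second opinion on whether the listed copies are the same bytes and a look at whether the file is packed, can be done offline before anything is deleted. What follows is an added example written for this page, not code from RAV, from McAfee's write-up or from any poster. It builds two small PE images in memory (constructed for the demo: one carrying repetitive prologue-like bytes as ordinary code, one whose section is seeded random data, which is how a runtime packer's compressed payload looks), walks the section table and reports per-section Shannon entropy. The 7.0 bits-per-byte threshold and the 256-byte minimum section size are assumptions chosen for the demo, not a published rule. The group_by_digest helper is what you would run over the SYSTEM32, dllcache and restore-point copies named in the RAV report: one digest group means the scanner judged the same bytes three times, more than one means a copy has been altered.

```python
"""Offline triage of a file a scanner has flagged: compare the copies the
report lists, and measure per-section entropy as a packer indicator.
Added example for this page, not code from RAV or from any poster; the two
PE images below are constructed in memory and are parseable, not loadable."""
import hashlib
import math
import random
import struct
from collections import Counter

# Heuristic thresholds, assumed for this demo rather than taken from any
# standard: packed or encrypted code is close to random, so a section of at
# least 256 bytes at 7.0+ bits per byte is worth a second look.
PACKED_ENTROPY = 7.0
MIN_SECTION = 256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_digest(copies: dict) -> dict:
    """Map digest -> [labels].  Run over the SYSTEM32, dllcache and
    restore-point copies: one group means the scanner saw the same bytes
    each time, several groups mean one copy has been altered."""
    groups = {}
    for label, data in copies.items():
        groups.setdefault(sha256_hex(data), []).append(label)
    return groups


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, just under 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the PE section table; return (timestamp, [(name, raw_size, entropy)])."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header after the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    nsect, timestamp = struct.unpack_from("<HI", image, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_size, shannon_entropy(raw)))
    return timestamp, sections


def looks_packed(image: bytes) -> bool:
    return any(size >= MIN_SECTION and ent >= PACKED_ENTROPY
               for _, size, ent in pe_sections(image)[1])


def build_sample_pe(sections, timestamp=0) -> bytes:
    """Constructed PE32 image: DOS stub, COFF header, zeroed optional header,
    section table, then the raw section data back to back."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222        # PE32 magic + 224-byte header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), ptr, len(raw), ptr,
                             0, 0, 0, 0, 0x60000020)  # code | execute | read
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + blobs


# Constructed inputs, labelled as such: repetitive prologue bytes stand in for
# ordinary compiled code, a seeded random blob for a packer's compressed payload.
_rng = random.Random(2004)
CLEAN_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 150
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
CLEAN_SAMPLE = build_sample_pe([(b".text", CLEAN_CODE), (b".data", b"\0" * 512)])
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", RANDOM_BLOB)])


if __name__ == "__main__":
    report = {"SYSTEM32": CLEAN_SAMPLE, "dllcache": CLEAN_SAMPLE, "RP313": PACKED_SAMPLE}
    for digest, labels in group_by_digest(report).items():
        print(digest[:16], labels)
    for label, image in report.items():
        for name, size, ent in pe_sections(image)[1]:
            print(f"{label:9} {name:8} {size:6d} bytes  {ent:.2f} bits/byte")
        print(label, "looks packed" if looks_packed(image) else "not obviously packed")
```

On a real machine, replace the constructed samples with the bytes read from the three paths in the RAV report. A high-entropy section is only a hint: legitimate installers and self-extractors also carry compressed payloads, which is exactly why a file whose job is to unpack archives can look like a packed trojan to a scanner's heuristics.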
  8. anikya

    anikya Guest

    I have sort of exhausted scanning sources, trying all the online scans and
    some of the trials.
    Since the trojan never turned up in any other scan I was wondering about
    oversensitivity, too.
    I've written to RAV, but their reply is just generalizations.
    Good suggestion - breathe, breathe, breathe....
    Thanks.

    anikya


    "FromTheRafters" <!> wrote in message
    news:...
    >
    > "anikya" <anikya@faked_anikya.com> wrote in message

    news:pQoWb.471933$X%5.234919@pd7tw2no...
    > > I'm really at my wits end.
    > >
    > > RAV online found win32/haher a trojan in my computer.

    >
    > Some online scanners are a little oversensitive (prone to
    > false positive identification of malware). I suggest getting
    > second or third opinions from other scanners before trying
    > to delete things.
    >
    > ...of course, renaming suspect files probably won't hurt,
    > just remember to make certain the malware isn't allowed
    > to become active.
    >
    > If no other scanner picks it up, it is probably a false positive
    > and RAV would like to know about it so that they can fix
    > their scanner.
    >
    > > Following is the report:
    > > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    >
    > I don't know for sure, but this seems to me to be a legitimate
    > application (or utility). The OS seems to want it cached for
    > some reason.
    >
    > > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

    >
    > This is just a restore point, it should go away when you purge
    > the restore points.
    >
    > > RAV is unable to clean the infected files. Their tech support wrote back
    > > to say I need to find some other way to remove it.

    >
    > You should be able to delete (or better yet to rename) those
    > first two items from safe mode (command prompt), but they
    > may be legitimate.
    >
    > > I've run every online scan and quite a few trial version AV programs but
    > > none reported this infection.

    >
    > Looking more and more like a false positive detection.
    >
    > > Digital Patrol has haher in their database, but does not catch it in
    > > their scan.

    >
    > Hmmm, more and more....
    >
    > > Why is RAV the only prog to id this trojan? Is it because it "unpacks
    > > executables"?

    >
    > From the name, I would think that that file is used to "extract" from
    > .cab files (or some sort of archive). It might look too much like the
    > trojan for the online scanner to differentiate between them.
    >
    > > Are there other programs that would scan inside .exe, too?

    >
    > ...all of them (well, most of them).
    >
    > An exe can be a runtime unpacker, which malware often uses.
    > Most, if not all, of the AV scanners support a wide variety of
    > "unpackers" so that they can look within "packed" executables.
    >
    > > The following page
    > > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how
    > > to remove this virus. It requires manually going into sys config and
    > > MS-DOS, but does not instruct on how.

    >
    > Don't worry too much about it until you confirm that it really
    > is malware, and not a legitimate OS suite utility.
    >
    > > What can I do?

    >
    > Breathe in.....exhale.....breathe in......exhale.... :O)
    >
    > Submit the file to RAV for further scrutiny and see what they
    > have to say about it.
    >
    >
     
    anikya, Feb 12, 2004
    #8
  9. anikya

    anikya Guest

    "optikl" <> wrote in message news:4jAWb.11011$uV3.23269@attbi_s51...
    > anikya wrote:
    >
    > > Just one more question.
    > > I found this info in its "Properties"
    > > name WEXTRACT.EXE
    > > version 6.00.2800.1106 (xpsp1.020828-1920)
    > >
    > > Would deleting wextract.exe affect the operating system?
    > > Would I have to replace it with a healthy file?
    > >
    > > anikya
    > >

    > Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
    > legitimate windows file. I'd submit it (copy) for analysis before you
    > delete anything. FWIW, I have the same file on my system in
    > Windows\System32 and Trend Micro finds nothing wrong with it.
    > Go do an on-line scan at Trend Micro, using HouseCall:
    > http://www.trendmicro.com/en/home/us/personal.htm



    I was wondering whether the wextract file itself got itself infected... I did
    go to HouseCall, found nothing. I'm more and more inclined, after reading
    posters' responses, to believe this is a false positive.
    anikya
     
    anikya, Feb 12, 2004
    #9
  10. anikya

    optikl Guest

    anikya wrote:

    >
    > I was wondering whether the wextract file itself got itself infected... I did
    > go to HouseCall, found nothing. I'm more and more inclined, after reading
    > posters' responses, to believe this is a false positive.
    > anikya
    >
    >


    That file all by itself wouldn't get infected. If you had a virus
    problem, it wouldn't be confined to just one file. A trojan could
    identify itself as a legitimate file and hide (rename) the file it was
    replacing. I doubt any of that has happened. RAV has its heuristics
    cranked.
     
    optikl, Feb 12, 2004
    #10
  11. anikya

    anikya Guest

    "optikl" <> wrote in message news:CbKWb.14036$uV3.34097@attbi_s51...
    > anikya wrote:
    >
    > >
    > > I was wondering whether the wextract file itself got itself infected... I
    > > did go to HouseCall, found nothing. I'm more and more inclined, after
    > > reading posters' responses, to believe this is a false positive.
    > > anikya
    > >
    > >

    >
    > That file all by itself wouldn't get infected. If you had a virus
    > problem, it wouldn't be confined to just one file. A trojan could
    > identify itself as a legitimate file and hide (rename) the file it was
    > replacing. I doubt any of that has happened. RAV has its heuristics
    > cranked.


    I'm nearer to solving this mystery because RAV asked me to send them the
    suspected file at last. Waiting to see what they say.

    anikya
     
    anikya, Feb 13, 2004
    #11
  12. anikya

    anikya Guest

    Re: Elusive trojan Haher - RAV replies

    The verdict is out.

    RAV very quickly gave me 2 answers:

    1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
    trojan.

    2. "Usually you cannot clean those files, because the whole file contains
    the malware, and the solution is to remove the malware (the file) manually.
    Before doing this you may have to remove any references to those files from
    SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
    After a reboot all should be ok."

    I'm not sure I should delete/remove a file called wextract.exe in
    windows\system32.

    Please someone help: go to RAV online and scan your System32 files and see
    if they find any Haher in your wextract.exe, too.

    anikya




    "anikya" <anikya@faked_anikya.com> wrote in message
    news:pQoWb.471933$X%5.234919@pd7tw2no...
    > I'm really at my wits end.
    >
    > RAV online found win32/haher a trojan in my computer.
    >
    > Following is the report:
    > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
    >
    > RAV is unable to clean the infected files. Their tech support wrote back
    > to say I need to find some other way to remove it.
    >
    > I've run every online scan and quite a few trial version AV programs but
    > none reported this infection.
    >
    > Digital Patrol has haher in their database, but does not catch it in their
    > scan.
    >
    > Why is RAV the only prog to id this trojan? Is it because it "unpacks
    > executables"?
    > Are there other programs that would scan inside .exe, too?
    >
    > The following page
    > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how
    > to remove this virus. It requires manually going into sys config and MS-DOS,
    > but does not instruct on how.
    >
    > What can I do?
    >
    > anikya
    >
    >
    >
     
    anikya, Feb 16, 2004
    #12
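RAV's reply tells the poster to remove references to the file from SYSTEM.INI before deleting it, without saying what to look for. As an added example for this page (not RAV's instructions and not code from any poster), the following parses an INI-style file and lists every section and key whose value names the file, matching on the bare file name so that a full path still hits. The SYSTEM.INI content is constructed for the demo; the thread gives no detail of which line, if any, Haher adds, and the shell= line is used here only because it is the classic [boot] load point.

```python
"""Find references to a file name in an INI-style file such as SYSTEM.INI.
Added example for this page; the sample content below is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the shell= value carries an extra program name, the
# kind of reference an AV vendor means by "remove any references to those
# files".  Not taken from the poster's machine.
SAMPLE_SYSTEM_INI = """\
; constructed sample, not a real SYSTEM.INI
[boot]
shell=Explorer.exe wextract.exe
drivers=mmdrv.dll
[drivers]
wave=mmdrv.dll
timer=timer.drv
[386Enh]
woafont=dosapp.fon
"""


def parse_ini(text):
    """Yield (section, key, value) for every key=value line; ';' starts a
    comment, section headers are [name], and whitespace is trimmed."""
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def references_to(text, filename):
    """Return [(section, key, value)] for values that name `filename`.

    Values are split on whitespace and commas and each token is reduced to
    its base name, so "wextract.exe" and "C:\\WINDOWS\\SYSTEM32\\wextract.exe"
    both match.  Quoted paths containing spaces are not handled; a value
    like that is worth reading by eye anyway.
    """
    target = filename.lower()
    hits = []
    for section, key, value in parse_ini(text):
        for token in re.split(r"[\s,]+", value):
            if token and PureWindowsPath(token).name.lower() == target:
                hits.append((section, key, value))
                break
    return hits


if __name__ == "__main__":
    for section, key, value in references_to(SAMPLE_SYSTEM_INI, "wextract.exe"):
        print(f"[{section}] {key}={value}")
```

To run it against the real file, pass the contents of C:\WINDOWS\SYSTEM.INI (read as text) instead of the constructed sample. A hit only tells you where the name appears; whether the line is legitimate still has to be judged from what the key normally holds.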
  13. anikya

    Geese_Hunter Guest

    Re: Elusive trojan Haher - RAV replies

    "anikya" <anikya@faked_anikya.com> wrote in message
    news:7B0Yb.528244$ts4.446330@pd7tw3no...
    > The verdict is out.
    >
    > RAV very quickly gave me 2 answers:
    >
    > 1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
    > trojan.
    >
    > 2. "Usually you cannot clean those files, because the whole file contains
    > the malware, and the solution is to remove the malware (the file)

    manually.
    > Before doing this you may have to remove any references to those files

    from
    > SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
    > After a reboot all should be ok."
    >
    > I'm not sure I should delete/remove a file called wextract.exe in
    > windows\system32.
    >
    > Please someone help: go to RAV online and scan your System32 files and see
    > if they find any Haher in your wextract.exe, too.
    >
    > anikya
    >
    >
    >
    >
    > "anikya" <anikya@faked_anikya.com> wrote in message
    > news:pQoWb.471933$X%5.234919@pd7tw2no...
    > > I'm really at my wits end.
    > >
    > > RAV online found win32/haher a trojan in my computer.
    > >
    > > Following is the report:
    > > C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
    > > C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
    > > C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected
    > >
    > > RAV is unable to clean the infected files. Their tech support wrote back
    > > to say I need to find some other way to remove it.
    > >
    > > I've run every online scan and quite a few trial version AV programs but
    > > none reported this infection.
    > >
    > > Digital Patrol has haher in their database, but does not catch it in
    > > their scan.
    > >
    > > Why is RAV the only prog to id this trojan? Is it because it "unpacks
    > > executables"?
    > > Are there other programs that would scan inside .exe, too?
    > >
    > > The following page
    > > http://vil.nai.com/vil/content/Print100513.htm gives instructions on how
    > > to remove this virus. It requires manually going into sys config and
    > > MS-DOS, but does not instruct on how.
    > >
    > > What can I do?
    > >
    > > anikya
    > >
    > >
    > >

    I scanned my system32 & am not infected. It could be that RAV is finding a
    piece of the virus that is still left on your machine, & the other progs
    don't care about the piece.

    If you delete it you won't be able to extract, install or clean up your cab
    files. Since it's an Internet Explorer file you could uninstall IE, & then
    reinstall it, or another browser.


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.588 / Virus Database: 372 - Release Date: 2/13/2004
     
    Geese_Hunter, Feb 16, 2004
    #13
