Elusive trojan Haher

anikya

I'm really at my wits' end.

RAV online found win32/haher, a trojan, in my computer.

Following is the report:
C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

RAV is unable to clean the infected files. Their tech support wrote back to
say I need to find some other way to remove it.

I've run every online scan and quite a few trial version AV programs but
none reported this infection.

Digital Patrol has haher in their database, but does not catch it in their
scan.

Why is RAV the only prog to id this trojan? Is it because it "unpacks
executables"?
Are there other programs that would scan inside .exe, too?

The following page
http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
remove this virus. It requires manually going into sys config and MS-DOS,
but does not instruct on how.

What can I do?

anikya
 
DaveOldBlokeBudd

anikya said:
I'm really at my wits' end.

RAV online found win32/haher, a trojan, in my computer.

Following is the report:
C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

Turn off System Restore (properties of MyComputer, C:)
Boot into Safe Mode with Command Prompt (f8 during boot sequence to get
boot options menu)
CD \WINDOWS\SYSTEM32
DEL wextract.exe
CD dllcache
DEL wextract.exe
Re-boot

If it won't let you DEL the files, REN them to some other name instead,
eg REN wextract.exe wextract.xex
 
Phil Da Lick!

anikya said:
I'm really at my wits' end.

RAV online found win32/haher, a trojan, in my computer.

Norton doesn't list this trojan at all. Does anybody know why? Has it got
another name or do they not yet know about it? If they don't how would I go
about checking my pc for it?

Cheers,

Phil.
 
anikya

Just one more question.
I found this info in its "Properties"
name WEXTRACT.EXE
version 6.00.2800.1106 (xpsp1.020828-1920)

Would deleting wextract.exe affect the operating system?
Would I have to replace it with a healthy file?

anikya
 
optikl

anikya said:
Just one more question.
I found this info in its "Properties"
name WEXTRACT.EXE
version 6.00.2800.1106 (xpsp1.020828-1920)

Would deleting wextract.exe affect the operating system?
Would I have to replace it with a healthy file?

anikya
Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
legitimate windows file. I'd submit it (copy) for analysis before you
delete anything. FWIW, I have the same file on my system in
Windows\System32 and Trend Micro finds nothing wrong with it.
Go do an on-line scan at Trend Micro, using HouseCall:
http://www.trendmicro.com/en/home/us/personal.htm
 
FromTheRafters

anikya said:
> I'm really at my wits' end.
>
> RAV online found win32/haher, a trojan, in my computer.

Some online scanners are a little oversensitive (prone to
false positive identification of malware). I suggest getting
second or third opinions from other scanners before trying
to delete things.

....of course, renaming suspect files probably won't hurt,
just remember to make certain the malware isn't allowed
to become active.

If no other scanner picks it up, it is probably a false positive
and RAV would like to know about it so that they can fix
their scanner.

> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected

I don't know for sure, but this seems to me to be a legitimate
application (or utility). The OS seems to want it cached for
some reason.

> C:\System Volume Information\_restore{98BDF40A-19C4-4B43-B477-27F9F90D580A}\RP313\A0056340.exe - Trojan:Win32/Haher -> Infected

This is just a restore point, it should go away when you purge
the restore points.

> RAV is unable to clean the infected files. Their tech support wrote back to
> say I need to find some other way to remove it.

You should be able to delete (or better yet to rename) those
first two items from safe mode (command prompt), but they
may be legitimate.

> I've run every online scan and quite a few trial version AV programs but
> none reported this infection.

Looking more and more like a false positive detection.

> Digital Patrol has haher in their database, but does not catch it in their
> scan.

Hmmm, more and more....

> Why is RAV the only prog to id this trojan? Is it because it "unpacks
> executables"?

From the name, I would think that that file is used to "extract" from
.cab files (or some sort of archive). It might look too much like the
trojan for the online scanner to differentiate between them.

> Are there other programs that would scan inside .exe, too?

....all of them (well, most of them).

An exe can be a runtime unpacker, which malware often uses.
Most, if not all, of the AV scanners support a wide variety of
"unpackers" so that they can look within "packed" executables.

> The following page
> http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> remove this virus. It requires manually going into sys config and MS-DOS,
> but does not instruct on how.

Don't worry too much about it until you confirm that it really
is malware, and not a legitimate OS suite utility.

> What can I do?

Breathe in.....exhale.....breathe in......exhale.... :O)

Submit the file to RAV for further scrutiny and see what they
have to say about it.
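As an added example, not part of the thread: a PowerShell script (it assumes PowerShell is installed, which the XP machine discussed here would not have had by default) that collects the evidence optikl and FromTheRafters suggest gathering before deleting anything: hash, version resource, signature status, and whether the System32 and dllcache copies of wextract.exe match.

```powershell
# Added example, not from the thread. Collects the evidence the posters ask
# for before anything is deleted: hash, version resource, Authenticode status,
# and whether the System32 copy matches the dllcache copy that Windows File
# Protection keeps. Assumes PowerShell is available (the XP system in the
# thread predates it); the paths are the ones RAV reported.

$paths = @(
    "$env:SystemRoot\System32\wextract.exe",
    "$env:SystemRoot\System32\dllcache\wextract.exe"  # present on XP, may not exist on newer Windows
)

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "$p is not present"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    $ver = (Get-Item -LiteralPath $p).VersionInfo
    [pscustomobject]@{
        Path      = $p
        SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Version   = $ver.FileVersion      # thread reports 6.00.2800.1106 (xpsp1.020828-1920)
        Company   = $ver.CompanyName
        SigStatus = $sig.Status           # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$results | Format-List

# How to read the output, from a defender's point of view:
#  - SigStatus 'Valid' with a Microsoft signer: the file is intact and
#    Microsoft's; a detection on it is very likely a false positive.
#  - 'HashMismatch', or a CompanyName that is not Microsoft: the file has been
#    altered or replaced; keep a copy for the vendor and restore it from a
#    known-good source rather than just deleting it.
#  - 'NotSigned' on an old OS can still be a catalog-signed system file that
#    this PowerShell version cannot verify; then compare the hash with a
#    clean machine or the vendor's published value.
if (@($results).Count -eq 2 -and $results[0].SHA256 -ne $results[1].SHA256) {
    Write-Warning "System32 and dllcache copies differ: one of them has been changed."
}
```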
 
anikya

I have sort of exhausted scanning sources, trying all the online scans and
some of the trials.
Since the trojan never turned up in any other scan I was wondering about
oversensitivity, too.
I've written to RAV, but their reply is just generalizations.
Good suggestion - breathe, breathe, breathe....
Thanks.

anikya
 
anikya

optikl said:
Do a Google on wextract.exe. It's quite possible that RAV is FP'ing a
legitimate windows file. I'd submit it (copy) for analysis before you
delete anything. FWIW, I have the same file on my system in
Windows\System32 and Trend Micro finds nothing wrong with it.
Go do an on-line scan at Trend Micro, using HouseCall:
http://www.trendmicro.com/en/home/us/personal.htm


I was wondering whether the wextract file itself got infected... I did
go to HouseCall, found nothing. I'm more and more inclined, after reading
posters' responses, to believe this is a false positive.
anikya
 
optikl

anikya said:
I was wondering whether the wextract file itself got infected... I did
go to HouseCall, found nothing. I'm more and more inclined, after reading
posters' responses, to believe this is a false positive.
anikya

That file all by itself wouldn't get infected. If you had a virus
problem, it wouldn't be confined to just one file. A trojan could
identify itself as a legitimate file and hide (rename) the file it was
replacing. I doubt any of that has happened. RAV has its heuristics
cranked.
 
anikya

optikl said:
That file all by itself wouldn't get infected. If you had a virus
problem, it wouldn't be confined to just one file. A trojan could
identify itself as a legitimate file and hide (rename) the file it was
replacing. I doubt any of that has happened. RAV has its heuristics
cranked.

I'm nearer to solving this mystery because RAV asked me to send them the
suspected file at last. Waiting to see what they say.

anikya
 
anikya

The verdict is out.

RAV very quickly gave me 2 answers:

1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
trojan.

2. "Usually you cannot clean those files, because the whole file contains
the malware, and the solution is to remove the malware (the file) manually.
Before doing this you may have to remove any references to those files from
SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
After a reboot all should be ok."

I'm not sure I should delete/remove a file called wextract.exe in
windows\system32.

Please someone help: go to RAV online and scan your System32 files and see
if they find any Haher in your wextract.exe, too.

anikya
 
Geese_Hunter

anikya said:
The verdict is out.

RAV very quickly gave me 2 answers:

1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
trojan.

2. "Usually you cannot clean those files, because the whole file contains
the malware, and the solution is to remove the malware (the file) manually.
Before doing this you may have to remove any references to those files from
SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
After a reboot all should be ok."

I'm not sure I should delete/remove a file called wextract.exe in
windows\system32.

Please someone help: go to RAV online and scan your System32 files and see
if they find any Haher in your wextract.exe, too.

anikya

I scanned my system32 & am not infected. It could be that RAV is finding a
piece of the virus that is still left on your machine, & the other progs
don't care about the piece.

If you delete it you won't be able to extract, install or clean up your cab
files. Since it's an Internet Explorer file you could uninstall IE, & then
reinstall it, or another browser.
 
