Re: Elusive trojan Haher - RAV replies
From: anikya (anikya_at_faked_anikya.com)
Date: Mon, 16 Feb 2004 10:04:51 GMT
The verdict is out.
RAV very quickly gave me 2 answers:
1. "The file is infected with Trojan:Win32/Haher." Yes, they call it a
2. "Usually you cannot clean those files, because the whole file contains
the malware, and the solution is to remove the malware (the file) manually.
Before doing this you may have to remove any references to those files from
SYSTEM.INI file (this file is in your Windows directory, i.e. C:\WINDOWS).
After a reboot all should be ok."
I'm not sure I should delete/remove a file called wextract.exe in
Please someone help: go to RAV online and scan your System32 files and see
if they find any Haher in your wextract.exe, too.
"anikya" <anikya@faked_anikya.com> wrote in message
> I'm really at my wits end.
> RAV online found win32/haher a trojan in my computer.
> Following is the report:
> C:\WINDOWS\SYSTEM32\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\WINDOWS\SYSTEM32\dllcache\wextract.exe - Trojan:Win32/Haher -> Infected
> C:\System Volume
> e - Trojan:Win32/Haher -> Infected
> RAV is unable to clean the infected files. Their tech support wrote back to
> say I need to find some other way to remove it.
> I've run every online scan and quite a few trial version AV programs but
> none reported this infection.
> Digital Patrol has haher in their database, but does not catch it in their
> Why is RAV the only prog to id this trojan? Is it because it "unpacks
> Are there other programs that would scan inside .exe, too?
> The following page
> http://vil.nai.com/vil/content/Print100513.htm gives instructions on how to
> remove this virus. It requires manually going into sys config and MS-DOS,
> but does not instruct on how.
> What can I do?