Old 01-21-2005, 05:20 PM   #1 (permalink)
Newb Techie
 
Join Date: Jan 2005
Posts: 3
Difficult virus!

Hi All,

I have a Windows 2000 server running Symantec Corp Edition 8.0. The daily scan picked up a backdoor.trojan in a file named userbin.dll. The anti-virus won't clean, quarantine or delete the file. It also doesn't tell me much about it.

I've tried running a bootable McAfee Virusscan CDROM with the latest defs and same thing, won't get rid of it.

I ran an online scan using www.ravantivirus.com. However, this scan found the little known win32/sfind virus in scan.exe...but it didn't find the virus in userbin.dll. Similarly, the Symantec product can find the backdoor.trojan in userbin.dll, but not the win32/sfind in scan.exe....weird!!

I've searched the Internet high and low for anything that might give me a lead with the userbin.dll file, but I haven't found anything. Similarly, win32/sfind isn't very common and there's not much out there on that one either.

Lastly, used pandavirus online and Panda does not find ANY viruses. Ok, someone please tell me that I am not losing my mind. Any and all suggestions will be greatly appreciated.

Patrick
oreganp is offline  
Old 01-21-2005, 06:22 PM   #2 (permalink)
True Techie
 
Join Date: May 2003
Posts: 221

What you need to know is the path to the userbin.dll file. It should have been reported by Norton.
Now set the system to show hidden files and folders as per http://www.spyware911.net/showhiddenfiles.htm

Then open Windows Explorer, find, copy and paste the dll to the desktop. Zip it up with winzip or winrar then email it to me here moboATspyware911.net

I can have it analyzed and get back to you.
mobo is offline  
Old 01-25-2005, 07:16 AM   #3 (permalink)
Multicellular Eukaryote
 
Join Date: Jun 2003
Location: Melbourne, Australia
Posts: 12,878

After you email him the .dll, you might be able to delete it by using a bootable Linux CD (Windows viruses don't affect Linux).
You can use a bootable Linux CD to do a lot of repair work.
Although if your hard drive is NTFS, getting it to write to NTFS can be difficult at first.
__________________

1 + 1 = 3 if you define 3 as a result of 1 + 1
Apokalipse is offline  
Old 01-25-2005, 08:04 AM   #4 (permalink)
Newb Techie
 
Join Date: Jan 2005
Posts: 3
Unable to copy userbin.dll

Well, I'm not exactly sure what the userbin.dll file is used for, and perhaps I should install HiJack, but I am unable to copy the file to submit.

Any suggestions?
oreganp is offline  
Old 01-25-2005, 08:26 AM   #5 (permalink)
Monster Techie
 
Join Date: Nov 2004
Posts: 1,346

Since you can't email the dll file, try running HiJack This. Liz
southernlady is offline  
Old 01-27-2005, 09:59 AM   #6 (permalink)
Newb Techie
 
Join Date: Jan 2005
Posts: 3

Folks, thanks for all the replies. In the end, it was a new variant of a virus, discovered on 19 January. The virus was called backdoor-AZF.dll. I've since removed the virus from my server. Thanks again for your comments and response!!
oreganp is offline  
 

All times are GMT -5.