“Hi, I think my computer has a virus.”
“Yeah, Windows doesn’t load properly, I get my wallpaper, but there’s no icons and no taskbar, and I get an error message saying-”
“Userinit.exe failed to initialize, 0xc0000005?”
“Yep. Seen it a lot lately. Bring it in.”
It’s a new strain of the Virtumonde or Vundo virus, or whatever it’s calling itself these days. We’ve seen about nine machines come into the shop with it in the last 3 days or so, and it’s recent enough that none of the usual tools are seeing it. Not even the venerable NOD32 (Australian site) seems to know about it yet.
I fought it to a standstill by scanning with everything – and then there was one last little file that none of them could see that caused the above situation. It was c:\windows\__c00f220b.dat and to get rid of it without using a DOS or Live boot disc I needed killbox.
Update: 16th August
Here’s a screenshot of c:\windows\system32 in explorer, with all the files you should delete selected:
Things to note:
- Sort the folder by date modified, and show in detail view like the screenshot. The infected files will be about 80% of the first page of most recently modified files here.
- Except for the .dat file (__c004379C.dat), the filenames are completely random, up to eight characters long and only A-Z; mostly lower case, but sometimes there’s a few uppercase letters too. Easily recognisable because they’re unpronounceable (very few vowels), but if you say it in your head and it sounds like it could be an abbreviation, google it first.
- It’s mostly .dll files, with a few .exe files thrown in for good measure (as well as the .dat file). I have also seen some .ini and .ini2 files, which are instantly recognisable – try opening them in notepad and you’ll just see garbage, because they’re actually binary files (not human-readable text files like inis are meant to be).
- This is the folder where Windows stores its most important files. Randomly deleting stuff from here is a bad, bad idea and could lead to a reinstall whether you like it or not. If in doubt, find someone more familiar with computers, offer them a beer or something, and get them to do it for you.
Update: 22nd July
I’ve seen Combofix take care of this virus all by itself, in one shot. From the walkthrough on that page it looks like there are a few more steps than what I’ve written out below, but it doesn’t make it as easy to screw up and delete the wrong files as with my method.
Update: 23rd June 2008
Some facts we’ve gathered:
- It doesn’t appear to spread via USB thumbdrives, or over the network. We still aren’t sure what causes it, but recently installing some pirated software seems to be a common theme so far.
- Once you’ve logged in, it will deliberately crash processes using rundll32.exe. userinit.exe is the most obvious, but it means you can’t run Add/Remove Programs or a command prompt window.
- It will also crash the installers for some antivirus/antispyware programs, including NOD32 2.7.
- NOD32 version 3 detects the .dat file as trojan.NZG. VundoFix doesn’t detect it at all.
You can still log into your machine and keep using it by doing the following:
- Start the machine. When the userinit.exe error message pops up, hit OK twice (two error messages), and hit Ctrl+Alt+Delete to load the Task Manager.
- Click on File -> Run…, type “explorer” and hit OK. The taskbar and desktop icons should now load, as will about eight “could not initialize properly” messages about Rundll32.exe. Click OK on each of these.
The following seems to be a pretty foolproof way to kill the virus. You’ll need Spybot Search & Destroy (remember www.safer-networking.org is the genuine address if you have to google it later) and Killbox.
- Install Spybot. Fully update it, may as well immunize with it, then run a scan. It should pick up and remove several Virtumonde infections. Don’t reboot yet.
- Run Killbox, and use it to remove all the __C00????.dat files in c:/windows/system32/ (there may be only one; I’ve seen five at once before). You will have to set them to delete on reboot as they’re actually still running. Don’t reboot until you’ve killboxed all of them.
- Reboot. Your computer will probably still be infected, but you’ll now be able to log in without manually running Explorer. I strongly recommend you download NOD 3 and run a full scan with it.