news from the frontlines: the userinit virus (updated 16-8-08)

(phone rings)
“Hi, I think my computer has a virus.”
“Yeah?”
“Yeah, Windows doesn’t load properly, I get my wallpaper, but there’s no icons and no taskbar, and I get an error message saying-”
“Userinit.exe failed to initialize, 0xc0000005?”
“…Yes…”
“Yep. Seen it a lot lately. Bring it in.”

It’s a new strain of the Virtumonde or Vundo virus, or whatever it’s calling itself these days. We’ve seen about nine machines come into the shop with it in the last 3 days or so, and it’s recent enough that none of the usual tools are seeing it. Not even the venerable NOD32 (Australian site) seems to know about it yet.

I fought it to a standstill by scanning with everything – and then there was one last little file that none of them could see that caused the above situation. It was c:\windows\__c00f220b.dat and to get rid of it without using a DOS or Live boot disc I needed killbox.

Update: 16th August

Here’s a screenshot of c:\windows\system32 in explorer, with all the files you should delete selected:

Things to note:

  • Sort the folder by date modified, and show in detail view like the screenshot. The infected files will be about 80% of the first page of most recently modified files here.
  • Except for the .dat file (__c004379C.dat), the filenames are completely random: up to eight characters long and only A-Z, mostly lower case, but sometimes with a few uppercase letters too. They’re easily recognisable because they’re unpronounceable (very few vowels), but if you say one in your head and it sounds like it could be an abbreviation, google it first.
  • It’s mostly .dll files, with a few .exe files thrown in for good measure (as well as the .dat file). I have also seen some .ini and .ini2 files, which are instantly recognisable: try opening them in notepad and you’ll just see garbage, because they’re actually binary files (not the human-readable text files that .inis are meant to be).
  • This is the folder where Windows stores its most important files. Randomly deleting stuff from here is a bad, bad idea and could lead to a reinstall whether you like it or not. If in doubt, find someone more familiar with computers, offer them a beer or something, and get them to do it for you.
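The rules in the list above (sort by date modified, short all-letter names with almost no vowels, the __c00….dat marker, .ini files that are really binary) can be turned into a triage script so you get a list of names to look up instead of eyeballing Explorer. The script below is an added example, not anything from the original post; the vowel threshold, the baseline allowlist and the sample listing are my own assumptions. Anything it flags is a candidate to look up, not a file to delete on sight: the sample deliberately includes a genuine system file that trips the vowel rule, which is exactly why the post says to google a name first.

```python
"""Triage helper (added example, not from the original post): list the most
recently modified files in a folder and flag the ones that look like the
dropped files described above. A flag means "look this name up", not "delete".
"""
import os
import re
import string

# File extensions the post says the infection drops into system32.
SUSPECT_EXTS = {".dll", ".exe", ".dat", ".ini", ".ini2"}
# The marker file: two underscores then eight hex digits, e.g. __c00f220b.dat
# and __c004379C.dat from the post.
MARKER_RE = re.compile(r"^__[0-9a-f]{8}\.dat$", re.IGNORECASE)
# "up to eight characters long and only A-Z"
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{1,8}$")
VOWELS = set("aeiouAEIOU")
# Bytes a genuine ANSI .ini file is allowed to contain.
TEXT_BYTES = set(string.printable.encode("ascii"))


def vowel_ratio(stem):
    """Fraction of the stem's letters that are vowels (0.0 if no letters)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(name, max_vowel_ratio=0.2):
    """True for short all-letter stems with almost no vowels, e.g. kqjxwrp.dll.
    The 0.2 threshold is an assumption; legitimate names such as ntoskrnl.exe
    also trip it, so a hit means 'look it up', not 'delete'."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in SUSPECT_EXTS:
        return False
    return bool(RANDOM_STEM_RE.match(stem)) and vowel_ratio(stem) <= max_vowel_ratio


def is_binary_ini(name, head):
    """The post notes the dropped .ini/.ini2 files are binary; a real .ini is
    text (ANSI, or UTF-16 starting with a byte-order mark)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in (".ini", ".ini2"):
        return False
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):
        return False  # UTF-16 text, not binary
    return any(b not in TEXT_BYTES for b in head)


def triage(entries, baseline=frozenset(), newest=40):
    """entries: iterable of (name, mtime_seconds, first_bytes).
    baseline: lower-case names from a known-clean machine, never flagged.
    Returns [(name, reason), ...] for the `newest` most recently modified
    entries, in the order Explorer's date-modified sort shows them."""
    recent = sorted(entries, key=lambda e: e[1], reverse=True)[:newest]
    flagged = []
    for name, _mtime, head in recent:
        if name.lower() in baseline:
            continue
        if MARKER_RE.match(name):
            flagged.append((name, "matches __c00????.dat marker"))
        elif is_binary_ini(name, head):
            flagged.append((name, ".ini that is not text"))
        elif looks_random(name):
            flagged.append((name, "random-looking name, look it up first"))
    return flagged


def scan_directory(path, baseline=frozenset(), newest=40):
    """Run triage over a real folder, reading the first 64 bytes of each file."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            if not d.is_file():
                continue
            try:
                with open(d.path, "rb") as f:
                    head = f.read(64)
            except OSError:
                head = b""
            entries.append((d.name, d.stat().st_mtime, head))
    return triage(entries, baseline, newest)


# Constructed sample listing (not real data): a few genuine system32 names
# next to names shaped like the ones the post describes.
NOW = 1_218_800_000  # mid-August 2008, epoch seconds
SAMPLE = [
    ("kernel32.dll", NOW - 86400 * 400, b"MZ\x90\x00"),
    ("ntoskrnl.exe", NOW - 86400 * 400, b"MZ\x90\x00"),
    ("desktop.ini", NOW - 86400 * 30, b"[.ShellClassInfo]\r\n"),
    ("__c004379C.dat", NOW - 600, b"\x00\x01\x02\x03"),
    ("kqjxwrp.dll", NOW - 500, b"MZ\x90\x00"),
    ("zxRTmkpb.exe", NOW - 400, b"MZ\x90\x00"),
    ("bwdkp.ini2", NOW - 300, b"\x8f\x00\x13\xff"),
]

if __name__ == "__main__":
    import sys
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE)
    for name, reason in hits:
        print(f"{name:20s} {reason}")
```

Run it with a folder path (for example the system32 folder) to triage a real listing, or with no argument to see the constructed sample. Feeding a `baseline` built from a clean install of the same Windows version is the cheapest way to stop core files like ntoskrnl.exe showing up in the output.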

Update: 22nd July

I’ve seen Combofix take care of this virus all by itself, in one shot. From the walkthrough on that page it looks like there are a few more steps than what I’ve written out below, but it doesn’t make it as easy to screw up and delete the wrong files as my method does.

Update: 23rd June 2008

Some facts we’ve gathered:

  • It doesn’t appear to spread via USB thumbdrives, or over the network. We still aren’t sure what causes it, but recently installing some pirated software seems to be a common theme so far.
  • Once you’ve logged in, it will deliberately crash processes using rundll32.exe. userinit.exe is the most obvious, but it means you can’t run Add/Remove Programs or a command prompt window.
  • It will also crash the installers for some antivirus/antispyware programs, including NOD32 2.7.
  • NOD32 version 3 detects the .dat file as trojan.NZG. VundoFix doesn’t detect it at all.

You can still log into your machine and keep using it by doing the following:

  1. Start the machine. When the userinit.exe error message pops up, hit OK twice (two error messages), and hit Ctrl+Alt+Delete to load the Task Manager.
  2. Click on File -> Run…, type “explorer” and hit OK. The taskbar and desktop icons should now load, as will about eight “could not initialize properly” messages about Rundll32.exe. Click OK on each of these.

The following seems to be a pretty foolproof way to kill the virus. You’ll need Spybot Search & Destroy (remember www.safer-networking.org is the genuine address if you have to google it later) and Killbox.

  1. Install Spybot. Fully update it, may as well immunize with it, then run a scan. It should pick up and remove several Virtumonde infections. Don’t reboot yet.
  2. Run Killbox, and use it to remove all the __C00????.dat files in c:\windows\system32\ (there may be only one; I’ve seen five at once before). You will have to set them to delete on reboot as they’re actually still running. Don’t reboot until you’ve killboxed all of them.
  3. Reboot. Your computer will probably still be infected, but you’ll now be able to log in without manually running Explorer. I strongly recommend you download NOD 3 and run a full scan with it.
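Step 2 hinges on every marker file being queued for deletion before you reboot. Assuming Killbox uses the standard Windows mechanism for this (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which writes the job into the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), you can check the queue instead of trusting your memory. The script below is an added example, not part of the post or of Killbox; the registry value format it parses (pairs of strings, empty destination means delete, a leading “!” means replace) is the documented MoveFileEx convention, and the sample queue and marker paths are constructed.

```python
"""Added example (not from the original post): verify that every __c00*.dat
marker file is queued for delete-on-reboot before you actually reboot."""
import fnmatch
import os
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def strip_nt_prefix(path):
    """MoveFileEx stores paths in NT form, e.g. \\??\\C:\\WINDOWS\\x.dat."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending(values):
    """values: the REG_MULTI_SZ strings, stored as (source, destination) pairs.
    Empty destination = delete source at boot; destination starting with '!'
    = rename over an existing file. Returns (deletes, renames)."""
    values = list(values)
    if len(values) % 2:          # tolerate a dangling source with no pair
        values.append("")
    deletes, renames = [], []
    for src, dst in zip(values[0::2], values[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            deletes.append(src)
        else:
            renames.append((src, strip_nt_prefix(dst.lstrip("!"))))
    return deletes, renames


def unqueued(marker_files, values):
    """Marker files that are NOT yet scheduled for deletion (case-insensitive)."""
    deletes = {p.lower() for p in parse_pending(values)[0]}
    return [f for f in marker_files if f.lower() not in deletes]


def read_pending_from_registry():
    """Windows only: read the live value; [] if nothing is queued."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


def find_markers(system32):
    """Full paths of __c00*.dat files in the given folder."""
    return [os.path.join(system32, n)
            for n in fnmatch.filter(os.listdir(system32), "__c00*.dat")]


# Constructed sample (not real data): one marker queued, one forgotten, plus an
# unrelated replace-on-reboot entry so the pairing logic is exercised.
MARKERS = [r"C:\WINDOWS\system32\__c00f220b.dat",
           r"C:\WINDOWS\system32\__c004379C.dat"]
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\system32\__c00f220b.dat", "",
    r"\??\C:\WINDOWS\Temp\setup.tmp", r"!\??\C:\WINDOWS\system32\msvcrt.dll",
]

if __name__ == "__main__":
    if sys.platform == "win32":
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
        markers, pending = find_markers(sysdir), read_pending_from_registry()
    else:
        markers, pending = MARKERS, SAMPLE_PENDING
    left = unqueued(markers, pending)
    print("still to queue:" if left else "all markers queued, safe to reboot")
    for f in left:
        print("  " + f)
```

On the infected machine, run it (as an administrator) after each Killbox pass; it reports “all markers queued” only when every __c00*.dat in system32 has a delete entry in the registry value, which is the condition the post’s “don’t reboot until you’ve killboxed all of them” is really asking for.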

14 Responses to “news from the frontlines: the userinit virus (updated 16-8-08)”

  1. Virtumonde Removal Guides says:

    Killbox and spybot are great tools for being free. Spyware doctor also does remove this threat. At least it has the last few times I have used it on a computer infected with Virtumonde. A good tip for everyone out there: use the system restore feature first. Go back to when you were not infected. Then boot into safe mode and run the free Spybot and the vundofix.exe program. Re-boot and you should be good to go. Killbox as mentioned above can help out big time as well.

  2. Virtumonde says:

    I have been fighting the virtumonde strain out in the field for years now. It would not be all that bad if the damn thing did not change all the time. combofix, Vundofix, spybot, ad-aware and avast are some free based programs that help to remove this threat.

  3. VundoRemover says:

    I needed to get a real vundo infection for testing purposes. It took me less than fifteen minutes of googling, downloading and installing a piece of software that contained embedded code of Trojan Vundo. It’s no surprise McAfee VirusScan showed no signs of infection – yet errors started popping up, one of them being a software.php file which Windows was unable to open (that’s natural – I don’t have a Win32 PHP parser installed). Just curious what Vundo can make if it executes PHP code?.. Also, the parasite quickly created a folder in Program files, settled in a restore point, placed autorun entries in the registry, etc. No wonder this is a hard-to-remove trojan.

  4. Dan says:

    I’ve tried following your instructions down to the letter but couldn’t get it working…and it’s getting very frustrating…I’ve run spybot, removed virtumonde infections but I haven’t run killbox because I couldn’t locate any _C00*.dat files…any suggestions?

    I’m still able to log on with the “explorer” workaround and spybot has not picked up anything since…. but I still cannot log in without the errors and the workaround…

    any help would be great… thanks

  5. Chris Tore Johansen says:

    I do not understand this: remove all the __C00????.dat files in c:/windows/system32/…..I can not find any files there matching your description…

    This is a list of all of my .dat-files in that directory:

    atiicdxx.dat
    dssec.dat
    emptyregdb.dat
    FNTCACHE.DAT
    ieapfltr.dat
    mlang.dat
    mlfcache.dat
    noise.dat
    perfc009.dat
    perfd009.dat
    perfh009.dat
    perfi009.dat

    I have just downloaded, installed and run Spybot S&D, and the virus is still there…I have installed Killbox as well, but I do not know which files to use it on…

    Please help.

  6. Tom Stephenson says:

    I had the same problem with a customer’s machine…. He brought it to me with popups and problems. I ran spybot and it identified the Virtumonde and vundo malware. I worked on it for a while and was able to remove them with a bit of playing around…. not sure what I did, they kept coming back after deletion. After removal and nothing showing in Spybot scans I had dialog boxes at startup saying Userinit failed to initialize (two of them) followed by a number of dialog boxes relating to rundll not initializing. Just a blank screen at startup. I had to run explorer.exe from the task manager.

    I used a piece of software called Malwarebytes from http://malwarebytes.org. It picked up a pile more infections than Spybot, Trend Micro Housecall, and Avast did after multiple scans. It also cleaned everything up with a click and I no longer get the dialog boxes. Hope this helps someone that has become a bit frustrated with this problem.

  7. tim says:

    Hey guys,

    I can’t remember for sure now, but the .dat files might be hidden.

    I actually haven’t seen this virus at work in at least a month now, so I think the major AV programs all know how to deal with it now. The best I can recommend is to try ComboFix, or NOD32.

    If you still can’t get rid of it, ring around your local PC stores and see who’ll fix it for you for the least 😉

  8. ben says:

    I work with tim. My usual process is to boot into a Bart-PE environment, delete all the new .sys, .dll and .dat files created in sys32, then jump into safe-mode and run the following:
      • BDC Commandline/Portable
      • NOD32
      • Spybot
      • Spyware Doctor
      • Superantispyware
    Then a bit of a cleanup and update + defrag and that’s usually enough.

  9. Freddo says:

    I got one… Thanks for telling me how to kill it. But it is still blocking Google.

  10. Freddo says:

    Oh yeah, and it is still giving me pop ups and crap.

  11. tim says:

    Freddo: Sounds like you’ve got more adware to clean up. As far as I know, the userinit virus just seems to make it impossible to log in without ctrl+alt+del and manually starting explorer.

    Check out Spybot or SuperAntiSpyware above. They’re both free, and excellent – we use them in the shop to do some of our cleaning.

  12. Joseph Sykes says:

    Thanks to Tom Stephenson for the tip to http://malwarebytes.org. Installed and ran it and it fixed all my __c000***.dat trojan problems.

  13. Virtumondeo says:

    I think Virtumonde virus showed how actually vulnerable and imperfect popular antivirus suites are. People bundle their computers with loads of security programs only to find out that virtumonde feels just great in their protected systems.
    At Yahoo Answers it’s often recommended to install a dozen of all kinds of malware removers. Takes quite some time, but not always helps to clean out the pest.
    Quite unexpectedly, the best virtumonde removal tools so far are free and don’t need installation. Apart from the popular VundoFix, a-squared offers a command-line scanner that works well in Safe Mode.

  14. Megan Alper says:

    Good that you shared that info. I’m sick of my infected pc.