Removing startdrv.exe - trojan backdoor cutwail family virus


Recently we came across a virus on one of our customers' computers. The system was brought in with the complaint that it was running very slowly and that internet access was too slow to be of any use. We scanned the system with AVG and, as expected, found a slew of viruses, which AVG removed successfully after a complete scan. All but one: a file named startdrv.exe located at C:\Windows\Temp\startdrv.exe. AVG could not delete the file, nor could we delete it manually from within Windows.

We then booted the system from an Ubuntu Live CD and deleted C:\Windows\Temp\startdrv.exe. Surprisingly, once we booted back into Windows the file came back again, as if from out of nowhere. After searching on the net we figured out that this was a virus with rootkit functionality. The file was detected as Trojan horse BackDoor.Generic7.QQK. This virus gets loaded into kernel space as a driver and runs an SMTP server on the host PC to send spam mails to the contacts of the logged-on user.

Removing the Virus
1) Boot using an Ubuntu Live CD (or any other bootable OS CD)
2) Delete C:/Windows/temp/startdrv.exe and C:/Windows/system32/runtime2.sys (variants of the virus drop files with different names into the system32 folder)
3) Boot into Windows, open regedit and delete the following keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\runtime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
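As an added example (not part of the original post), the following PowerShell script audits the file and registry indicators listed above from within Windows and, only when run elevated with -Remove, deletes the registry entries for step 3. It assumes the file and key names given in the post; a variant that drops differently named files will need those names adjusted, and the files themselves must still be deleted offline first, since the driver recreates them while Windows runs.

```powershell
# Added example: check (and optionally remove) the startdrv/runtime2 persistence
# entries named in the post. Run elevated. Without -Remove it only reports.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# File indicators from the post (names may differ for variants)
$files = @(
    "$env:SystemRoot\Temp\startdrv.exe",
    "$env:SystemRoot\System32\runtime2.sys"
)

# Registry indicators from the post: a Run value, a driver service key,
# and a SafeBoot entry that lets the driver load even in Safe Mode.
$regItems = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'startdrv' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\runtime2'; Name = $null },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys'; Name = $null }
)

Write-Host '== Files =='
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # Deleting from inside Windows does not work: delete it from the live CD first.
        Write-Warning "Still present: $f (delete it offline before cleaning the registry)"
    } else {
        Write-Host "Absent: $f"
    }
}

Write-Host '== Registry =='
foreach ($r in $regItems) {
    if (-not (Test-Path -LiteralPath $r.Path)) { Write-Host "Absent: $($r.Path)"; continue }
    if ($r.Name) {
        # Run entry: a value under the Run key, not a key of its own
        $prop = Get-ItemProperty -LiteralPath $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        if (-not $prop) { Write-Host "Absent: $($r.Path)\$($r.Name)"; continue }
        Write-Warning "Found: $($r.Path)\$($r.Name) = $($prop.$($r.Name))"
        if ($Remove -and $PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $r.Path -Name $r.Name
        }
    } else {
        Write-Warning "Found: $($r.Path)"
        if ($Remove -and $PSCmdlet.ShouldProcess($r.Path, 'Remove key')) {
            Remove-Item -LiteralPath $r.Path -Recurse
        }
    }
}
```

Run it once without -Remove to confirm the files are gone before deleting the keys; a second run after a reboot should report everything absent.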

See http://ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=62470
for more details about the Cutwail family of viruses.