Friday, December 21, 2007

Startdrv.exe removed

Removing startdrv.exe - Cutwail-family backdoor trojan
November 18, 2007 - 23:18 — webmaster

Recently we came across a virus on one of our customers' computers. The system was brought in with the complaint that it was running very slowly and that internet access was too slow to be of any use. We scanned the system with AVG and, as expected, found a slew of viruses, which AVG removed successfully after a complete scan. All but one: a file named startdrv.exe located at C:\Windows\Temp\startdrv.exe. AVG could not delete the file, and neither could we delete it manually from Windows.

We then booted the system from an Ubuntu Live CD and deleted C:\Windows\Temp\startdrv.exe. Surprisingly, once we booted back into Windows the file came back as if from nowhere. After searching on the net we figured out that this was a virus with rootkit functionality. AVG detected the file as Trojan horse BackDoor.Generic7.QQK. The malware loads into kernel space as a driver (which is why the file reappears after it is deleted from within Windows) and runs an SMTP server on the host PC to send spam mail to contacts of the logged-on user.

Removing the Virus
1) Boot from an Ubuntu Live CD (or any other bootable OS CD), so that the driver is not loaded.
2) Delete C:\Windows\Temp\startdrv.exe and C:\Windows\system32\runtime2.sys (variants of the virus drop a driver file with a different name into the system32 folder).
3) Boot into Windows, open regedit and delete the keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\runtime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
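As an added example (not part of the original post or its author's procedure), the following PowerShell script does the Windows-side half of the job: it reports every persistence point listed in step 3, deletes the registry entries when run with -Remove, and checks whether the dropped files are still present. It assumes that the service name and the .sys file share a base name (true of both variants reported on this page, runtime2/runtime2.sys and ctl_w32/ctl_w32.sys), that it is run from an elevated PowerShell, and that steps 1 and 2 have already been carried out; the driver name is a parameter so the ctl_w32 variant can be handled with the same script.

```powershell
<#
  Added example, not from the original post: check and (optionally) remove the
  registry persistence of the startdrv.exe / Cutwail infection described above.
  Run from an elevated PowerShell AFTER deleting the files from the live CD;
  while the driver is loaded the files come back and this script only reports.
  Assumptions (not stated by the post): service name and .sys share a base name
  (runtime2 / runtime2.sys, ctl_w32 / ctl_w32.sys), and the caller is an admin.
#>
param(
    [string]$DriverName = 'runtime2',  # use 'ctl_w32' for the variant in the reply
    [switch]$Remove                    # without -Remove the script only reports
)

# Persistence points named in the post, as registry-provider paths
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
$safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$DriverName.sys"
$files       = @("$env:SystemRoot\Temp\startdrv.exe",
                 "$env:SystemRoot\system32\$DriverName.sys")

# 1. Is the kernel driver still registered? If so, registry cleanup will not stick.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
if ($drv) {
    Write-Host "WARNING: driver '$DriverName' is registered (state: $($drv.State)); delete its .sys offline first"
}

# 2. The Run value 'startdrv' that restarts the user-mode component at logon
$run = Get-ItemProperty -Path $runKey -Name startdrv -ErrorAction SilentlyContinue
if ($run) {
    Write-Host "FOUND Run value startdrv = $($run.startdrv)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name startdrv; Write-Host '  removed' }
} else {
    Write-Host 'clean: Run value startdrv absent'
}

# 3. Service key and SafeBoot\Minimal entry (the latter makes the driver load even in Safe Mode)
foreach ($key in @($serviceKey, $safeBootKey)) {
    if (Test-Path -Path $key) {
        $msg = "FOUND key $key"
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $msg += " (ImagePath = $img)" }   # tells you which .sys this variant dropped
        Write-Host $msg
        if ($Remove) { Remove-Item -Path $key -Recurse -Force; Write-Host '  removed' }
    } else {
        Write-Host "clean: key $key absent"
    }
}

# 4. Dropped files are only reported, never deleted here: the post found they cannot
#    be removed from inside Windows and reappear while the driver is running.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "FOUND file $f -- delete it from the live CD (step 2), then rerun this script"
    } else {
        Write-Host "clean: file $f absent"
    }
}
```

Run it once without -Remove to see what is present; if the Services key exists but the expected .sys name does not match, its ImagePath value names the driver file the variant actually dropped, which is the file to delete in step 2. Only when all file checks report clean should -Remove be used, otherwise the driver recreates what was removed.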

Startdrv.exe removed

I removed startdrv.exe using the method in the first post; the only difference is that the runtime2.sys file did not exist. The file I found is ctl_w32.sys and the keys are
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys
