Recently we came across a virus on one of our customers' computers. The system was brought in with the complaint that it was running very slowly and that internet access was too slow to be of any use. We scanned the system with AVG and, as expected, found a slew of viruses, which AVG removed successfully after a complete scan. All but one: a file named startdrv.exe located at C:\Windows\Temp\startdrv.exe. AVG could not delete the file, and neither could we delete it manually from within Windows.
We then booted the system from an Ubuntu Live CD and deleted C:\Windows\Temp\startdrv.exe. Surprisingly, once we booted back into Windows the file came back again, as if from out of nowhere. After searching on the net we figured out that this was a virus with rootkit functionality. The file was detected as the Trojan horse BackDoor.Generic7.QQK virus. This virus gets loaded into kernel space as a driver and runs an SMTP server on the host PC to send spam mails to the contacts of the logged-on user.
Removing the Virus
1) Boot using an Ubuntu Live CD (or any other bootable OS CD)
2) Delete C:\Windows\Temp\startdrv.exe and C:\Windows\system32\runtime2.sys (variants of the virus drop files with different names into the system32 folder)
3) Boot into Windows, open regedit and delete the following keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\runtime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
See http://ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=62470 for more details about the Cutwail family of viruses.
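As an added example (not code from the original post), the following PowerShell script reports which of the indicators named in the steps above are still present after the reboot in step 3; it assumes Windows is installed under $env:SystemRoot and that the driver is the runtime2 variant.

```powershell
# Added example, not part of the original post: report which of the
# indicators named in the removal steps are still present. Run from an
# elevated PowerShell prompt after the reboot in step 3.
$files = @(
    (Join-Path $env:SystemRoot 'Temp\startdrv.exe'),
    (Join-Path $env:SystemRoot 'System32\runtime2.sys')
)
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$subKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\runtime2',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys'
)
$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += ("FILE  {0}  (modified {1}, {2} bytes)" -f $f, $item.LastWriteTime, $item.Length)
    }
}

# 'startdrv' under Run is a value, not a subkey, so read the property by name.
$run = Get-ItemProperty -Path $runKey -Name 'startdrv' -ErrorAction SilentlyContinue
if ($run) { $findings += ("RUN   startdrv = {0}" -f $run.startdrv) }

foreach ($k in $subKeys) {
    if (Test-Path -LiteralPath $k) { $findings += ("KEY   {0}" -f $k) }
}

# Kernel drivers are not listed by Get-Service; query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'runtime2'"
if ($drv) { $findings += ("DRV   runtime2 is {0} (path {1})" -f $drv.State, $drv.PathName) }

if ($findings.Count -eq 0) {
    Write-Output 'No startdrv.exe / runtime2 indicators found.'
} else {
    Write-Output 'Indicators still present:'
    $findings | ForEach-Object { Write-Output ("  " + $_) }
}
```

Because the driver can hide its own files while loaded, an empty result from inside the infected Windows is only meaningful after the offline deletion and the registry cleanup; for a variant, substitute the driver name you found (one commenter below reports ctl_w32.sys) for runtime2.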
Comments
What worked
SUPERAntiSpyware finally removed it - and it was the ONLY thing that could remove it. SpyHunter 3.x couldn't do it.
Thanks for some great advice
Thanks for some great advice on getting a nasty virus off of one of my computers. It worked great!!
Easier Solution...
After tearing my hair out for the past two days trying to get my Ubuntu live CD version 5.something and 6.06 (since those seem to be the only versions capable of having live CDs), I just inserted my Windows XP operating system CD and was able to avoid all the Ubuntu crap. Then I just typed in R for repair when instructed and selected #3, the Windows one.
Now I guess you need to be somewhat familiar with DOS commands, but all you have to do once you are logged into C:\WINDOWS (or, in someone else's case, the directory that they have Windows installed in; oh yeah, and I hope you know the administrator's password or you can't do this) is type in what they have in the original post for what you need to delete:
delete C:\Windows\system32\drivers\runtime2.sys (and yes, you need to type in "delete" with a space after it)
delete C:\Windows\temp\startdrv
Now follow the rest of their advice... conveniently recopied so you don't even have to scroll back up...
3) Boot into Windows, open regedit and delete the keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\runtime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
Reboot to verify and you should at least be rid of that virus. Hope this saves someone else the headache and time lost that it did me.
FYI: I was running Windows XP on an HP AMD64 machine. Not sure, but I was also having a problem with sulimo.dat; not sure if related.
Cheers
Yeah this way worked for me, but I also read the below comments before bouncing the machine so I got the right sys file.
In my case it was the runtime.
What a bitch of a process to get rid of it...
If I find the bastard, I'll hold him down... and one of you can polish him off!! :)
Can't get rid of virus
I am still trying to get rid of this startdrv.exe virus, but I can't delete the files when I boot with Ubuntu Live.
It seems that deleting and writing to the hard disk is impossible. Can someone say why, and how do I solve this problem?
Thanks
Ubuntu version problem
The file system of your drive must be NTFS. That is the reason why you cannot do anything on that drive.
Which version of Ubuntu are you using? The latest one, i.e. Ubuntu 7.10, by default supports read/write access to NTFS hard drives.
Joju Joshua
Team Zyxware
no runtime2.sys and regedit keys
Hi! I tried the method you suggested, but I didn't find any runtime2.sys files in system32. You mentioned that variants of the virus put files with different names in, so can you name any other possible filenames they might use? (I don't tinker around with the system32 folder very much, so I'm not familiar with what's supposed to be there and what's not).
Also, none of the three regedit keys were there. (But startdrv still is.)
Thanks so much!
Startdrv.exe removed
I removed startdrv.exe using the method in the first post; the only difference is that the runtime2.sys file did not exist. The file I found is ctl_w32.sys and the keys are
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv
HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys
Good luck ,
Berch.
Thanks so much!
Easy way to find viral files
Hi Sarah,
There is another way to check it. Go to the system32 folder and sort files by date modified, descending. You should see a set of newly created files including a .sys file and a few image and html files. These would most probably have the same 'last modified date'. These files are used to build the content of the spam emails that will be sent by the mail server set up by startdrv.exe. Once you shortlist the possible culprits, perform a Google search with the file names and see which is the real culprit. Also, the file would have corresponding entries in the registry at the following keys
HKLM\SYSTEM\CurrentControlSet\Services\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
Do get back in touch if you need any further help.
Cheers
Anoop John
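The timestamp-cluster heuristic described in the comment above, as an added example that is not part of the comment or the original post: it lists the most recently modified files in System32, groups those modified within a short window of each other, and for each .sys in a group that also contains image or HTML files, checks for a matching Services key and SafeBoot\Minimal entry. The number of files inspected, the window size and the extension list are assumptions.

```powershell
# Added example (not from the original post): flag a driver dropped into
# System32 together with image/html files at the same time, then check for
# the registry entries the comment above says should accompany it.
param(
    [int]$Newest = 40,           # assumption: how many newest files to inspect
    [int]$ClusterSeconds = 120   # assumption: files this close in time form one group
)
$sys32  = Join-Path $env:SystemRoot 'System32'
$recent = Get-ChildItem -LiteralPath $sys32 -File -Force |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First $Newest

# Walk newest to oldest and split into groups wherever the gap exceeds the window.
$groups = @(); $current = @()
foreach ($f in $recent) {
    if ($current.Count -gt 0 -and
        ($current[-1].LastWriteTime - $f.LastWriteTime).TotalSeconds -gt $ClusterSeconds) {
        $groups += ,$current; $current = @()
    }
    $current += $f
}
if ($current.Count -gt 0) { $groups += ,$current }

foreach ($g in $groups) {
    # The pattern of interest: a .sys alongside the material used to build spam mails.
    $drivers = @($g | Where-Object Extension -eq '.sys')
    $payload = @($g | Where-Object { $_.Extension -in '.htm', '.html', '.gif', '.jpg', '.png' })
    if ($drivers.Count -eq 0 -or $payload.Count -eq 0) { continue }

    Write-Output ("Suspicious group modified around {0}:" -f $g[0].LastWriteTime)
    $g | ForEach-Object { Write-Output ("  {0,-28} {1,10} bytes" -f $_.Name, $_.Length) }

    foreach ($d in $drivers) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($d.BaseName)"
        $sbKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$($d.Name)"
        Write-Output ("  Services key for {0}: {1}" -f $d.BaseName, (Test-Path -LiteralPath $svcKey))
        Write-Output ("  SafeBoot\Minimal entry {0}: {1}" -f $d.Name, (Test-Path -LiteralPath $sbKey))
    }
}
```

A group with both a Services key and a SafeBoot\Minimal entry for the same driver matches the persistence the original post describes; legitimate drivers installed by an update can also appear this way, so confirm the file names before deleting anything.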
Removing startdrv.exe - trojan backdoor cutwail family virus
The computer will not let me run the Ubuntu Live CD (or any other OS bootable cd); any suggestions?
Enable boot from CD
Where exactly does it prevent you from booting into the Ubuntu CD? Did you enable boot from CD in the BIOS? If not, then when you restart the system, enter the BIOS menu, go to the boot configuration page and enable Boot from CD as the first boot option. Then try booting from the Ubuntu Live CD.