BACKDOOR-CQN Manual removal

Tuesday, January 22nd, 2008

So, I was just surfing the net the other day, minding my own business and then, WHAM!  I started getting a McAfee warning on bootup that I had a BACKDOOR-CQN trojan.  No problem!  I made sure my McAfee was up to date, ran the full disk check and it didn’t find a blessed thing.  Grrrr, I updated my cleanboot definitions, burned a new CD and booted.  Ran the FULL check.. NOTHING!  What the F?  Maybe it was cleaned already?  NOPE!!!  My software is at least smart enough to keep coming up at boot saying that it found (and deleted) the virus SYSTEMS.SYS in the C:\WINDOWS\WINDOWS directory.  The WHAT directory???
Onto the NAI website to find out how to remove this sucker..  “Use the latest engine and def files”… NO KIDDING, REALLY?  No manual removal method listed and I couldn’t find squat on the Internet.  Damn I hate computers.

So, I rolled up my sleeves and dug in.  Doesn’t seem too hard.  There’s something in the STARTUP folder, under the RUN command in the registry and I’ve deleted the directory in Windows.  BAHM!  It’s back again..  AHHHHHH!!!!!!!

After picking up my laptop from the other side of the room, I’m back to figuring this out…  After a quick boot into safe mode and some searching around the system, THERE IT IS!!!!!  Last piece of the puzzle solved and it’s back to safe computing for me.

If YOU happen to get this wonderful little charm and your virus software sucked as much as mine in getting rid of it, here’s how I was able to eradicate this little son of a beehive…

Boot into Safe Mode.
Open REGEDIT
In both HKLM and HKCU, go to the RUN listing and nuke the setting for C:\WINDOWS\WINDOWS\SYSTEMS.EXE
Of course, nuke the C:\WINDOWS\WINDOWS directory.  Should only contain the SYSTEMS.EXE file.
Kill the launch file in C:\DOCUMENTS AND SETTINGS\ALL USERS\STARTUP\SYSTEMS.EXE
Lastly, here was the file I missed the first time:
C:\WINDOWS\PREFETCH\SYSTEMS.EXE-2D5B743C.pf      NuKE IT!!!

Reboot your machine and you should be right as rain.  It’s easy peasy, lemon squeezy.
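
The checklist above as a script: an added example, not part of the original post. It reports each artifact it finds and deletes only when run with -Remove. It assumes the "RUN listing" means the Software\Microsoft\Windows\CurrentVersion\Run key in each hive; the file and directory paths are the ones given in the steps.

```powershell
# Added example: audit (and optionally remove) the artifacts from the steps above.
# Run from an elevated prompt, ideally in Safe Mode as the post describes.
param([switch]$Remove)   # without -Remove the script only reports

$payloadDir = 'C:\WINDOWS\WINDOWS'
$payload    = Join-Path $payloadDir 'SYSTEMS.EXE'

# Run-key values in both hives whose data points at the payload.
# Assumption: "the RUN listing" is the CurrentVersion\Run key.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        if (-not $name) { continue }              # skip the unnamed default value
        $data = [string]$item.GetValue($name)
        if ($data -like "*$payload*") {           # -like is case-insensitive
            Write-Output "RUN VALUE  $key -> $name = $data"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# The startup launcher and the prefetch entry, paths exactly as listed in the post.
$files = 'C:\DOCUMENTS AND SETTINGS\ALL USERS\STARTUP\SYSTEMS.EXE',
         'C:\WINDOWS\PREFETCH\SYSTEMS.EXE-2D5B743C.pf'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        Write-Output "FILE       $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# The post says the directory should hold only SYSTEMS.EXE; refuse to delete
# it if anything else is inside, so the extra files can be examined first.
if (Test-Path -LiteralPath $payloadDir -PathType Container) {
    $extra = @(Get-ChildItem -LiteralPath $payloadDir -Force |
               Where-Object { $_.Name -ne 'SYSTEMS.EXE' })
    Write-Output "DIRECTORY  $payloadDir ($($extra.Count) unexpected entries)"
    if ($Remove -and $extra.Count -eq 0) {
        Remove-Item -LiteralPath $payloadDir -Recurse -Force
    } elseif ($Remove) {
        Write-Warning "Not deleting $payloadDir; unexpected: $($extra.Name -join ', ')"
    }
}
```

Run it once without -Remove to see what is present, then again with -Remove, and a final time after the reboot to confirm nothing came back.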

Good luck!