help me get rid of this trojan!


Project86
12-30-05, 02:47 PM
I need some help please. I've run out of stuff to do... My PC here at work is infected with troj_qoolaid.s as reported by Trend OfficeScan. The infected file is listed as c:\windows\system32\piqprp.exe. The problem is I can't find that file to delete it! I look at all system files/hidden files, still no luck.

As far as I can tell, the trojan is installing spyware and making popups, nothing worse. But it's really annoying!

I've tried a few free online scans, they either don't find it or find it but can't clean it for some reason. The stupid software we use at work is "Trend Micro OfficeScan" which keeps finding it every few minutes, but can't clean it either.

I think part of the problem is that I can't turn off "system restore" since I don't have admin rights. The helpdesk monkey has been in here twice to try and fix it with no luck...

Any other ideas?

Project86
12-30-05, 03:08 PM
UPDATE: Even in safe mode w/networking (which I'm using now) I still get popups. Completely clean on scans with Ad-Aware, Spybot, and several others. So I know it's the trojan causing the problems.

amazon10x
12-30-05, 03:39 PM
It sounds like there might be a rootkit on it that is hiding the file (maybe the Sony rootkit?). Try going into a command prompt and typing 'del c:\windows\system32\piqprp.exe' and that might delete it.

Project86
12-30-05, 04:15 PM
I've just started reading about rootkits, don't know much about them. In any case, I tried your suggestion, and it said "access denied" so the file IS in fact there, I just can't find it using Windows no matter what. What I tried is to rename it, a trick that has worked in the past. That way, maybe it won't be able to launch itself. Then eventually I'll figure out how to delete it.

I'm gonna reset now, to get out of safe mode, so we'll see how that worked.

Project86
12-30-05, 04:40 PM
OK, so I tried that... Windows refuses to boot in normal mode. So I'm back to safe mode.... don't know what to do!

Centurion
12-30-05, 09:11 PM
Download a program called "Move on Boot". After you install it, right click the file and select "delete this file after next boot." This program deletes files before they have a chance to load into Windows, therefore solving your "access denied" problem. If you still need some help, feel free to PM me.