  #1  
04-02-2006
maximus
Bronze Member
Join Date: Apr 2006
Posts: 5
[Fixed] Can't get rid of fanqe.exe file

I have two files that I cannot get rid of. They are fanqe.exe and oqwmec.exe. Someone please check my hijackthis log file. Strange thing is when I reboot into safe mode these files are not in the c:\windows\system32 directory but they are now and of course they are in use. There's also a file called hxjnk.exe that is in the startmenu\run directory of all users and it's in use but when I reboot into safe mode it's not there either.
Attached Files
File Type: log hijackthis.log (5.9 KB, 2 views)


  #2  
04-02-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hiya Maximus, welcome to PCHF.

Let's see what we can do. I don't see the last two files you mentioned in your HJT log. Do they change their name every time, or do they stay the same?


Boot in safe mode (hit F8 when booting up)
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.
Then fix these with hjt:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fanqe.exe
F2 - REG:system.ini: UserInit=userinit.exe,pvuuois.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
Delete the file in bold, and search for and delete this file as well:

pvuuois.exe

And have you just disabled things through Msconfig? If yes, what were those?

When done post a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
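
The two F2 lines in the post above share one pattern: the normal Winlogon program is still listed, with an extra executable appended after a comma. The following is an added example, not part of the thread and not HijackThis's own code, that flags that pattern in log text; the expected values and the clean sample lines are assumptions of the example.

```python
import re

# Programs a clean install is expected to list for these two Winlogon
# settings (assumption of this example). Comparison is by file name only,
# so a look-alike userinit.exe in another folder would not be flagged.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

F2_LINE = re.compile(r"^F2 - REG:system\.ini:\s*(\w+)=(.*)$", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def extra_programs(log_text):
    """Return (setting, program) pairs appended to the normal value."""
    findings = []
    for line in log_text.splitlines():
        match = F2_LINE.match(line.strip())
        if not match:
            continue
        allowed = EXPECTED.get(match.group(1).lower())
        if allowed is None:
            continue
        # The value is a comma-separated list; every item is started at logon.
        for item in match.group(2).split(","):
            item = item.strip().strip('"')
            if item and basename(item) not in allowed:
                findings.append((match.group(1), item))
    return findings


# First two lines are the F2 entries quoted in the post above;
# the last two are constructed here for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fanqe.exe
F2 - REG:system.ini: UserInit=userinit.exe,pvuuois.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [constructed] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for setting, program in extra_programs(SAMPLE_LOG):
        print(f"{setting}: unexpected extra program {program}")
```
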

  #3  
04-02-2006
maximus
Bronze Member
Join Date: Apr 2006
Posts: 5
Still didn't work

I tried doing what you said and it still didn't work. It keeps replicating itself somehow. When I booted to safe mode, I clicked the boxes next to the lines you said and clicked fix checked, and then when I rescan they are there again. So I go to regedit and try to manually delete the entries and when I do, I close regedit, load it back up and it's there again like I didn't even modify it. As far as msconfig is concerned, I've modified it dozens of times and the entries keep coming back. Three lines keep coming back, 2 entries for oqwmec.exe and 1 entry for hxjnk.exe. Like I said, when I reboot to safe mode, these files are not on my computer. Only when I boot normally, but they are in use. Last night I ran Blacklight Beta from F-Secure and it found like 5 files, deleted them and when I scan now it says 0 files found but it still didn't help me. Also, I created a batch file with the taskkill command like this:
@echo off
taskkill /PID 1816 /f /t
taskkill /PID 2180 /f /t
taskkill /PID 4016 /f /t
taskkill /PID 2076 /f /t
but it runs forever because these files keep recreating themselves with new PIDs.
Attached Files
File Type: log hijackthis.log (5.7 KB, 1 views)


  #4  
04-02-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Originally Posted by maximus
As far as msconfig is concerned, I've modified it dozens of times and the entries keep coming back. Three lines keep coming back, 2 entries for oqwmec.exe and 1 entry for hxjnk.exe.
So there are entries disabled now in msconfig? If yes, then enable them again, reboot and make a new HJT log please.

But also after enabling them again, but before running HJT, please do a Panda AV scan here:

http://www.pandasoftware.com/products/activescan

Save and post the resulting log from it, and a new HJT log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #5  
04-02-2006
maximus
Bronze Member
Join Date: Apr 2006
Posts: 5
Think I may know what I got!

Joe, I think I may have Qoolaid. I went to McAfee and did an online scan and it found three files and labeled them as Qoolaid. So after searching this forum for Qoolaid I came to a previous post you helped someone with and it's almost identical to mine. This thing apparently creates random file names like fanqe.exe, pvuuois.exe, and hxjnk.exe. This is the post I'm talking about here: http://www.pchelpforum.com/fixed-hij...-program.html. Do you think this may be it? If so, should I follow this previous post step by step?


  #6  
04-02-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Yup, if McAfee identifies the files as Qoolaid then I'm sure it is correct.


Let's get rid of it.

This process probably has to be repeated 2 or 3 times, but that is normal with this infection.


Please Download RKFiles.zip

Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

Restart to safe mode. (tap f8 key during bootup)

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT
Give it time to run. This may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Next, open the QOOLOGIC Folder and Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, post it when done.

It'll take a while to run a full scan so please be patient.


Restart into regular Windows mode and post the contents of C:\log.txt and the find-qoologic results. And did you have items disabled with msconfig? If yes, then also post a new HJT log with everything enabled.

If not, then the last HJT log is good enough.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #7  
04-02-2006
maximus
Bronze Member
Join Date: Apr 2006
Posts: 5
Mad love - I fixed my problems!!!

Joe, thanks for all of your help. I was able to fix my problem based on information from this forum and Geeks to Go. This is by far the most amazing malware I've ever seen. Its ability to create random file names and hooks into system files to keep itself from being found and deleted. Mad love to all you guys for helping everyone. Thanks again. BTW, please take a look at my current HJT log file to see if you notice anything else odd.
Attached Files
File Type: log hijackthis.log (6.0 KB, 1 views)



Last edited by maximus; 04-02-2006 at 09:59 PM. Reason: forgot to upload file
