I used ComboFix.exe.
I can now see Hidden Files and Folders. Same goes for System files.
BUT,
Ahnrpta.exe is STILL there !!!

Also, a very interesting thing that keeps happening is that Avast continuously keeps blocking pop-ups and a particular script.
By now, I'm absolutely perplexed about HOW I can delete ahnrpta permanently. I tried using "Killbox" .. that doesn't work either.
Here's a list of the running programs.
Code:
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
D:\PROG FILES\AVAST ANTIVIRUS\aswUpdSv.exe
D:\PROG FILES\AVAST ANTIVIRUS\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
SVCHOST.EXE
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
D:\PROG FILES\AVAST ANTIVIRUS\ashMaiSv.exe
D:\PROG FILES\AVAST ANTIVIRUS\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EzButton\EzButton.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\PROGFI~1\AVASTA~1\ashDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\AhnRpta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
Apart from this, sometimes there's a very large number of SVCHOST.exe processes that are running simultaneously. Out of this huge number (on an average - 12), 5 are under "SYSTEM", 4 under "NETWORK SERVICE" and 3 or 4 under "LOCAL SERVICE".
Now, the interesting thing is that whenever I try to close the one which is hogging the maximum amount of memory, nothing happens. Whereas, if you close the ACTUAL process, Windows usually automatically shuts down. Fishy ?
I also tried this > A "tutorial on how to remove the deadliest virus in the world" :rofl: I found this after googling "ahnrpta.exe removal"
Code:
1. Download REG UNLOCKER
2. Execute reg unlocker (select all options) and as quick as you can, open the task manager (CTRL+ALT+DEL) and kill the process EXPLORER.EXE (don’t worry if all programs start closing and you end with the task manager alone, that is the point)
3. Using the task manager kill the process AhnRpta.exe, which is the virus. Of course you’ll have to do this dozens of times through this tutorial, because it keeps starting itself again
4. Run REGUNLOCKER again. With the task manager go to Applications –> New Task and write “explorer” (without quotes). Remember step 4. Now in the explorer window go to Tools –> Folder Options –> View and select “show hidden files and folders”, accept, and go to the task manager and kill “explorer.exe” there.
5. Don’t forget step 4. Now you only have the task manager open; in the Applications tab click New Task and write “msconfig” without quotes (never forget step 4). Go to the start tab and look for olhrwef, deselect it, apply, but don’t restart the system, not yet (step 4). Now in the task manager, go to Applications –> New Task and write “regedit” without quotes. Browse to the following paths:
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSI… F-882A-4526-8C08-51278EA437C1}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSI… F-882A-4526-8C08-51278EA437C1}\InprocSer…
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSI… F-882A-8C08-4526-51278EA437C1}
the last part can vary a little in each computer, but the first dozen of numbers will be the same. Delete the keys (I mean, delete the last folder, for example {BB4C402F-882A-4526-8C08-51278EA437C1}; don’t delete the root folders or you will completely screw up your system).
also browse to
# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\W... entVersion\Explorer\ShellExecuteHooks]
* {BB4C402F-882A-4526-8C08-51278EA437C1} = “hook dll rising”
and delete the key… be careful in this part: you don’t have to delete the complete folder; in the right pane look for the “hook dll rising” part and delete that one only.
Don’t forget step 4.
You can close the registry and go back to the task manager. New task, click browse and go to “c:\windows\”; you will find the file “AhnRpta.exe”, delete it.
Now go to “C:\WINDOWS\system32”, look for the file “olhrwef” and delete it (note: I didn’t find it in my pc but this part was in the original tutorial that I followed).
Also delete the following files in that folder
afmain0.dll
afmain1.dll
afmain2.dll
If you can’t find these files, repeat step 5 and try again.
SURPRISE SURPRISE !! On system reboot, there's your ahnrpta.exe resting under "running processes" like an old faithful dog who follows you back home.
I have forsaken the use of external drives temporarily because, being the lazy bum that I am :rofl:, I get carried away and tend to double click the Hard-disk icon in My Computer instead of typing the letter in the address bar (THRICE !!! :rofl: ).
Any alternate suggestions ?
PS: - I'm going to try ComboFix.exe repeatedly in the meantime. I'll try boot-scanning, I'll try using Stinger, Killbox etc. etc. etc. and I shall triumph !! Victory of good over evil (well not as magnanimous or cool as Ram over Ravan or something, but yes, over that wicked little backdoor that pisses me off :hyeah: )
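
Added example, not part of the original post or of the tutorial it quotes: a read-only PowerShell audit of the places the tutorial touches (the ShellExecuteHooks values and their CLSID InprocServer32 DLLs, the Run keys that msconfig lists, and the named files), so each one can be re-checked after a reboot. The helper name `New-Row` is made up for this sketch; the registry paths are the standard Windows locations written in full (the post shows them truncated), and PowerShell 2.0 or later is assumed.

```powershell
# Added example: read-only audit of the locations named in the post.
# Nothing is deleted or modified; review the output before acting on it.

function New-Row($Source, $Name, $Target, $CheckFile) {
    # Hypothetical helper: one report row, with file existence and signature status.
    $exists = $null; $sig = $null
    if ($CheckFile -and $Target) {
        $exists = Test-Path -LiteralPath $Target -PathType Leaf
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $Target).Status }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Target = $Target; Exists = $exists; Signature = $sig
    }
}

$rows = @()

# 1. ShellExecuteHooks: each value name is the CLSID of a DLL the shell loads.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    foreach ($clsid in (Get-Item $hookKey).GetValueNames()) {
        if (-not $clsid) { continue }    # skip the unnamed default value
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) { $dll = (Get-Item -LiteralPath $inproc).GetValue('') }
        $rows += New-Row 'ShellExecuteHook' $clsid $dll $true
    }
}

# 2. Run keys: registry startup entries that msconfig's startup list shows.
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    $key = Get-Item $runKey
    foreach ($name in $key.GetValueNames()) {
        $rows += New-Row 'Run' $name ($key.GetValue($name)) $false
    }
}

# 3. Files the post names, checked where the post says they live.
$sys32 = Join-Path $env:windir 'system32'
$rows += New-Row 'File' 'AhnRpta.exe' (Join-Path $env:windir 'AhnRpta.exe') $true
foreach ($f in 'olhrwef', 'afmain0.dll', 'afmain1.dll', 'afmain2.dll') {
    $rows += New-Row 'File' $f (Join-Path $sys32 $f) $true
}

$rows | Select-Object Source, Name, Target, Exists, Signature | Format-Table -AutoSize
```

A hook row whose DLL exists but is not validly signed, or a file row that flips back to `Exists = True` after a reboot, shows which location was rewritten while the process was still running.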