Thread: How to Remove AhnRpta.exe Virus

  1. #1
    Join Date
    Feb 2009
    Posts
    13

    How to Remove AhnRpta.exe Virus

    Hello, my computer was running a bit slow, so I went to take a look in Task Manager. I found this unusual AhnRpta.exe file running in the Windows Task Manager. It was taking up lots of CPU time, so I think it is a virus.
    It is not being detected by my antivirus. Please help: what should I do to remove this virus? Please tell me how to delete the AhnRpta.exe virus. Thanks in advance.

  2. #2
    Join Date
    Feb 2008
    Posts
    2,635

    Re: How to Remove AhnRpta.exe Virus

    AhnRpta.exe is a Trojan/Backdoor. You can kill the process AhnRpta.exe in the Task Manager and remove AhnRpta.exe from Windows startup. Hope this will solve your problem.

  3. #3
    Join Date
    Jan 2006
    Posts
    3,792

    Re: How to Remove AhnRpta.exe Virus

    You can use Spybot - Search & Destroy. It detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behaviour to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven't intentionally installed, if your browser crashes inexplicably, or if your home page has been "hijacked" (or changed without your knowledge), your computer is most probably infected with spyware. Even if you don't see the symptoms, your computer may be infected, because more and more spyware is emerging. Spybot-S&D is free, so there's no harm giving it a try to see if something has invaded your computer.

  4. #4
    Join Date
    Oct 2008
    Posts
    86

    Re: How to Remove AhnRpta.exe Virus

    Hello, I got the method to remove the virus. You can remove it using ComboFix, but ComboFix is a powerful tool that should not be used lightly. This procedure has been created specifically for this user. If you are not this user, do not run the risk of seriously damaging your installation of Windows!


    • Disable your antivirus (Avast and BitDefender?) and TeaTimer from Spybot Search & Destroy, as they hinder ComboFix while it is working.
    • If you cannot disable TeaTimer, uninstall Spybot. When you reinstall, your PC will be clean.
    • Remove all your removable drives (USB keys, external hard drives, etc.).
    • Open Notepad (Start / Programs / Accessories / Notepad).
    • Select all the text in the box below and copy-paste it into Notepad.


    File::
    C:\ur0.com
    C:\opgde.exe
    c:\windows\AhnRpta.exe
    L:\cv22.cmd
    K:\l3v.exe
    K:\2aaxaiy.exe

    Registry::

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\(1500d200-11dd-ab64-8772-0040f4d56557)]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\(2b0458d4-f30d-11dd-87bf-001b2fc085ab)]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\(fcbae572-db5d-11dd-87aa-001b2fc085ab)]

    Save this file as CFScript.txt on your desktop.

    • Drag and drop the icon of the CFScript file onto the ComboFix icon.
    • When the window asks about the conditions of use, click OK to start the script.
    • Be patient during the scan. The screen will disappear several times: this is normal!
    • Do not touch anything until the scan is finished.
    • Once the scan is completed, a report will appear; check it, the virus would have been removed.

  5. #5
    Join Date
    Nov 2009
    Posts
    1

    Re: How to Remove AhnRpta.exe Virus

    Hi,
    This is bablu, and I have a serious problem with this one: it is eating up my process time, and I also always see something named HERSS in my startup tab when using the MSCONFIG tool. However many times I disable it, it is just in vain. I followed all your ComboFix techniques and am still unsuccessful. I wish for someone more tech-savvy. Below is an attachment of the log file created by ComboFix; maybe someone can read something from it and help me resolve this issue!



    ComboFix 09-11-08.03 - Administrator 11/09/2009 10:54.3.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.103 [GMT 5.5:30]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\AhnRpta.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AIC32P


    ((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
    .

    2009-11-02 22:06 . 2009-11-02 22:06 12464 -c--a-w- c:\windows\system32\avgrsstx.dll
    2009-11-02 22:06 . 2009-11-02 22:06 360584 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-02 22:05 . 2009-11-02 22:05 333192 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-02 22:05 . 2009-11-02 22:05 28424 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-02 22:05 . 2009-11-09 05:16 -------- dc----w- c:\windows\system32\drivers\Avg
    2009-10-30 08:20 . 2009-11-08 18:23 -------- dc----w- c:\documents and settings\Administrator\Application Data\vlc
    2009-10-30 07:55 . 2009-10-30 08:26 -------- dc----w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2009-10-30 07:50 . 2009-10-30 07:51 -------- dc----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-10-30 07:47 . 2009-11-05 23:12 -------- dc----w- c:\program files\QuickTime
    2009-10-30 07:46 . 2009-11-05 23:12 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-10-30 07:46 . 2009-10-30 07:46 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
    2009-10-30 07:45 . 2009-11-05 23:10 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-10-30 07:43 . 2009-10-30 07:57 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2009-10-29 22:15 . 2009-10-29 22:15 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG9
    2009-10-29 22:07 . 2009-10-29 22:10 -------- dc----w- C:\$AVG
    2009-10-29 22:06 . 2009-11-09 05:15 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
    2009-10-29 22:05 . 2009-10-29 22:09 -------- dc----w- c:\windows\SxsCaPendDel
    2009-10-23 21:48 . 2009-11-09 04:55 0 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
    2009-10-23 21:36 . 2009-10-23 21:36 198064 -c--a-w- c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
    2009-10-23 21:36 . 2009-11-03 22:09 -------- dc----w- c:\documents and settings\Administrator\Application Data\IDM
    2009-10-23 21:36 . 2009-11-09 02:26 -------- dc----w- c:\documents and settings\Administrator\Application Data\DMCache
    2009-10-23 21:35 . 2009-10-23 21:38 -------- dc----w- c:\program files\Internet Download Manager
    2009-10-18 09:00 . 2009-10-18 09:00 -------- dc----w- c:\windows\Profiles
    2009-10-18 09:00 . 2009-10-19 14:26 -------- dc----w- c:\program files\Common Files\Adobe
    2009-10-18 09:00 . 2009-10-18 09:00 -------- dc----w- c:\windows\system32\Adobe
    2009-10-18 09:00 . 2009-10-18 09:00 -------- dc----w- c:\documents and settings\Administrator\Application Data\InterTrust
    2009-10-18 09:00 . 1998-10-29 09:15 306688 -c--a-w- c:\windows\IsUninst.exe
    2009-10-15 06:09 . 2009-09-09 10:43 210352 -c--a-w- c:\windows\system32\idmmbc.dll
    2009-10-10 13:33 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\hidserv.dll
    2009-10-10 13:33 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2009-10-10 13:33 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\drivers\USBAUDIO.sys
    2009-10-10 13:33 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
    2009-10-10 13:33 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\drivers\usbccgp.sys
    2009-10-10 13:33 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-09 02:13 . 2009-09-19 13:45 -------- dc----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-11-03 23:40 . 2009-09-22 00:40 -------- dc----w- c:\documents and settings\Administrator\Application Data\dvdcss
    2009-10-29 22:06 . 2009-10-05 11:32 -------- dc----w- c:\program files\AVG
    2009-10-08 07:10 . 2008-04-14 00:42 69120 -c--a-w- c:\windows\system32\notepad.exe.tmp
    2009-10-06 20:26 . 2009-10-06 20:26 -------- dc----w- c:\program files\uTorrent
    2009-10-06 15:09 . 2009-10-06 15:08 -------- dc----w- c:\program files\Yahoo!
    2009-10-06 06:57 . 2009-10-06 06:57 -------- dc----w- c:\program files\VideoLAN
    2009-10-05 22:47 . 2005-06-21 11:18 155648 ----a-w- c:\windows\system32\igfxtray.exe
    2009-10-05 22:32 . 2009-09-20 11:13 290816 -c--a-w- c:\windows\AUD_ALLOS_5.10.0.6020_PV_RealtekAC97.exe
    2009-09-23 20:45 . 2009-09-23 20:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-09-21 01:58 . 2009-09-21 01:58 -------- dc----w- c:\program files\Realtek AC97
    2009-09-20 21:30 . 2009-09-20 21:30 -------- dc----w- c:\program files\Google
    2009-09-20 08:41 . 2009-09-20 08:41 -------- dc----w- c:\program files\Free-Soft
    2009-09-20 02:18 . 2009-09-19 13:02 17856 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-19 17:49 . 2009-09-19 17:49 -------- dc----w- c:\program files\Realtek
    2009-09-19 17:49 . 2009-09-19 12:47 -------- dc-h--w- c:\program files\InstallShield Installation Information
    2009-09-19 17:48 . 2009-09-19 12:47 -------- dc----w- c:\program files\Common Files\InstallShield
    2009-09-19 17:30 . 2009-09-19 17:30 -------- dc----w- c:\program files\Microsoft ActiveSync
    2009-09-19 13:46 . 2009-09-19 13:46 0 -c--a-w- c:\windows\nsreg.dat
    2009-09-19 13:12 . 2009-09-19 12:34 86327 -c--a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-09-19 12:50 . 2009-09-19 12:50 -------- dc----w- c:\program files\Intel
    2009-09-19 12:48 . 2009-09-19 12:48 -------- dc----w- c:\program files\Realtek Sound Manager
    2009-09-19 12:48 . 2009-09-19 12:48 -------- dc----w- c:\program files\AvRack
    2009-09-19 12:37 . 2009-09-19 12:37 -------- dc----w- c:\program files\microsoft frontpage
    2009-09-19 12:31 . 2009-09-19 12:31 21640 -c--a-w- c:\windows\system32\emptyregdb.dat
    2009-08-18 12:08 . 2009-10-06 15:09 607472 -c--a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2003-03-21 08:07 . 2003-03-21 08:07 16056 -c--a-w- c:\program files\owcstp16.dll
    .

    ------- Sigcheck -------

    [-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-02 2010904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{BD344AF4-67AB-4E19-A630-7435587D320B}"= "c:\windows\system32\ahndoor0.dll" [2008-04-14 62482]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-02 22:06 12464 -c--a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "ose"=3 (0x3)
    "wuauserv"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "avg9wd"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "f:\\softwares\\win2k_xp14103.exe"=
    "c:\\WINDOWS\\system32\\igfxtray.exe"=
    "c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\WINDOWS\\system32\\taskmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\MSTORDB.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/3/2009 3:35 AM 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/3/2009 3:36 AM 360584]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/9/2009 8:34 AM 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/3/2009 3:35 AM 285392]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mbr
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {B915058B-E311-4665-926A-3D6870FF2ED0} = 61.1.96.69,61.1.96.71
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5ogg5f5i.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
    FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-09 11:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-448539723-706699826-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,51,b6,43,7f,0e,5b,40,94,c7,c9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,51,b6,43,7f,0e,5b,40,94,c7,c9,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,51,b6,43,7f,0e,5b,40,94,c7,c9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1044)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-09 11:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-09 05:38
    ComboFix2.txt 2009-11-09 02:19
    ComboFix3.txt 2009-11-09 01:58

    Pre-Run: 4,010,332,160 bytes free
    Post-Run: 3,991,830,528 bytes free

    - - End Of File - - F67D7A9F1B6B94C771337D44B4CA252E
    Looking forward to support. You can even update me through email:
    lee_1431@yahoo.com
    Last edited by babluvsn; 09-11-2009 at 11:24 AM.
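
Added example, not part of any post in this thread: a small Python triage helper for the "Reg Loading Points" section of a ComboFix log like the one in post #5, listing autostart entries that still need manual review. The function names, the `verified` allowlist and the reading of `[X]` as an unresolved target are assumptions of this example.

```python
import re

# Lines copied (blank lines removed) from "Reg Loading Points" in post #5's log.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-02 2010904]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BD344AF4-67AB-4E19-A630-7435587D320B}"= "c:\windows\system32\ahndoor0.dll" [2008-04-14 62482]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
'''

KEY_RE = re.compile(r'^\[([^\]]+)\]$')
# Matches: "name"="target" [date size]   or   "name"="target" [X]
ENTRY_RE = re.compile(r'^"([^"]+)"=\s*"([^"]*)"\s*\[([^\]]*)\]$')
# Key suffixes treated as autostart locations (only those seen in this log).
AUTOSTART = (r'\currentversion\run', r'\currentversion\runonce',
             r'\explorer\shellexecutehooks')


def parse_load_points(text):
    """Return one dict per "name"="target" [meta] line, tagged with its key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, target, meta = m.groups()
            entries.append({"key": key, "name": name,
                            "target": target, "meta": meta})
    return entries


def triage(entries, verified=()):
    """List autostart entries the analyst has not verified, with reasons."""
    verified = {v.lower() for v in verified}
    findings = []
    for e in entries:
        key = e["key"].lower()
        if not key.endswith(AUTOSTART) or e["name"].lower() in verified:
            continue
        reasons = ["unverified autostart entry"]
        if e["meta"].strip() == "X":
            # Assumption: [X] means ComboFix did not resolve the target to a file.
            reasons.append("target marked [X]")
        if key.endswith(r'\explorer\shellexecutehooks'):
            reasons.append("DLL registered as a shell execute hook")
        findings.append((e["name"], e["target"], reasons))
    return findings
```

Calling `triage(parse_load_points(SAMPLE), ["AVG9_TRAY"])` leaves the `nltide_2` RunOnce value and the ShellExecuteHooks DLL as the two entries to look at by hand; the output is a review list, not a verdict on either file.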
