how to remove AhnRpta.exe ?

3 Answers

Relevance
  • 1 decade ago
    Favorite Answer

    This is a new virus, so the antivirus don't remove it yet, if you wait a few days and update your antivirus it will be take care of. I you can't wait and want to remove it manually, I'll give you the step by step -I found it in a forum in spanish and translated it - and of course, I tried it myself and got rid of the virus.

    WARNING: this tutorial is not for the faint of heart. It will be better if you have ever edited your windows registry manually. Touching the registry is risky, if you screw up you will have to format and reinstall windows. So I take no responsabilities here. If you are not sure about this, ask a friend that is comfortable editing the registry to do it for you.

    Here it goes:

    1) Download REG UNLOCKER http://rapidshare.com/files/159109150/RegUnlocker....

    2) Execute reg unlocker (select all options) and as quick as you can, open the task manager (CTR+ ALT +DEL) and kill the process EXPLORER.EXE

    3) don't worry if all programs start closing and you end with the task manager alone, that is the point

    4) Using the task manager kill the process AhnRpta.exe which is the virus of course you'll have to do this dozens of times thru this tutorial, because it keeps starting itself again

    5) run REGUNLOCKER again. With the task manager go to Applications--> New Task and write "explorer" (without quotes) Remember step 4. Now in the explorer window go to Tools -- Folder Options -- View and select "show hidden files and folders" accept and go to the task manager and kill "explorer.exe" there.

    6) Dont forget step 4. Now, you only have open the task manager in the tab applications click New Task and write

    "msconfig" without quotes, (never forget step 4) go to the start tab and look for olhrwef, deselect it, apply, but don't restart the system, no yet.(step 4), now in the task manager, go to applications - New Task and write "regedit" without quotes. Browse the following path

    * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB4C402 F-882A-4526-8C08-51278EA437C1}

    * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB4C402 F-882A-4526-8C08-51278EA437C1}\InprocServer32

    * HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB4C402 F-882A-8C08-4526-51278EA437C1}

    the last part can vary a little in each computer, but the firts dozen of numbers will be the same. Delete the keys (I mean, delete the last folder for example {BB4C402F-882A-4526-8C08-51278EA437C1} don't delete the root folders or you will completly screw up your system.

    also browse to

    # [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]

    * {BB4C402F-882A-4526-8C08-51278EA437C1} = "hook dll rising"

    and delete the key... be careful in this part you don't have to delete the complete folder, in the right pane look for the "hook dll rising" part and delete that one only.

    Don't forget step 4.

    You can closes the registry and go back to the task manager. New task, click browse and go to

    "c:\windows\" you will find the file "AhnRpta.exe" delete it.

    Now go to "C:\WINDOWS\system32" look for the file "olhrwef" and delete it (note: I didn't found it in my pc but this part was in the original tutorial that I followed).

    Also delete the following files in that folder

    afmain0.dll

    afmain1.dll

    afmain2.dll

    If you can't find these files, repeat step 5 and try again, that did it for me.

    Now you can restart your computer and use ccleaner to delete any trace of the damn virus that may be left in the registry (if you skip this step won't do any harm tho).

    Source(s): forum posting, personal experience.
  • 1 decade ago

    I have the same problem. Cannot seem to get rid of it. I tried antivirus (also online scanner), spybot, hijackthis and more and so far the problem is still there.

    I know that 2 files are infected (autorun.inf and iq.bat). I am pretty sure that the autorun point at the second but removing all of these 3 files does not help since they reappear right away.

    Any idea?

  • 1 decade ago

    same here :(, also autorun.inf loads automaticly iq.bat

    plus there is a file c:\windows\system32\driver\klif.sys

    if anyone finds out the solution email me:

    enter_in_the_Darkness@yahoo.com

Still have questions? Get your answers by asking now.