Computer Security & Viruses/AHKNTFS.EXE on my computer
Expert: Carolyn Meinel - 11/30/2004
Question
I've been plagued by pop-ups despite my best efforts to clean up. A couple of facts:
Ad-aware - doesn't find anything
Spybot - doesn't find anything
I have this annoying process that appears in the task manager every time I open my browser - regardless of the URL the home page is set to.
AHKNTFS.EXE
I've searched my registry, my hard drive, microsoft, trend micro, castlecops, google...no hits on AHKNTFS.EXE.
So...I'm wondering if anyone else has this process running, or if anyone knows what it does. I'm paranoid that it is some piece of spyware running undetected.
I'm running Windows 2000 Professional and I would love to get my computer back.
Thanks for any help.
-MP
Answer
I've come across two other cases of ahkntfs.exe, but nobody has yet figured out what this rare case of malware might be doing. However, the fact that it only activates when you run your browser supports your suspicion that it is some sort of spyware or adware.
A quick fix is to use a browser that is less susceptible to infection. Firefox, free from Mozilla.org, is an excellent alternative.
A program that might be able to help you eradicate this infection from Internet Explorer is BHODemon. It is free from http://www.definitivesolutions.com/bhodemon.htm. It enables you to control the "browser helper objects" of Internet Explorer (IE). Perhaps it will find one of these that launches ahkntfs.exe.
If none of this works, then it is time to take drastic measures. What worries me is that ahkntfs.exe may have turned your computer into a "zombie" and be connecting to some sort of criminal computer network. It could be used to do anything from sending spam to running a fraudulent website to storing credit card information and stealing money from online banks.
To get more of an idea of the kinds of things your computer might be doing, see:
http://www.usatoday.com/money/industries/technology/2004-09-08-zombieuser_x.htm
So how do you find out what is going on, and how do you get rid of that program? If you want to help out law enforcement, you could install a firewall program that could give you a lot of details about what programs are connecting to the Internet, and to what other computers yours is connecting. Zone Alarm from Zonelabs.com has a free version and will keep a log of the attacks. If you don't want to deal directly with the FBI, a responsible intermediary is the people at http://www.incidents.org. An advantage of reporting anything you see is that this will make it absolutely certain that you don't later get into trouble for anything done with your computer.
If your firewall showed a lot of attempts of Internet connections with your computer, and you have any reason to believe it was taken over by organized crime, you will be far safer if you back up your files, reformat your hard drive and reinstall everything. (Make sure you have given any evidence to law enforcement first!) Don't go online until after you have installed your firewall. Then, don't reload your backups or reinstall any programs from your backups until you get your antivirus installed and updated.
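
The browser helper object check suggested in the answer can also be done by hand. The following is an added example, not part of the original answer and not BHODemon's code: a read-only PowerShell inventory of the registered BHOs and the DLL each one loads. It assumes a Windows version that ships PowerShell (the Windows 2000 machine in the question does not); the function name `Get-BrowserHelperObject` and the `$needle` variable are names chosen for this example.

```powershell
# Added example: read-only inventory of Internet Explorer Browser Helper Objects.
# $needle is the process name from the question; change it for other cases.
$needle = 'ahkntfs'
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObject {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # 32-bit BHOs on 64-bit Windows resolve their CLSID under WOW6432Node
        $classes = 'HKLM:\SOFTWARE\Classes\CLSID'
        if ($root -like '*WOW6432Node*') { $classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid  = $key.PSChildName
            # The default value of InprocServer32 is the DLL that IE loads for this BHO
            $server = Get-Item -LiteralPath "$classes\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = ''
            if ($server) { $dll = ([string]$server.GetValue('')).Trim('"') }
            $exists = $dll -and (Test-Path -LiteralPath $dll -PathType Leaf -ErrorAction SilentlyContinue)

            $company = ''; $signature = 'n/a'; $mentions = $false
            if ($exists) {
                $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
                $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                # Heuristic string search: ASCII and UTF-16LE (even offsets only)
                $bytes    = [IO.File]::ReadAllBytes($dll)
                $mentions = ([Text.Encoding]::ASCII.GetString($bytes) -match $needle) -or
                            ([Text.Encoding]::Unicode.GetString($bytes) -match $needle)
            }

            [pscustomobject]@{
                CLSID          = $clsid
                Dll            = $dll
                FileExists     = [bool]$exists
                Company        = $company
                Signature      = $signature
                MentionsNeedle = $mentions
            }
        }
    }
}

Get-BrowserHelperObject | Format-List
```

Entries with no company name, a signature status other than `Valid`, a missing DLL, or `MentionsNeedle` set to `True` are the ones to look at first.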