Ahkntfs.exe (spyware)

What is Ahkntfs.exe? It is most likely spyware. How do you remove it? That is the topic of this tutorial.

This is what I know of Ahkntfs.exe so far:


I am running a Windows 2000 machine. I use Mozilla Firefox as my web browser. I am not sure whether it exploited a bug in Firefox or if it got on my system some other way.

On my Win2K machine, the file path is "C:\WINNT\System32\?hkntfs.exe". The command line is "C:\WINNT\system32\Ahkntfs.exe".

(Note: please do not confuse this with the file "C:\WINNT\System32\chkntfs.exe", as that is the "NTFS Volume Maintenance Utility" from Microsoft. In other words, chkntfs.exe is part of Windows and should not be deleted.)

FaberToys AutoRun lists the name as "Qydihius". Google came up with nothing for this; the name is generated at random. I then opened FaberToys Windows Explorer and found that ahkntfs.exe has a window attached to it titled "Untitled - NDrv". I Googled NDrv and it came back as spyware. I imagine that Ahkntfs is just their newest version.

TCPView tells me that Ahkntfs uses UDP port 2546 on the local machine and listens for incoming connections from any port on the remote machine.

I was not able to locate this file in Explorer, and when I tried to open the file in a hex editor, it could not find it either.

I found the following entry in the Windows Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Qydihius"="C:\\WINNT\\system32\\?hkntfs.exe"

Apparently the "Qydihius" part is generated at random and may be different on your machine.


Here are the removal instructions.

They are for Windows 2000 / XP, but should be very similar on other versions of Windows. Feel free to add your comments to this page to add to or correct anything.

To remove Ahkntfs.exe, open the Task Manager (right-click the Taskbar and click on "Task Manager..."), click on Ahkntfs.exe, and click the End Process button. Click the Yes button to confirm. The ?hkntfs.exe file will not show up in Windows Explorer, so we must delete it from the command prompt. Click "Start", then click "Run...", type cmd, and then click the OK button. This will open the command prompt. Then type

del C:\WINNT\System32\?hkntfs.exe

This will delete the file, but you will not have any confirmation of this. If you see an error similar to

Could Not Find C:\WINNT\System32\?hkntfs.exe

then check to see if you typed in the command exactly as I have above. You can then use Autoruns to remove the registry key listed above.


Notes:

If for some reason you could not delete the file using the process above, you may try to delete it with KillBox.

The ? in the delete command IS a wildcard, as Matt B. points out in the comments below. This will indeed delete both Ahkntfs.exe AND chkntfs.exe. You should make a backup of chkntfs.exe just to be safe, but on my Windows 2000 system the chkntfs.exe file is replaced as soon as it is deleted, as it is protected by Windows (c:\winnt\system32\dllcache\chkntfs.exe). I have no idea if Windows XP does this, but I assume it does. Sorry if this caused anyone any problems.

You may also wish to manually check the Windows Registry to ensure that it didn't leave anything else. Click "Start", "Run...", and enter regedit in the textbox, then click the OK button. Click on "My Computer". Then click the "Edit" menu and click "Find...". Enter ?hkntfs.exe in the "Find what:" textbox. Make sure all three checkboxes have a check in them. Click the Find Next button. If it finds anything, right-click on it and click "Delete".
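The two checks above can be worked through offline before touching a machine. The following Python script is an added example, not part of this tutorial: it shows exactly which file names a cmd.exe-style pattern such as ?hkntfs.exe matches in a directory listing (so the protected chkntfs.exe is kept out of the delete), it prints the code point of the character that cmd.exe could only show as "?", and it picks the Run-key entry out of an exported .reg file. The directory listing, the .reg text and the character Ā (U+0100), used here as a stand-in for the real unprintable character, are all constructed for the example; the actual character on an infected machine is not known from the page.

```python
import fnmatch
import re
import unicodedata

# Constructed directory listing of C:\WINNT\System32 (not a real capture).
# "\u0100" (Ā) stands in for the character that cmd.exe printed as "?".
SYSTEM32_LISTING = ["chkntfs.exe", "\u0100hkntfs.exe", "cmd.exe", "notepad.exe"]

# Files the tutorial says are legitimate Windows components and must be kept.
KNOWN_WINDOWS_FILES = {"chkntfs.exe"}

# Constructed .reg export of the Run key, modelled on the entry in the tutorial
# (the "Qydihius" value name is random on each machine; the path uses the
# doubled backslashes that .reg files require).
REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"Qydihius\"=\"C:\\\\WINNT\\\\system32\\\\\u0100hkntfs.exe\"\n"
    "\"SomeUpdater\"=\"C:\\\\Program Files\\\\Vendor\\\\updater.exe\"\n"
)

RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def expand_wildcard(pattern, listing):
    """Return every name the pattern matches. fnmatch gives ? and * the same
    meaning cmd.exe does (one character / any run of characters)."""
    return [name for name in listing if fnmatch.fnmatchcase(name, pattern)]


def describe_name(name):
    """List every character of a file name outside printable ASCII, with its
    code point and Unicode name, so a hidden character becomes visible."""
    odd = []
    for i, ch in enumerate(name):
        if not 0x20 <= ord(ch) < 0x7F:
            odd.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return odd


def triage_matches(pattern, listing, known_good=KNOWN_WINDOWS_FILES):
    """Split the wildcard matches into files to keep (known Windows files) and
    candidates for removal, annotated with their non-ASCII characters."""
    keep, remove = [], []
    for name in expand_wildcard(pattern, listing):
        if name.lower() in known_good:
            keep.append(name)
        else:
            remove.append((name, describe_name(name)))
    return keep, remove


def find_run_entries(reg_text):
    """Parse (value name, command) pairs out of the Run key of a .reg export,
    undoing the backslash doubling the .reg format uses."""
    entries = []
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.rstrip("]").lower()
            in_run_key = key.endswith("\\currentversion\\run")
            continue
        m = RUN_VALUE_RE.match(line) if in_run_key else None
        if m:
            entries.append((m.group("name"), m.group("data").replace("\\\\", "\\")))
    return entries


def suspicious_run_entries(reg_text, pattern):
    """Return Run entries whose executable name matches the wildcard pattern
    or contains a character outside printable ASCII."""
    hits = []
    for name, command in find_run_entries(reg_text):
        exe = command.rsplit("\\", 1)[-1]
        if fnmatch.fnmatchcase(exe, pattern) or describe_name(exe):
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    keep, remove = triage_matches("?hkntfs.exe", SYSTEM32_LISTING)
    print("wildcard also matches (keep):", keep)
    for name, odd in remove:
        print("candidate for removal:", name.encode("unicode_escape").decode(), odd)
    for name, command in suspicious_run_entries(REG_EXPORT, "?hkntfs.exe"):
        print("Run entry to remove:", name, "->", command.encode("unicode_escape").decode())
```

Run against a real export (regedit's File > Export on the Run key, saved as Unicode text) the same functions show the exact character in the path, which is the piece of information cmd.exe and Explorer hide; printing the name with unicode_escape avoids relying on the console font at all.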


Comments:

Posted by Anonymous
Windows 2000 -> in Explorer chkntfs.exe (Chkntfs.exe was the original Win file). Command line the same (?hkntfs.exe). The second file hszfan.dll was installed at the same time. This version uses UDP port 1256 on the local machine and listens for incoming connections from any port on the remote machines.