Steps to remove the virus Khatarnak.exe
This virus uses a file name that is a name of a legitimate windows process so its necessary to locate this file(s) using Process Explorer. Also note the path and file name of all files detected as WORM_AUTORUN.ACO. If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.
- Download Process Explorer.
- Extract the contents of the compressed (ZIP) file to a location of your choice.
- Execute Process Explorer by double-clicking PROCEXP.EXE.
- In the Process Explorer window, locate the malware file(s) detected earlier.
- Right-click on the detected files, then click Kill Process Tree.
- Do the same for all detected malware files in the list of running processes.
- Close Process Explorer.
If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.
Removing/Restoring Autostart Entries from the Registry
This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs.
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run - In the right panel, locate the entry:
Shell = “Explorer.exe KHATARNAK.exe” - Right-click on the value name and choose Modify. Change the value data of this entry to:
explorer.exe - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run - In the right panel, locate and delete the entry:
KHATARNAK Loader = “%System%\KHATARNAK.exe”
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Removing Other Added Entries from the Registry
- Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Policies>System - In the right panel, locate and delete the following:
DisableTaskMgr = “1″ - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Policies>Explorer - In the right panel, locate and delete the following:
NofolderOptions = “1″ - Close Registry Editor.
February 21st, 2009 at 1:18 pm
awesome job satish keep up the good work… u seem 2 be better than many antivirus solutions…:) thanks man
February 21st, 2009 at 1:21 pm
You are welcome.I once had the same virus in my system. I had to follow those same steps.
August 31st, 2009 at 9:01 am
Thanks satish
November 24th, 2009 at 9:46 pm
http://www.satishmania.com is very informative. The article is very professionally written. I enjoy reading http://www.satishmania.com every day.
payday loans bc
payday loans
April 11th, 2010 at 3:25 am
Would you tell me where did you download your site template ?
April 11th, 2010 at 9:50 am
If you own a Wordpress site you get the option to use their Wordpress templates and modify it. Thats what I did.
April 18th, 2010 at 12:38 am
I’m sure that i will come back to your blog. Well written articles !
April 27th, 2010 at 9:21 am
Bookmarked your blog. Thank you for sharing. Definitely worth the time away from my classwork.
April 27th, 2010 at 7:49 pm
Very interesting website, but you must improve your template graphics.
May 13th, 2010 at 3:00 pm
Considerable grit as usual…
May 18th, 2010 at 8:38 pm
I searched many websites and here i found what i was looking for, thanks for valuable post
May 29th, 2010 at 12:43 am
gooday there, i just found your website listed on yahoo, and i must comment that you compose awesomely good via your website. i am actually struck by the method that you express yourself, and the message is superb. anyways, i would also love to know whether you would love to exchange links with my web portal? i will be more than willing to reciprocate and put your link on in the blogroll. anticipating for your answer, thanks and have a great day!
June 3rd, 2010 at 2:51 pm
I really enjoyed this post. I can tell you put in a great deal of effort and time into this post. I will be back to read more as you post more!
June 11th, 2010 at 7:44 pm
I was looking for crucial information on this subject. The information was important as I am about to launch my own hair removal service blog. Thanks for providing a missing link in my business.
June 21st, 2010 at 4:16 am
Heya¡my very first comment on your site. ,I have been reading your blog for a while and thought I would completely pop in and drop a friendly note. . It is great stuff indeed. I also wanted to ask..is there a way to subscribe to your site via email?
July 2nd, 2010 at 11:25 pm
I’ve been checking your blog for a while now, seems like everyday I learn something new
Thanks
July 12th, 2010 at 7:19 pm
Yes subscribe by using the link at the bottom
July 23rd, 2010 at 8:43 am
This web site has surely changed my point of view on this subject. Theres no way I wouldve considered about it this way if I hadnt appear across your weblog. All I was performing was cruising the web and I discovered your web site and all of the sudden my views have altered. Very good on you, man!
August 16th, 2010 at 8:13 pm
or we can remove that like this :
Just type msconfig in RUN and u will get the msconfig popup box and there u can see startup as last tab and in that u can see khatarnak.exe as checked or marked. just unmark it and restart the system. u have to do this after cleaning up ur system with any antivirus.