Steps to remove the virus Khatarnak.exe

This virus uses a file name that matches the name of a legitimate Windows process, so it is necessary to locate the file(s) using Process Explorer. Also note the path and file name of all files detected as WORM_AUTORUN.ACO. If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking PROCEXP.EXE.
  4. In the Process Explorer window, locate the malware file(s) detected earlier.
  5. Right-click on the detected files, then click Kill Process Tree.
  6. Do the same for all detected malware files in the list of running processes.
  7. Close Process Explorer.

If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing/Restoring Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate the entry:
    Shell = "Explorer.exe KHATARNAK.exe"
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    explorer.exe
  5. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  6. In the right panel, locate and delete the entry:
    KHATARNAK Loader = "%System%\KHATARNAK.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Removing Other Added Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>System
  2. In the right panel, locate and delete the following:
    DisableTaskMgr = "1"
  3. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
  4. In the right panel, locate and delete the following:
    NofolderOptions = "1"
  5. Close Registry Editor.
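
The registry checks from the two sections above can be run as a read-only PowerShell audit before and after the manual cleanup. This is an added example, not part of the original post: it modifies nothing, the flagging rule (data containing "khatarnak", or a policy value set to 1) is an assumption, and the Winlogon key is an extra location that the page does not list.

```powershell
# Added example: read-only audit of the registry values this page says to fix.
# Nothing is changed; each row reports whether the value exists and what it holds.

$checks = @(
    # Key path, value name, and the action the page prescribes for it
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'Shell';            Action = 'set data to explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'KHATARNAK Loader'; Action = 'delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';   Action = 'delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NofolderOptions';  Action = 'delete' },
    # Not on the page: the standard location of the logon Shell value, checked too.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';            Action = 'set data to explorer.exe' }
)

$policyNames = 'DisableTaskMgr', 'NofolderOptions'

$results = foreach ($c in $checks) {
    $data = $null
    if (Test-Path -Path $c.Path) {
        # A missing value raises a non-terminating error; suppress it and keep $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $data = $item.($c.Name) }
    }

    # Assumed rule: flag data naming the malware file, or a restriction policy set to 1
    $suspicious = $false
    if ($null -ne $data) {
        $suspicious = ("$data" -match 'khatarnak') -or
                      (($policyNames -contains $c.Name) -and ("$data" -eq '1'))
    }

    [pscustomobject]@{
        Key        = $c.Path
        Value      = $c.Name
        Data       = $data
        Suspicious = $suspicious
        PageAction = $c.Action
    }
}

$results | Format-Table -AutoSize -Wrap
```

Rows with an empty Data column mean the value is absent; after the cleanup no row should show Suspicious as True.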

19 thoughts on “Steps to remove the virus Khatarnak.exe”

  1. awesome job satish keep up the good work… u seem 2 be better than many antivirus solutions…:) thanks man

  2. You are welcome. I once had the same virus in my system. I had to follow those same steps.

  3. If you own a WordPress site you get the option to use their WordPress templates and modify them. That's what I did.

  4. I’m sure that I will come back to your blog. Well written articles!

  5. Bookmarked your blog. Thank you for sharing. Definitely worth the time away from my classwork.

  6. I searched many websites and here I found what I was looking for, thanks for valuable post

  7. gooday there, i just found your website listed on yahoo, and i must comment that you compose awesomely good via your website. i am actually struck by the method that you express yourself, and the message is superb. anyways, i would also love to know whether you would love to exchange links with my web portal? i will be more than willing to reciprocate and put your link on in the blogroll. anticipating for your answer, thanks and have a great day!

  8. I really enjoyed this post. I can tell you put in a great deal of effort and time into this post. I will be back to read more as you post more!

  9. I was looking for crucial information on this subject. The information was important as I am about to launch my own hair removal service blog. Thanks for providing a missing link in my business.

  10. Heya… my very first comment on your site. I have been reading your blog for a while and thought I would completely pop in and drop a friendly note. It is great stuff indeed. I also wanted to ask… is there a way to subscribe to your site via email?

  11. I’ve been checking your blog for a while now, seems like everyday I learn something new :-) Thanks

  12. This web site has surely changed my point of view on this subject. There's no way I would've considered about it this way if I hadn't appear across your weblog. All I was performing was cruising the web and I discovered your web site and all of the sudden my views have altered. Very good on you, man!

  13. or we can remove that like this :

    Just type msconfig in RUN and u will get the msconfig popup box and there u can see startup as last tab and in that u can see khatarnak.exe as checked or marked. just unmark it and restart the system. u have to do this after cleaning up ur system with any antivirus.
