Archive for the ‘Troubleshooting Khatarnak.exe’ Category

10.31.08

Steps to remove the virus Khatarnak.exe

by Satish Sridharan

This virus uses a file name that is the name of a legitimate Windows process, so it is necessary to locate the file(s) using Process Explorer. Also note the path and file name of all files detected as WORM_AUTORUN.ACO. If the process you are looking for is not in the list displayed by Process Explorer, proceed to the next solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking PROCEXP.EXE.
  4. In the Process Explorer window, locate the malware file(s) detected earlier.
  5. Right-click on the detected files, then click Kill Process Tree.
  6. Do the same for all detected malware files in the list of running processes.
  7. Close Process Explorer.

If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing/Restoring Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate the entry:
    Shell = “Explorer.exe KHATARNAK.exe”
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    explorer.exe
  5. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  6. In the right panel, locate and delete the entry:
    KHATARNAK Loader = “%System%\KHATARNAK.exe”
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Removing Other Added Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>System
  2. In the right panel, locate and delete the following:
    DisableTaskMgr = “1”
  3. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
  4. In the right panel, locate and delete the following:
    NofolderOptions = “1”
  5. Close Registry Editor.
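To check a machine for everything the two procedures above remove (the running process, the Shell and KHATARNAK Loader values, and the two Policies locks), here is an added PowerShell audit script; it is not part of the original post. It assumes the registry paths and value names are exactly as listed above and that it is run from an elevated prompt; without the hypothetical -Remediate switch it only reports what it finds.

```powershell
# Added example, not from the original post: audit the Khatarnak.exe
# persistence entries described above and optionally undo them.
# Assumptions: the paths and value names match the post exactly and the
# script runs elevated. Run with -Remediate to apply the post's changes.
param([switch]$Remediate)

$findings = @()

# 1. Running process named after the malware file (the Process Explorer step)
Get-Process -Name 'KHATARNAK' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running process: $($_.Name) (PID $($_.Id)) $($_.Path)"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. HKLM Run: Shell value rewritten to launch KHATARNAK.exe alongside Explorer
$hklmRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$shell = (Get-ItemProperty -Path $hklmRun -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -match 'KHATARNAK') {
    $findings += "$hklmRun\Shell = '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $hklmRun -Name 'Shell' -Value 'explorer.exe' }
}

# 3. Values the post says to delete outright: the loader entry and the
#    two policy values that hide Task Manager and Folder Options
$toDelete = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'KHATARNAK Loader' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions' }
)
foreach ($entry in $toDelete) {
    $item = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "$($entry.Path)\$($entry.Name) = '$($item.$($entry.Name))'"
        if ($Remediate) { Remove-ItemProperty -Path $entry.Path -Name $entry.Name }
    }
}

if ($findings.Count -eq 0) { 'No Khatarnak.exe indicators found.' }
else {
    'Indicators found' + $(if ($Remediate) { ' and remediated:' } else { ' (run with -Remediate to fix):' })
    $findings | ForEach-Object { "  $_" }
}
```

Back up the registry before running with -Remediate, as the post advises; the report-only mode is safe to run first to confirm which entries are actually present.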