≡ Menu

How to delete Khatra.exe ,gHost.exe, Xplorer.exe Virus [Win32.Sality Removal Tool]

Last week my system got struck with Win32.sality virus and several trojan infected files called khatra.exe,ghost.exe,xplorer.exe and khatarnakh.exe were injected into the running process.These viruses can be called as a variant of newfolder virus which has been brought into very existence since the creation of USB drives.

computer virus trojan khatra.exe sality

This all happened since due to some reasons I had to turn off UAC in Vista and one of my friends came and plugged his lovely flash drive into my system.Rest is all understood.

The problem with the khatra virus or ghost.exe virus is that it creates multiple copies of the EXE trojan virus inside every folder using the folder’s name itself.These virus infected applications could be misunderstood to be a folder since it has the same looks and a user might double click on them,again executing the virus itself.It’s a smart virus,and starts by disabling your Regedit, msconfig and in some cases control panel as well as your folder options.

This virus has some symptoms when ever you try to open browser and search remove khatra.exe the browser will automatically close,also you cannot delete khatra.exe or gHost.exe or Xplorer.exe which are created by the same virus as these processes will keep running.It aslo disables the security option in windows vista and also the control panel is remains inaccessible.It tries to hack your outlook express for harvesting email address and attaches itself to your mails.


Click “deny” if the above popup appears at any instant.AVG antivirus is useless and itself gets disabled on the attack of the virus.

To regain back the disabled folder options,regedit,msconfig and task manager you could use Remove Restrictions Tool.Run RRT as an administrator to performing actions.

How to delete and Remove Khatra.exe, ghost.exe ,xplorer.exe virus or in one word WIN32.Sality Virus.

Download Protector plus and run the application as an administrator(right click file and choose run as administrator)

Click Scan and the program will find every instance of the virus and delete them.

Restart the system and install a fresh copy of Avast Free edition antivirus and choose to scan the local disk drives.

win32.sality virus avast scanner

How to Enable Security Center in Vista after removing khatra virus

Open the Start Menu.
1. In the white line (Start Search) area, type services and press Enter.

2. Scroll down and right click on Security Center and click on Properties.

A) Next to Startup type, click on Disabled and select Automatic.

B) Click on the Apply button.
C) Click on the Start button.

Turn UAC ON in windows vista to prevent virus attack.

removal tool khatra.exe sality virus

Download Sality/khatra/ghost virus removal tool -Protector plus from here

Comments on this entry are closed.

  • Virustotal August 13, 2009, 2:46 pm

    Here are the results of khatra.exe virus by virustotal.

    a-squared 2009.08.13 Trojan-Dropper.Win32.Autoit!IK
    AhnLab-V3 2009.08.13 –
    AntiVir 2009.08.13 TR/Autoit.mjc
    Antiy-AVL 2009.08.13 –
    Authentium 2009.08.13 W32/Dropper.AHOI
    Avast 4.8.1335.0 2009.08.12 Win32:Sality
    AVG 2009.08.13 –
    BitDefender 7.2 2009.08.13 Gen:Trojan.Heur.Ei3frztlVldib
    CAT-QuickHeal 10.00 2009.08.13 Trojan.Agent.ATV
    ClamAV 0.94.1 2009.08.13 Trojan.Autoit-75
    Comodo 1965 2009.08.13 TrojWare.Win32.TrojanDropper.Autoit.k
    DrWeb 2009.08.13 WORM.Virus
    eSafe 2009.08.13 Win32.Dropper.Autoit
    eTrust-Vet 31.6.6675 2009.08.13 Win32/SillyAutorun.AJH
    F-Prot 2009.08.13 W32/Dropper.AHOI
    F-Secure 8.0.14470.0 2009.08.13 Trojan-Dropper.Win32.Autoit.k
    Fortinet 2009.08.13 W32/AutoIt.K!tr
    GData 19 2009.08.13 Gen:Trojan.Heur.Ei3frztlVldib
    Ikarus T3. 2009.08.13 Trojan-Dropper.Win32.Autoit
    Jiangmin 11.0.800 2009.08.13 –
    K7AntiVirus 7.10.817 2009.08.12 Trojan-Dropper.Win32.Autoit.k
    Kaspersky 2009.08.13 Trojan-Dropper.Win32.Autoit.k
    McAfee 5707 2009.08.12 Generic.dx
    McAfee+Artemis 5707 2009.08.12 Generic.dx
    McAfee-GW-Edition 6.8.5 2009.08.13 Trojan.Autoit.mjc
    Microsoft 1.4903 2009.08.13 Worm:Win32/Abfewsm.A
    NOD32 4332 2009.08.13 probably a variant of Win32/Agent
    Norman 6.01.09 2009.08.13 AutoIt.BT
    nProtect 2009.1.8.0 2009.08.13 Trojan-Dropper/W32.AutoIt.506687
    Panda 2009.08.12 W32/Sohanat.AS.worm
    PCTools 2009.08.12 –
    Prevx 3.0 2009.08.13 High Risk Cloaked Malware
    Rising 2009.08.13 Trojan.Win32.Autoit.dwc
    Sophos 4.44.0 2009.08.13 W32/Autoit-EA
    Sunbelt 3.2.1858.2 2009.08.13 Trojan.Win32.Generic!BT
    Symantec 2009.08.13 W32.SillyFDC
    TheHacker 2009.08.13 Trojan/Dropper.Autoit.k
    TrendMicro 8.950.0.1094 2009.08.13 WORM_SOHANAD.LT
    VBA32 2009.08.13 Trojan-Dropper.Win32.Autoit.k
    ViRobot 2009.8.13.1883 2009.08.13 –
    VirusBuster 2009.08.13 Trojan.DR.Autoit.WG

  • honeyball September 11, 2009, 9:20 am

    Thank you verymuch.I had removed the virus.But there is some effects left behind.I cant open desktop properties and controlpanel of my computer please help me

  • renjith September 11, 2009, 2:03 pm

    have you tried the "remove restriction tool" i stated in the post

  • honey September 14, 2009, 9:45 am

    thank you verymuch.First i had ran RRT.Butr it doesnt worked .Now i tested with a new copy downloaded now it is okey.But after running RRT My connections with other computers gone.that is our network became a failure.But i appreciate you with your works.THank you verymuch

  • eko sn December 9, 2009, 12:38 pm

    Great article..
    thank's It's very helpfull for me.

  • ragesh December 17, 2009, 11:36 am


  • Vinod February 3, 2010, 6:53 pm

    Good article
    But i tried it by reinstalling OS
    then installing quick heal which is updated untill nov 2009
    Then scaning the whole computer
    And it worked

  • Anonymous February 21, 2010, 5:02 pm

    thank u 🙂

  • Anonymous April 14, 2010, 2:17 pm

    hi, i used the protector plus. but still cant install any antivirus sofwares. even after protector plus, the AV Software will get disabled as i start the scan. i tried AVG and Kaspersky. wht to do?

  • Anonymous October 2, 2010, 10:03 am

    Threat aliases for Worm.Abfewsm.b:

    AliasDetected by
    W32.SillyFDC Symantec
    Trojan.Autoit.tkw McAfee-GW-Edition
    W32/Yahlover.worm.gen.i.gen McAfee
    Artemis!1CFC086EAD82 McAfee+Artemis
    Worm/Autoit.ZIP AVG
    WORM_IMAUT.EC TrendMicro
    Trojan-Dropper.Win32.Autoit.p Kaspersky
    Worm:AutoIt/Sohanad.DP Microsoft
    Win32/Autoit.FK NOD32
    W32/Sohanat.AS.worm Panda
    Trojan.Generic.2052698 BitDefender
    Trojan-Dropper.Win32.Autoit.p F-Secure
    Trojan/Dropper.Autoit.k TheHacker
    Win32:Trojan-gen {Other} Avast
    Sohanad.BEW Norman
    Trojan-Dropper.Win32.Autoit Ikarus
    Trojan.Autoit-75 ClamAV
    Trojan-Dropper/W32.AutoIt.506687 nProtect
    suspected of Trojan.Autoit.ITN VBA32
    Trojan.Generic.2052698 GData
    W32/Autoit.BP!tr Fortinet
    Trojan-Dropper.Win32.Autoit.k Sunbelt
    WORM.Virus DrWeb
    Trojan-Dropper.Win32.Autoit!IK a-squared
    Medium Risk Malware Prevx
    Trojan.DR.Autoit.WD VirusBuster
    Email-Worm.Win32.Agent K7AntiVirus
    TrojWare.Win32.TrojanDropper.Autoit.k Comodo
    Worm.Win32.AutoIt.fa Rising
    Suspicious File eSafe
    Dropper.Autoit.506687 ViRobot
    W32/Dropper.AHOI F-Prot
    TR/Autoit.mjc AntiVir
    Win32/SillyAutorun.AJH eTrust-Vet
    Win32/Sohanad.worm.670720 AhnLab-V3
    W32/Autoit-BP Sophos
    W32/Dropper.AHOI Authentium

  • Anonymous December 19, 2010, 6:55 am

    It doesn't even let me install Avast. Any suggestions?

  • Anonymous February 14, 2011, 12:33 pm


  • JM Erestain March 28, 2011, 3:23 am

    gosh win32/sality affected 1200+ files in my comp!