Last week my system got struck with the Win32.Sality virus, and several trojan-infected files called khatra.exe, ghost.exe, xplorer.exe and khatarnakh.exe were injected into the running process. These viruses can be called a variant of the newfolder virus, which has been in existence since the creation of USB drives.
This all happened because, for some reasons, I had to turn off UAC in Vista, and one of my friends came and plugged his lovely flash drive into my system. The rest is understood.
The problem with the khatra virus or ghost.exe virus is that it creates multiple copies of the EXE trojan inside every folder, using the folder's name itself. These infected applications can be mistaken for a folder since they have the same look, and a user might double-click on them, executing the virus again. It's a smart virus, and it starts by disabling your Regedit, msconfig and, in some cases, Control Panel as well as your folder options.
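An added example (not part of the original post): a Python triage scan for the look-alike behaviour described above. It flags .exe files named after their parent or a sibling folder and groups them by SHA-256. It assumes the dropped copies are byte-identical; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def find_folder_lookalikes(root, suffixes=(".exe",)):
    """Yield (path, reason) for executables named after their parent or a sibling folder."""
    for dirpath, dirnames, filenames in os.walk(root):
        parent = Path(dirpath).name.lower()
        siblings = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if ext not in suffixes:
                continue
            if stem in siblings:
                yield os.path.join(dirpath, name), "sibling-folder"
            elif stem == parent:
                yield os.path.join(dirpath, name), "parent-folder"


def group_by_hash(hits):
    """Map SHA-256 -> sorted paths; one hash across many folders suggests dropped copies."""
    groups = defaultdict(list)
    for path, _reason in hits:
        with open(path, "rb") as fh:
            groups[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def repeated_copies(root, min_copies=2):
    """Return only the hash groups seen in at least min_copies locations."""
    groups = group_by_hash(find_folder_lookalikes(root))
    return {d: p for d, p in groups.items() if len(p) >= min_copies}


def build_constructed_tree(base):
    """Constructed sample tree: two planted look-alikes plus one legitimate Tools/Tools.exe."""
    base = Path(base)
    (base / "Photos" / "Holiday").mkdir(parents=True)
    (base / "Tools").mkdir()
    (base / "Photos" / "Photos.exe").write_bytes(b"constructed-dropper-bytes")
    (base / "Photos" / "Holiday.exe").write_bytes(b"constructed-dropper-bytes")
    (base / "Tools" / "Tools.exe").write_bytes(b"constructed-legit-bytes")
    (base / "Photos" / "readme.txt").write_text("not an executable")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for digest, paths in repeated_copies(build_constructed_tree(tmp)).items():
            print(digest[:12], *paths, sep="\n  ")
```

Legitimate software sometimes ships as a folder containing an executable of the same name, so a single hit is a lead to inspect; the same hash repeated across unrelated folders is the stronger signal.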
This virus has some symptoms: whenever you try to open a browser and search for "remove khatra.exe", the browser will automatically close. You also cannot delete khatra.exe, gHost.exe or Xplorer.exe, which are created by the same virus, as these processes will keep running. It also disables the security option in Windows Vista, and the Control Panel remains inaccessible. It tries to hack your Outlook Express to harvest email addresses and attaches itself to your mails.
Click “deny” if the above popup appears at any instant. AVG antivirus is useless and itself gets disabled on the attack of the virus.
To regain the disabled folder options, regedit, msconfig and task manager, you could use the Remove Restrictions Tool. Run RRT as an administrator to perform these actions.
How to delete and remove the khatra.exe, ghost.exe, xplorer.exe virus, or in one word, the WIN32.Sality virus
Download Protector Plus and run the application as an administrator (right-click the file and choose Run as administrator).
Click Scan and the program will find every instance of the virus and delete them.
Restart the system and install a fresh copy of Avast Free edition antivirus and choose to scan the local disk drives.
How to Enable Security Center in Vista after removing khatra virus
Open the Start Menu.
1. In the white line (Start Search) area, type services and press Enter.
2. Scroll down and right click on Security Center and click on Properties.
A) Next to Startup type, click on Disabled and select Automatic.
B) Click on the Apply button.
C) Click on the Start button.
Turn UAC ON in Windows Vista to prevent virus attacks.
Download Sality/khatra/ghost virus removal tool -Protector plus from here
Here are the VirusTotal results for khatra.exe (columns: antivirus, version, last update, result):
a-squared 4.5.0.24 2009.08.13 Trojan-Dropper.Win32.Autoit!IK
AhnLab-V3 5.0.0.2 2009.08.13 –
AntiVir 7.9.1.1 2009.08.13 TR/Autoit.mjc
Antiy-AVL 2.0.3.7 2009.08.13 –
Authentium 5.1.2.4 2009.08.13 W32/Dropper.AHOI
Avast 4.8.1335.0 2009.08.12 Win32:Sality
AVG 8.5.0.406 2009.08.13 –
BitDefender 7.2 2009.08.13 Gen:Trojan.Heur.Ei3frztlVldib
CAT-QuickHeal 10.00 2009.08.13 Trojan.Agent.ATV
ClamAV 0.94.1 2009.08.13 Trojan.Autoit-75
Comodo 1965 2009.08.13 TrojWare.Win32.TrojanDropper.Autoit.k
DrWeb 5.0.0.12182 2009.08.13 WORM.Virus
eSafe 7.0.17.0 2009.08.13 Win32.Dropper.Autoit
eTrust-Vet 31.6.6675 2009.08.13 Win32/SillyAutorun.AJH
F-Prot 4.4.4.56 2009.08.13 W32/Dropper.AHOI
F-Secure 8.0.14470.0 2009.08.13 Trojan-Dropper.Win32.Autoit.k
Fortinet 3.120.0.0 2009.08.13 W32/AutoIt.K!tr
GData 19 2009.08.13 Gen:Trojan.Heur.Ei3frztlVldib
Ikarus T3.1.1.64.0 2009.08.13 Trojan-Dropper.Win32.Autoit
Jiangmin 11.0.800 2009.08.13 –
K7AntiVirus 7.10.817 2009.08.12 Trojan-Dropper.Win32.Autoit.k
Kaspersky 7.0.0.125 2009.08.13 Trojan-Dropper.Win32.Autoit.k
McAfee 5707 2009.08.12 Generic.dx
McAfee+Artemis 5707 2009.08.12 Generic.dx
McAfee-GW-Edition 6.8.5 2009.08.13 Trojan.Autoit.mjc
Microsoft 1.4903 2009.08.13 Worm:Win32/Abfewsm.A
NOD32 4332 2009.08.13 probably a variant of Win32/Agent
Norman 6.01.09 2009.08.13 AutoIt.BT
nProtect 2009.1.8.0 2009.08.13 Trojan-Dropper/W32.AutoIt.506687
Panda 10.0.0.14 2009.08.12 W32/Sohanat.AS.worm
PCTools 4.4.2.0 2009.08.12 –
Prevx 3.0 2009.08.13 High Risk Cloaked Malware
Rising 21.42.34.00 2009.08.13 Trojan.Win32.Autoit.dwc
Sophos 4.44.0 2009.08.13 W32/Autoit-EA
Sunbelt 3.2.1858.2 2009.08.13 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.08.13 W32.SillyFDC
TheHacker 6.3.4.3.383 2009.08.13 Trojan/Dropper.Autoit.k
TrendMicro 8.950.0.1094 2009.08.13 WORM_SOHANAD.LT
VBA32 3.12.10.9 2009.08.13 Trojan-Dropper.Win32.Autoit.k
ViRobot 2009.8.13.1883 2009.08.13 –
VirusBuster 4.6.5.0 2009.08.13 Trojan.DR.Autoit.WG
Thank you very much. I had removed the virus. But there are some effects left behind. I can't open desktop properties and the control panel of my computer. Please help me.
fhop2009@gmail.com
@honeyball
Have you tried the "Remove Restrictions Tool" I stated in the post?
Thank you very much. First I had run RRT, but it didn't work. Now I tested with a newly downloaded copy and it is okay. But after running RRT my connections with other computers are gone; that is, our network became a failure. But I appreciate you for your work. Thank you very much.
fhop2009@gmail.com
Great article..
Thanks, it's very helpful for me.
thanks………….
Good article.
But I tried it by reinstalling the OS,
then installing Quick Heal, which is updated until Nov 2009,
then scanning the whole computer.
And it worked.
Thank you 🙂
Hi, I used Protector Plus, but I still can't install any antivirus software. Even after Protector Plus, the AV software gets disabled as I start the scan. I tried AVG and Kaspersky. What to do?
Threat aliases for Worm.Abfewsm.b:
Alias / Detected by
W32.SillyFDC Symantec
Trojan.Autoit.tkw McAfee-GW-Edition
W32/Yahlover.worm.gen.i.gen McAfee
Artemis!1CFC086EAD82 McAfee+Artemis
Worm/Autoit.ZIP AVG
WORM_IMAUT.EC TrendMicro
Trojan-Dropper.Win32.Autoit.p Kaspersky
Worm:AutoIt/Sohanad.DP Microsoft
Win32/Autoit.FK NOD32
W32/Sohanat.AS.worm Panda
Trojan.Generic.2052698 BitDefender
Trojan-Dropper.Win32.Autoit.p F-Secure
Trojan/Dropper.Autoit.k TheHacker
Win32:Trojan-gen {Other} Avast
Sohanad.BEW Norman
Trojan-Dropper.Win32.Autoit Ikarus
Trojan.Autoit-75 ClamAV
Trojan-Dropper/W32.AutoIt.506687 nProtect
suspected of Trojan.Autoit.ITN VBA32
Trojan.Generic.2052698 GData
W32/Autoit.BP!tr Fortinet
Trojan-Dropper.Win32.Autoit.k Sunbelt
WORM.Virus DrWeb
Trojan-Dropper.Win32.Autoit!IK a-squared
Medium Risk Malware Prevx
Trojan.DR.Autoit.WD VirusBuster
Email-Worm.Win32.Agent K7AntiVirus
TrojWare.Win32.TrojanDropper.Autoit.k Comodo
Worm.Win32.AutoIt.fa Rising
Suspicious File eSafe
Dropper.Autoit.506687 ViRobot
W32/Dropper.AHOI F-Prot
TR/Autoit.mjc AntiVir
Win32/SillyAutorun.AJH eTrust-Vet
Win32/Sohanad.worm.670720 AhnLab-V3
W32/Autoit-BP Sophos
W32/Dropper.AHOI Authentium
It doesn't even let me install Avast. Any suggestions?
Suprrrr!!!!!!
gosh win32/sality affected 1200+ files in my comp!