#1
Newbie
Join Date: Oct 2008
Age: 15
Posts: 16
Thanks: 2
Thanked 0 Times in 0 Posts
Rep Power: 0
I brought my friend's pendrive. When I opened it I saw an autorun.ini and I suddenly removed the pendrive. And when I press Ctrl+Alt+Del my Task Manager was gone; it has been disabled by the administrator, and the same with regedit. I tried the Gpedit.msc method and it just enabled the Task Manager for 2 or 3 seconds; after that it showed the problem again. I scanned my computer with AVG 8 latest. It showed a lot of TANATO.M virus in almost every exe of my games, software and even system files. I deleted many files through AVG and then I uninstalled AVG because it won't let me open anything. PLEASE HELP. I also can't copy and paste any files, as it freezes my computer. HERE IS MY HIJACKTHIS LOG
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:35 PM, on 6/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Give4Free Plugin Installer - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - C:\Program Files\Give4Free Plugin\ibho.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [D3DOverrider] "C:\Program Files\RivaTuner v2.24\Tools\D3DOverrider\D3DOverrider.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [USBFW] C:\Program Files\Net Studio\USB FireWall\USB FireWall.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5479CF09-41E3-40BC-ADA2-61E2DD95FC66}: NameServer = 218.248.255.212 218.248.255.139
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 8012 bytes

Last edited by bakuryu; 06-06-2009 at 10:29 PM.
#2
ƒ(ψ)=ΘΊΧφ
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
Fix the following entries in HijackThis :
Code:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Give4Free Plugin Installer - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - C:\Program Files\Give4Free Plugin\ibho.dll (file missing)
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUfox000
Reboot and run some online scans:
Best Online Anti-Virus Scanner & Free Virus Scan - Kaspersky Lab
Free ESET Online Antivirus Scanner
Free Online Virus Scan - BitDefender Online Scanner
Online Scanner
Free online Trojan Scanner - Scan your system for Trojans
ewido - anti-spyware and anti-malware solutions
a-squared Web Malware Scanner - Scan and clean your computer from Trojans, Worms, Dialers, Keyloggers and Spyware/Adware for free!
Download and run CCleaner and clean out all temporary files. Disable System Restore, install Spybot S&D and Lavasoft Adaware, update their definitions and run a full scan.
__________________
Please don't click here
Thanked Users: Pratish Y2J (07-06-2009)
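The reply above hands the poster a list of HijackThis O4 entries to fix by hand. As an added example (not from the thread, and not HijackThis or any of its output), the PowerShell script below reads the same Run and RunOnce autostart locations that HijackThis reports as O4 lines for the machine and the current user, works out which executable each entry launches, and flags entries whose file cannot be found or whose name is on a suspect list. The suspect list is seeded with the WinSys2 name from the log; the removal command at the end is left commented out so nothing changes until the file itself has been quarantined. PowerShell is assumed to be present, which on the Windows XP machine in this thread means installing it separately.

```powershell
# Added example (not from the thread and not HijackThis itself). Lists the Run/RunOnce
# autostart entries that HijackThis reports as O4 lines for the machine (HKLM) and the
# current user (HKCU), and flags entries whose executable cannot be found or whose
# name is on a suspect list.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Seeded with the WinSys2 entry the reply above tells the poster to fix; extend as needed.
$suspectNames = @('WinSys2')

function Get-ExecutableFromCommand([string]$cmd) {
    # The registry stores a command line; take the quoted path or the first token,
    # then expand %SystemRoot%-style variables the way the shell would.
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-ExecutableExists([string]$exe) {
    # Bare names such as RTHDCPL.EXE resolve through PATH; full paths are checked directly.
    if ([IO.Path]::IsPathRooted($exe)) { return (Test-Path -LiteralPath $exe) }
    return ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = Get-ExecutableFromCommand $cmd
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exists  = (Test-ExecutableExists $exe)
                Suspect = ($suspectNames -contains $name)
            }
        }
    }
}

$entries = Get-AutostartEntries
$entries | Format-Table -AutoSize
foreach ($e in ($entries | Where-Object { $_.Suspect -or -not $_.Exists })) {
    Write-Warning "Review: $($e.Key)\$($e.Name) -> $($e.Command)"
}
# Once the file behind a confirmed-bad entry has been quarantined, remove the entry:
# Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WinSys2'
```

Writing to the HKLM keys needs an administrator prompt. The per-account RunOnce entries the log shows under HKUS\S-1-5-19 and the other service SIDs live in HKEY_USERS, which PowerShell does not map by default; mapping it with `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS` and adding the corresponding `HKU:\<SID>\...\RunOnce` paths to `$runKeys` covers those as well.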
#3
Newbie
Join Date: Oct 2008
Age: 15
Posts: 16
Thanks: 2
Thanked 0 Times in 0 Posts
Rep Power: 0
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
Well, I formatted my PC. But I want to ask a question: whenever this virus comes and I somehow get into regedit, I always find 2 reg files named disable regedit (its value is one) and disable taskmanager (its value is also one), and when I delete or change their value they return to their same position. Any solution? And thanks for the reply.
#4
ƒ(ψ)=ΘΊΧφ
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
It runs a service in the background, or hooks into another service, that will automatically change that registry value. You need to have a good antivirus to prevent infection.
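The reply above explains why the values keep coming back, and post #3 describes the symptom. As an added example, not from the thread, the PowerShell script below turns that explanation into a check: it reads the two policy values that disable Task Manager and the Registry Editor (DisableTaskMgr and DisableRegistryTools under the Policies\System key; HijackThis prints the second one as DisableRegedit in its O7 line), sets them to 0, waits a few seconds and reads them back. If either value is 1 again, something still running on the machine is re-applying it, which is the same effect the first post saw when the gpedit fix lasted only two or three seconds. The HKLM copy of the key is checked as well, because Windows honours the restriction from either hive; the 5-second wait is an assumed figure.

```powershell
# Added example (not from the thread). Reads the per-user and machine-wide policy
# values that disable Task Manager / the Registry Editor, clears them, and re-reads
# them after a short delay to detect whether a running process is re-applying them.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# HijackThis shows DisableRegistryTools as "DisableRegedit" in its O7 line.
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-PolicyRestrictions {
    # One object per key/value pair with the current data ($null = value not present).
    foreach ($key in $policyKeys) {
        foreach ($name in $valueNames) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            $data = $null
            if ($null -ne $item) { $data = $item.$name }
            [pscustomobject]@{ Key = $key; Name = $name; Value = $data }
        }
    }
}

function Clear-PolicyRestrictions {
    # Sets every restriction that is present to 0, the same change post #9 makes by hand in regedit.
    foreach ($r in Get-PolicyRestrictions) {
        if ($null -ne $r.Value -and $r.Value -ne 0) {
            Set-ItemProperty -Path $r.Key -Name $r.Name -Value 0 -Type DWord
        }
    }
}

'Before:'
Get-PolicyRestrictions | Format-Table -AutoSize
Clear-PolicyRestrictions
Start-Sleep -Seconds 5          # assumed delay: long enough for a watchdog process to react
'After 5 seconds:'
$after = Get-PolicyRestrictions
$after | Format-Table -AutoSize
$reapplied = $after | Where-Object { $_.Value -eq 1 }
if ($reapplied) {
    Write-Warning 'A restriction came back within seconds: a process or service on this machine is re-applying it, so the infection is still active. Clean it from Safe Mode first, then re-run this check.'
} else {
    'No restriction was re-applied; Task Manager and regedit should open now (log off and on if they do not).'
}
```

Run it from an administrator prompt so the HKLM write succeeds. A value that stays at 0 only proves that nothing re-applied it during the wait; a value that flips back is positive evidence that the cleanup is not finished, which is the more useful of the two outcomes.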
#5
Newbie
Join Date: Jun 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Rep Power: 0
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
If you can't find this file "winsys2.exe":
use Search in START, then search the following keyword (*.exe) winsys2.exe. Delete it when it's an Application or a Folder Application, because there's no .exe Folder logo registered in the computer.
#6
Newbie
Join Date: May 2009
Age: 41
Posts: 23
Thanks: 0
Thanked 3 Times in 3 Posts
Rep Power: 0
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
It's normal for a virus to disable Task Manager..hehe
__________________
http://tipsforantivirus.blogspot.com
#7
Advanced Member (250+)
Join Date: Nov 2007
Location: /etc/init.d/
Posts: 441
Thanks: 15
Thanked 7 Times in 7 Posts
Rep Power: 0
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
Try booting into Safe Mode, delete the file and registry keys, and then come back and tell us how it went.
__________________
(\__/) (='.'=) This is Bunny. Copy and paste bunny into your (" )_(" ) signature to help him gain world domination. http://www.youtube.com/watch?v=ZXD4N_Mi1iE&fmt=22# Freelancer Evolving
#8
Newbie
Join Date: May 2009
Age: 41
Posts: 23
Thanks: 0
Thanked 3 Times in 3 Posts
Rep Power: 0
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
Tanato virus, this is the first time I've heard about it.
#9
Junior Member (25+)
Join Date: May 2009
Location: i live in malaysia
Age: 23
Posts: 47
Thanks: 27
Thanked 39 Times in 24 Posts
Rep Power: 1
Re: Task Manager ,Regedit Disabled .TANATO.M Virus
Use HijackThis and delete the file in the list that has the name "disable regedit".
When your registry system can open, then you need to find "disabletaskmg". If that file has been found and shows (1) at the end of the file name, you need to change 1 to 0, like this (0). Try to find again until all the file search has finished. Thanks.