HELP!! Infected by CIA Trojan!!

eppik · Post by **eppik** » 10 Feb 2007, 08:04

I've been infected by CIA trojan. I blocks the Task MAnager, windows recovery, registry editing, etc..!!!!

I have kaspersky anti vir and i deleted all threaths also i instale a trojan remover but it didnt work!!

Plz HELP ME!!

Chaos1986 · Post by **Chaos1986** » 10 Feb 2007, 08:58

If You Can Some How Get To Your Task Manager http://www.spywaredb.com/remove-cia/
You Can Also Try http://security.symantec.com/sscv6/defa ... &venid=sym
And Click GO
Or Try http://www.ccleaner.com/
I Use It To Keep My Registry Clean.
Good Luck

eppik · Post by **eppik** » 10 Feb 2007, 09:20

i didnt help much cuz i cant acess task manager

isnt there a software to remove it?

I really need to acess task manager

PS i've gained acess to regedit now but stll need tsk manager to kill it

zer0Dose · Post by **zer0Dose** » 10 Feb 2007, 20:53

try using a differnt connection, the noob might disable task when ur online, but differnt IP, he wont know, unless he set it to disable task as soon as u opened the exe

google?

Post by **Gogeta70** » 10 Feb 2007, 21:11

This is simple. Boot up in safe mode, and follow the proper steps to move it. It may be preferrable to start in safe mode with networking. This way, you can come back here and look at the useful information given by Chaos1986.

eppik · Post by **eppik** » 11 Feb 2007, 04:57

The n00b set it do kill AV and firewall as whell as Task MNG and Regedit and windows recovery....

Damn even in safe mode i cant acess Task manager to kill the processes so i cant follow Chaos' advice on how to remove it.....

If i find the noobs IP ill kill him...

eppik · Post by **eppik** » 11 Feb 2007, 11:21

New update:

I CANT ACESS cmd.exe!!!

eppik · Post by **eppik** » 11 Feb 2007, 11:50

It was one of my friends he doesnt know english so he just checked every box in the server builder so now:

It hides from task manager
it hides from windows explorer
it hides from AV
it kills Firewall and AV

Advances:

I now get acess to task manager and cmd in networking safe mode, but the processes are hidden!

I really need to get rid of this plz

Post by **Gogeta70** » 11 Feb 2007, 13:16

Seems like it did some registry edits. Boot up in safe mode again, and do a system restore. Also, in safe mode, watch it boot up and at the bottom if it says it's loading some file and that you can cancel it, DO IT. It's probably that trojan integrating itself into safe mode. Anyway, once you've done system restore, try doing the things chaos recommended.

eppik · Post by **eppik** » 11 Feb 2007, 14:26

ill trie and update this post

it disabled sys restore in safe mode but i will do as you say:

press ESC when files are loading

UPDATE: When i press escape, the computer reeboots, and the system restore says that has been disabled by some thing called the Group policie or something like that

knightm4r3 · Post by **knightm4r3** » 14 Feb 2007, 18:56

Can you use BART cd?

Also, try to use a knoppix disk.

If you use the Knoppix disk, you'll have to just sat all permissions to admin and you should be able to access the windows partition. It is what I use anytime my windows dies.

eppik · Post by **eppik** » 16 Feb 2007, 06:34

yes i've got the Knoppix STD version (live cd)

How do i acess teh HD, and what do i do?

Pathogenic_Linx · Post by **Pathogenic_Linx** » 11 Mar 2007, 14:54

Sounds more like a root kit than anything else.

Post by **bad_brain** » 11 Mar 2007, 15:13

Pathogenic_Linx wrote:Sounds more like a root kit than anything else.

not exactly...a rootkit can't usually be found in the list of running tasks or opened ports, but on the other side a rootkit doesn't need to kill the AV or firewall. the AV usually can't detect it anyway because the rootkit is running on system level and not on application level, and because it binds to other services it doesn't need to open a own port.
but well, it's like viruses and worms, there is no "pure" malware around anymore, just mixes of different malware categories....so a RAT can partitially behave like a rootkit too...