Found new nasty today
frostbyte5014
08-04-2009, 11:42 PM
I got a call out to a customer's business today. He had two PCs infected with some kind of new virus. I couldn't run any apps from safe mode and couldn't get them to boot from CD or USB. I'll dig into them more tonight and pull the drives for a scan on the bench PC. Thought the boot thing was weird. Must have affected the BIOS. Both machines were identical Dells. Got a feeling these will be getting a format before it's over. Last resort, of course.
Anyone else seen this lately?
bagellad
08-04-2009, 11:54 PM
I ran into a malware that stopped me from loading any program in safe mode; while the program would run, it stopped anything from coming up on the screen. Eventually I ended up closing the EXEs in Task Manager and was able to install something in safe mode.
So can you not even get into the BIOS to change the boot order? Any chance it's just a keyboard issue? Some motherboards need a PS/2 keyboard to get into the BIOS before Windows is loaded.
angry_geek
08-05-2009, 12:39 AM
This sounds like it did the same things as the one I posted about a while back. http://www.technibble.com/forums/showthread.php?t=7605
frostbyte5014
08-05-2009, 12:59 AM
> I ran into a malware that stopped me from loading any program in safe mode; while the program would run, it stopped anything from coming up on the screen. Eventually I ended up closing the EXEs in Task Manager and was able to install something in safe mode.
> So can you not even get into the BIOS to change the boot order? Any chance it's just a keyboard issue? Some motherboards need a PS/2 keyboard to get into the BIOS before Windows is loaded.
I can get into the BIOS and adjust the boot order, but no matter what I set it to it boots straight into Windows. Even if I hold down F12 and tell it to boot from CD or USB it goes straight to Windows.
I'm hoping when I mount the drives in my bench PC I can run ComboFix and kill it.
ComputerClinic
08-05-2009, 09:11 AM
I don't know if this will work, but you could try booting into diagnostic mode. To do this go to msconfig and select "Diagnostic Startup". This is similar to safe mode but I think it's even more restrictive.
Of course, this assumes that you can even load msconfig, which seems doubtful in your case...
atlanticjim
08-05-2009, 12:07 PM
IDKMB (I don't know much, but . . .)
Pull the drive, reset the BIOS to factory, slave the drive to the shop machine to clean it, reinstall the drive and see what you have.
PLEASE: Post what you find!
BTW: I am pulling / slaving / disinfecting about 50% of drives now.
Galdorf
08-05-2009, 01:49 PM
It is probably a variant of this: http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html
bagellad
08-05-2009, 03:15 PM
Try turning off the computer halfway through loading Windows, when the bar is up. Then you will usually get an option for safe mode, last known good config, etc. I know it's shady but it has saved me a few times.
Also, is the CD drive really old?
Dunne_Computing
08-05-2009, 04:05 PM
I had a similar ransomware attack a while back with a customer.
Same thing: couldn't install or run anything from a USB key or live CD.
It was mostly "Antispyware 2009" that was causing my issues, but the PC was just riddled with viruses.
Luckily enough it was just a porn-browsing PC, so a nuke and pave was my best option.
frostbyte5014
08-05-2009, 05:55 PM
> Try turning off the computer halfway through loading Windows, when the bar is up. Then you will usually get an option for safe mode, last known good config, etc. I know it's shady but it has saved me a few times.
> Also, is the CD drive really old?
I can get into safe mode; that's not the issue. When you get into safe mode you can't run any apps.
> IDKMB (I don't know much, but . . .)
> Pull the drive, reset the BIOS to factory, slave the drive to the shop machine to clean it, reinstall the drive and see what you have.
> PLEASE: Post what you find!
> BTW: I am pulling / slaving / disinfecting about 50% of drives now.
That's what I'm doing. I don't usually have to pull and slave them, but this virus doesn't want to play nicely.
I'll post my findings in a few hours.
frostbyte5014
08-06-2009, 11:42 AM
I finally got fed up with the damn thing and formatted. I would have kept fighting it if I had time. Customer needs systems back ASAP though. I have to say this is the toughest one I have ever seen. I'm thankful for the business that malware creates for us but I would like to see someone go to prison for this one.
iisjman07
08-06-2009, 12:33 PM
If you rename your executable to a system file name like 'svchost.exe' it will then run. Rename Process Explorer to that and you can then stop the process.
frostbyte5014
08-06-2009, 12:47 PM
That's a great idea. I'll give it a try next time. I have renamed common apps before to get them to run but never thought of this.
Galdorf
08-06-2009, 04:44 PM
I use UnHackMe; it makes short work of jobs like that. It catches the files before the OS loads, puts them on hold and asks you if you would like to delete them.
It's worth the money with the time it saves. Anything with no name in the company field is suspect; if in doubt, Google it or look it up in the program.
You could use RootRepeal on a deep HD scan; it's still in beta.
stevenamills
08-06-2009, 09:26 PM
Could someone explain the actual mechanics of a virus that won't let a computer boot from CD?
Thanks.....
JRDtechnet
08-09-2009, 05:55 AM
I fought a similar infection today. ComboFix, Autoruns, HijackThis, Malwarebytes and UnHackMe all wouldn't run, or they would run for about 5 seconds before being terminated. I was able to load UBCD though and run SUPERAntiSpyware, and it seemingly cleaned about a dozen or so infected files (not including about 200 tracking cookies) out of the computer, but I still wasn't able to run those programs.

I went to run secedit to reset permissions, but it said I was missing scecli.dll... hmm, OK. I tried copying the scecli.dll from UBCD to system32: "the file is being used by another program". I deleted it with Unlocker but it came right back on reboot. I finally used RootRepeal and it found SCECLI.DLL hooked into lsass.exe; unhooked and deleted scecli.dll, rebooted to the Windows XP CD and ran fixmbr through the Recovery Console. Loaded Windows, copied scecli.dll from UBCD back into system32, and now everything works again. Ran ComboFix and Malwarebytes and it came back clean.

So obviously SCECLI.DLL was modified or replaced; scecli.dll controls the group policy. I should also mention that renaming applications did not work either.
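The check a bench tech would want before repeating JRDtechnet's procedure on a slaved drive is whether any system DLL on the suspect volume differs from a known-good copy, so that a replaced file like scecli.dll is found by hash comparison rather than by waiting for secedit to complain. The script below is an added example and is not code from the thread or from any of the tools named in it. It hashes every DLL in a reference directory (assumed to be a trusted copy at the same service-pack level, e.g. the UBCD copy JRDtechnet used, since a legitimate hotfix also changes the hash) and reports each file in the suspect directory as ok, modified or missing. The demo() function builds constructed sample files in a temporary directory so it runs offline; on a real job the two paths would be the mounted drive's system32 and the reference set.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_dir(suspect_dir, reference_dir, pattern="*.dll"):
    """Compare every file matching `pattern` in the reference set against the
    same-named file on the suspect volume.

    Returns {filename: "ok" | "modified" | "missing"}. Files present only on the
    suspect side are deliberately not reported here: the question on a bench is
    whether the files Windows is supposed to have are the ones it shipped with.
    """
    verdicts = {}
    for reference in sorted(Path(reference_dir).glob(pattern)):
        suspect = Path(suspect_dir) / reference.name
        if not suspect.is_file():
            verdicts[reference.name] = "missing"
        elif sha256_file(suspect) == sha256_file(reference):
            verdicts[reference.name] = "ok"
        else:
            verdicts[reference.name] = "modified"
    return verdicts


def demo():
    """Constructed sample (assumption: fake DLL bodies, not real Windows files).

    Builds a 'reference' set of three DLLs and a 'suspect' set where scecli.dll
    has extra bytes appended (a stand-in for a replaced file) and advapi32.dll is
    absent, then runs the comparison.
    """
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "reference"
        suspect = Path(tmp) / "suspect"
        reference.mkdir()
        suspect.mkdir()

        clean = {
            "scecli.dll": b"MZ clean scecli body",
            "kernel32.dll": b"MZ clean kernel32 body",
            "advapi32.dll": b"MZ clean advapi32 body",
        }
        for name, body in clean.items():
            (reference / name).write_bytes(body)

        # Tampered copy: same leading bytes, extra payload appended.
        (suspect / "scecli.dll").write_bytes(clean["scecli.dll"] + b"\x90\x90 hooked")
        # Untouched copy.
        (suspect / "kernel32.dll").write_bytes(clean["kernel32.dll"])
        # advapi32.dll intentionally not written to the suspect side.

        return compare_dir(suspect, reference)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:<9} {name}")
```

A hash mismatch on the mounted drive only tells you the on-disk file is not the reference one; it says nothing about the in-memory hook that RootRepeal found in lsass.exe, and it cannot be run from inside the infected Windows where the file is locked. It is a pre-reboot triage step for the slaved-drive workflow, and any "modified" result still needs a second look against the correct version for that service pack before the file is swapped out.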
Larry Sabo
08-09-2009, 12:48 PM
Wow, good job! Thanks for posting that. :)
frostbyte5014
08-09-2009, 10:27 PM
@ JRD Thanks, I'll try that next time.