
Unable to remove 'hidden' virus/trojan/worm after wiping drive


videobruce

Member
Joined
Jan 6, 2005
Location
Buffalo NY
Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over my DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My virus program (NOD32) sees that file, but it can't find what is producing it.

I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

Any ideas as this never happened to me before that I couldn't get rid of the 'problem'.
 
Did you update windows after the install? Are they legit versions of xp/2k? And what version of each? Pro..home...etc...

They are both definitely windows services.

"svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated."

"dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated."

Are there more than one processes of svchost.exe running under the task manager?
 
No updates, XP Pro w/sp2 and 2k w/sp4
I only put the required drivers in and three programs.

Yes, to more than one "svchost.exe" in XP as there always is and in 2k there are two (lower case).
 
No, as soon as I see it happening I shut it down. I'm not on that box when I'm here.

UPDATE:

I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again.

1. This only seems to happen using a dial up connection. The same PC using my broadband DSL doesn't activate anything.
2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process, it can't be disconnected and you can't open any new web pages, you have to reboot. In 2k, it reboots the PC and deletes the dial up connection altogether (happen on two different installs).

Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening?? IOW, there really isn't any 'virus' in this box until it is sent when each new dialup session is detected, if those two duplicate files weren't already deleted.
 
Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

There are IIRC about 6 viruses that stay resident and are HW destructive.


They are not sent out because they serve no purpose to virus writers other than pure and simple destruction.

Have you tried disconnecting ALL the HDD and only leaving the single OS drive connected? This includes USB, CD/DVD etc.

The other option you have is to run a low level format of the Drive and then install a Linux or other OS to completely overwrite the existing boot sectors etc.

I have yet to hear of any virus/adware that can stay resident after a full format other than the ones I mentioned above.

Let DLLHOST etc. get out to the outside world and then run a netstat -a to see where it is going to.

DLLHOST is usually a system process, but it can also be a virus. Find out where it is going and then let us know; we can help you a bit more from there.
 
Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over my DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My virus program (NOD32) sees that file, but it can't find what is producing it.

I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

Any ideas as this never happened to me before that I couldn't get rid of the 'problem'.

If these symptoms are the only thing you see then it's not a virus. Keep in mind connecting via dialup and via LAN are two different beasts.

Are you seeing things other than those two things?
 
svchost.exe (Service Host) is a generic process which Windows will spawn to start up some services that don't have their own .exe file. A clean install of Windows XP will have several instances of svchost.exe running in the background.

I've never heard of dllhost.exe myself, but based on the description given by PLOBBY its existence sounds legit enough.

You might want to try downloading Process Explorer to get a little more information about these processes. You should be able to figure out exactly what each instance of svchost.exe and dllhost.exe are doing.


EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

JigPu
 
EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

JigPu

There are flash burn viruses that can kill a BIOS chip, but only if the chip itself is flash based. They just write to the chip over and over and over until it burns the chip out.

I heard about a new 'virus' that is able to modify the bios but from what I understand it's just proof of concept at this point. If someone is able to craft that in a repeatable virus... wow, that would be incredible.
 
I think that it's more likely that if it is a virus, it is getting put back on the machine instead of surviving a full destructive format.

Assuming that it is indeed a virus (which I am not too sure would be a correct assumption at this point), it could get on your system from another system in your network, or from living on the media you are using to install the OS or other utilities from, or also if there is a vulnerability that allows the outside world to touch your machine.
 
I remember seeing something like this a couple of years back, when XP was just coming into SP2. If memory serves me, the svchost and dllhost are NOT supposed to be capitalized at all. If they are, then there may be something going on in your Windows\System or \System32 directory. Also, clean out your "local settings" folder, or just look for any .exe files that start with "tmp" and are followed by numbers. I had this happen last week on my "C" drive, and I ended up doing a full wipe and clean install to SP3. It was really set in bad, because usually I have no problem finding and deleting most of this stuff, but this one was based off that old "mass-mailer" worm, and it continued to send email out to different people when you weren't looking.
 