  1. #1
    Member
    Join Date
    Jan 2005
    Location
    Buffalo NY
    Posts
    316

    Unable to remove 'hidden' virus/trojan/worm after wiping drive

    Can a virus/trojan/malware/worm etc. reside:

    1. In a motherboard's BIOS?
    2. In a hard drive after one wipes the drive with zeros?

    I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder, called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps), that starts up by itself and starts sending data over my DSL connection.

    I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

    My virus program (NOD32) sees that file, but it can't find what is producing it.

    I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

    Any ideas? This has never happened to me before, that I couldn't get rid of the 'problem'.
    When not in use, turn off the juice.
    Think of someone else instead of just yourself. There is far more to it than your utility bill.

  2. #2
    Member
    Join Date
    Aug 2004
    Posts
    1,469
    Did you update Windows after the install? Are they legit versions of XP/2k? And what version of each? Pro, Home, etc.

    They are both definitely Windows services.

    "svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated."

    "dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated."

    Is there more than one process of svchost.exe running in Task Manager?
    "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

    ~DM

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    Buffalo NY
    Posts
    316
    No updates; XP Pro w/SP2 and 2k w/SP4.
    I only put the required drivers in and three programs.

    Yes, to more than one "svchost.exe" in XP, as there always is, and in 2k there are two (lower case).

  4. #4
    Member
    Join Date
    Aug 2004
    Posts
    1,469
    And it is uploading something right now as well?

  5. #5
    Member
    Join Date
    Jan 2005
    Location
    Buffalo NY
    Posts
    316
    No, as soon as I see it happening I shut it down. I'm not on that box when I'm here.

    UPDATE:

    I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again.

    1. This only seems to happen using a dial-up connection. The same PC using my broadband DSL doesn't activate anything.
    2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process; it can't be disconnected and you can't open any new web pages, so you have to reboot. In 2k, it reboots the PC and deletes the dial-up connection altogether (happened on two different installs).

    Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening? IOW, there really isn't any 'virus' in this box until it is sent when each new dial-up session is detected, if those two duplicate files weren't already deleted.

  6. #6
    Trailer Chasing Senior Adragontattoo's Avatar
    Join Date
    Mar 2006
    Location
    Northwestern corner of Va. USA, Northern Hemisphere, Earth, Sol Sector, outer arm of spiral galaxy
    Posts
    5,260
    Quote Originally Posted by videobruce:
    Can a virus/trojan/malware/worm etc. reside:

    1. In a motherboard's BIOS?
    2. In a hard drive after one wipes the drive with zeros?

    There are IIRC about 6 viruses that stay resident and are HW destructive.


    They are not sent out because they serve no purpose to virus writers other than pure and simple destruction.

    Have you tried disconnecting ALL the HDD and only leaving the single OS drive connected? This includes USB, CD/DVD etc.

    The other option you have is to run a low-level format of the drive and then install Linux or another OS to completely overwrite the existing boot sectors etc.

    I have yet to hear of any virus/adware that can stay resident after a full format other than the ones I mentioned above.

    Let DLLHOST etc. get out to the outside world and then run a netstat -a to see where it is going to.

    DLLHOST is usually a system process, but it can also be a virus. Find out where it is going and then let us know; we can help you a bit more from there.

  7. #7
    Member DirtSandwich's Avatar
    Join Date
    Jan 2008
    Location
    Boise, Idaho
    Posts
    257
    Quote Originally Posted by videobruce:
    Can a virus/trojan/malware/worm etc. reside:

    1. In a motherboard's BIOS?
    2. In a hard drive after one wipes the drive with zeros?

    I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder, called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps), that starts up by itself and starts sending data over my DSL connection.

    I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

    My virus program (NOD32) sees that file, but it can't find what is producing it.

    I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

    Any ideas? This has never happened to me before, that I couldn't get rid of the 'problem'.

    If these symptoms are the only thing you see, then it's not a virus. Keep in mind connecting via dial-up and via LAN are two different beasts.

    Are you seeing things other than those two things?

  8. #8
    Inactive Pokémon Moderator JigPu's Avatar
    Join Date
    Jun 2001
    Location
    Vancouver, WA
    Posts
    6,576
    svchost.exe (Service Host) is a generic process which Windows will spawn to start up some services that don't have their own .exe file. A clean install of Windows XP will have several instances of svchost.exe running in the background.

    I've never heard of dllhost.exe myself, but based on the description given by PLOBBY, its existence sounds legit enough.

    You might want to try downloading Process Explorer to get a little more information about these processes. You should be able to figure out exactly what each instance of svchost.exe and dllhost.exe is doing.

    EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

    JigPu
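    Post #6 suggests running netstat to see where DLLHOST is going, and post #8 suggests Process Explorer to see what each svchost/dllhost instance is doing. The script below is an added example, not code from anyone in this thread: it joins constructed `netstat -ano` and `tasklist /fo csv` output (both shipped with XP Pro; `-o` gives the owning PID) on the PID column and flags the two system-named processes when they hold an established connection to a non-local address or are reported in all caps. The sample addresses, PIDs and "watched" names are assumptions for illustration.

```python
import csv, io, ipaddress
# Constructed `netstat -ano` (-o adds the PID column on XP) and `tasklist /fo csv` output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1069       203.0.113.7:6667       ESTABLISHED     1788
  TCP    192.168.1.5:1070       192.168.1.1:139        ESTABLISHED     900
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Console","0","4,120 K"
"DLLHOST.EXE","1788","Console","0","3,900 K"
"""
WATCHED = {"svchost.exe", "dllhost.exe"}  # the two image names the thread is about
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def parse_netstat(text):
    """Yield (foreign, state, pid) for the TCP rows; the header and UDP rows are skipped."""
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP":
            yield parts[2], parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> image name exactly as tasklist reports it (case preserved)."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text.strip()))}

def is_external(addr):
    """True for a routable foreign address; '*', hostnames and local ranges are not."""
    try:
        ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)

def triage(netstat_text, tasklist_text):
    """Return (pid, name, foreign, reasons) for watched processes worth a closer look."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for foreign, state, pid in parse_netstat(netstat_text):
        name = names.get(pid, "")
        if name.lower() not in WATCHED:
            continue
        reasons = []
        if state == "ESTABLISHED" and is_external(foreign):
            reasons.append("established connection to external host")
        if name.isupper():  # only a hint: Windows file names are case-insensitive
            reasons.append("image name reported in all caps")
        if reasons:
            findings.append((pid, name, foreign, "; ".join(reasons)))
    return findings
```

A hit only says which PID to look at next (image path, loaded DLLs, autostart entry); legitimate svchost instances also make outbound connections, so the foreign address still has to be checked by hand.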

  9. #9
    Member DirtSandwich's Avatar
    Join Date
    Jan 2008
    Location
    Boise, Idaho
    Posts
    257
    Quote Originally Posted by JigPu:
    EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

    There are flash-burn viruses that can kill a BIOS chip, but only if the chip itself is flash based. They just write to the chip over and over and over until it burns the chip out.

    I heard about a new 'virus' that is able to modify the BIOS, but from what I understand it's just proof of concept at this point. If someone is able to craft that into a repeatable virus... wow, that would be incredible.

  10. #10
    DorianBrytestar's Avatar
    Join Date
    Nov 2006
    Location
    Buford, Georgia
    Posts
    553
    I think that it's more likely that, if it is a virus, it is getting put back on the machine instead of surviving a full destructive format.

    Assuming that it is indeed a virus (which I am not too sure would be a correct assumption at this point), it could get on your system from another system in your network, or from living on the media you are using to install the OS or other utilities from, or also if there is a vulnerability that allows the outside world to touch your machine.
    Lego PCs for the win!
    For everyone's sanity, please only make one change at a time!

  11. #11
    Member PoX Freak's Avatar
    Join Date
    Jun 2003
    Location
    North Carolina
    Posts
    405
    I remember seeing something like this a couple of years back, when XP was just coming into SP2. If memory serves me, svchost and dllhost are NOT supposed to be capitalized at all. If they are, then there may be something going on in your Windows\System or \System32 directory. Also, clean out your "Local Settings" folder, or just look for any .exe files that start with "tmp" and are followed by numbers. I had this happen last week on my "C" drive, and I ended up doing a full wipe and clean install to SP3. It was really set in bad, because usually I have no problem finding and deleting most of this stuff, but this one was based off that old "mass-mailer" worm, and it continued to send email out to different people when you weren't looking.
