Unable to remove 'hidden' virus/trojan/worn after wipeing drive

videobruce · 02-16-08, 01:48 PM

Can a virus/trojan/malware/worm etc. reside;

1. In a motherboards Bios,
2. In a hard drive after one wipes the drive with zeros'?

I have 'something' that is creating a duplicate Windows file and putting in the Windows\Systen32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over by DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps) which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My Virus program (NOD32) see that file, but it can't find what is producing it.

I have wiped the drive using the manufactures 'write zeros to the drive', reformatted and reloaded the O/S (orginally XP, now 2k), but this is still here.

Any ideas as this never happened to me before that I couldn't get rid of the 'problem'.

PLOBBY · 02-16-08, 02:00 PM

Did you update windows after the install? Are they legit versions of xp/2k? And what version of each? Pro..home...etc...

They are both definitely windows services.

"svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated."

"dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated."

Are there more than one processes of svchost.exe running under the task manager?

videobruce · 02-16-08, 02:18 PM

No updates, XP Pro w/sp2 and 2k w/sp4
I only put the required drivers in and three programs.

Yes, to more than one "svchost.exe" in XP as there always is and in 2k there are two (lower case).

PLOBBY · 02-16-08, 02:25 PM

And it is uploading something right now as well?

videobruce · 02-19-08, 06:42 AM

No, as soon as I see it happening I shut it down. I'm not on that box when I'm here.

UPDATE:

I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again.

1. This only seems to happen using a dial up connection. The same PC using my broadband DSL doesn't activate anything.
2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process, it can't be disconnected and you can't open any new web pages, you have to reboot. In 2k, it reboots the PC and deletes the dial up connection altogether (happen on two different installs).

Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening?? IOWs', there really isn't any 'virus' in this box untill it is sent when each new dialup session is detected if those two duplicate files weren't already deleted.

Adragontattoo · 02-19-08, 08:06 AM

Can a virus/trojan/malware/worm etc. reside;

1. In a motherboards Bios,

2. In a hard drive after one wipes the drive with zeros'?

There are IIRC about 6 viruses that stay resident and are HW destructive.

6

They are not sent out because they serve no purpose to virus writers other then pure and simple destruction.

Have you tried disconnecting ALL the HDD and only leaving the single OS drive connected? This includes USB, CD/DVD etc.

The other option you have is to run a low level format of the Drive and then install a Linux or other OS to completely overwrite the existing boot sectors etc.

I have yet to hear of any virus/adware that can stay resident after a full format other then the one I mentioned above.

Let DLLHOST etc get out to the outside world and then run a netstat/a to see where it is going to.

DLLHOST is a system process usually but it can also be a virus, find out where it is going and then let us know, we cna help you a bit more from there.

DirtSandwich · 02-19-08, 12:51 PM

Quote:

Originally Posted by videobruce

Can a virus/trojan/malware/worm etc. reside;

1. In a motherboards Bios,
2. In a hard drive after one wipes the drive with zeros'?

I have 'something' that is creating a duplicate Windows file and putting in the Windows\Systen32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over by DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps) which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My Virus program (NOD32) see that file, but it can't find what is producing it.

I have wiped the drive using the manufactures 'write zeros to the drive', reformatted and reloaded the O/S (orginally XP, now 2k), but this is still here.

Any ideas as this never happened to me before that I couldn't get rid of the 'problem'.

if these symptoms are the only thing you see then it's not a virus. Keep in mind connecting via dialup and via LAN are two different beasts.

Are you seeing things other than those two things?

JigPu · 02-19-08, 02:02 PM

svchost.exe (Service Host) is a generic process which Windows will spawn to start up some services that don't have their own .exe file. A clean install of Windows XP will have several instances of svchost.exe running in the background.

I've never heard of dllhost.exe myself, but based on the description given by PLOBBY its existence sounds legit enough.

You might want to try downloading Process Explorer to get a little more information about these processes. You should be able to figure out exactly what each instance of svchost.exe and dllhost.exe are doing.

EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't so say its not possible, just that I haven't ever heard of such a thing.

JigPu

DirtSandwich · 02-20-08, 01:56 AM

Quote:

Originally Posted by JigPu

EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't so say its not possible, just that I haven't ever heard of such a thing.JigPu

there are flash burn viruses that can kill a bios chip, but only if the chip itself is flash based. They just write to the chip over and over and over until it burns the chip out.

I heard about a new 'virus' that is able to modify the bios but from what I understand it's just proof of concept at this point. If someone is able to craft that in a repeatable virus... wow, that would be incredible.

DorianBrytestar · 02-20-08, 02:55 PM

I think that it's more likely that if it is a virus, that is is getting put back on the machine instead of it surviving a full destructive format.

Assuming that it is indeed a virus (which I am not troo sure would be a correct assumption at this point) it could get on your system from another system in your network, or from living on the media you are using to install the os or other utilities from, or also if there is a vulnerability that allows the outside world to touch your machine.

PoX Freak · 02-21-08, 10:03 AM

I remember seeing something like this a couple of years back, when XP was just coming into sp2. If memory serves me, the svchost and dllhost are NOT supposed to be capitalized at all. If they are, then there may be something going on in your Windows\System or \System32 directory. Also, clean out your "local settings" folder, or just look for any .exe files that start with "tmp" and are followed by numbers. I had this happen last week on my "c" drive, and i ended up doing a full wipe and clean install to sp3. It was really set in bad, because usually i have no problem finding and deleting most of this stuff, but this one was based off that old "mass-mailer" worm, and it continued to send email out to different people when you weren't looking.

02-16-08, 01:48 PM	Thread Starter #1
videobruce Member Join Date: Jan 2005 Location: Buffalo NY	Unable to remove 'hidden' virus/trojan/worn after wipeing drive Can a virus/trojan/malware/worm etc. reside; 1. In a motherboards Bios, 2. In a hard drive after one wipes the drive with zeros'? I have 'something' that is creating a duplicate Windows file and putting in the Windows\Systen32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over by DSL connection. I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps) which I notice right off the bat. I can't stop the process unless I boot into Safe Mode. My Virus program (NOD32) see that file, but it can't find what is producing it. I have wiped the drive using the manufactures 'write zeros to the drive', reformatted and reloaded the O/S (orginally XP, now 2k), but this is still here. Any ideas as this never happened to me before that I couldn't get rid of the 'problem'. __________________ Copyright protection & Intellectual property my ass. All the studios want is more money & control. Enough is enough!
	QUOTE Thanks

02-16-08, 02:00 PM	#2
PLOBBY Member Join Date: Aug 2004	Did you update windows after the install? Are they legit versions of xp/2k? And what version of each? Pro..home...etc... They are both definitely windows services. "svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated." "dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated." Are there more than one processes of svchost.exe running under the task manager? __________________ "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend" ~DM
	QUOTE Thanks

02-16-08, 02:18 PM	Thread Starter #3
videobruce Member Join Date: Jan 2005 Location: Buffalo NY	No updates, XP Pro w/sp2 and 2k w/sp4 I only put the required drivers in and three programs. Yes, to more than one "svchost.exe" in XP as there always is and in 2k there are two (lower case). __________________ Copyright protection & Intellectual property my ass. All the studios want is more money & control. Enough is enough!
	QUOTE Thanks

02-16-08, 02:25 PM	#4
PLOBBY Member Join Date: Aug 2004	And it is uploading something right now as well? __________________ "Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend" ~DM
	QUOTE Thanks

02-19-08, 06:42 AM	Thread Starter #5
videobruce Member Join Date: Jan 2005 Location: Buffalo NY	No, as soon as I see it happening I shut it down. I'm not on that box when I'm here. UPDATE: I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again. 1. This only seems to happen using a dial up connection. The same PC using my broadband DSL doesn't activate anything. 2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process, it can't be disconnected and you can't open any new web pages, you have to reboot. In 2k, it reboots the PC and deletes the dial up connection altogether (happen on two different installs). Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening?? IOWs', there really isn't any 'virus' in this box untill it is sent when each new dialup session is detected if those two duplicate files weren't already deleted. __________________ Copyright protection & Intellectual property my ass. All the studios want is more money & control. Enough is enough!
	QUOTE Thanks

Unable to remove 'hidden' virus/trojan/worn after wipeing drive

Internet Services

Website Development

Tech Hardware

02-19-08, 08:06 AM	#6
Adragontattoo Trailer Chasing Senior Join Date: Mar 2006 Location: 103 year old Victorian that I am renovat/moderniz-ing and fixing.	Can a virus/trojan/malware/worm etc. reside; 1. In a motherboards Bios, 2. In a hard drive after one wipes the drive with zeros'? There are IIRC about 6 viruses that stay resident and are HW destructive. 6 They are not sent out because they serve no purpose to virus writers other then pure and simple destruction. Have you tried disconnecting ALL the HDD and only leaving the single OS drive connected? This includes USB, CD/DVD etc. The other option you have is to run a low level format of the Drive and then install a Linux or other OS to completely overwrite the existing boot sectors etc. I have yet to hear of any virus/adware that can stay resident after a full format other then the one I mentioned above. Let DLLHOST etc get out to the outside world and then run a netstat/a to see where it is going to. DLLHOST is a system process usually but it can also be a virus, find out where it is going and then let us know, we cna help you a bit more from there. __________________ Only ISP provided, .EDU, .GOV, .MIL e-mail addresses are Classifieds approved. Are you unable to access the Classifieds? Click here to find out why! The Forum Rules FAQ\|Classies Rules and Regs Prices, slashes and edits Quality over Quantity Pictures are NOT req. Adopt an animal if you want one, dont use a breeder!
	QUOTE Thanks

02-19-08, 02:02 PM	#8
JigPu Inactive Pokémon Moderator Join Date: Jun 2001 Location: Vancouver, WA	svchost.exe (Service Host) is a generic process which Windows will spawn to start up some services that don't have their own .exe file. A clean install of Windows XP will have several instances of svchost.exe running in the background. I've never heard of dllhost.exe myself, but based on the description given by PLOBBY its existence sounds legit enough. You might want to try downloading Process Explorer to get a little more information about these processes. You should be able to figure out exactly what each instance of svchost.exe and dllhost.exe are doing. EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't so say its not possible, just that I haven't ever heard of such a thing. JigPu __________________ .... ASRock Z68 Extreme3 Gen3 .... Intel Core i5 2500 ........................ 4 thread ...... 3300 MHz ......... -0.125 V 2x ASUS GTX 560 Ti ............................... 1 GiB ....... 830 MHz ...... 2004 MHz .... G.SKILL Sniper Low Voltage ............. 8 GiB ..... 1600 MHz ............ 1.25 V .... OCZ Vertex 3 ................................. 120 GB ............. nilfs2 ..... Arch Linux .... Kingwin LZP-550 .............................. 550 W ........ 94% Eff. ....... 80+ Plat .... Nocuta NH-D14 ................................ 20 dB ..... 0.35 C°/W ................ 7 V "In order to combat power supply concerns, Nvidia has declared that G80 will be the first graphics card in the world to run entirely off of the souls of dead babies. This will make running the G80 much cheaper for the average end user." "GeForce 8 Series." Wikipedia, The Free Encyclopedia. 7 Aug 2006, 20:59 UTC. Wikimedia Foundation, Inc. 8 Aug 2006.
	QUOTE Thanks

02-20-08, 02:55 PM	#10
DorianBrytestar Join Date: Nov 2006 Location: Buford, Georgia	I think that it's more likely that if it is a virus, that is is getting put back on the machine instead of it surviving a full destructive format. Assuming that it is indeed a virus (which I am not troo sure would be a correct assumption at this point) it could get on your system from another system in your network, or from living on the media you are using to install the os or other utilities from, or also if there is a vulnerability that allows the outside world to touch your machine. __________________ Lego PCs for the win! For everyone's sanity, please only make one change at a time!
	QUOTE Thanks

02-21-08, 10:03 AM	#11
PoX Freak Member Join Date: Jun 2003 Location: North Carolina	I remember seeing something like this a couple of years back, when XP was just coming into sp2. If memory serves me, the svchost and dllhost are NOT supposed to be capitalized at all. If they are, then there may be something going on in your Windows\System or \System32 directory. Also, clean out your "local settings" folder, or just look for any .exe files that start with "tmp" and are followed by numbers. I had this happen last week on my "c" drive, and i ended up doing a full wipe and clean install to sp3. It was really set in bad, because usually i have no problem finding and deleting most of this stuff, but this one was based off that old "mass-mailer" worm, and it continued to send email out to different people when you weren't looking.
	QUOTE Thanks

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search