Unable to remove 'hidden' virus/trojan/worm after wiping drive
Old 02-16-08, 01:48 PM Thread Starter #1
videobruce

Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over my DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My virus program (NOD32) sees that file, but it can't find what is producing it.

I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

Any ideas? This has never happened to me before, where I couldn't get rid of the 'problem'.

__________________
When not in use, turn off the juice.
Think of someone else instead of just yourself. There is far more to it than your utility bill.
Old 02-16-08, 02:00 PM #2
PLOBBY

Did you update Windows after the install? Are they legit versions of XP/2k? And what version of each? Pro, Home, etc.

They are both definitely windows services.

"svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated."

"dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated."

Is there more than one svchost.exe process running in Task Manager?

__________________
"Oh man oh how I wish I didn't smoke Or drink to reason with my head But sometimes this thick confusion Grows until I cannot bear it at all Needle to the vein Needle to the vein Take this needle from my vein my friend"

~DM
Old 02-16-08, 02:18 PM Thread Starter #3
videobruce

No updates; XP Pro w/SP2 and 2k w/SP4.
I only put the required drivers in and three programs.

Yes, to more than one "svchost.exe" in XP, as there always is, and in 2k there are two (lower case).

Old 02-16-08, 02:25 PM #4
PLOBBY

And it is uploading something right now as well?

Old 02-19-08, 06:42 AM Thread Starter #5
videobruce

No, as soon as I see it happening I shut it down. I'm not on that box when I'm here.

UPDATE:

I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again.

1. This only seems to happen using a dial-up connection. The same PC using my broadband DSL doesn't activate anything.
2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process; it can't be disconnected and you can't open any new web pages, you have to reboot. In 2k, it reboots the PC and deletes the dial-up connection altogether (happened on two different installs).

Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening? IOW, there really isn't any 'virus' in this box until it is sent when each new dial-up session is detected, if those two duplicate files weren't already deleted.

Old 02-19-08, 08:06 AM #6
Adragontattoo

Quote:
Originally Posted by videobruce
Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

There are IIRC about 6 viruses that stay resident and are HW destructive.

They are not sent out because they serve no purpose to virus writers other than pure and simple destruction.

Have you tried disconnecting ALL the HDD and only leaving the single OS drive connected? This includes USB, CD/DVD etc.

The other option you have is to run a low level format of the Drive and then install a Linux or other OS to completely overwrite the existing boot sectors etc.

I have yet to hear of any virus/adware that can stay resident after a full format other than the ones I mentioned above.

Let DLLHOST etc. get out to the outside world and then run a netstat -a to see where it is going to.

DLLHOST is a system process usually, but it can also be a virus. Find out where it is going and then let us know; we can help you a bit more from there.

Old 02-19-08, 12:51 PM #7
DirtSandwich

Quote:
Originally Posted by videobruce View Post
Can a virus/trojan/malware/worm etc. reside:

1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?

I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over my DSL connection.

I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.

My virus program (NOD32) sees that file, but it can't find what is producing it.

I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.

Any ideas? This has never happened to me before, where I couldn't get rid of the 'problem'.

If these symptoms are the only thing you see, then it's not a virus. Keep in mind connecting via dial-up and via LAN are two different beasts.

Are you seeing things other than those two things?
Old 02-19-08, 02:02 PM #8
JigPu

svchost.exe (Service Host) is a generic process which Windows will spawn to start up some services that don't have their own .exe file. A clean install of Windows XP will have several instances of svchost.exe running in the background.

I've never heard of dllhost.exe myself, but based on the description given by PLOBBY its existence sounds legit enough.

You might want to try downloading Process Explorer to get a little more information about these processes. You should be able to figure out exactly what each instance of svchost.exe and dllhost.exe are doing.


EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

JigPu

__________________
.... ASRock Z68 Extreme3 Gen3
.... Intel Core i5 2500 ........................ 4 thread ...... 3300 MHz ......... -0.125 V
2x ASUS GTX 560 Ti ............................... 1 GiB ....... 830 MHz ...... 2004 MHz
.... G.SKILL Sniper Low Voltage ............. 8 GiB ..... 1600 MHz ............ 1.25 V
.... OCZ Vertex 3 ................................. 120 GB ............. nilfs2 ..... Arch Linux
.... Kingwin LZP-550 .............................. 550 W ........ 94% Eff. ....... 80+ Plat
.... Nocuta NH-D14 ................................ 20 dB ..... 0.35 C°/W ................ 7 V


"In order to combat power supply concerns, Nvidia has declared that G80 will be the first graphics card in the world to run entirely off of the souls of dead babies. This will make running the G80 much cheaper for the average end user."
"GeForce 8 Series." Wikipedia, The Free Encyclopedia. 7 Aug 2006, 20:59 UTC. Wikimedia Foundation, Inc. 8 Aug 2006.
Old 02-20-08, 01:56 AM #9
DirtSandwich

Quote:
Originally Posted by JigPu View Post
EDIT: As to your original questions, I've never heard of any form of malware which resides in the BIOS or survives a zeroing (as opposed to just a format) of the HD. This isn't to say it's not possible, just that I haven't ever heard of such a thing.

There are flash burn viruses that can kill a BIOS chip, but only if the chip itself is flash based. They just write to the chip over and over and over until it burns the chip out.

I heard about a new 'virus' that is able to modify the bios but from what I understand it's just proof of concept at this point. If someone is able to craft that in a repeatable virus... wow, that would be incredible.
Old 02-20-08, 02:55 PM #10
DorianBrytestar

I think that it's more likely that, if it is a virus, it is getting put back on the machine instead of surviving a full destructive format.

Assuming that it is indeed a virus (which I am not too sure would be a correct assumption at this point), it could get on your system from another system in your network, or from living on the media you are using to install the OS or other utilities from, or also if there is a vulnerability that allows the outside world to touch your machine.

__________________
Lego PCs for the win!
For everyone's sanity, please only make one change at a time!
Old 02-21-08, 10:03 AM #11
PoX Freak

I remember seeing something like this a couple of years back, when XP was just coming into SP2. If memory serves me, the svchost and dllhost are NOT supposed to be capitalized at all. If they are, then there may be something going on in your Windows\System or \System32 directory. Also, clean out your "Local Settings" folder, or just look for any .exe files that start with "tmp" and are followed by numbers. I had this happen last week on my "C" drive, and I ended up doing a full wipe and clean install to SP3. It was really set in bad, because usually I have no problem finding and deleting most of this stuff, but this one was based off that old "mass-mailer" worm, and it continued to send email out to different people when you weren't looking.
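Pulling together the checks the thread suggests (netstat to see where DLLHOST is talking, Process Explorer-style inspection of each svchost/dllhost instance's path, the all-caps and tmpNNNN.exe clues), here is an added triage script that is not from any of the posters. It assumes the process list came from Process Explorer or tasklist and the connection list from `netstat -ano` (XP's `-o` switch adds the PID column; Windows 2000's netstat lacks it); every path, PID and address below is a constructed sample, not data from the poster's machine.

```python
import ntpath
import re

# Constructed sample data standing in for what Process Explorer/tasklist and
# "netstat -ano" would show; not captured from a real machine.
PROCESSES = [
    # (image name as displayed, PID, full path on disk)
    ("svchost.exe", 1024, r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", 1088, r"C:\WINDOWS\system32\svchost.exe"),
    ("DLLHOST.EXE", 1532, r"C:\WINDOWS\System32\Wins\DLLHOST.EXE"),
    ("tmp4821.exe", 1700, r"C:\Documents and Settings\user\Local Settings\tmp4821.exe"),
]
NETSTAT_ANO = """\
  Proto  Local Address      Foreign Address     State        PID
  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING    1024
  TCP    192.168.1.5:1041   203.0.113.7:6667    ESTABLISHED  1532
  UDP    0.0.0.0:500        *:*                              1088
"""
SYSTEM32 = r"C:\WINDOWS\system32"               # %SystemRoot%\system32 on the sample box
WINDOWS_HOSTS = {"svchost.exe", "dllhost.exe"}  # shipped lowercase, only in system32
TMP_EXE = re.compile(r"^tmp\d+\.exe$", re.IGNORECASE)

def parse_netstat(text):
    """Map PID -> foreign endpoints from 'netstat -ano' output.
    UDP rows have no State column, so the PID is always the last field."""
    remote = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        foreign, pid = fields[2], int(fields[-1])
        if foreign not in ("0.0.0.0:0", "*:*", "[::]:0"):   # skip listeners / unbound
            remote.setdefault(pid, []).append(foreign)
    return remote

def audit(processes, netstat_text, system32=SYSTEM32):
    """Return (name, pid, reasons, foreign endpoints) for each suspect process."""
    remote = parse_netstat(netstat_text)
    findings = []
    for name, pid, path in processes:
        folder, base = ntpath.split(path)      # ntpath handles backslashes on any host
        reasons = []
        if base.lower() in WINDOWS_HOSTS:
            if folder.lower() != system32.lower():
                reasons.append("lives outside system32: " + folder)
            # NTFS is case-insensitive but case-preserving: an all-caps name means the
            # file on disk is not the one Windows installed. Weak alone, telling with the path.
            if base != base.lower():
                reasons.append("image name not lowercase as shipped: " + base)
        if TMP_EXE.match(base):
            reasons.append("tmpNNNN.exe pattern")
        if reasons:
            findings.append((name, pid, reasons, remote.get(pid, [])))
    return findings

if __name__ == "__main__":
    for name, pid, reasons, peers in audit(PROCESSES, NETSTAT_ANO):
        print(f"{name} (PID {pid}): {'; '.join(reasons)}; talking to {peers or 'nobody'}")
```

The two legitimate svchost.exe instances pass untouched, while the DLLHOST.EXE in the Wins subfolder is reported together with the remote endpoint it holds open, which is the address to record before killing the process.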