Unable to remove 'hidden' virus/trojan/worm after wiping drive
videobruce
02-16-2008, 03:48 PM
Can a virus/trojan/malware/worm etc. reside:
1. In a motherboard's BIOS,
2. In a hard drive after one wipes the drive with zeros?
I have 'something' that is creating a duplicate Windows file and putting it in the Windows\System32\Wins folder called "DLLHOST.EXE" and possibly "SVCHOST.EXE" (in all caps) that starts up by itself and starts sending data over my DSL connection.
I use a program called DU Meter and I see this upload activity. I then check Task Manager and this "DLLHOST.EXE" shows (again, in all caps), which I notice right off the bat. I can't stop the process unless I boot into Safe Mode.
My virus program (NOD32) sees that file, but it can't find what is producing it.
I have wiped the drive using the manufacturer's 'write zeros to the drive', reformatted and reloaded the O/S (originally XP, now 2k), but this is still here.
Any ideas? This has never happened to me before, that I couldn't get rid of the 'problem'.
Sylvander
02-16-2008, 04:34 PM
Could it be?...
Win32.Worm.Welchia.A (http://www.bitdefender.com/VIRUS-1476-en--Win32.Worm.Welchia.A.html)
videobruce
02-16-2008, 04:51 PM
Funny, I just came across that. I noticed the date of 2003. Seems kinda old for today. The description seems close to my situation.
Anyway, I ran it, but it didn't turn up anything.
But, why doesn't that virus scanner pick it up and why after a full wipe and re-install it is still there??
In XP/2k, case doesn't really matter...it is a case-insensitive OS. What you are using to view the file name plays more of a role in whether the name is displayed in lower case or caps than just about anything else.
For svchost see...
http://support.microsoft.com/kb/314056
http://support.microsoft.com/kb/250320
They describe the legit behavior.
Now, for more on Welchia/Nachi...
http://vil.nai.com/vil/Content/v_100559.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-021115-2540-99
http://support.microsoft.com/kb/833330
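An added example (not from the thread or any of the linked write-ups) that applies the point above: since NTFS names are case-insensitive, the capitalisation of DLLHOST.EXE tells you nothing, but the folder it runs from does. The check below treats the name case-insensitively and flags a host-named binary whose parent folder is not System32 itself, so the thread's System32\Wins sub-folder is caught. The system root is an assumption (XP defaults to C:\WINDOWS, 2000 to C:\WINNT) and the process list is constructed sample data.

```python
from pathlib import PureWindowsPath

# Built-in host processes that legitimately run from %SystemRoot%\System32
# (the KB articles linked above describe the normal svchost behaviour).
HOST_BINARIES = {"svchost.exe", "dllhost.exe"}


def classify_image(image_path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Classify a running process by where its executable lives.

    PureWindowsPath compares case-insensitively, so "DLLHOST.EXE" and
    "dllhost.exe" are the same name, matching NTFS semantics.
    The parent directory must be System32 itself; a sub-folder such as
    System32\\Wins (the thread's location) is reported as unexpected.
    system_root is an assumption: XP defaults to C:\\WINDOWS, 2000 to C:\\WINNT.
    """
    path = PureWindowsPath(image_path)
    if path.name.lower() not in HOST_BINARIES:
        return "not-a-host-binary"
    if path.parent == PureWindowsPath(system_root) / "System32":
        return "expected-location"
    return "unexpected-location"


def suspicious_hosts(process_list, system_root: str = r"C:\WINDOWS"):
    """Return image paths of host-named processes running outside System32."""
    return [
        path
        for _name, path in process_list
        if classify_image(path, system_root) == "unexpected-location"
    ]


# Constructed sample of (Task Manager name, image path) pairs, not real data.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ("dllhost.exe", r"C:\WINDOWS\system32\dllhost.exe"),
    ("DLLHOST.EXE", r"C:\WINDOWS\System32\Wins\DLLHOST.EXE"),
    ("SVCHOST.EXE", r"C:\WINDOWS\System32\Wins\SVCHOST.EXE"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for path in suspicious_hosts(SAMPLE_PROCESSES):
        print("host binary in unexpected location:", path)
```

A binary sitting in the right folder is not thereby proven clean; the location check only narrows down which processes deserve a closer look.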
videobruce
02-16-2008, 05:32 PM
Ok, I ran this tool:
http://www.gmer.net/index.php
It detected a 'hidden module' on the computer that didn't have a problem. It then appears that this is affecting the older PC (with the known problem).
The problem is it doesn't give me the option to remove this 'hidden module'.
Now what?
classicsoftware
02-16-2008, 07:16 PM
Download Eraser 5.8 (http://www.heidi.ie/eraser/download.php) and create a nuke disk.
Boot and since this is a Linux boot loader, it will not be affected by a windows worm. This will allow you to erase the hard drive completely. Then reinstall windows and this should take care of it.
Nachi/Welchia will infect ANY vulnerable computer on a network. That means if you are running a network and have any unpatched XP/2k machines on it, you can be passing the infection back and forth, locally.
videobruce
02-17-2008, 10:06 AM
That worm deleted itself in 2004 so I doubt that was the problem.
I installed Trend Micro's AntiVirus and it found 7 'trojans' that NOD32 didn't. I re-ran GMER and it was clean.
Sylvander
02-17-2008, 10:46 AM
I wonder whether the FREE TRIAL version of TrojanHunter (http://www.misec.net/trojanhunter/) would declare your system free of Trojans?
TrojanHunter was the only program to find [and eliminate] the only trojan that I ever knew got onto my system. :)
Screenshot (http://www.misec.net/images/th_standard_fullsize.png)
Not all variants of it uninstalled themselves...plus the uninstaller was 'broken' on some installations. It is still in the wild and still active...even with most of the installs uninstalling themselves. It can be reactivated from an old backup/archive file.
The key to preventing it and similar ones is to make sure the patches from MS are installed.
videobruce
02-19-2008, 08:38 AM
UPDATE:
I have been thinking this whole deal over and I now think this might be a case of this PC being targeted as a 'zombie' with the 'host' logging the IP address waiting for the connection to become active again.
1. This only seems to happen using a dial up connection. The same PC using my broadband DSL doesn't activate anything.
2. I get different problems between XP and 2k. In XP, the modem gets locked up by another process, it can't be disconnected and you can't open any new web pages, you have to reboot. In 2k, it reboots the PC and deletes the dial up connection altogether (happened on two different installs).
Since virus scans don't show anything, can this be possible, or has anyone heard of something like this happening?? IOW, there really isn't any 'virus' in this box until it is sent when each new dialup session is detected, if those two duplicate files weren't already deleted.
What kind of modem?
That is sounding more like a physical modem problem than anything viral...especially if it is an internal 'softmodem'/'winmodem'...
Most botnet/zombie masters will ignore dialup (and yes, running the IP can usually tell them if it is broadband or dialup)...in fact some have automated checks to purge the dial up connections.
Dialup IPs change very frequently, like every time you connect, so the idea of something 'waiting' for your dial up IP is stretching it a bit. The fact that there is also no 'problem' on the ethernet connection seems to indicate the lack of infection. If it were local, then all connections would be affected...and the chance of it 'stalking' your dial up is slim...not going to say none, but still your average snowball has a better chance of survival in that really hot place...
Of course, that could be a moot point if one of your dial up ISP's servers is infected with something like Welchia...in which case, I'd be hunting down a new ISP.