Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected Or Not?

  • This topic is locked This topic is locked
2 replies to this topic

#1 M_8


  • Members
  • 1 posts
  • Local time:03:20 AM

Posted 15 November 2006 - 05:39 PM

I've been trying to trim down startup auto-run programs and services to maximize system performance. While searching for descriptions of services running on my computer, I found this page on bleepingcomputer:


The library 'dhcp.dll' is loaded by 'svchost.exe', as you can see by this dump of active services (dhcp appears in the third instance of svchost.exe):

Image Name				   PID Services									 
========================= ====== =============================================
System Idle Process			0 N/A										  
System						 4 N/A										  
smss.exe					 856 N/A										  
csrss.exe					944 N/A										  
winlogon.exe				 968 N/A										  
services.exe				1012 Eventlog, PlugPlay						   
lsass.exe				   1024 PolicyAgent, ProtectedStorage, SamSs		 
svchost.exe				 1176 DcomLaunch, TermService					  
svchost.exe				 1276 RpcSs										
svchost.exe				 1316 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
								 ERSvc, EventSystem,						  
								 FastUserSwitchingCompatibility, helpsvc,	 
								 HidServ, lanmanserver, lanmanworkstation,	
								 Netman, Nla, RasMan, Schedule, seclogon,	 
								 SENS, SharedAccess, ShellHWDetection,		
								 srservice, TapiSrv, Themes, TrkWks, w32time, 
								 winmgmt, wscsvc, wuauserv					
EvtEng.exe				  1368 EvtEng									   
S24EvMon.exe				1460 S24EventMonitor							  
WLKEEPER.exe				1544 WLANKEEPER								   
ZCfgSvc.exe				 1584 N/A										  
Smc.exe					 1644 SmcService								   
svchost.exe				 1700 LmHosts, RemoteRegistry, WebClient		   
spoolsv.exe				 1780 Spooler									  
1XConfig.exe				 636 N/A										  
guard.exe				   1364 AVG Anti-Spyware Guard					   
avgamsvr.exe				1388 Avg7Alrt									 
avgupsvc.exe				1436 Avg7UpdSvc								   
BAsfIpM.exe				 1532 BAsfIpM									  
svchost.exe				 1612 BthServ									  
CTSVCCDA.EXE				1572 Creative Service for CDROM Access			
Iap.exe					 1896 Iap										  
NicConfigSvc.exe			1624 NICCONFIGSVC								 
RegSrvc.exe				 2012 RegSrvc									  
svchost.exe				  516 stisvc									   
explorer.exe				1596 N/A										  
wmiprvse.exe				1844 N/A										  
SynTPLpr.exe				2460 N/A										  
SynTPEnh.exe				2532 N/A										  
iFrmewrk.exe				2584 N/A										  
igfxpers.exe				2608 N/A										  
hkcmd.exe				   2620 N/A										  
igfxsrvc.exe				2876 N/A										  
DVDLauncher.exe			 2900 N/A										  
tfswctrl.exe				2908 N/A										  
quickset.exe				2968 N/A										  
rundll32.exe				2976 N/A										  
avgcc.exe				   3000 N/A										  
avgas.exe				   3040 N/A										  
TosBtMng.exe				3160 N/A										  
ZMover.exe				  3176 N/A										  
Buzof.exe				   3208 N/A										  
TosA2dp.exe				 3220 N/A										  
TosBtHSP.exe				3252 N/A										  
alg.exe					 4044 ALG										  
procexp.exe				  212 N/A										  
IEXPLORE.EXE				3984 N/A										  
cmd.exe					 3328 N/A										  
tasklist.exe				1656 N/A										  
wmiprvse.exe				3792 N/A

When I run SysInternals Autoruns, 'dhcp.dll' does not appear anywhere. Likewise, when I run HijackThis, 'dhcp.dll' doesn't appear in the log. The bleepingcomputer page linked above makes me nervous about having 'dhcp.dll' loaded all the time, but I can't figure out how it's loading.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:57 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Grisoft\AVG Anti-Spyware\avgas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Basta Computing\ZMover\ZMover.exe
C:\Program Files\Basta Computing\Buzof\Buzof.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SysInternals\AutoRuns\autoruns.exe
C:\Documents and Settings\M_8\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative MediaSource\Detector\CTDetect.exe /R"
O4 - Startup: Buzof.lnk = C:\Program Files\Basta Computing\Buzof\Buzof.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: ZMover.lnk = C:\Program Files\Basta Computing\ZMover\ZMover.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


I run the following on my computer, and all are fully up-to-date:
  • AVG Anti-Virus
  • AVG Anti-Spyware
  • Spybot Search & Destroy
  • Ad-Aware SE Personal
  • Spyware Blaster
  • Several registry scanners/cleaners
I also use the Sygate Personal Firewall. I know it's no longer supported, but I like it's interface and configurability, so I'm sticking with it for now.

I'd appreciate help with the following:
  • Is 'dhcp.dll' actually a malicious library?
  • If the answer to (1.) is yes, how do I get rid of 'dhcp.dll'?
  • Is there anything else in the process dump or HijackThis log above that I should be concerned about, or that I should change?


BC AdBot (Login to Remove)



#2 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:04:20 AM

Posted 20 November 2006 - 09:54 PM

Hi M_8,

Short answer: Not. :thumbsup:

DHCP is an acronym for dynamic host configuration protocol. You can read about it here:


The standard Windows XP file that implements this protocol is mdhcp.dll, found in your \system32 folder.

The "m" prefixed to the acronym I suppose stands for Microsoft.

I'm sure the file listed in the BC database is malware, it's a favorite trick of the bad guys to give their file a name that is very similar to a legitimate file.

There are no signs of malware in your log. If you want to slim down your system, I suggest you look at the BC startup list. There is a link on that page to the forum dedicated to it. You will find lots of information there to help you in deciding which programs and services can be disabled.

Good luck,


#3 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:04:20 AM

Posted 27 November 2006 - 10:03 PM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM a moderator and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users