Crypserv.exe and Svcpack.exe

I have recently found these two files running after booting up (Crypserv.exe and Svcpack.exe), and think they may be causing problems on my system. Just recently (past few days) my pc has been disconnecting from the net then reconnecting every 3 minutes or so. When I close/stop these two applications the problem disappears. I've run virus checks and ad-ware software (spybot, adaware, cwsshredder, hikackthis) but they haven't found/fixed the problem, that I can tell.

Both these files/exes exist in \windows\system32:
has anyone ever heard of these 2 programs? Are they viruses? If not, what? They aren't scheduled to run when I check with msconfig, so I don't know what is launching them or how to stop them (or if indeed they may be required for something else). I did a search on the net and microsoft knowledgebase butdon't see anything specific that may help. Also, all my MS updates/patches are applied based on what Windows Update says. I'm running WinXP with SP1.

Here is the contents Hijackthis.log, if that might help narrow down the problem:

***
Logfile of HijackThis v1.97.3
Scan saved at 12:24:19 AM, on 10/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Restart\Restart.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
E:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-1.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Mirabilis ICQ] E:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm ",ExportedCheckODLs
O4 - HKCU\..\Run: [Restart] C:\Program Files\Restart\Restart.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ] E:\ICQ\ICQ.exe -trayboot
O8 - Extra context menu item: &Check Spelling - res://E:\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://E:\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/315b1818fe17411c4916/netzip/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.6781944444
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{4C9959C8-6801-4AD0-9E05-0AF6F5627F7D}: NameServer = 216.127.92.38
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
***

Thx,

 

WELL! Turns out it's the 'svcpack.exe' file for sure. When I shut it down I never disconnect, but when it's running the disconnect/connect is continuous (every 3 - 4 minutes).

I've found an entry for it in the registry too under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" for key " "Userinit ".

Has anyone heard of this program? I don't see any references regarding it being a virus, but it's definitely causing probs with my connection.

I've removed it for now and will from the registry as well, but I'd sure like to know where it came from.

Thx.

 

Mike, did you notice that you still have the DReplace.dll file on the BHO O2 line?

You might want to read this:

http://forums.spywareinfo.com/index.php?showtopic=14501&hl=dreplace\.dll

 

Hmmm.. did what that link suggested and rebooted, but notice that I still have entries for DReplace.dll in my registry (when I run regedit). Also the DReplace.dll file is still in my windows/system32 dir.

Aren't HJT and the userinit.scp supposed to remove the entries and the file (or do I do that manually)?

I posted to the link you gave too.. Thx!

 

Same file here

Hi
I found yesterday svcpack.exe proggie on my computer.
Since then, It has tried to connect several IP addresses.
Now deleted the file and cleaned registry.
NAV says its not a virus. Spy-Bot and Ad-aware says its not a spy.
Even Google didnt know this file...
Really wanna know what is this program?
-tUoMo-

 

I found answer from Spywareinfo forums.
It's a brand new version of the CoolWebSearch parasite.
Check out this topic.
http://forums.spywareinfo.com/index.php?showtopic=14984

 

That's what I thought! I couldn't find anything about it anywhere either. Cleaned it the same way you did, but am still wondering about this DLL mentioned in the topic above "DReplace.dll ". It's still on my system and in my registry although doesn't seem to be causing any problems now.

(To read more details goto:
http://forums.spywareinfo.com/index.php?showtopic=14501&hl=dreplace\.dll