Crypserv.exe and Svcpack.exe: disconnecting from Internet

  • Thread starter Mike S. Nowostawsky

Mike S. Nowostawsky

I have recently found these two files running after booting up (Crypserv.exe
and Svcpack.exe), and think they may be causing problems on my system. Just
recently (past few days) my pc has been disconnecting from the net then
reconnecting every 3 minutes or so. When I close/stop these two applications
the problem disappears. I've run virus checks and ad-ware software (spybot,
adaware, cwsshredder, hijackthis) but they haven't found/fixed the problem,
that I can tell.

Both these files/exes exist in \windows\system32.
Has anyone ever heard of these 2 programs? Are they viruses? If not, what?
They aren't scheduled to run when I check with msconfig, so I don't know
what is launching them or how to stop them (or if indeed they may be
required for something else). I did a search on the net and microsoft
knowledgebase but don't see anything specific that may help. Also, all my MS
updates/patches are applied based on what Windows Update says. I'm running
WinXP with SP1.

Here are the contents of Hijackthis.log, if that might help narrow down the
problem:

***
Logfile of HijackThis v1.97.3
Scan saved at 12:24:19 AM, on 10/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Restart\Restart.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
E:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:///
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.search-1.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.search-1.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://xwebsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} -
C:\WINDOWS\System32\DReplace.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe
/startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Mirabilis ICQ] E:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program
Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [Restart] C:\Program Files\Restart\Restart.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\RunOnce: [ICQ] E:\ICQ\ICQ.exe -trayboot
O8 - Extra context menu item: &Check Spelling -
res://E:\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options -
res://E:\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/315b1818fe1741...ip/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) -
http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.c...7919.6781944444
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment
1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment
1.4.1_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 -
HKLM\System\CS2\Services\Tcpip\..\{4C9959C8-6801-4AD0-9E05-0AF6F5627F7D}:
NameServer = 216.127.92.38
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
***

Thx,


--
=================================================
Mike S. Nowostawsky:
Email: (e-mail address removed), (e-mail address removed)
Home Page: http://www3.sympatico.ca/mikenowo/
Lachine (Montreal), Quebec, Canada
 
Mike S. Nowostawsky

WELL! Turns out it's the 'svcpack.exe' file for sure. When I shut it down I
never disconnect, but when it's running the disconnect/connect is continuous
(every 3 - 4 minutes).

I've found an entry for it in the registry too under
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
for key "Userinit".

Has anyone heard of this program? I don't see any references regarding it
being a virus, but it's definitely causing probs with my connection.

I've removed it for now and will from the registry as well, but I'd sure
like to know where it came from.

Thx.
--
=================================================
Mike S. Nowostawsky:
Email: (e-mail address removed), (e-mail address removed)
Home Page: http://www3.sympatico.ca/mikenowo/
Lachine (Montreal), Quebec, Canada
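
The second post traces svcpack.exe to the Winlogon "Userinit" value, a logon autostart location that the msconfig check in the first post did not surface. The following is an added example, not part of the original posts: a Python check that splits a Userinit value and reports anything other than the stock userinit.exe. The sample values, the default C:\WINDOWS install path, and the way svcpack.exe appears in the value are assumptions made for illustration.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def split_commands(value):
    """Userinit holds a comma-separated list of programs Winlogon starts at logon."""
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]

def unexpected_entries(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry that is not <system_root>\\system32\\userinit.exe.

    Comparison is case-insensitive on the normalised path. Entries carrying
    command-line arguments are reported as-is (they never match the stock path).
    """
    expected = ntpath.join(system_root, "system32", "userinit.exe").lower()
    return [cmd for cmd in split_commands(value)
            if ntpath.normpath(cmd).lower() != expected]

def read_userinit():
    """Read the live value from HKLM (Windows only; needs no admin rights)."""
    import winreg  # imported here so the parsing code above stays portable
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed sample values (not taken from the poster's machine).
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
TAMPERED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\svcpack.exe"

if __name__ == "__main__":
    try:
        samples = {"live": read_userinit()}
    except ImportError:
        # Not on Windows: fall back to the constructed samples.
        samples = {"clean": CLEAN, "tampered": TAMPERED}
    for label, value in samples.items():
        extra = unexpected_entries(value)
        print(f"{label}: {'OK' if not extra else 'unexpected: ' + ', '.join(extra)}")
```

Any entry it reports should be checked (file location, signature, creation time) before the value is restored to the single stock path with its trailing comma.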
 
