I could not find much more info on usprserv, and what I did find was HiJackThis references to a library file that could not be found. Some were as old as 2004, some had reference to a numbered dll file in a Temp directory, and some had reference to a Documents.dll file in the root directory. But all of them said the file could not be found, which indicated that the file had been removed by some other means. In your case, even the reference to the file appears to have been removed from the registry.
So I concentrated on finding out more about library services loaded via svchost.exe. I have often thought that the svchost container was a perfect place to hide a virus because it is difficult to find and remove. But, there is not a lot of information available on how that would be implemented. I suppose that makes a lot of sense, because Microsoft never intended it to be used for anything but loading kernel based library files. As a matter of fact, when I attempted to simulate what would happen if a library file loaded via svchost.exe was missing, the system detected it on boot up and recreated it. It was a disabled system file, but I had nothing else to work with. On XP, there is nothing to prevent a hacker from replacing an existing service dll, but it can't just be deleted or renamed. Vista actually checks the hash code signature against against a saved one to prevent this.
What I did learn however, is that the file is never instantiated until is it used. When it is in auto, it is instantiated on boot up, but otherwise it is not loaded. When it is in manual, it is instantiated the first time it is called upon. When it is disabled, it cannot be loaded or started. You won't even see anything in the event log (system) because a load is never attempted. The information is loaded into the registry, and then ignored because it is not a system file.
Therefore, I feel relatively safe in saying that with the service disabled, you have nothing to worry about.
J.A. Coutts
