Questionable files

Discussion in 'Malware Help (A Specialist Will Reply)' started by Denise_M, Aug 20, 2006.

  1. Denise_M

    Denise_M MajorGeek

    Hi,

    I have Windows XP. I have three problems that I'm hoping that someone can help me with.

    Recently, I've been deluged with requests from Sygate to allow dll permissions. I usually Google them and if the dll belongs to a program that I use, such as Adobe Acrobat Reader, I'll allow it. Other times, the requests come in bundles so that if I don't allow ones that I don't want, I don't allow ones that I want. Is there a solution to this? Also, is it better to have Sygate ask me or should I put it on automatic? This just started about 2 weeks ago and I've had Sygate for about a year.

    Also, there are a very few of the files that Sygate has asked me if I want to allow:

    Ctfmon.exe
    crrsc.exe
    tlntsvr.exe
    wxgn.exe

    I Googled them and there seems to be a lot of controversy about them . . . whether they're Sygate/Microsoft spyware or files necessary for Sygate/Windows to operate.

    The last problem that I'm having has to do with Microsoft/Windows asp.net. It can't be started in my pc because "aspnet_state could not be read." I decided to run Trend Micro Housecall and received this message: "MS06-033 - Vulnerability in asp.net could not allow information disclosure." In Services, I have asp.net on automatic and started. When I went to the Microsoft website, it led me around in circles. The directions that I received were to install a program. (This all happened at around 3 am and I was so tired that I can't remember the names of the programs.) When I downloaded it and tried to install it, I received a message that said that I needed to install another program first. When I downloaded and tried to install that program, I received an error message that said that the program couldn't find a certain file and the program could not be installed. The first message had to do with Internet Information Services. It stayed on my screen for about 15 seconds so I couldn't write down the entire message. It's showed up twice in the past couple of days, and I think they appeared at boot-up. The instructions at Microsoft were to start Background Intelligent Transfer Service. When I tried to start it, it couldn't be started because "The system cannot find the specified file." I also followed Microsoft instructions to change catroot (I think it was a huge mistake).

    By the time I finished following all the directions that I received at Microsoft, my version of Windows was no longer validated and my pc barely ran. I did a System Restore to Thursday and my pc runs good again, but I still can't get Background Intelligent Transfer Service to start and my pc/Windows/programs just don't like that fact.

    The reason I'm trying to resolve these problems is because my pc has again started to slow down to a crawl after I've opened up 40 or 50 safe websites/web pages (Major Geeks, Microsoft, eBay, Tiger Direct, New Egg, etc). It takes about 30 to 45 seconds for them to open. Is a cache getting full? I run CCleaner and flush DNS but nothing helps except rebooting.

    Last week, I ran the entire battery of tests and posted a HJT log and my pc was basically squeaky clean. Within a few days after removing some files in the HJT log, my pc degraded to its original state.

    Would someone be able to shed some light on these issues? I know that this post contains a lot of problems and some of the info that I've given you is very poor. I can only say that when the messages appear again, I can give you more information about them.

    Denise
     
  2. Toni_1947

    Toni_1947 Command Sergeant Major

    HI!
    Info on the files you listed:
    Your search - crrsc.exe - did not match any documents.
    csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem
    tlntsvr.exe is a part of the Microsoft Telnet application
    wxgn.exe Did you mean: wgxn.exe
    wgxn.exe a driver for Sygate
    ctfmon.exe is a process belonging to Microsoft Office Suite

    just a little help
     
  3. Denise_M

    Denise_M MajorGeek

    Hi Toni. Thanks for replying, and sorry about the spelling of the file names.

    One of the file names is csrrs.exe, not csrss or crrsc. I found several sites that say it's a Trojan or spyware but it was the file that Sygate asked to download to my pc. Here's one . . . http://www.softwaretipsandtricks.com/dangerous_files/2607-Csrrsexe.html.

    The name of the other file is wgxn and the controversy about the file is located at https://www.grc.com/x/ne.dll?bh0bkyd2

    These posts were dated 2004. Why am I now getting a request from Sygate to install this file after having used it for about a year?

    So instead of using Sygate's stealth test, I used another, at https://www.grc.com/x/ne.dll?bh0bkyd2

    These were the results. What do you think? Is this a legitimate site? What can I do about the fact that my pc replied to their ping? It knew my computer IP. Is it another case of "when I pressed 'proceed' I gave the program permission to get this information and there's really no problem with my pc security"?

    Is there a way to configure Sygate to block, drop, and ignore such ping requests in order to better hide systems from hackers?

    The reasons for these questions are due to my disgust with Microsoft's spyware and the hole that it left open when it updated my pc and installed wgatray.exe. Once it determined that I had genuine Windows, it should have removed the file. I want to be able to trust Sygate but not if it's going to be spying on me and leaving my pc open to threats by allowing another pc to communicate with mine.

    http://www.answersthatwork.com/Tasklist_pages/tasklist_t.htm says:

    This tells me that this is a dangerous service and should be blocked by Sygate, and that Sygate should know better than to ask me if I want to allow it to have access to my pc.

    So these files aren't innocent. They have the capability of causing a lot of damage.

    Up until about a few months ago, Sygate basically ran automatically. I had no problems with it and I had no viruses, trojans, malware, adware, etc. I wasn't constantly asked if I want to allow dll's. Somewhere along the line, the settings were changed, probably by a virus, spyware, malware, etc. Even though I ran all the tests and posted all the logs and deleted certain entries that appeared in the results of HJT, my computer's operation has changed drastically within the past 3 months and there is no "logical" explanation for it, so I'm looking for the illogical. Something is wrong with it and it started when Microsoft felt that it had the right to install an "update," which was really spyware, and giving it the innocent name of Windows Genuine Advantage. Not only did it do that, but it didn't tell me what it did, why it did it, what the ramifications were of having wgatray.exe in my pc, and leaving a security hole the size of a hole in outer space. I've had my pc for 4 years and I'm on it almost constantly, so I know it the way a mother knows when a child isn't acting right, so there must be something wrong with the child. Did it catch something . . . does it have a virus? The doctor says "no" but the child is ill. Why else would it be collapsing (crashing) all of a sudden. Why else would it no longer be able to do things that it usually did with no problem, simple tasks such as walking quickly (opening pages quickly), etc?

    To quote Shakespeare (sp?) . . . There's something rotten in the state of Denmark.

    Denise
     
  4. Toni_1947

    Toni_1947 Command Sergeant Major

    csrrs.exe is a process which is registered as W32.Gaobot.AO Worm.
    This is probably why the Telnet Service is running.
    I suggest you change all your passwords, check your banking info to make sure it's secure, etc.
    The best advice I can offer is to go HERE: READ & RUN ME FIRST Before Asking for Support http://forums.majorgeeks.com/showthread.php?t=35407 Follow all the steps.
    Then read this: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting http://forums.majorgeeks.com/showthread.php?t=38752
    Then post HERE:
    Malware Removal http://forums.majorgeeks.com/forumdisplay.php?f=35
    The Malware Forum is the BEST!
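
The confusion above between csrss.exe and csrrs.exe (and between wgxn.exe and wxgn.exe) is the kind of near-miss a name check can surface for review. The following is an added example, not part of any participant's post: it generalizes to any allow-list, and `KNOWN_GOOD`, `classify` and the distance threshold of 2 are assumptions made for illustration.

```python
# Added example: flag process names that imitate known system binaries.
# KNOWN_GOOD is built only from names identified in this thread; it is
# a constructed sample, not an authoritative Windows inventory.
KNOWN_GOOD = ["csrss.exe", "ctfmon.exe", "tlntsvr.exe", "wgxn.exe"]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposed neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(name, known=KNOWN_GOOD, max_distance=2):
    """Return (verdict, closest_known_name, distance) for one image name."""
    name = name.strip().lower()
    closest = min(known, key=lambda k: osa_distance(name, k))
    dist = osa_distance(name, closest)
    if dist == 0:
        return ("exact", closest, 0)
    if dist <= max_distance:
        return ("lookalike", closest, dist)  # near miss: review by hand
    return ("unknown", None, dist)


# Names exactly as typed in the posts above (sample input).
REPORTED = ["Ctfmon.exe", "crrsc.exe", "csrrs.exe", "tlntsvr.exe", "wxgn.exe"]

if __name__ == "__main__":
    for reported in REPORTED:
        verdict, closest, dist = classify(reported)
        print(f"{reported:12} {verdict:10} {closest or '-':12} distance={dist}")
```

A "lookalike" verdict only means the name needs a second look, since it can be a typing slip as easily as a disguised file. An "exact" match on the name alone says nothing about the file's path or signature.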
     
  5. Denise_M

    Denise_M MajorGeek

    *UGH!* I just did that last week and it took me about 24 hours.

    How could I have possibly caught something like this? As I said, in the past week, I've been only to safe sites and I haven't downloaded/installed any new programs.

    Should I uninstall and reinstall Sygate also? It isn't working right if it's letting in these viruses and trojans.

    I also just disabled and stopped Telnet in Services and, in Sygate Applications, I changed Windows\system32\tlntsvr.exe from 'ask' to 'block'.

    If you have any other thoughts, please let me know.

    Denise
     
  6. Toni_1947

    Toni_1947 Command Sergeant Major

    I hear ya...it's a pain in the behind and very frustrating.
    Things may have been missed the first time around, so you weren't really CLEAN.
    You are right...'the baby is sick and needs a Doctor. The neighbor's home remedies won't do.'
    Chin up and Good Luck!
     
  7. Denise_M

    Denise_M MajorGeek

    I was reading another post about problems with a pc here at Major Geeks

    http://forums.majorgeeks.com/showthread.php?t=99597

    I had SpyHunter by Enigma. It wasn't a program that could be uninstalled using Add/Remove Programs so I searched hidden and system files and folders and did a search for SpyHunter and then Enigma and deleted all.

    I also have a file named eSellerateEngine.dll (post #21) which the writer was told to delete. It's located in my C:\Windows. Should I delete it also?

    Please let me know asap because I'd like to get started running the programs but I want to wait for your answer regarding whether or not I should delete C:\Windows\eSellerateEngine.dll now or at another time.

    Denise
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Denise, this thread should be in Malware. Everything you are listing here is malware. I'm going to have this thread moved and we'll run a few different tools to see what we can find.
     
  10. Denise_M

    Denise_M MajorGeek

    That's fine Shadow. At first I thought I just needed to change some Windows and/or Sygate settings, so I put it here under software.

    I just ran a preliminary scan with Spyware Doctor and it found no infections. I'm concerned about eSellerateEngine.dll, although the link that Tim gave me said

    Until the whole battery of tests are analyzed or one of you terrific guys tell me I should remove it asap, I'll leave it in my pc.

    I'm thinking of changing my home page to the MajorGeeks Log-In page. ;)

    Denise
     
  11. Denise_M

    Denise_M MajorGeek

    Last night I checked through the list of alternate programs to try in order to find problems. I chose SpyNoMore. I disconnected from the internet and unplugged it from the wall, then Control Panel > Folders > View and unchecked Show Hidden Files and Folders > Hide Protected Operating Systems and Files before I ran it. These are the results. There was no option to save a report. In order for SpyNoMore to remove them, I have to purchase the program:

    Is there a way to remove these items without having to purchase the program?

    Denise
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Stop using Programs that myself or another of the Malware Fighters does not tell you to use. Most Trial/Demo programs don't remove what they find.
     
  13. Denise_M

    Denise_M MajorGeek

    Shadow, please stop ordering me about. . . the SpyNoMore scan was listed in MajorGeeks' lists of alternative scans and the programs contained in the list were offered to freely use, and I did. If the results of that particular scan are dubious, then the SpyNoMore link should be removed from the list of alternative scans.

    On another note, I moved the problems that I'm having with my pc to the Malware Forum, as you suggested. I'm receiving assistance for both malware and software problems. The person who is helping me has remarked that several of the problems regarding settings and other software programming should be discussed in this forum. He has helped me with some of the problems I was having and if he can't help me with the remainder of them, I'll come back here and ask for assistance to resolve those that still need attention.

    I'm only trying to get my computer fixed . . . I'm not looking to start any wars.

    Denise
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SpyNoMore is not listed in any of our procedures and is especially not in the Alternative Scans and it never has been.

    And in your other thread ( http://forums.majorgeeks.com/showthread.php?t=100439 ) I even told you to uninstall it!!
     
  15. Denise_M

    Denise_M MajorGeek

    Look, I don't know why you guys are cranky but I don't appreciate being talked to like this. I came here for help, not to have a pie thrown in my face. If SpyNoMore wasn't on the list, then I was redirected. I don't know any other reason why I would have chosen SpyNoMore instead of a program recommended by MajorGeeks. As you can see by my posts, I'm here often because I trust MajorGeeks. I don't come here for help and then not accept it. SpyNoMore is uninstalled. My list of Add/Remove Programs:

    Shockwave
    SpyBot Search & Destroy
    Spyware Doctor

    I also did a search for SpyNoMore and the only mention of it in my pc is its bookmark and the scan report that I generated and posted here, which I just deleted.

    I ran another Panda scan for Local Disks and there was no option, no button, no link to get a report. The last 1/4 to 1/3 of the right hand side of the screen doesn't show up and the page can't be maximized. If the link to have a report generated is on that side of the screen, I can't see it.

    I tried running a BitDefender scan but I still can't run one. . . . I get the yellow triangle with the exclamation point in it, the options "yes" or "no," and neither selection starts the program.

    Denise
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are not cranky! We are just telling you a plain fact that we did not ask you to install this and it is not in any of our procedures. That is all we are saying. You said
    And we are just emphasizing the fact that this is not true and we did not ask you and also do not want anyone else to run this program. We only want things that are specifically requested in our procedures to be run.
     
  17. Denise_M

    Denise_M MajorGeek

    To get back on the topic, a couple of weeks ago, I was able to run a BitDefender Scan and a Panda ActiveScan. I was also able to get a report from one of them but not the other. If my memory serves me correctly, I believe that I was able to get a report from Panda, and BitDefender doesn't generate a report. It may be the other way around though.

    For some reason, I can't run Bit Defender and I can't get a report from Panda after scanning Local Disks. I also can't start BITS.

    Are these malware problems or software problems? Would you rather I end this post in the Malware forum and start a new post in the Software forum for these remaining issues or would you rather I stay in the Malware forum for something and open a post in the Software forum for something else?

    Denise
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you have two threads going here in the malware forum already. The other is where we were discussing the BITS problem. Since the last step I gave you for that did not help, you should take that problem to the Software Forum for continued support related to it. You probably should just run sfc /scannow from a command prompt window as I last suggested in your other thread.

    For Panda I would suggest you try running a scan in Normal boot mode. Then see if you can save a report.
     
  19. Denise_M

    Denise_M MajorGeek

    Shadow said that he was going to move this post from the Software forum to the Malware forum. . . he must have done it. I'll open a new post for the remaining items in the Software forum.

    Thanks again . . . Denise
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can do that or I could move it back. Either way you need to make sure everyone knows exactly what steps have already been tried to avoid getting repeats of the same things to try. You need to reference this thread and your other thread in the Malware Forum.
     
  21. Denise_M

    Denise_M MajorGeek

    Since Shadow moved the post, I think Shadow should move them back. I will post the link to the forum in one of my posts. I never looked at the name of the forum on the top of the posts so I don't know when he moved them, but I believe that it was after I wrote a post in the Malware forum.

    The two topics became intermingled as there seemed to be a common cause . . . malware. Now that the two have been separated, the topic of BITS can be addressed in the Software Forum.

    Denise
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just look at my last post in the other thread first.
     
  23. Denise_M

    Denise_M MajorGeek

    I did, thanks, and I'll be trying it soon.
     
