how to kill winlogon.exe csrss.exe worm
Riky
knows how to kill them???
webDEViL
The reason why they are probably coming back is because those little bastards don't die easily. Next time press harder and keep holding until all the sticky thing peeps from the sides of the shoe.
Hope this helps!
Sent from my iPhone
On 17 Mar 2011, at 05:34 PM, Riky <ratis...@gmail.com> wrote:
> i am getting these 2 worms every tym eventhough after formating, any1
> knows how to kill them???
>
> --
> null - Spreading the right Information
> null Mailing list charter: http://null.co.in/section/about/null_list_charter/
>
> This list is supported by Institute of Information Security http://iisecurity.in
> Real-world hackers, real-world training – Certified Professional Hacker at IIS
Manthan
The process winlogon.exe runs in the background. Winlogon is a part of the Windows Login subsystem, and is necessary for user authorization and Windows activation checks.
This is the user-mode portion of the Win32 subsystem; Win32.sys is the kernel-mode portion. Csrss stands for Client/Server Run-Time Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment.
So basically they are not worms but essential files required for system to perform well.
Also, there are chances that they may forged and can act as virus or worm. They usually come as auto-run Worms
i am getting these 2 worms every tym eventhough after formating, any1
knows how to kill them???
--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
This list is supported by Institute of Information Security http://iisecurity.in
Real-world hackers, real-world training – Certified Professional Hacker at IIS
--
Thanks & Regards
mhshah
+91-9967771131/ +91-9029092684
Facebook 
LinkedInContact me:
shahma...@gmail.com 
mhsh...@hotmail.com
Traverse Code
i am getting these 2 worms every tym eventhough after formating, any1
knows how to kill them???
TAS
-
TAS
http://twitter.com/p0wnsauc3
Do you what UTM stands for? A: I dunno, U Tell Me?
TAS
TAS
Worm killer recipe was intense..I will see if I can win using this recipe when playing worms3D ;)
Sent from BlackBerry® - Vodafone
-----Original Message-----
From: Riyaz Ahemed <riyazw...@gmail.com>
Sender: null-...@googlegroups.com
Date: Thu, 17 Mar 2011 06:34:56
To: null<null-...@googlegroups.com>
Reply-To: null-...@googlegroups.com
Subject: [null] Re: how to kill winlogon.exe csrss.exe worm
@TAS: Use a BROOM! [BIOS Repair Omni Occult Module] :D :D
@Riky: Try this http://www.oxfordcroquet.com/care/worms/index.asp,
they dont die easily mind you. webDEViL is right (partly), you need to
beat the shit out of them. I normally mix 8 parts of vodka and 2 parts
of lizol and spray on them and watch them wriggle to death. Heavenly
feeling, mind you.
Regards,
karniv0re
> TAShttp://twitter.com/p0wnsauc3
> On 17 March 2011 18:06, Traverse Code <traversec...@gmail.com> wrote:
>
> > There are few reasons why the worm comes back even after format. Some are,
> > 1. If it has infected the BIOS, no matter how many times you format it, the
> > worm get backs to the newly formated OS. Make sure if the BIOS is clean.
> > 2. If Autorun is enabled obviusly that would trigger the worm when you
> > plugin the pen drive or external hard disk if incase you are restoring the
> > backup.
> > Regards,
> > Shiv
Riyaz Ahemed
@Riky: Try this http://www.oxfordcroquet.com/care/worms/index.asp,
they dont die easily mind you. webDEViL is right (partly), you need to
beat the shit out of them. I normally mix 8 parts of vodka and 2 parts
of lizol and spray on them and watch them wriggle to death. Heavenly
feeling, mind you.
Regards,
karniv0re
On Mar 17, 6:12 pm, TAS <p0wnsa...@gmail.com> wrote:
> -
> On 17 March 2011 18:06, Traverse Code <traversec...@gmail.com> wrote:
>
> > There are few reasons why the worm comes back even after format. Some are,
> > 1. If it has infected the BIOS, no matter how many times you format it, the
> > worm get backs to the newly formated OS. Make sure if the BIOS is clean.
> > 2. If Autorun is enabled obviusly that would trigger the worm when you
> > plugin the pen drive or external hard disk if incase you are restoring the
> > backup.
> > Regards,
> > Shiv
Riky
$system.volume.information thought they r from these 2
Subrat Sarkar
If you have formatted your disk and still facing same problem then it is not a Worm, it may be file infector virus or may have autoplay option in drive.
Winlogon.exe and csrss.exe names are only used by windows as there genuine application it doesn't mean that every binary/executable having same name is not malicious.
So first confirm location means from where they are executing. And I m sure that It has not modified your BIOS so don't use any BIOS recovery application.
Can u send me those files along with Registry details ?
thnx n bdy i m getting 2 folders named $Recycle.bin n
$system.volume.information thought they r from these 2
--
Pushkar Pashupat
The folders you are getting are too genuine folders of Windows.
As mentioned earlier in this conv, winlogon and csrss are also genuine
executables of windows so I guess you need not worry about any
infection.
But still winlogon and csrss can be a infection only if these
executables are located in other than their standard location i.e
Windows system folders.
Worms do not reside into the system if it is formatted. It has to be a
MBR rootkit or any similar infection.
--
Thanking You.
Warm Regards.
Pushkar
Sudhanwa Jogalekar
If it is really necessary, you may further think of running Windoze in VM.
-Sudhanwa
On Thu, Mar 17, 2011 at 5:34 PM, Riky <ratis...@gmail.com> wrote:
> i am getting these 2 worms every tym eventhough after formating, any1
> knows how to kill them???
>
> --
> null - Spreading the right Information
> null Mailing list charter: http://null.co.in/section/about/null_list_charter/
>
> This list is supported by Institute of Information Security http://iisecurity.in
> Real-world hackers, real-world training – Certified Professional Hacker at IIS
>
--
~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!
www.projects4students.com
Anant Shrivastava
Hi Corrupt.
BTW i am not able to find Aseem's presentation in the list @ nullcon.net
was thinking of linking that here.
Anant Shrivastava
CEH | RHCE
Mob : 91-9764899904
E-mail : an...@anantshri.info
Web : http://anantshri.info
Aditya Lad
But I am curious about the following :
1. Most important: Why do you think it is a worm/malware? I mean any bad symptoms? You have not mentioned any?
2. The best I can advise is, if your antivirus suggests a detection and is unable to remove it, find the manual steps for removal through google. (since you need to know the official name of that worm)
3. Download and execute Dr. WebCureIT (http://www.freedrweb.com/cureit/?lng=en), its free for home PCs, and atleast will let you know if anything is hidden in the process memory of winlogon/csrss.
Aditya.
Riky
INFORMATION, coz of them..coz when i m accessing those 2 folders via
linux i m getting 2 files inside these 2 folders winogon.exe n
csrss.exe
Manthan
--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
This list is supported by Institute of Information Security http://iisecurity.in
Real-world hackers, real-world training – Certified Professional Hacker at IIS
--
hackoshack rock
TAS
Turn off the system restore on all your drives and reboot the system. The SYSTEM VOLUME folder. If you want use the restore functionality then turn on the restore again.
If all the methods on the below emails trail don't help, unplug your hard drive and try a new one. And stop chasing winlogon and csrss worms
TAS!
Sent from BlackBerry® - Vodafone