Block-Checker |
CookieRevised
Elite Member
Posts: 15517 Reputation: 173
– / /
Joined: Jul 2003
Status: Away
|
RE: Block-Checker
quote: Originally posted by Fergy
thanks cookie. When I did it, blockchecker.exe was a branch of the fake csrss.exe, perhaps I killed the blockchecker.exe process first and the csrss process restarted it.
yep, indeed... as explained in Segosa's post, csrss.exe constantly checks for blockchecker.exe. If blockchecker.exe is killed it is restarted again by csrss.exe. Hence you need to kill csrss.exe first.
(btw, I modified your step-by-step instructions and posted it on mess.be; I will also repeat it here, so I can update it if needed)
-----IMPORTANT---------------IMPORTANT---------------IMPORTANT---------------IMPORTANT-----
How to remove the "Block Checker" malware correctly
Originally composed by Fergy here and further modified by CookieRevised
Step 1: Killing the processes
- Download Sysinternals' "Process Explorer" here and install it.
- Open Process Explorer and kill "csrss.exe" first.
To avoid killing the wrong csrss.exe process, look at the "User Name" column which lists who has started the process.
If it is "SYSTEM" or "NT AUTHORITY" or the likes, then it means it is the legit windows process started by Windows itself and shouldn't be killed. If it is your username/computername then it means the csrss.exe process has started up as a normal user program and thus is not legit and the fake one. This is the one you need to kill...
In Process Explorer, you can also look at the path of csrss.exe (right click on it and choose "Properties"). If it is "C:\Program Files\Block Checker" then it is the fake one.
- While still in Process Explorer, kill "block-checker.exe" if it is still there.
Step 2: Removing the files
- Uninstall the block checker by going to "Add/Remove Programs" in the control panel.
- Go into "C:\Program Files" and delete the folder labelled "Block Checker" (where C:\ is the drive you installed Windows on) if it is still there.
- Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" files located in windows' system folder (C:\Windows\System).
- Clean out your recycle bin to totally remove the files from your HDD.
Step 3: Fixing the registry
- Open your registry editor (Start > Run > regedit.exe) and navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and delete the key named "block-checker".
(For a small tutorial on this, go to this site, because deleting the wrong keys could corrupt Windows).
-------
Note 1: The reason why you need to use a program like Process Explorer to do this is because the Windows Task/Process Manager itself could refuse to kill "csrss.exe" as it could think it is a legit system process. Also, not all Windows versions have a Task/Process Manager that is able to kill processes.
Note 2: Do not use MSCONFIG to delete startup entries. This will NOT permanently delete the startup entries, and above all Windows will use an alternative boot sequence to start up. This boot sequence is easily switched back by accident and the things you wanted deleted will be put back! If you must use a program to alter the registry, then use a program like AutoRuns (this program will also list ALL the startup entries that exist in Windows; MSCONFIG seriously lacks an extremely large amount of such entries).
Note 3: (technical) info of what this malware exactly does can be found in Segosa's reply.
-----IMPORTANT---------------IMPORTANT---------------IMPORTANT---------------IMPORTANT-----
This post was edited on 08-25-2005 at 08:52 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
|
|
08-21-2005 05:19 PM |
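The identification rule from the removal steps above (owner and path of csrss.exe), together with the file and registry locations they list, as a read-only PowerShell check. This is an added example, not part of the original post: `Test-SuspectProcess` is a hypothetical helper name, the SYSTEM account is matched by its well-known SID S-1-5-18 instead of its display name, and PowerShell was not part of the Windows versions in use in 2005.

```powershell
# Read-only triage: nothing is killed or deleted, findings are only reported.
# Paths and names are the ones quoted in the post; Test-SuspectProcess is a
# hypothetical helper name chosen for this example.
$legitCsrss = Join-Path $env:SystemRoot 'System32\csrss.exe'
$systemSid  = 'S-1-5-18'   # well-known SID of the SYSTEM account

function Test-SuspectProcess {
    param([string]$Name, [string]$Path, [string]$OwnerSid)
    # block-checker.exe / blockchecker.exe is not a Windows component.
    if ($Name -match '^block-?checker\.exe$') { return $true }
    if ($Name -ne 'csrss.exe') { return $false }
    # Some Windows versions report the image path with a \??\ prefix.
    $p = $Path -replace '^\\\?\?\\', ''
    # Path check: the genuine csrss.exe runs from System32. Windows may hide
    # the path of the genuine (protected) process, so empty means "unknown".
    if ($p -and $p -ne $legitCsrss) { return $true }
    # Owner check: a csrss.exe started under a normal user account is fake.
    if ($OwnerSid -and $OwnerSid -ne $systemSid) { return $true }
    return $false
}

# Step 1: processes, with the owner and image path Process Explorer would show.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(csrss|block-?checker)\.exe$' } |
    ForEach-Object {
        $sid = (Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid -ErrorAction SilentlyContinue).Sid
        [pscustomobject]@{
            Name = $_.Name; Id = $_.ProcessId; Path = $_.ExecutablePath
            OwnerSid = $sid
            Suspect = Test-SuspectProcess $_.Name $_.ExecutablePath $sid
        }
    }

# Step 2: the program folder and the three exclusion_*.ini files.
$paths = @(Join-Path $env:ProgramFiles 'Block Checker')
$paths += 'AOL', 'MSN', 'Yahoo' | ForEach-Object {
    Join-Path $env:SystemRoot "System\exclusion_$_.ini" }
$leftovers = @($paths | Where-Object { Test-Path -LiteralPath $_ })

# Step 3: the "block-checker" entry under the Run key.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runEntry = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'block-checker'

$procs | Format-Table -AutoSize
"Leftover files/folders: $($leftovers -join ', ')"
"Run entry 'block-checker': $runEntry"
```

On 64-bit Windows a 32-bit installer is redirected to `Program Files (x86)` and `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run`, which are not checked here.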
|
|
Fergy
Full Member
Posts: 164 Reputation: 7
36 / /
Joined: Nov 2004
|
RE: Block-Checker
thanks once again cookie
I should change my sig ay?
|
|
08-21-2005 05:29 PM |
|
|
qgroessl
Veteran Member
Posts: 1615 Reputation: 22
33 / – /
Joined: Jul 2005
Status: Away
|
RE: Block-Checker
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?
|
|
08-22-2005 01:46 AM |
|
|
mwe99
Veteran Member
Posts: 2514 Reputation: 67
36 / /
Joined: Jul 2004
|
O.P. RE: Block-Checker
quote: Originally posted by qgroessl
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?
That is the main spread method, if you follow the instructions from Fergy (it's a good and helpful post) for the removal
|
|
08-22-2005 02:10 AM |
|
|
qgroessl
Veteran Member
Posts: 1615 Reputation: 22
33 / – /
Joined: Jul 2005
Status: Away
|
RE: Block-Checker
quote: Originally posted by mwe99
That is the main spread method, if you follow the instructions from Fergy (it's a good and helpful post) for the removal
I don't think there's anything to remove? I've never downloaded the software let alone gone to the website...
|
|
08-22-2005 03:23 AM |
|
|
Lou
Veteran Member
Posts: 2475 Reputation: 43
– / /
Joined: Aug 2004
|
RE: Block-Checker
quote: Originally posted by qgroessl
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?
think he means by his contacts...
The future holds bright things in its path, but only time will tell what they are and where they come from.
Messenger Stuff Forums
|
|
08-22-2005 03:35 AM |
|
|
~INVASION~
Veteran Member
Posts: 1094 Reputation: 29
36 / /
Joined: May 2004
Status: Away
|
RE: Block-Checker
This seems to be spreading now.
I got messages from some contacts already telling me to check out block checker, that's under a week; it took me 2 months to get my first message from the other viruses (can't remember their names, bropia or something)
{WindowsLive Butterfly ~ 2006 - 2009}
|
|
08-22-2005 03:56 AM |
|
|
qgroessl
Veteran Member
Posts: 1615 Reputation: 22
33 / – /
Joined: Jul 2005
Status: Away
|
RE: Block-Checker
quote: Originally posted by lou_habs
think he means by his contacts...
Exactly... and I guess they get it from me also though. so it's both... I send it to them... and they send it to me... the message goes like this:
quote: Find out who's blocking you on MSN, Download it free from http://www.block-checker.com
I wouldn't click the link though.
This post was edited on 08-22-2005 at 10:30 AM by WDZ.
|
|
08-22-2005 04:07 AM |
|
|
Fergy
Full Member
Posts: 164 Reputation: 7
36 / /
Joined: Nov 2004
|
RE: Block-Checker
I remember bropia, it sucked. I think the block checker is spreading so fast because it has appeal and it doesn't end in a .pif
I should change my sig ay?
|
|
08-22-2005 04:19 AM |
|
|
CookieRevised
Elite Member
Posts: 15517 Reputation: 173
– / /
Joined: Jul 2003
Status: Away
|
RE: Block-Checker
qgroessl, please read the thread before you post........
There are extremely detailed posts (which would have answered your questions) and removal instructions (which you also ask for) already posted some time ago.
Yes, the program sends messages to your contacts, again as explained in posts in this thread. You didn't have to give an example; everything about that is already said before in much detail (look at Segosa's post).
Tip: and unless you have set the security in your browser in a bad way, nothing will ever be executed on its own when you click a link.
This post was edited on 08-23-2005 at 06:22 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
|
|
08-22-2005 09:35 AM |
|
|