HOW TO REMOVE THE "BLOCK CHECKER" MALWARE CORRECTLY
===================================================

Originally composed by Fergy at the Plus! forums and further modified by CookieRevised

Step 1: Killing the processes
-----------------------------

* Download Sysinternals' "Process Explorer" and install it.
  http://www.sysinternals.com/Utilities/ProcessExplorer.html

* Open Process Explorer and kill "csrss.exe" first.
  To avoid killing the wrong csrss.exe process, look at the "User Name" column, which lists who started the process. If it is "SYSTEM", "NT AUTHORITY" or the like, it is the legitimate Windows process started by Windows itself and should not be killed. If it is your username/computername, the csrss.exe process was started as a normal user program and is therefore not legitimate: it is the fake one, and the one you need to kill...
  In Process Explorer you can also check the path of csrss.exe by right-clicking on it and choosing "Properties". If the path is "C:\Program Files\Block Checker", it is the fake one you need to kill...

* While still in Process Explorer, kill "block-checker.exe" if it is still there.

Step 2: Removing the files
--------------------------

* Uninstall the block checker by going to "Add/Remove Programs" in the Control Panel.

* Go into "C:\Program Files" and delete the folder labelled "Block Checker" if it is still there (where C:\ is the drive you installed Windows on).

* Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" files located in Windows' system folder (C:\Windows\System).

* Empty your Recycle Bin to remove the files from your HDD completely.

Step 3: Fixing the registry
---------------------------

* Open your registry editor (Start > Run > regedit.exe), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the entry named "block-checker".
  (You can find a small tutorial on working in the registry at http://www.helpdesk.umd.edu/topics/troubleshooting/os/windows_2000/555/#change, as deleting the wrong keys could corrupt Windows.)

---------------------------

Note 1: The reason you need a program like Process Explorer to kill "csrss.exe" is that the Windows Task/Process Manager may refuse to kill "csrss.exe" because it assumes it is a legitimate system process. Also, not all Windows versions have a Task/Process Manager that is able to list and kill all processes.

Note 2: Do not use MSCONFIG to delete startup entries. This will NOT permanently delete the startup entries, and above all Windows will use an alternative boot sequence to start up. This boot sequence is easily switched back by accident, and the things you wanted deleted will be put back! If you must use a program to alter the registry, use a program like AutoRuns (this program will also list ALL the startup entries that exist in Windows; MSCONFIG misses an extremely large number of such entries).

---------------------------

These instructions can also be found here:
http://msghelp.net/showthread.php?tid=49089&pid=517501#pid517501

The (technical) write-up of what the malware does can be found here:
http://msghelp.net/showthread.php?tid=49089&pid=514801#pid514801

---------------------------

Thanks go out to Segosa for reverse engineering this malware, and to Fergy and CookieRevised for writing these removal instructions.

---------------------------

In future DO NOT CLICK LINKS that appear without first asking where they came from. Also, block checkers DO NOT work and aren't reliable at all!!!
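The checks behind Steps 1 to 3 can be scripted so you can confirm the removal worked. The following PowerShell script is an added example and is not part of the original guide by Fergy and CookieRevised. It only reports whether the indicators the guide names are still present (a csrss.exe not owned by SYSTEM or running from the Block Checker folder, a running block-checker.exe, the Block Checker folder, the three exclusion .ini files and the "block-checker" Run entry); it changes nothing, so it is safe to run before and after the manual steps. It assumes the paths and names stated above, and that $env:SystemRoot\System is the "Windows' system folder" the guide refers to.

```powershell
# Added example, not from the original guide: report-only triage for the
# "Block Checker" indicators described in Steps 1-3. Nothing is killed or deleted.
# Assumptions: folder, file and registry names as stated in the guide;
# $env:SystemRoot\System is the system folder the guide means.

$findings = @()

# Step 1: csrss.exe. The legitimate copy runs as NT AUTHORITY\SYSTEM; a copy owned
# by a normal user or started from the Block Checker folder is the fake one.
foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'")) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    # GetOwner fails (User empty) on protected system processes when not elevated;
    # treat that as "could not query" rather than as suspicious.
    $ownerName = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<not queryable>' }
    $path = $proc.ExecutablePath
    $inBlockChecker = $path -and ($path -like "$env:ProgramFiles\Block Checker\*")
    $userOwned = $owner.User -and ($owner.User -ne 'SYSTEM')
    if ($inBlockChecker -or $userOwned) {
        $findings += "Suspicious csrss.exe: PID $($proc.ProcessId) owner=$ownerName path=$path"
    }
}

# Step 1: block-checker.exe should not be running at all.
foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name = 'block-checker.exe'")) {
    $findings += "block-checker.exe still running: PID $($proc.ProcessId) path=$($proc.ExecutablePath)"
}

# Step 2: program folder and the three exclusion files in the system folder.
$folder = Join-Path $env:ProgramFiles 'Block Checker'
if (Test-Path -LiteralPath $folder) {
    $findings += "Folder still present: $folder"
}
$systemFolder = Join-Path $env:SystemRoot 'System'
foreach ($ini in 'exclusion_AOL.ini', 'exclusion_MSN.ini', 'exclusion_Yahoo.ini') {
    $iniPath = Join-Path $systemFolder $ini
    if (Test-Path -LiteralPath $iniPath) {
        $findings += "File still present: $iniPath"
    }
}

# Step 3: the "block-checker" entry under the machine-wide Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['block-checker']) {
    $findings += "Run entry still present: block-checker = $($run.'block-checker')"
}

if ($findings.Count -eq 0) {
    'No Block Checker indicators found.'
} else {
    'Block Checker indicators found:'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it from an elevated PowerShell prompt so that the owner and path of every process can be queried; without elevation the legitimate csrss.exe is reported as "not queryable", which is expected and not a finding. A clean result after Steps 1 to 3 (and a reboot) indicates the items named in the guide are gone; it says nothing about other changes the malware may have made, which is why the guide points to AutoRuns for a full view of startup entries.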