How to remove the "Block Checker" malware correctly
Originally composed by Fergy and further modified by CookieRevised
Step 1: Killing the processes
- Download Sysinternals' "Process Explorer" and install it.
- Open Process Explorer and kill "csrss.exe" first.
To avoid killing the wrong csrss.exe process, look at the "User Name" column, which lists who started the process.
If it is "SYSTEM" or "NT AUTHORITY" or the like, then it is the legit Windows process started by Windows itself and shouldn't be killed. If it is your username/computername, then the csrss.exe process was started as a normal user program and thus is not legit: it is the fake one. This is the one you need to kill.
In Process Explorer, you can also look at the path of csrss.exe (right-click on it and choose "Properties"). If it is "C:\Program Files\Block Checker", then it is the fake one.
The reason you need a program like Process Explorer for this is that the Windows Task/Process Manager itself refuses to kill "csrss.exe", because it always assumes it is a legit system process.
- While still in Process Explorer, kill "block-checker.exe" if it is still there.
Step 2: Removing the files
- Uninstall the block checker by going to "Add/Remove Programs" in the control panel.
- Go into "C:\Program Files" and delete the folder labelled "Block Checker" (where C:\ is the drive you installed Windows on) if it is still there.
- Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" files located in Windows' system folder (C:\Windows\System).
- Empty your recycle bin to totally remove the files from your HDD.
Step 3: Fixing the registry
- Open your registry editor (Start > Run > regedit.exe), navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and delete the entry named "block-checker".
(If you have not done this before, read a short tutorial on the registry editor first, because deleting the wrong keys could corrupt Windows.)
Do not use MSCONFIG to delete startup entries. It will NOT permanently delete the startup entries, and above all Windows will use an alternative boot sequence to start up. This boot sequence is easily switched back by accident, and the things you wanted deleted will be put back! If you must use a program to alter the registry, then use a program like AutoRuns (it will also list ALL the startup entries that exist in Windows; MSCONFIG misses a very large number of such entries).
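The three steps above can be checked in one go. The following PowerShell script is an added example, not part of the original guide: it reports every indicator the guide lists (a csrss.exe not owned by SYSTEM or running from the Block Checker folder, a block-checker.exe process, the leftover folder and .ini files, and the "block-checker" Run entry) without deleting anything, so you can confirm what is left before and after the manual removal. It assumes the paths and names are exactly as given in the guide and that it is run from an elevated prompt so process owners can be read.

```powershell
# Added example (not from the original guide): audit a machine for the
# "Block Checker" indicators listed above. Detection only, nothing is removed.
# Assumes the guide's paths/names and an elevated prompt (to read process owners).
function Find-BlockCheckerIndicators {
    $findings = @()

    # 1. csrss.exe instances. The legit one is started by Windows (owner SYSTEM);
    #    a copy owned by a normal user, or run from the Block Checker folder, is the fake.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
        $user  = $owner.User           # $null when the owner could not be read
        $path  = $proc.ExecutablePath  # $null for protected system processes
        if (($user -and $user -ne 'SYSTEM') -or ($path -and $path -like '*\Block Checker\*')) {
            $findings += "Fake csrss.exe: PID $($proc.ProcessId) owner=$($owner.Domain)\$user path=$path"
        }
    }

    # 2. The malware's own process name (step 1 of the guide)
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'block-checker.exe'") {
        $findings += "block-checker.exe running: PID $($proc.ProcessId) path=$($proc.ExecutablePath)"
    }

    # 3. Leftover folder and .ini files (step 2 of the guide)
    $folder = Join-Path $env:ProgramFiles 'Block Checker'
    if (Test-Path -LiteralPath $folder) { $findings += "Folder still present: $folder" }
    foreach ($ini in 'exclusion_AOL.ini', 'exclusion_MSN.ini', 'exclusion_Yahoo.ini') {
        $file = Join-Path (Join-Path $env:SystemRoot 'System') $ini
        if (Test-Path -LiteralPath $file) { $findings += "File still present: $file" }
    }

    # 4. Startup entry under the Run key (step 3 of the guide)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $entry  = Get-ItemProperty -Path $runKey -Name 'block-checker' -ErrorAction SilentlyContinue
    if ($entry) { $findings += "Startup entry: $runKey\block-checker = $($entry.'block-checker')" }

    return $findings
}

$results = @(Find-BlockCheckerIndicators)
if ($results.Count -eq 0) { 'No Block Checker indicators found.' } else { $results }
```

Run it once before the cleanup to see what is present, then again afterwards (and after a reboot) to confirm nothing has come back.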
In future, DON'T CLICK LINKS that appear without you asking for them.
Sources:
http://www.msghelp.net/showthread.php?tid=49089
http://www.msghelp.net/showthread.php?tid=49089&pid=517501#pid517501
Some more technical info on what this malware does exactly can be read in Segosa's post.