quote:Originally posted by Fergy
thanks cookie. When i did it, blockchecker.exe was a branch of the fake csrss.exe, perhaps i killed the blockchecker.exe process first and the csrss process restarted it.
yep, indeed... as explained in Segosa's post, csrss.exe constantly checks for blockchecker.exe. If blockchecker.exe is killed it is restarted again by csrss.exe. Hence you need to kill csrss.exe first
(btw, I modified your step-by-step instructions and posted it on mess.be; I will also repeat it here, so I can update it if needed)
How to remove the "Block Checker" malware correctly
Originally composed by Fergy here and further modified by CookieRevised
Step 1: Killing the processes
Download Sysinternals' "Process Explorer" here and install it.
Open Process Explorer and kill "csrss.exe" first.
To avoid killing the wrong csrss.exe process, look at the "User Name" column which lists who has started the process.
If it is "SYSTEM" or "NT AUTHORITY" or the likes, then it means it is the legit windows process started by Windows itself and shouldn't be killed. If it is your username/computername then it means the csrss.exe process has started up as a normal user program and thus is not legit and the fake one. This is the one you need to kill...
In Process Explorer, you can also look at the path of csrss.exe (right click on it and choose "Properties"). If it is "C:\Program Files\Block Checker" then it is the fake one.
While still in Process Explorer, kill "block-checker.exe" if it is still there.
Step 2: Removing the files
Uninstall the block checker by going to "Add/Remove Programs" in the control panel.
Go into "C:\Program Files" and delete the folder labelled "Block Checker" (where C:\ is the drive you installed Windows on) if it is still there.
Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" files located in windows' system folder (C:\Windows\System).
Clean out your recycle bin to totally remove the files from your HDD.
Step 3: Fixing the registry
Open your registry editor (Start > Run > regedit.exe) and navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and delete the key named "block-checker".
(For a small tutorial on this, go to this site, because deleting the wrong keys could corrupt Windows).
-------
Note 1: The reason why you need to use a program like Process Explorer to do this is because the Windows Task/Process Manager itself could refuse to kill "csrss.exe" as it could think it is a legit system process. Also, not all Windows versions have a Task/Process Manager that is able to kill processes.
Note 2: Do not use MSCONFIG to delete startup entries. This will NOT permanently delete the startup entries, and above all Windows will use an alternative boot sequence to start up. This boot sequence is easly switched back by accident and the things you wanted deleted will be put back! If you must use a program to alter the registry, then use a program like AutoRuns (this program will also list ALL the startup entries that exist in Windows; MSCONFIG seriously lacks an extreme large amount of such entries).
Note 3: (technical) info of what this malware exactly does can be found in Segosa's reply.
/ 
