Products
- Cross Device
- PC & Mac
- Mobile/Tablet
- Other Services
  - McAfee Virus Removal Service
  - View All
- Free Tools
Virus Information
Security Advice
Support
Free Trials

Virus Profile: Adclicker-DF

Threat Search

Virus Profile information details
Risk Assessment:	Home N/A \| Corporate N/A
Date Discovered:	8/22/2005
Date Added:	8/22/2005
Origin:	Unknown
Length:	N/A
Type:	Trojan
Subtype:	Adware
DAT Required:	4565
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of aforementioned files and registry keys.

Methods of Infection

N/A This is not a virus or trojan.

View Virus Characteristics

Virus Characteristics

This Trojan lowers internet security settings, adds itself to firewall exclusion policies and downloads multiple adwares.

It adds itself to Add Remove Program with the names "Block-checker 1.0" and "System Process". If the user tries to uninstall "System Process", this Trojan attempts to download various adwares on the system. This is related to Block-Checker.com.

Upon installation the program it displays EULA. The privacy policy is located at

http://www.system-processes.com/liscense.php .

It is observed to contact the following sites apart from various other
adware sites that it downloads.

System Changes

Adds the following domains to the following key with the default value of 0x00000001, so that they are always allowed.

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\P3P\History\

tkqlhce.com
qksrv.net
linksynergy.com
kqzyfj.com
jdoqocy.com
fastclick.net
fastclick.com
dpbolvw.net
commission-junction.com
cc-dt.com
bfast.com
anrdoezrs.net

Files Added

%SystemDir%\navshext.dll (49 KB)

%SystemDir%\ccapp.exe (16 KB)

c:\program files\block checker\uninstall.exe (63 KB)

c:\program files\block checker\setup_finish.exe (16 KB)

c:\program files\block checker\setup.log (2 KB)

c:\program files\block checker\csrss.exe (28 KB)

c:\program files\block checker\block-checker.exe (48 KB)

c:\program files\block checker\block checker.exe (704 KB)

c:\documents and settings\all users\start menu\programs\block checker\block checker\block checker.lnk (1 KB)

c:\documents and settings\administrator\
application data\microsoft\internet explorer\quick launch\block checker.lnk (1 KB)

Registry

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\BlockChecker: "C:\Program Files\Block Checker\block-checker.exe

HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32
"ThreadingModel"="Apartment"

HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32
"(default)"="C:\WINDOWS\System32\navshext.dll"

HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
"default"="System Process"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\SharedDLLs\C:\Program Files\Block Checker\block-checker.exe: 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\System Process\ModId: "3"

HKEY_LOCAL_MACHINE\SOFTWARE\System Process\Started: 0x00000001

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List\%windir%\system32\ccapp.exe: "%windir%\system32\ccapp.exe:*:Enabled:System Process"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List\%windir%\system32\ccapp.exe: "%windir%\system32\ccapp.exe:*:Enabled:System Process"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.system-processes.com:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\Startup"UninstallString"
="C:\WINDOWS\System32\ccapp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\Startup"DisplayName"
="System Process"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion \Uninstall\Block Checker
"UninstallString"=""C:\Program Files\Block Checker\uninstall.exe""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion \Uninstall\Block Checker
"DisplayName"="Block Checker 1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\SharedDLLs "C:\Program Files\Block Checker\block-checker.exe"="1"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
"LastDate"=""

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
"DaysToClear"="0"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
"LastDate"=""

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
"DaysToClear"="0"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
"LastDate"=""

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
"DaysToClear"="0"

Back To Overview View Removal Instructions

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

View Virus Characteristics

Virus Information

Display Threat Alerts on Your Site

Virus Profile: Adclicker-DF

Description

Indication of Infection

Methods of Infection

Virus Characteristics

Virus Information

Indications of Infection:

PRODUCTS

VIRUS SECURITY

SUPPORT

SOCIALIZE WITH US ON

SIGN UP FOR SECURITY NEWS

WE ACCEPT THE FOLLOWING