Moderator edit: do not download/use this, it is a virus.
This thread is here merely because it contains more information on this thing.

Ha bet you thought someone was gonna ask how

lol moving on...

Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.block-checker.com

anyone had that annoying message? what do they make of the program if you're using it

Moderator edit: do not download/use this, it is a virus.

looks dodgy the download count keep changing plus it says 100% accuarte and is for yahoo as well

Well it just told me my friend sent the message but on his screen i sent it... whatever it is, its dodgy

lmao

<!--
function RandomNumber(upper_limit)
{
return Math.round(upper_limit * Math.random());
}
//-->
</script>

<script language="JavaScript">
<!--
var upper_limit = 1000000;
document.write(RandomNumber(upper_limit) + ' Downloads');
//-->

quote:

---

Originally posted by ~INVASION~
lmao

<!--
function RandomNumber(upper_limit)
{
return Math.round(upper_limit * Math.random());
}
//-->
</script>

<script language="JavaScript">
<!--
var upper_limit = 1000000;
document.write(RandomNumber(upper_limit) + ' Downloads');
//-->

---

it's probably a trojan/keylogger or something

someone should reverse it

okay, i've asked segosa to reverse it, first results, it is a virus, which means do not install it

strange that my anti virus never picked it up

thanks anyways m_e

rofl at newbs



block checkers don't work.....it wasn't gonna be anything else apart from a trojan

Its so called "version check" when it starts is this:

code:

---

POST /version.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Content-Length: 0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.block-checker.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 17 Aug 2005 15:51:18 GMT
Server: Apache
Last-Modified: Fri, 12 Aug 2005 00:00:51 GMT
ETag: "190107-b-34f0d2c0"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html
Age: 1
Connection: close

version 1.0

---

code:

---

08/11/2005  04:50 PM           720,896 Block Checker.exe
08/10/2005  07:46 PM            49,152 block-checker.exe
08/10/2005  07:45 PM            28,672 csrss.exe
08/17/2005  05:51 PM             2,037 setup.log
08/11/2005  04:16 PM            16,384 setup_finish.exe
10/18/2003  05:58 PM            64,512 uninstall.exe
               6 File(s)        881,653 bytes

---

Sounds kind of lame tbh.

i have installed it !!


well i have unistall it, and i used microsoft antispyware to remove from start up,and to remove any trace it left, now i will scan my pc with Mcafee , auto message is gone by now!!

Apparantely you can uninstall it with Contol Panel > Add/Remove Programs

I highly doubt it removes the virus too.

quote:

---

Originally posted by segosa
I highly doubt it removes the virus too.

---

i'm gonna check using Mcafee and reply

wat a rip off i've never tried a block checker, if u got  block there must be a reason fo rit but be careful w/ wat u install

If any i think NoRooms list manager is the one i use alot. Sure they can't be relied up on 100% but anything is good enough.

Im gonna inform my contacts about the virus tho.

quote:

---

Originally posted by mwe99
If any i think NoRooms list manager is the one i use alot. Sure they can't be relied up on 100% but anything is good enough.

---

quote:

---

Originally posted by Millenium_edition

quote:

---

Originally posted by mwe99
If any i think NoRooms list manager is the one i use alot. Sure they can't be relied up on 100% but anything is good enough.

---

you seem to have no understanding whatsoever of what this tool does. it checks if people have deleted you, certainely NOT blocked. yes, there is a difference, a big difference, actually. more on this: http://shoutbox.menthix.net/showthread.php?tid=44...d=461135#pid461135

---

quote:

---

Originally posted by mwe99
Who is gonna keep you on their list after they have blocked you.

---

quote:

---

Originally posted by mwe99
I would appreciate you not yelling at me or public discrediting me, believe it or not i know what to tool does, but thought of this? Who is gonna keep you on their list after they have blocked you.

---

I got this message from one of my friends earlier today, good thing I trusted my instincts. I'm probably gonna go to his house tonight and fix it up.

I think you should:
Delete the folder from the program files and the .INI files from the system folder, and then use MSCONFIG to remove it from startup. After that, open Add/Remove Programs, then click remove on the block checker, this would most likely detect the absence of the program and remove it from the list. Then virus and adware/spyware scan.

Anyone agree/disagree?

I'd say

ctrl+alt+del, kill the extra csrss.exe first and then block-checker.exe (if you don't know which csrss.exe it is, use Process Explorer from sysinternals to see its path)

Then delete the contents of C:\Program Files\Block Checker and edit startup to stop block-checker.exe attempting to start.

Try find the ini files in the system directory, if you can't find them there then do a Windows search and see if they're located anywhere else for some reason.

It's probably not really needed, but I guess an adware/spyware scan can't hurt.

quote:

---

Originally posted by Fergy
(...) and then use MSCONFIG to remove it from startup.

---

Thanks for the advice, unfortunatley i couldn't go to my friend's house today (I was sick) so i'd probably go there sometime this weekend.

quote:

---

Originally posted by CookieRevised
eg: you don't want to be disturbed for a while, yet you want to be able to answer that oh-so-important question from that special someone....

---

i knew that was a virus from the begging just the wired shit that they would alwasy say the same shit over and over again lol and the they started to give me winks lol

I've finally had time to remove one of these suckers from someones computer (over remote assistance too). The problem is that the CSRSS.EXE process can't be killed by windows task manager because it thinks it's a proper windows progress

Anyways i have written up how to remove the virus, i've tried to make it as simplistic as possible.

--------------------------------------------------------------------
Steps for removing the "Block Checker" Virus

• Download a copy of Sysinternals Process Explorer Here
  
• "Un-Install" the block checker from Add/Remove Programs
  
• Open Process Explorer and kill the "csrss.exe" process that is not run by "SYSTEM" or "NT AUTHORITY" or similar (usually the fake is run by your username or computer name)
  
• Once you have killed the process csrss.exe find the process "blockchecker.exe" and kill that one
  
• Go into C:\Program Files and delete the folder labelled "Block checker" (where C:\ is the drive you installed Windows on)
  
• Open The Registry Editor (Start > Run > regedit.exe) and navigate through to
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value named "BlockChecker"
  (For help on this section, go to this site, for a wrong move in here could damage your computer)
  
• Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" located in the windows syetm folder (C:\Windows\System)
  
• Enjoy your "Block Checker" Virus free system

quote:

---

Originally posted by Fergy
Open Process Explorer and kill the blockchecker.exe and csrss.exe processes that are next to each other

---

thanks cookie. When i did it, blockchecker.exe was a branch of the fake csrss.exe, perhaps i killed the blockchecker.exe process first and the csrss process restarted it.

*added that in to the steps*

quote:

---

Originally posted by Fergy
thanks cookie. When i did it, blockchecker.exe was a branch of the fake csrss.exe, perhaps i killed the blockchecker.exe process first and the csrss process restarted it.

---

yep, indeed... as explained in Segosa's post, csrss.exe constantly checks for blockchecker.exe. If blockchecker.exe is killed it is restarted again by csrss.exe. Hence you need to kill csrss.exe first

(btw, I modified your step-by-step instructions and posted it on mess.be; I will also repeat it here, so I can update it if needed)

• Download Sysinternals' "Process Explorer" here and install it.
  
• Open Process Explorer and kill "csrss.exe" first.
  To avoid killing the wrong csrss.exe process, look at the "User Name" column which lists who has started the process.
  If it is "SYSTEM" or "NT AUTHORITY" or the likes, then it means it is the legit windows process started by Windows itself and shouldn't be killed. If it is your username/computername then it means the csrss.exe process has started up as a normal user program and thus is not legit and the fake one. This is the one you need to kill...
  In Process Explorer, you can also look at the path of csrss.exe (right click on it and choose "Properties"). If it is "C:\Program Files\Block Checker" then it is the fake one.
  
• While still in Process Explorer, kill "block-checker.exe" if it is still there.

• Uninstall the block checker by going to "Add/Remove Programs" in the control panel.
  
• Go into "C:\Program Files" and delete the folder labelled "Block Checker" (where C:\ is the drive you installed Windows on) if it is still there.
  
• Delete the "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" files located in windows' system folder (C:\Windows\System).
  
• Clean out your recycle bin to totally remove the files from your HDD.

• Open your registry editor (Start > Run > regedit.exe) and navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and delete the key named "block-checker".
  (For a small tutorial on this, go to this site, because deleting the wrong keys could corrupt Windows).

thanks once again cookie

Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?

quote:

---

Originally posted by qgroessl
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?

---

quote:

---

Originally posted by mwe99
That is the main spread method, if you follow the instructions from Fergy (its a good and helpful post) for the removal

---

quote:

---

Originally posted by qgroessl
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?

---

this seems to be spreading now

i got messages from some contacts already telling me to check out block checker, thats under a week, it took me 2 months to get my first message from the other viruses , (cant remember their names, bropia or smething)

quote:

---

Originally posted by lou_habs
think he meands by his contacts...

---

quote:

---

Find out who's blocking you on MSN, Download it free from http://www.block-checker.com

---

I remember bropia, it sucked. I think the block checker is spreading so fast because it has appeal and it doesn't end in a .pif

qgroessl, please read the thread before you post........

There are extremely detailed posts (which would have answered your questions) and removal instructions (which you also asks for) already posted some time ago.

Yes, the program sends messages to your contacts, again as explained in posts in this thread. You didn't had to give an example; Everything about that is already said before in much detail (look at Segosa's post).

Tip: and unless you have set the security in your browser in a bad way, nothing will ever be executed on its own when you click a link.

After helping out Paul Frome (Idium) with this virus (i've send him an e-mail with links to instructions), he decided to make a small txt file you can send to your contacts who got infected. It seems to be spreading fast as he already helped out 8 people with this aswell.

I attached the txt file here for your use.


Edit: attached new version, corrected by CookieRevised

i thought that a txt file would help ppl out so they can have a set of insrtructions which can be sent to anyone who was infected.

Is this a virus that connects to a botnet?

If it is, then can't someone find out what channel all these viruses are connecting to, find out the password of the virus, and then tell all the bots to download a tool that will uninstall the virus.

possably but i dont think this is one

Um thats all well and good but you don't need to download process explorer, just use ctrl+alt+del...

quote:

---

Originally posted by saralk
Is this a virus that connects to a botnet?

If it is, then can't someone find out what channel all these viruses are connecting to, find out the password of the virus, and then tell all the bots to download a tool that will uninstall the virus.

---

quote:

---

Originally posted by ShawnZ
Um thats all well and good but you don't need to download process explorer, just use ctrl+alt+del...

---

quote:

---

Originally posted by Sunshine
After helping out Paul Frome (Idium) with this virus (i've send him an e-mail with links to instructions), he decided to make a small txt file you can send to your contacts who got infected.

---

thanx cookie for correctin my write-up. ive got the new one now

as a note is there any way someone could make a removal tool, since contacts i give instructions to seem to be struggling

PEOPLE!! this is Not! a virus! it is just a program that checks for people are offline or online... but doesnt work.. and the message it gives out to your contacts is just a "tell a friend" thingy that comes with the block-checker program!
You can easily remove it by downloading there remover program from their site! HERE

quote:

---

Originally posted by lui2603
PEOPLE!! this is Not! a virus! it is just a program that checks for people are offline or online...

---

quote:

---

Originally posted by lui2603

You can easily remove it by downloading there remover program from their site! HERE

---

quote:

---

Originally posted by Fergy

quote:

---

Originally posted by lui2603
You can easily remove it by downloading there remover program from their site! HERE

---

That doesnt completely remove it. Follow cookierevised's instructiopns to erase it completely

---

quote:

---

Originally posted by lui2603
You can easily remove it by downloading there remover program from their site! HERE

---

quote:

---

Originally posted by CookieRevised
[size=1]

quote:

---

Originally posted by Fergy


[*]Open Process Explorer and kill "csrss.exe" first.
To avoid killing the wrong csrss.exe process, look at the "User Name" column which lists who has started the process.
If it is "SYSTEM" or "NT AUTHORITY" or the likes, then it means it is the legit windows process started by Windows itself and shouldn't be killed. If it is your username/computername then it means the csrss.exe process has started up as a normal user program and thus is not legit and the fake one. This is the one you need to kill...
In Process Explorer, you can also look at the path of csrss.exe (right click on it and choose "Properties"). If it is "C:\Program Files\Block Checker" then it is the fake one.
[*]While still in Process Explorer, kill "block-checker.exe" if it is still there.[/list]

---

I'm trying to do this part of the process to get rid of this virus anyway the only csrss.exe i can find running its discription is Client Server Runningtime Process and the company name is Microsoft Corporation, I'm guessing thats ilgit but not knowing much about computers i though it best to ask, sorry to be a pain.

---

the fake csrss.exe should be located in C:\Program Files\Block Checker
There should be 2 in there and in the information section down the bottom it should tell you the location. make sure you have looked through it thouroghly.

ok ive looked again and there is only the one, and i dont have anything to do with block checker in my program files, my dad was playing with my pc last night and trying to get rid of it, maybe he deleted it all then, im still getting some messages on msn though.

You're GETTING messages sure, from OTHER people who are infected.

i installed this and then uninstalled this and all of the items in cookieRevised instructions were already deleted when I tried to follow them. The uninstaller seemed to work perfectly well for me. I didn;t have to do nething extra

quote:

---

Originally posted by benjyrama
i installed this and then uninstalled this and all of the items in cookieRevised instructions were already deleted when I tried to follow them. The uninstaller seemed to work perfectly well for me. I didn;t have to do nething extra

---

quote:

---

Originally posted by segosa
You're GETTING messages sure, from OTHER people who are infected.

---

can someone tell me how to remove this blockchecker ?????

quote:

---

Originally posted by underacloud11
can someone tell me how to remove this blockchecker ?????

---

A friend's son installed this, realised their mistake and tried to uninstall it without using the process described in this thread and now they are unable to login to messenger or view www.hotmail.com.

I called around to them on Saturday and worked through the process but it seemed slightly different (not sure if they installed a different version or if it is because of their attempts at uninstall). The most notable was that the exclusion****.ini files were in the application data folder for the user account rather than system.

Also, it seems to cross install between user accounts (unless everyone in that family installed Block Checker and just blamed him - possible).

When the process described in this thread didn't work, I had to give up as I was meant to be elsewhere but promised to return and sort it out this week.

Has anyone got any ideas how to regain access to hotmail and messenger?

Has anyone seen this before?

Thanks,

Dave

the way u posted is not effective...
the block-checker still remain in my comp...
pls help...
process explorer9x cannot kill the process...

My daughter downloaded the Blockchecker from AIM and I have spent the last few hours trying to find out what was going on with this dang computer.  Once I found out, I then tried to get rid of it.  This was the second site I found for info and was all ready to just come back tomorrow (it's a lengthy process) when I took one more look for some sort of help.  Woohoo!!  I finally succeeded with that and it was VERY easy and painless.  I went to the following site (http://www.jayloden.com/block-checker.htm) and it took less than five minutes and as of right now, there is absolutely no trace of Blockchecker.  I truly hope this helps others with the same problem.  I'm not positive but this may be an AIMFix only, but I do know that it WILL work for AIM.

quote:

---

Originally posted by Ladylibra_10
I'm not positive but this may be an AIMFix only

---

[size=4][color=red][b][font=Tahoma[/font][align=justify]IT DOES NOT WORK ITS A VIRUS DO NOT DOWNLOAD IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Yep, this program gave me three Trojan viruses. I detected the viruses with AVG Free, you can Google it and download, it's free and it works. I also have a virus vault that I put my viruses in to disable their activity. I also killed all signs of Block Checker on my computer.

Several of my friends had this, they were all slightly technologically impaired, and had no idea what they were doing, it was very hard to tell them what to do over MSN without using remote assistance. Eventually I succeeded in my blind instructions and obviously they had uninstalled it (the tell-a-friend-about-the-virus-i-have message never showed up again. EVER.).