Block-Checker - Printable Version
Block-Checker by mwe99 on 08-17-2005 at 03:29 PM
Moderator edit: do not download/use this, it is a virus.
RE: Block-Checker by absorbation on 08-17-2005 at 03:31 PM
looks dodgy, the download count keeps changing plus it says 100% accurate and is for yahoo as well
RE: Block-Checker by mwe99 on 08-17-2005 at 03:32 PM
Well it just told me my friend sent the message but on his screen i sent it... whatever it is, it's dodgy
RE: Block-Checker by ~INVASION~ on 08-17-2005 at 03:34 PM
RE: Block-Checker by mwe99 on 08-17-2005 at 03:36 PM
Yar i just found that, to remove it if the uninstaller mysteriously doesn't work you have to boot in safe mode and edit the registry
RE: Block-Checker by Millenium_edition on 08-17-2005 at 03:41 PM
it's probably a trojan/keylogger or something
RE: Block-Checker by mwe99 on 08-17-2005 at 04:04 PM
strange that my anti virus never picked it up
RE: Block-Checker by toddy on 08-17-2005 at 04:05 PM
rofl at newbs
RE: Block-Checker by segosa on 08-17-2005 at 04:17 PM
Its so called "version check" when it starts is this:
If you enter an address and click check all it does is contact http://blockstatus.com/msn/stchecker with the appropriate POST variables filled in. Effectively ripping off their service.
Installs these files in C:\Program Files\Block Checker
code:"Block Checker.exe" is the one which is the block checker, the others run in the background:
csrss.exe and block-checker.exe are executed at the end of installation. csrss.exe is the name of a critical Windows process, obviously why the file was named that.
setup_finish.exe (coded in VB) is the file which is executed at the end of installation and it executes csrss.exe and block-checker.exe. It also seems to attempt to delete "system.exe".
csrss.exe is written in VB too, and its purpose is simply to constantly scan the process list and make sure block-checker.exe is there. If it isn't, it will restart the exe.
And of course our lovely block-checker.exe's reason for running is to search for Yahoo, MSN and AIM conversation windows it can send the following messages to:
"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"
"Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on MSN because I use http://www.block-checker.com"
"Did they block you too? Download a free MSN Block Checker http://www.block-checker.com"
"Find out who's blocking you on MSN, Download it free from http://www.block-checker.com"
"Find out who's blocking you on Yahoo, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on Yahoo? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on Yahoo because I use http://www.block-checker.com"
"Did they block you too? Download a free Yahoo Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"
"Find out who's blocking you on AIM, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on AIM? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on AIM because I use http://www.block-checker.com"
"Did they block you too? Download a free AIM Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on AIM! Download it now http://www.block-checker.com"
The code has evidence that it also searches the process list for csrss.exe to keep it running, but I think their plan backfired as it will always find the legitimate Windows csrss.exe file.
To send messages to MSN Messenger conversation windows it searches for windows containing " - Conversation" and uses sendkeys to send the message.
It creates files "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" in the system directory which look like they include the people the message has already been sent to, in order not to resend it to anyone...
It adds itself to startup, of course, under HKLM with the name "block-checker" pointing to C:\Program Files\Block Checker\block-checker.exe.
@mwe99: well how the hell is your antivirus going to pick it up if THIS IS A NEW VIRUS? An antivirus can't detect what it doesn't know about.
RE: Block-Checker by Concord Dawn on 08-17-2005 at 04:33 PM
Sounds kind of lame tbh.
RE: Block-Checker by zaher1988 on 08-17-2005 at 04:36 PM
i have installed it !!
RE: Block-Checker by mwe99 on 08-17-2005 at 04:41 PM
Apparently you can uninstall it with Control Panel > Add/Remove Programs
RE: Block-Checker by segosa on 08-17-2005 at 04:45 PM
I highly doubt it removes the virus too.
RE: Block-Checker by mwe99 on 08-17-2005 at 04:47 PM
I was thinking the same, they also have an advanced removal that involves start up and you deleting stuff out of the registry
RE: Block-Checker by zaher1988 on 08-17-2005 at 04:48 PM
i'm gonna check using McAfee and reply
RE: Block-Checker by guanako on 08-17-2005 at 05:14 PM
wat a rip off i've never tried a block checker, if u got block there must be a reason for it but be careful w/ wat u install
RE: Block-Checker by mwe99 on 08-17-2005 at 05:16 PM
If any i think NoRooms list manager is the one i use a lot. Sure they can't be relied upon 100% but anything is good enough.
RE: Block-Checker by Millenium_edition on 08-17-2005 at 05:29 PM
quote:you seem to have no understanding whatsoever of what this tool does. it checks if people have deleted you, certainly NOT blocked. yes, there is a difference, a big difference, actually. more on this: http://shoutbox.menthix.net/showthread.php?tid=44...d=461135#pid461135
RE: Block-Checker by mwe99 on 08-17-2005 at 06:06 PM
I would appreciate you not yelling at me or publicly discrediting me, believe it or not i know what the tool does, but thought of this? Who is gonna keep you on their list after they have blocked you.
RE: Block-Checker by CookieRevised on 08-17-2005 at 06:07 PM
quote:blocking isn't only done because people annoy people. There are other reasons as well...
edit: eg: you don't want to be disturbed for a while, yet you want to be able to answer that oh-so-important question from that special someone....
RE: Block-Checker by Joa on 08-17-2005 at 06:51 PM
you have a good point, though cookie is right too. the person who blocks you will not always delete you from their list...
check out this thread. i know it is not the best way to detect blocking, but considering that there is no other way, it is not SO bad ..though it is rather limited.
RE: Block-Checker by Fergy on 08-19-2005 at 05:50 AM
I got this message from one of my friends earlier today, good thing I trusted my instincts. I'm probably gonna go to his house tonight and fix it up.
RE: Block-Checker by segosa on 08-19-2005 at 09:40 AM
RE: RE: Block-Checker by CookieRevised on 08-19-2005 at 12:06 PM
quote:MSCONFIG does NOT remove it completely from the registry, it creates a backup of it when you "delete" it...
Go directly to your registry (regedit.exe) and delete it yourself or use a decent 3rd party program...
For more info on MSCONFIG and this issue, see:
CookieRevised's reply to Start-up Programs
RE: Block-Checker by Fergy on 08-19-2005 at 02:44 PM
Thanks for the advice, unfortunately i couldn't go to my friend's house today (I was sick) so i'd probably go there sometime this weekend.
RE: RE: Block-Checker by kipper2258 on 08-20-2005 at 03:31 PM
I know the feeling, do it all the time
RE: Block-Checker by Val on 08-21-2005 at 04:11 AM
i knew that was a virus from the beginning just the weird shit that they would always say the same shit over and over again lol and then they started to give me winks lol
RE: Block-Checker by Fergy on 08-21-2005 at 04:06 PM
I've finally had time to remove one of these suckers from someone's computer (over remote assistance too). The problem is that the CSRSS.EXE process can't be killed by windows task manager because it thinks it's a proper windows process
PS: Make sure you empty your Recycle Bin
RE: Block-Checker by CookieRevised on 08-21-2005 at 04:41 PM
quote:they aren't always "next to each other" though...
To avoid killing the wrong csrss.exe process, look at the "user name" field which started the process.
If it is "SYSTEM" or "NT AUTHORITY" or the likes then it means it is the legit windows process.
If it is your username/computername then it means the csrss.exe has started up as a normal program and thus the process is not legit and a fake. This is the one you need to kill...
You could also check out the path of the csrss.exe in Process Explorer (right click on it and choose properties). If it is "c:\program files\block checker" or the likes, then you got the right one also...
Good compiled list though ...
Though I would also suggest to move the "uninstall blockchecker" step further down, after you've killed the processes.
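The two checks from the post above (owning user and image path), as an added example that is not part of the original thread: a Python sketch that flags a process using the csrss.exe name from the wrong folder or account, and orders the flagged watchdog ahead of the processes it launched. The process snapshot is constructed sample data; the field names, the helper names and the default system folder are assumptions.

```python
from dataclasses import dataclass
from ntpath import dirname, normcase, normpath  # Windows path rules on any OS

# Assumed default install: where the genuine process lives and who owns it.
PROTECTED = {"csrss.exe": r"C:\WINDOWS\system32"}
SYSTEM_USERS = {"system", "nt authority\\system"}

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    path: str

# Constructed sample snapshot (not captured from a real machine).
SNAPSHOT = [
    Proc(612, 4, "csrss.exe", "NT AUTHORITY\\SYSTEM",
         r"C:\WINDOWS\system32\csrss.exe"),
    Proc(1500, 1, "explorer.exe", "HOME-PC\\kid", r"C:\WINDOWS\explorer.exe"),
    Proc(2104, 1500, "csrss.exe", "HOME-PC\\kid",
         r"C:\Program Files\Block Checker\csrss.exe"),
    Proc(2188, 2104, "block-checker.exe", "HOME-PC\\kid",
         r"C:\Program Files\Block Checker\block-checker.exe"),
]

def masquerade_reasons(p):
    """Return why a process with a protected name looks fake ([] if it is fine)."""
    expected = PROTECTED.get(p.name.lower())
    if expected is None:
        return []
    reasons = []
    if normcase(normpath(dirname(p.path))) != normcase(normpath(expected)):
        reasons.append("image path outside " + expected)
    if p.user.lower() not in SYSTEM_USERS:
        reasons.append("started by " + p.user)
    return reasons

def find_masquerades(procs):
    """Map pid -> list of reasons for every suspicious process."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}

def termination_order(procs, flagged):
    """Flagged watchdogs first, then their descendants, so nothing is restarted."""
    order = list(flagged)
    queue = list(flagged)
    while queue:
        parent = queue.pop(0)
        for p in procs:
            if p.ppid == parent and p.pid not in order:
                order.append(p.pid)
                queue.append(p.pid)
    return order

if __name__ == "__main__":
    hits = find_masquerades(SNAPSHOT)
    for pid, why in hits.items():
        print(pid, "; ".join(why))
    print("terminate in order:", termination_order(SNAPSHOT, hits))
```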
RE: Block-Checker by Fergy on 08-21-2005 at 04:54 PM
thanks cookie. When i did it, blockchecker.exe was a branch of the fake csrss.exe, perhaps i killed the blockchecker.exe process first and the csrss process restarted it.
RE: Block-Checker by CookieRevised on 08-21-2005 at 05:19 PM
Step 2: Removing the files
Step 3: Fixing the registry
Note 1: The reason why you need to use a program like Process Explorer to do this is because the Windows Task/Process Manager itself could refuse to kill "csrss.exe" as it could think it is a legit system process. Also, not all Windows versions have a Task/Process Manager that is able to kill processes.
Note 2: Do not use MSCONFIG to delete startup entries. This will NOT permanently delete the startup entries, and above all Windows will use an alternative boot sequence to start up. This boot sequence is easily switched back by accident and the things you wanted deleted will be put back! If you must use a program to alter the registry, then use a program like AutoRuns (this program will also list ALL the startup entries that exist in Windows; MSCONFIG seriously lacks an extremely large amount of such entries).
Note 3: (technical) info of what this malware exactly does can be found in Segosa's reply.
RE: Block-Checker by Fergy on 08-21-2005 at 05:29 PM
thanks once again cookie
RE: Block-Checker by qgroessl on 08-22-2005 at 01:46 AM
Not sure if this was mentioned or not... But this is being spread via IM too... Like... It'll send when you first talk to somebody without you sending it.... It's annoying and I thought it was a bit dodgy.... Any way to get rid of this?
RE: Block-Checker by mwe99 on 08-22-2005 at 02:10 AM
That is the main spread method, if you follow the instructions from Fergy (it's a good and helpful post) for the removal
RE: Block-Checker by qgroessl on 08-22-2005 at 03:23 AM
I don't think there's anything to remove? I've never downloaded the software let alone gone to the website...
RE: Block-Checker by Lou on 08-22-2005 at 03:35 AM
quote:think he means by his contacts...
RE: Block-Checker by ~INVASION~ on 08-22-2005 at 03:56 AM
this seems to be spreading now
RE: Block-Checker by qgroessl on 08-22-2005 at 04:07 AM
Exactly... and I guess they get it from me also though. so it's both... I send it to them... and they send it to me... the message goes like this:
I wouldn't click the link though.
RE: Block-Checker by Fergy on 08-22-2005 at 04:19 AM
I remember bropia, it sucked. I think the block checker is spreading so fast because it has appeal and it doesn't end in a .pif
RE: Block-Checker by CookieRevised on 08-22-2005 at 09:35 AM
qgroessl, please read the thread before you post........
RE: Block-Checker by Sunshine on 08-24-2005 at 10:12 AM
After helping out Paul Frome (Idium) with this virus (I've sent him an e-mail with links to instructions), he decided to make a small txt file you can send to your contacts who got infected. It seems to be spreading fast as he already helped out 8 people with this as well.
RE: Block-Checker by Idium on 08-24-2005 at 10:34 AM
i thought that a txt file would help ppl out so they can have a set of instructions which can be sent to anyone who was infected.
RE: Block-Checker by saralk on 08-24-2005 at 10:47 AM
Is this a virus that connects to a botnet?
RE: Block-Checker by Idium on 08-24-2005 at 02:15 PM
possibly but i don't think this is one
RE: Block-Checker by ShawnZ on 08-24-2005 at 02:29 PM
Um that's all well and good but you don't need to download process explorer, just use ctrl+alt+del...
RE: RE: Block-Checker by segosa on 08-24-2005 at 02:50 PM
No, and no.
Botnets have far better protection from outsiders than that.
First the channel is set +u (if the IRCd is UnrealIRCd) so that anyone who isn't an op (all the bots, and you if you joined the channel) can only see ops in the channel. If you joined the botnet channel you'd only see people who were op, and that'd be only a couple of people.
Then there's a password to login to the bots, that is easily found if you have the trojan's exe, but it is almost useless in a case like this because the bots will only allow people with a certain hostmask to login.
A hostmask is something like this:
That's ident@hostname and hostname is something your ISP will give you. The problem is, since the bot owners own the server and are administrators of the IRC server, they can set their hostname to be anything they want. Usually it's something stupid like fbi.gov, something no one could get.
So no, it's not that easy...
ShawnZ: Windows' task manager won't give you any clue which csrss.exe is the trojan one.
RE: Block-Checker by CookieRevised on 08-24-2005 at 03:34 PM
quote:yes you do....
Windows Task/Process Manager refuses to kill "csrss.exe" as it could think it is a system process... Also, not all Windows versions offer a process killing ability like in XP...
Everything written in the "uninstall guide" (every word and sentence) and also the order it has been written in, is important and has underlying meanings and purposes...
RE: Block-Checker by Fergy on 08-24-2005 at 04:34 PM
I liked this idea, but i don't like reading .txt files, so i made an HTML version, it's not that much bigger.
RE: Block-Checker by Idium on 08-24-2005 at 05:50 PM
thanx cookie for correctin my write-up. I've got the new one now
RE: Block-Checker by kipper2258 on 08-24-2005 at 09:35 PM
as a note is there any way someone could make a removal tool, since contacts i give instructions to seem to be struggling
RE: Block-Checker by lui2603 on 08-24-2005 at 11:51 PM
PEOPLE!! this is Not! a virus! it is just a program that checks for people are offline or online... but doesn't work.. and the message it gives out to your contacts is just a "tell a friend" thingy that comes with the block-checker program!
RE: Block-Checker by Fergy on 08-25-2005 at 04:34 AM
quote:It is considered as malware. It takes up your memory and does not do anything except for spammin others with their advertising.
quote:That doesn't completely remove it
follow cookierevised's instructions to erase it completely
RE: RE: Block-Checker by CookieRevised on 08-25-2005 at 04:48 AM
quote:It isn't even a program but a very badly compiled list of instructions with many (important) things left out.
RE: Block-Checker by kipper2258 on 08-25-2005 at 03:49 PM
That has to be one of the worst removal "programs" I have ever seen, people like this deserve to be sued for the misleading information they provide
RE: RE: Block-Checker by selene on 08-26-2005 at 02:56 PM
RE: Block-Checker by Fergy on 08-26-2005 at 03:55 PM
the fake csrss.exe should be located in C:\Program Files\Block Checker
RE: Block-Checker by selene on 08-26-2005 at 04:05 PM
ok I've looked again and there is only the one, and i don't have anything to do with block checker in my program files, my dad was playing with my pc last night and trying to get rid of it, maybe he deleted it all then, I'm still getting some messages on msn though.
RE: Block-Checker by segosa on 08-26-2005 at 04:37 PM
You're GETTING messages sure, from OTHER people who are infected.
RE: Block-Checker by benjyrama on 08-27-2005 at 11:53 AM
i installed this and then uninstalled this and all of the items in CookieRevised's instructions were already deleted when I tried to follow them. The uninstaller seemed to work perfectly well for me. I didn't have to do nething extra
RE: Block-Checker by CookieRevised on 08-27-2005 at 04:06 PM
quote:Hence I said to run the uninstaller first and why I said "if it still exists" in several of the points...
note that the uninstaller doesn't always seem to work (as reported by many people)
RE: RE: Block-Checker by selene on 08-31-2005 at 01:31 AM
when they were being sent from me?
Oh well it don't matter now it's gone
RE: Block-Checker by underacloud11 on 09-04-2005 at 10:01 PM
can someone tell me how to remove this blockchecker ?????
RE: RE: Block-Checker by CookieRevised on 09-05-2005 at 04:46 AM
quote:Complete and detailed instructions have been posted already, here. Please read threads before posting and asking what has already been said.
RE: Block-Checker by daveok on 09-19-2005 at 06:06 AM
A friend's son installed this, realised their mistake and tried to uninstall it without using the process described in this thread and now they are unable to login to messenger or view www.hotmail.com.
RE: Block-Checker by jiz on 03-07-2006 at 01:04 AM
the way u posted is not effective...
RE: Block-Checker by Ladylibra_10 on 04-12-2006 at 05:30 AM
My daughter downloaded the Blockchecker from AIM and I have spent the last few hours trying to find out what was going on with this dang computer. Once I found out, I then tried to get rid of it. This was the second site I found for info and was all ready to just come back tomorrow (it's a lengthy process) when I took one more look for some sort of help. Woohoo!! I finally succeeded with that and it was VERY easy and painless. I went to the following site (http://www.jayloden.com/block-checker.htm) and it took less than five minutes and as of right now, there is absolutely no trace of Blockchecker. I truly hope this helps others with the same problem. I'm not positive but this may be an AIMFix only, but I do know that it WILL work for AIM.
RE: Block-Checker by NiteMare on 04-12-2006 at 06:16 AM
quote:what's AIMfix, i know what AIM is but i've never heard of AIMfix
RE: Block-Checker by adam9106 on 05-21-2006 at 07:15 PM
IT DOES NOT WORK IT'S A VIRUS DO NOT DOWNLOAD IT!!!
RE: Block-Checker by Beabees on 08-03-2006 at 06:57 PM
Yep, this program gave me three Trojan viruses. I detected the viruses with AVG Free, you can Google it and download, it's free and it works. I also have a virus vault that I put my viruses in to disable their activity. I also killed all signs of Block Checker on my computer.
RE: Block-Checker by ryxdp on 08-09-2006 at 06:32 AM
Several of my friends had this, they were all slightly technologically impaired, and had no idea what they were doing, it was very hard to tell them what to do over MSN without using remote assistance. Eventually I succeeded in my blind instructions and obviously they had uninstalled it (the tell-a-friend-about-the-virus-i-have message never showed up again. EVER.).