Krisboats, posted March 18, 2006

After having so many people now start a conversation with me and have this thing tell me there may be people blocking me on MSN (if they have, it's probably because I annoyed them or they're c***s, so I don't care). Could people please take the time to get rid of these and not just let it stay on your computers.

Here's a little bit about it that I found (on www.askmarvin.ca) and thought would be useful:

That problem is occurring because you have been infected with adware called Adware.BlockChecker. Here are some details on it:

File names: block-checker.exe

When Adware.BlockChecker is executed, it performs the following actions:

Adds the value:
"BlockChecker" = "path of itself"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.

Creates the following registry subkeys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL

Sends one of the following messages to the contacts of Microsoft Messenger, Yahoo Instant Messenger and AOL Instant Messenger:

Find out who's blocking you on MSN, Download it free from [http://]www.block-checker[REMOVED].com
Did you know you can find out who blocked you on MSN? Check it out, it's free [http://]www.block-checker[REMOVED].com
I know who's blocking me on MSN because I use [http://]www.block-checker[REMOVED].com
Did they block you too? Download a free MSN Block Checker [http://]www.block-checker[REMOVED].com
Hey you can see who's blocking you on MSN! Download it now [http://]www.block-checker[REMOVED].com
Find out who's blocking you on Yahoo, Download it free from [http://]www.block-checker[REMOVED].com
Did you know you can find out who blocked you on Yahoo? Check it out, it's free [http://]www.block-checker[REMOVED].com
I know who's blocking me on Yahoo because I use [http://]www.block-checker[REMOVED].com
Did they block you too? Download a free Yahoo Block Checker [http://]www.block-checker[REMOVED].com
I know who's blocking me on AIM because I use [http://]www.block-checker[REMOVED].com
Find out who's blocking you on AIM, Download it free from [http://]www.block-checker[REMOVED].com
Did you know you can find out who blocked you on AIM? Check it out, it's free [http://]www.block-checker[REMOVED].com
Did they block you too? Download a free AIM Block Checker [http://]www.block-checker[REMOVED].com
Hey you can see who's blocking you on AIM! Download it now [http://]www.block-checker[REMOVED].com

And here's how to get rid of it:

1. Go to Control Panel > Add/Remove Programs, look for anything you don't want and uninstall the program(s).

2. Download Ad-Aware SE. Run it and first check if there is a new update. Then select "Perform full system scan" and on the same page uncheck "Search for negligible risk entries", as they are no security threat. If Ad-Aware finds something, click next > scan summary > check the things you want to remove > next > ok to confirm.

3. If you have Windows 2000/XP you can try these two antispyware programs. Better than Ad-Aware. Make sure you update them before you start. For best results please scan in safe mode.
Ewido Security Suite <-----recommended
Windows® Defender

4. Run at least one of these free online virus scans. Try to delete what they find.
Panda ActiveScan <-----recommended
Trend Micro's HouseCall <----Works with Firefox/Netscape. Must have Java enabled
BitDefender's online scan

After you have done all of the above and still have problems, you can download the newest version of HijackThis here. Unzip it to its own folder, for example C:\hjt\. Do NOT run it from a temp folder or your desktop!
Also scan with HijackThis in "normal" mode, not safe mode. Run it and choose "Do a system scan and save the logfile". It will open a window in Notepad. Copy and paste the log to your new topic.

If you start a new topic, please let us know how everything turned out... Good or bad.

Good luck and all the best

I also found this from punkrider last year that may help get rid of it:

This can be categorized as "virus", or at least a very dodgy program.

    POST /version.html HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-us
    Content-Length: 0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.block-checker.com
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Date: Wed, 17 Aug 2005 15:51:18 GMT
    Server: Apache
    Last-Modified: Fri, 12 Aug 2005 00:00:51 GMT
    ETag: "190107-b-34f0d2c0"
    Accept-Ranges: bytes
    Content-Length: 11
    Content-Type: text/html
    Age: 1
    Connection: close

    version 1.0

If you enter an address and click check, all it does is contact http://blockstatus.com/msn/stchecker with the appropriate POST variables filled in. Effectively ripping off their service.

Installs these files in C:\Program Files\Block Checker

    08/11/2005  04:50 PM    720,896 Block Checker.exe
    08/10/2005  07:46 PM     49,152 block-checker.exe
    08/10/2005  07:45 PM     28,672 csrss.exe
    08/17/2005  05:51 PM      2,037 setup.log
    08/11/2005  04:16 PM     16,384 setup_finish.exe
    10/18/2003  05:58 PM     64,512 uninstall.exe
    6 File(s) 881,653 bytes

"Block Checker.exe" is the one which is the block checker, the others run in the background: csrss.exe and block-checker.exe are executed at the end of installation. csrss.exe is the name of a critical Windows process, obviously why the file was named that.

setup_finish.exe (coded in VB) is the file which is executed at the end of installation and it executes csrss.exe and block-checker.exe. It also seems to attempt to delete "system.exe".
csrss.exe is written in VB too, and its purpose is simply to constantly scan the process list and make sure block-checker.exe is there. If it isn't, it will restart the exe.

And of course our lovely block-checker.exe's reason for running is to search for Yahoo, MSN and AIM conversation windows it can send the following messages to:

"Hey you can see who's blocking you on MSN! Download it now *sitelink*"
"Did you know you can find out who blocked you on MSN? Check it out, it's free *sitelink*"
"I know who's blocking me on MSN because I use *sitelink*"
"Did they block you too? Download a free MSN Block Checker *sitelink*"
"Find out who's blocking you on MSN, Download it free from *sitelink*"
"Find out who's blocking you on Yahoo, Download it free from *sitelink*"
"Did you know you can find out who blocked you on Yahoo? Check it out, it's free *sitelink*"
"I know who's blocking me on Yahoo because I use *sitelink*"
"Did they block you too? Download a free Yahoo Block Checker *sitelink*"
"Hey you can see who's blocking you on MSN! Download it now *sitelink*"
"Find out who's blocking you on AIM, Download it free from *sitelink*"
"Did you know you can find out who blocked you on AIM? Check it out, it's free *sitelink*"
"I know who's blocking me on AIM because I use *sitelink*"
"Did they block you too? Download a free AIM Block Checker *sitelink*"
"Hey you can see who's blocking you on AIM! Download it now *sitelink*"

The code has evidence that it also searches the process list for csrss.exe to keep it running, but I think their plan backfired as it will always find the legitimate Windows csrss.exe file.

To send messages to MSN Messenger conversation windows it searches for windows containing " - Conversation" and uses sendkeys to send the message.

It creates files "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" in the system directory which look like they include the people the message has already been sent to, in order not to resend it to anyone...
It adds itself to startup, of course, under HKLM with the name "block-checker" pointing to C:\Program Files\Block Checker\block-checker.exe.

This is a new virus, an antivirus can't detect what it doesn't know about.

Hope it helps people out, and if anybody opens MSN and shows me a block checker announcement they are going to get a roasting. :$
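
Added example, not part of the original post or either quoted write-up: a read-only PowerShell check for the indicators listed above (the Run value, the IMAdvertiser keys, the dropped files, the exclusion_*.ini lists, and a csrss.exe running from outside the system directory). Assumptions: the default install folder quoted above, "system directory" meaning System32 (or SysWOW64 for a 32-bit program), and the WOW6432Node and Program Files (x86) locations that 32-bit software is redirected to on 64-bit Windows.

```powershell
# Added example: reports Block Checker indicators; changes nothing on the system.
$findings = @()

# 1. Run-key persistence. The post gives two value names for the same entry.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumption: 32-bit view
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'BlockChecker', 'block-checker') {
        $prop = if ($run) { $run.PSObject.Properties[$name] }
        if ($prop) { $findings += "Run value '$name' in $key -> $($prop.Value)" }
    }
}

# 2. Per-user settings keys created by the adware.
foreach ($im in 'MSN', 'Yahoo', 'AOL') {
    $key = "HKCU:\Software\VB and VBA Program Settings\IMAdvertiser\$im"
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# 3. Dropped files in the install folder (default path from the post).
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $dirs) {
    foreach ($f in 'Block Checker.exe', 'block-checker.exe', 'csrss.exe', 'setup_finish.exe') {
        $p = Join-Path (Join-Path $dir 'Block Checker') $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 4. Lists of already-messaged contacts in the system directory.
$sys = [Environment]::SystemDirectory
foreach ($dir in $sys, (Join-Path $env:SystemRoot 'SysWOW64')) {
    foreach ($f in 'exclusion_AOL.ini', 'exclusion_MSN.ini', 'exclusion_Yahoo.ini') {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 5. The watchdog borrows the csrss.exe name; the genuine one lives in System32.
#    ExecutablePath can be empty for protected processes, so only known paths are judged.
$procs = Get-CimInstance Win32_Process -Filter "Name='csrss.exe' OR Name='block-checker.exe'"
foreach ($proc in $procs) {
    $path = $proc.ExecutablePath
    if ($path -and -not $path.StartsWith($sys, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Process outside system directory: $($proc.Name) at $path (PID $($proc.ProcessId))"
    }
}

if ($findings) { $findings } else { 'No Block Checker indicators found.' }
```

The HKCU and exclusion-file checks only cover the account running the script, so run it once per user profile on a shared machine.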