I got a call last week from a firm I had been in contact with, but had not done any work for.
One of the principals had gotten a viral infection: Antivirus XP 2008. I assisted with the removal of it, but got a call about 15 minutes after I left that the “Blue Screen” was still there.
When I got back on site, I saw what appeared to be a Blue Screen of Death (BSOD), followed by a partial reboot, followed by a BSOD, followed by a partial reboot…rinse and repeat. I started to hyperventilate (figuring I would be there all night), when the user pointed out that he could just press CTRL-ALT-DEL and the Task Manager would pop up.
After a little research, I discovered that this is just a very diabolical screen saver. And, to make things more complicated, registry entries are put in to keep you from turning it off.
From Symantec’s website, here is how you manually remove the Trojan.BluSOD:
Note: Be sure to backup the registry before working on it!
Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
Restore the following registry entries to their previous values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "[RANDOM CLSID]"
HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
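Before walking the list by hand, it helps to know which of those entries are actually present on the box. The audit script below is an added example of mine, not Symantec's procedure or anything from the original post; it is read-only, uses only the registry paths quoted above, and treats the `lph*`, `blph*` and `ph*` wildcards as stand-ins for the [RANDOM CHARACTERS] the write-up describes. Run it as the affected user (the HKCU checks are per profile), then remediate manually per the steps above.

```powershell
function Test-RegValue {
    # Emit a finding object when $Path\$Name exists and $Bad says its value looks tampered.
    param([string]$Path, [string]$Name, [scriptblock]$Bad, [string]$Why)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $value = $item.$Name
    if (& $Bad $value) {
        [pscustomobject]@{ Path = $Path; Name = $Name; Value = $value; Why = $Why }
    }
}

function Find-BluSodIndicators {
    # Sysinternals BlueScreen saver EULA flag: the trojan drops that saver pre-accepted
    Test-RegValue 'HKCU:\Software\Sysinternals\Bluescreen Screen Saver' 'EULAAccepted' `
        { $args[0] -eq 1 } 'BlueScreen saver EULA pre-accepted'

    # Autorun entry named lph<random> that launches %System%\lph<random>.exe
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = (Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($p in $props | Where-Object { $_.Name -like 'lph*' -and $_.Value -like '*\lph*.exe' }) {
        [pscustomobject]@{ Path = $run; Name = $p.Name; Value = $p.Value; Why = 'lph* autorun entry' }
    }

    # Screen saver and wallpaper swapped for the trojan's blph<random>.scr / ph<random>.bmp
    $desk = 'HKCU:\Control Panel\Desktop'
    Test-RegValue $desk 'SCRNSAVE.EXE' { $args[0] -like '*\blph*.scr' } 'screen saver is blph*.scr'
    Test-RegValue $desk 'ConvertedWallpaper' { $args[0] -like '*\ph*.bmp' } 'wallpaper is ph*.bmp'

    # Policy values that hide the Screen Saver and Background tabs (non-zero = hidden)
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'NoDispScrSavPage', 'NoDispBackgroundPage') {
        Test-RegValue $pol $n { $args[0] -ne 0 } "$n hides the settings tab"
    }

    # System Restore switched off (DisableSR != 0) or its sr service no longer boot-start (Start != 0)
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'DisableSR' `
        { $args[0] -ne 0 } 'System Restore disabled'
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        Test-RegValue "HKLM:\SYSTEM\$cs\Services\sr" 'Start' { $args[0] -ne 0 } 'sr service start type changed'
    }
}

# Collect through a pipeline so checks that emit nothing add nothing to the result.
$findings = @(Find-BluSodIndicators)
if ($findings.Count -eq 0) { 'No Trojan.BluSOD registry indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Each finding names the key, the value and why it matters, so the manual delete/restore steps above can be limited to what the machine actually shows; an empty result for one user does not clear the others, per Symantec's note.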
Thanks, Google and Peter Norton!