Trojan.Blusod is a Trojan horse that disables System Restore and may download and run a joke screensaver on the infected computer.
Other Alias: -
Threat Level: Low
Systems Affected: Windows – All
Source: Symantec
How to Remove Trojan.Blusod:
This page contains our (precisesecurity) suggested removal procedure and visitors' own suggestions. We cannot control or evaluate each suggested procedure, so please use them at your own risk.
If no suggestion is listed for removing the virus, spyware, adware or malware, you may try the following:
- Scan Trojan.Blusod with Malwarebytes' Anti-Malware
- Remove Trojan.Blusod with Standard Virus Scan
32 Responses for "Trojan.Blusod"
1. Temporarily disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot the computer in Safe Mode. [how to]
4. Run a full system scan and clean or delete all infected files.
5. Delete or modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
Restore the following registry entries to their previous values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "906b1f2d-66b5-439e-8c02-9d08858fe527"
HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
6. Exit the registry editor and restart the computer.
7. To make sure the threat is completely eliminated, run a full scan of your computer with antivirus and antispyware software. Alternatively, an online virus scanner can remove the virus without the need to install an antivirus program.
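Step 5 of the procedure above, as an added example that is not part of the original page: a read-only check that parses a registry export (.reg text) and reports which of the listed entries are present, so you know what to look at before editing anything. The sample export, its suffix `c1a2b` and the function names are constructed for illustration.

```python
import re

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
# (key, value-name regex, action) transcribed from step 5 of the procedure.
ENTRIES = [
    (HKCU + r"\Software\Sysinternals\Bluescreen Screen Saver", r"EULAAccepted", "delete"),
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", r"lph\w+", "restore"),
    (HKLM + r"\SOFTWARE\Microsoft\Software Notifier", r"InstallationID", "restore"),
    (HKCU + r"\Control Panel\Desktop",
     r"ConvertedWallpaper|SCRNSAVE\.EXE|ScreenSaveActive|TileWallpaper", "restore"),
    (HKCU + r"\Control Panel\Colors", r"Background", "restore"),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     r"NoDispBackgroundPage|NoDispScrSavPage", "restore"),
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", r"DisableSR", "restore"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\sr", r"Start|ImagePath", "restore"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\sr\Parameters", r"FirstRun", "restore"),
]

# Constructed sample export; "c1a2b" stands in for [RANDOM CHARACTERS].
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1a2b"="C:\\WINDOWS\\system32\\lphc1a2b.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EULAAccepted"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr]
"Start"=dword:00000000
"DisplayName"="System Restore Filter Driver"
[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 0 255"
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return sorted (action, key, name, data) for every listed entry found."""
    hits = []
    for key, name, data in parse_reg(text):
        # ControlSet001 and CurrentControlSet are both listed; compare them as one.
        norm = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.I)
        for want, name_re, action in ENTRIES:
            if norm.lower() == want.lower() and re.fullmatch(name_re, name, re.I):
                hits.append((action, key, name, data))
    return sorted(hits)

if __name__ == "__main__":
    for action, key, name, data in audit(SAMPLE):
        print(f"{action:8} {key}\\{name} = {data}")
```

On a live system the input can come from `reg export`, whose output is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.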
For the SoftwareNotifier “InstallationID” … is the value listed (906…) the value I should change the entry TO?
Bob, you can just delete the entry; anyway, it is just being used by the trojan. Just make sure you have a backup of your Registry before modifying it.
Thank you so much for posting this.. I had the same virus and I fixed my PC with your help!
wow i cannot express my gratification enough to whomever posted this!, thank you kind sir you are a gentleman and a scholar
Thanks for this! It worked!
Just as an aside, it also will remove the current wallpaper and, at least in Vista 32-bit, remove the Desktop Wallpaper option in the Personalization menu. It also appears to change the background color of the desktop to blue, possibly the reason for the name “blusod” (blue screen of death).
Er… sorry to double post, but I see that’s already covered in the description under the registry entries that use Background and TileWallpaper. My mistake.
I deleted the entry, and even ran that registry restore ‘UnHookExec’ thingy, and this stupid trojan IS STILL ON MY COMPUTER. any ideas?! this is really annoying and I don’t want to have to erase my computer and start new
Hey, thanks for everything, it’s worked… almost. I got rid of the trojan, however, my desktop is gone, my vista appearance gone too… now it looks like msw9x… yeah… sucks. Also, it keeps on popping up a message saying that the host server has an error.
Any help on getting my desktop and theme back would be appreciated!
Thanks already, everything else seems to be working well after getting rid of this pain in the 4ss…
Any advice on what the values for these keys might have been before the virus changed them?
How do I know what to change them to?
Thanks
Rob
Thank you, I haven’t checked it yet but with replies like these I’m sure it would work. Thanx in advance
Hello, I have had the same nasty Trojan attack. The virus has been removed as far as Norton is concerned and the registry files restored, but my Internet is now unable to contact any Symantec websites and I still get redirected or server not responding. I have seen and blocked remote connections to my PC and stopped packages from downloading. Is there something I have missed out or a way of fixing this problem? I appreciate any help in fixing this most annoying attack.
thanks
Arth
hi,
I did the suggested steps and it cleaned most of it. But now it kills my Windows Installer and my Novell login dialog box is not functioning well; it disables my OK and Advanced buttons every time I log in from the Windows taskbar… help!!!
Symantec Anti-Virus removed all when I was asleep. I didn’t even know I had it.
Hey guys, I removed the virus but when I right-click my desktop, I don’t have the same options as before for display properties. It’s missing “screensaver”; I only have themes, appearance, and settings. Please help! I don’t know how to restore registry keys.
I have Norton installed on my system and although I have done the regedit and virus scan on my system I still cannot remove this virus from my system. It still shows in the Norton scan and my system will still not run. Is there any other way of removing this virus? Or should I format my system completely and reinstall Windows, or would this not work?
Please help as it is beginning to get to the stage of me throwing it out of the window lol
thanks
I managed to get rid of most of the trojan.blusod hkey settings, but i still have no screen saver because I don’t know what my old settings were before the virus.
Any help would be appreciated
Thanks
This tool will work in getting rid of left over registry entries >> malwarebytes (mbam-setup.exe). I’ve used it on several machines that were initially infected with anti virus xp 08 and also had trojan.blusod. http://www.malwarebytes.org/mbam.php
Thanks
Dawn
Got the virus with Norton installed, updated and running. Says it blocked it and removed it but now my background and screensaver are gone. Sugumar with Norton told me to contact Dell…or I could pay Norton $99 to fix my PC for me.
I love tech support from Pakistan!
HOW DO I KNOW WHAT THE PREVIOUS VALUES ARE IN MY REGISTRY? THANKS
It’s ridiculous you write “change these back to their default values”
How on earth are we supposed to know what they are, or even find out what they are?
:(
Malwarebytes is the ONLY thing that I’ve found that works with this. I would recommend downloading, installing, updating and then booting in safe mode and running the scan. It will restore your registry with default values so you don’t have to guess what your original values were.
I followed all of the instructions and have the system back to normal…Except…I cannot get System Restore to start up again. Is there something obvious that I should do? (Under “Properties” at My Computer the box for “Turn Off System Restore” is and remains unchecked).
Looking at the very first question by bob haig re the Software Notifier “Installation ID”. Can you explain exactly what I should be doing there? Do I (a) type in the value (“906..etc.), (b) do I delete this value, or (c) do I delete all of the “Installation ID” entry. This is the one instruction that I wonder whether I am just not clear on.
Hi guys. And thank you for the tip on Malware. It does seem to work and get rid of the virus etc., with the least amount of effort. But I too have the same problem as John. I too am unable to reinstate my System Restore. It says System Restore (Disabled by Group Policy). I will keep searching and let you know if I find anything.
Cheers
Hi, Malware I believe removed or cleaned the trojan.blusod virus from my computer; however, I still do not have the ability to restore to a previous date for my System Restore… Does that mean it is still affected?
Hi, I had the same problem as Rhys and John. I thought I completely fixed my registry but System Restore still refused to work (in my case, Norton refused to recognize the C:\ drive for defragmenting and Windows defragmenter didn’t work either). So I did what Dawn suggested and installed and used Malwarebytes and it fixed all my problems: registry is fixed, System Restore is working perfectly and Norton and Windows defrag properly again. Thanks a bunch Dawn.
Here’s the link for Malwarebytes again:
http://www.malwarebytes.org/mbam.php
Right click on My Computer icon, left click on Manage, then click the + on Services and Applications, and click on Services, and scroll down to System Restore Services and verify that it is set to Automatic. To do this – right click on System Restore Services, then left click on properties – the start up type should be automatic. After you set that to automatic – right click on System Restore Services again and make sure stop is the option which would mean the service is started.
If that doesn’t work – try this:
Go to Start>Run, type in gpedit.msc and hit enter. Under Computer Configuration, click on the + next to Administrative Templates, click on the + next to System, then click on the System Restore folder. In the right-hand pane, double-click on Turn off Configuration and under the Setting tab click in the radio button beside Not Configured. Click on Apply then OK. Then go back and do above to make sure the service is started.
Yes, your wallpaper changing ability is probably disabled in the registry. Click “Start” then “Run”, type in “regedit” and hit enter.
Then browse to the following key.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
You can click any of the following keys (that appear in your list), then just hit the delete key on your keyboard.
“NoChangingWallPaper”
“NoAddingComponents”
“NoComponents”
“NoDeletingComponents”
“NoEditingComponents”
“NoCloseDragDropBands”
“NoMovingBands”
“NoHTMLWallPaper”
Then restart your computer.
I am also a victim of this worm. What random numbers go in here? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
This was where the virus was and I deleted it. System Restore looks like it worked but the restore fails.
Thanks,
Eve
please scan my system
Any Response?