Trojan.Blusod
Trojan.Blusod is a Trojan developed to spread maliciously created security programs, also known as rogue anti-virus. When executed on a computer, Trojan.Blusod tries to contact a remote server and download additional threats. The Trojan sets a screen saver that acts as a security alert message containing the following strings:
Warning!
Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer.
Damage Level: Medium
Systems Affected: Windows 9x, ME, 2000, XP
How to Remove Trojan.Blusod:
FIRST AID TO STOP Trojan.Blusod:
When the Trojan.Blusod virus infects a computer, it modifies system settings and injects itself into legitimate Windows files. System Restore is the tool to go to for bringing back clean files and restoring an earlier configuration. If you have a saved previous restore point, please restore Windows to an earlier date.
REMOVAL TOOL:
Trojan.Blusod uses randomly generated file names, which makes it hard to identify. Because of this, spotting the associated files and deleting them manually is not advisable for beginners. Automatic removal is advised, using a legitimate and effective anti-malware solution called MalwareBytes' Anti-Malware. Download the removal tool here.
MANUAL REMOVAL OF Trojan.Blusod:
1. If an anti-virus program is present, update the definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- From the menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- To edit the registry, click on Start, then use Search or Run to open regedit.exe.
Note: For a complete guide on Safe Mode and Registry Editor, please see tutorial links on the sidebar.
5. Exit registry editor and restart Windows.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- Trojan.Blusod modifies registry entries to show its dropped image as the desktop background.
- This Trojan drops files with two random file names.
- It connects to predefined web sites to download more malware and executes it on the compromised computer.
Malicious Files Added by Trojan.Blusod:
%UserProfile%\Local Settings\Temp\.tt[TWO RANDOM CHARACTERS].tmp
%UserProfile%\Local Settings\Temp\.tt[TWO RANDOM CHARACTERS].tmp
%System%\system32\lph[RANDOM CHARACTERS].exe
%System%\system32\blph[RANDOM CHARACTERS].scr
%UserProfile%\Local Settings\Temp\.tt[TWO RANDOM CHARACTERS].tmp.vbs (This entry will disable System Restore)
%System%\system32\ph[RANDOM CHARACTERS].bmp (This is the image file displayed on screen)
File Location for Windows Versions:
- %UserProfile% is C:\Users\<Current User> for Windows Vista/7; for Windows XP/2000 it is C:\Documents and Settings\<Current User>.
- %System% for all versions of Windows is located under C:\Windows\System32.
Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1" (This installs the screen saver)
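As an added defender-side example (not code from the original page), the following Python parses a registry export (the text regedit writes with File > Export) and flags the values this page associates with Trojan.Blusod: the Bluescreen screen saver EULA key, a Run entry launching lph*.exe, a screen saver or wallpaper pointing at blph*.scr / ph*.bmp, and System Restore disabled. The sample export, the "abc12" suffix standing in for the random characters, and the rule table are all constructed here for illustration.

```python
import re
# Constructed .reg export for demonstration only; "abc12" stands in for the random
# characters Blusod appends to its lph*/blph*/ph* file names (not real indicators).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EULAAccepted"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"lphabc12"="C:\\WINDOWS\\system32\\lphabc12.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphabc12.scr"
"ConvertedWallpaper"="C:\\WINDOWS\\system32\\phabc12.bmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"""

RULES = [  # (regex on key path, regex on value name, regex on value data, finding)
    (r"\\Bluescreen Screen Saver$", r"EULAAccepted", r"^1$", "Bluescreen screen saver installed"),
    (r"\\CurrentVersion\\Run$", r"lph.*", r"\\lph[^\\]*\.exe$", "Run entry launches lph*.exe"),
    (r"\\Control Panel\\Desktop$", r"SCRNSAVE\.EXE", r"\\blph[^\\]*\.scr$", "screen saver set to blph*.scr"),
    (r"\\Control Panel\\Desktop$", r"ConvertedWallpaper", r"\\ph[^\\]*\.bmp$", "wallpaper replaced by ph*.bmp"),
    (r"\\SystemRestore$", r"DisableSR", r"^1$", "System Restore disabled"),
]

def parse_reg(text):
    """Parse a .reg export into {key: {name: data}}; DWORDs become decimal strings."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = {}
        elif key is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                entries[key][name] = str(int(raw[6:], 16))
            else:  # quoted string; .reg exports double backslashes, so undo that
                entries[key][name] = raw.strip('"').replace("\\\\", "\\")
    return entries

def find_blusod_indicators(text):
    """Return (key, value name, finding) for every rule the export matches."""
    hits = []
    for key, values in parse_reg(text).items():
        for key_re, name_re, data_re, finding in RULES:
            if re.search(key_re, key, re.I):
                for name, data in values.items():
                    if re.fullmatch(name_re, name, re.I) and re.search(data_re, data, re.I):
                        hits.append((key, name, finding))
    return hits
```

Real regedit exports are UTF-16 text, so read them with open(path, encoding="utf-16") before passing the contents to find_blusod_indicators.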
precisesecurity
Jun 28, 2008 @ 01:57:12
1. Temporarily Disable System Restore (Windows Me/XP/Vista/7). [how to]
2. Update the virus definitions.
3. Reboot Windows in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
Restore the following registry entries to their previous values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "906b1f2d-66b5-439e-8c02-9d08858fe527"
HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
6. Exit registry editor and restart Windows.
7. In order to make sure that the threat is completely eliminated, carry out a full scan of your system using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without the need to install them, is an online virus scanner.
bob haig
Jul 29, 2008 @ 17:57:21
For the SoftwareNotifier "InstallationID" … is the value listed (906…) the value I should change the entry TO?
precisesecurity
Jul 31, 2008 @ 01:21:05
Bob, you can just delete the entry; anyway, it is just being used by the Trojan. Just make sure you have a backup of your Registry before modifying it.
Shal
Jul 31, 2008 @ 17:04:16
Thank you so much for posting this. I had the same virus and I fixed my PC with your help!
Ille B*tch
Aug 10, 2008 @ 00:31:16
Thanks for this! It worked!
abandonwareguru
Aug 10, 2008 @ 02:17:45
Just as an aside, it also will remove the current wallpaper and, at least in Vista 32-bit, remove the Desktop Wallpaper option in the Personalization menu. It also appears to change the background color of the desktop to blue, possibly the reason for the name "blusod" (blue screen of death).
abandonwareguru
Aug 10, 2008 @ 02:19:48
Sorry to double post, but I see that’s already covered in the description under the registry entries that use Background and TileWallpaper. My mistake.
robert
Aug 10, 2008 @ 03:38:55
I deleted the entry, and even ran that registry restore 'UnHookExec' thing, and this Trojan is still on my computer. Ideas? This is really annoying and I don't want to format my computer and start a new one.
L057
Aug 11, 2008 @ 21:26:08
Hey, thanks for everything, it’s worked, almost. I got rid of the Trojan, however, my desktop is gone, my Vista appearance gone too. Now it looks like Windows 98. Also, it keeps on popping up a message saying that the host server has an error.
Any help on getting my desktop and theme back would be appreciated!
Thanks already, everything else seems to be working well after getting rid of this.
Rob
Aug 13, 2008 @ 11:05:01
Any advice on what the values for these keys might have been before the virus changed them?
How do I know what to change them to?
Thanks
Rob
Omer
Aug 21, 2008 @ 05:59:33
Thank you, I haven’t checked it yet but with replies like these I’m sure it would work. Thanks in advance.
Arthur
Aug 26, 2008 @ 13:06:21
Hello, I have had the same nasty Trojan attack. The virus has been removed as far as Norton is concerned and the registry files restored, but my Internet is now unable to contact any Symantec web sites and I still get redirected or server not responding. I have seen and blocked remote connections to my PC and stopped packages from downloading. Is there something I have missed out or a way of fixing this problem? I appreciate any help in fixing this most annoying attack.
thanks
Arth
oward
Aug 28, 2008 @ 01:13:41
Hi, I did the suggested steps and it cleaned most of it. But now it kills my Windows Installer and my Novell login dialog box is not functioning well; it disables my OK and Advanced buttons every time I log in from the Windows taskbar. Please help!
Nan
Aug 31, 2008 @ 18:07:05
Symantec Anti-Virus removed all when I was asleep. I didn't even know I had it.
chris
Sep 02, 2008 @ 09:00:09
Hey guys, I removed the virus but when I right click my desktop, I don't have the same options as before for display properties. It's missing "screen saver"; I only have appearance and settings. Please help! I don't know how to restore registry keys.
Joe
Sep 02, 2008 @ 16:01:16
I have Norton installed on my system and although I have done the regedit and virus scan on my system I still cannot remove this virus from my system; it still shows in the Norton scan and my system will still not run. Is there any other way of removing this virus? Or should I format my system completely and reinstall Windows, or would this not work?
Please help as it is beginning to get to the stage of me throwing it out of the window.
Thanks
bing
Sep 03, 2008 @ 21:15:35
I managed to get rid of most of the trojan.blusod hkey settings, but I still have no screen saver because I don’t know what my old settings were before the virus.
Any help would be appreciated
Thanks
by Dawn
Sep 05, 2008 @ 03:38:15
This tool will work in getting rid of left over registry entries >> malwarebytes (mbam-setup.exe). I’ve used it on several machines that were initially infected with anti virus XP 08 and also had trojan.blusod. http://www.malwarebytes.org/mbam.php
Thanks
Dawn
Lori
Sep 06, 2008 @ 02:12:57
Got the virus with Norton installed, updated and running. Says it blocked it and removed it but now my background and screen saver are gone. Sugumar with Norton told me to contact Dell…or I could pay Norton $99 to fix my PC for me.
I love tech support from Pakistan!
Lori
Sep 08, 2008 @ 16:58:41
MalwareBytes is the ONLY thing that I’ve found that works with this. I would recommend downloading, install, update and then boot in safe mode and run the scan. It will restore your registry with default values so you don’t have to guess what your original values were.
John Sivertsen
Sep 09, 2008 @ 01:14:42
I followed all of the instructions and have the system back to normal. Except, I cannot get System Restore to start up again. Is there something obvious that I should do? (Under “Properties” at My Computer the box for “Turn Off System Restore” is and remains unchecked).
Looking at the very first question by Bob Haig about the Software Notifier "Installation ID". Can you explain exactly what I should be doing there? Do I (a) type in the value ("906..etc.), (b) do I delete this value, or (c) do I delete all of the "Installation ID" entry. This is the one instruction that I wonder whether I am just not clear on.
Rhys Frampton
Sep 13, 2008 @ 14:13:03
Hi guys. And thank you for the tip on Malware. It does seem to work and get rid of the virus etc., with the least amount of effort. But I too have the same problem as John. I too am unable to re-instate my System Restore. It says System Restore (Disabled by Group Policy). I will keep searching and let you know if I find anything.
Cheers
xoxo
Sep 15, 2008 @ 20:59:21
Hi, Malwarebytes I believe removed or cleaned the Trojan from my computer. However, I still do not have the ability to restore to a previous date for my system restore. Does that mean it is still infected?
Vikenti
Sep 16, 2008 @ 03:03:14
Hi, I had the same problem as Rhys and John. I thought I completely fixed my registry but System Restore still refused to work (in my case, Norton refused to recognize the C:\ drive for defragmenting and the Windows defragmenter didn't work either). So I did what was suggested and installed and used MalwareBytes and it fixed all my problems: the registry is fixed, System Restore is working perfectly and Norton and Windows defrag properly again. Thanks a bunch Dawn.
Dawn
Sep 18, 2008 @ 02:01:35
Right click on My Computer icon, left click on Manage, then click the + on Services and Applications, and click on Services, and scroll down to System Restore Services and verify that it is set to Automatic. To do this – right click on System Restore Services, then left click on properties – the start up type should be automatic. After you set that to automatic – right click on System Restore Services again and make sure stop is the option which would mean the service is started.
Dawn
Sep 18, 2008 @ 02:11:30
If that doesn’t work – try this:
Go to Start>Run, type in gpedit.msc and hit enter. Under Computer Configuration, click on the + next to Administrative Templates, click on the + next to System, then click on the System Restore folder. In the right-hand pane, double-click on Turn off Configuration and under the Setting tab click in the radio button beside Not Configured. Click on Apply then OK. Then go back and do the above to make sure the service is started.
Techuser
Sep 18, 2008 @ 21:54:05
Yes, your wallpaper changing ability is probably disabled in the registry. Click "Start" then "Run", type in "regedit" and hit enter.
Then browse to the following key.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
You can click any of the following keys (that appear in your list), then just hit the delete key on your keyboard.
"NoChangingWallPaper"
"NoAddingComponents"
"NoComponents"
"NoDeletingComponents"
"NoEditingComponents"
"NoCloseDragDropBands"
"NoMovingBands"
"NoHTMLWallPaper"
Then restart your computer.
Eve
Sep 28, 2008 @ 17:00:51
I am also a victim of this worm. What random numbers go in here? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
This was where the virus was and I deleted it. System restore looks like it worked but the restore fails.
Thanks,
Eve