Recently, I’ve found some infected systems that will also install the BSOD screensaver.
At first, I thought the customer (or someone related) had installed the BSOD screensaver as a joke, and it was unrelated to the infection.
But the first time this happened, the customer called me a few days later to say that something was still wrong with the system… I was told: The system would show a “blue screen with white writing”, and then the PC would restart.
I know I wouldn’t leave a system in such a state (and I had forgotten about the BSOD screensaver…), so I re-visited the customer as soon as possible.
I was not happy to see that the system was working fine and the BSOD (blue screen of death) would go away by just moving the mouse.
However, changing the screensaver wasn’t as easy as I thought… the malware had also hidden some tabs from the display properties (desktop tab and screen saver tab).
So after some fishing around, I found that a minor change in the registry made the tabs re-appear (go to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, and delete the NoDispScrSavPage and NoDispBackgroundPage keys).
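The registry cleanup described above, as an added PowerShell example that is not part of the original post. The HKLM path and the two names come from the post; also checking the per-user HKCU copy of the same policy key and reporting the configured screensaver are assumptions added here.

```powershell
# Added example (not from the original post): find and remove the policy
# entries that hide the Desktop and Screen Saver tabs in Display Properties.
# Preview with -WhatIf; removing entries under HKLM needs an elevated shell.
[CmdletBinding(SupportsShouldProcess)]
param()

# Names taken from the post.
$policyNames = 'NoDispScrSavPage', 'NoDispBackgroundPage'

$policyKeys = @(
    # Path from the post.
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    # Assumption: the same policy can also be set per user.
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output ('{0}: key not present' -f $key)
        continue
    }
    $regKey = Get-Item -Path $key
    foreach ($name in $policyNames) {
        # GetValue returns $null when the entry does not exist.
        $value = $regKey.GetValue($name)
        if ($null -eq $value) {
            Write-Output ('{0}: {1} not set' -f $key, $name)
            continue
        }
        Write-Output ('{0}: {1} = {2}' -f $key, $name, $value)
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove policy entry')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Report the screensaver currently configured for this user, so an unexpected
# .scr file can be spotted before the Screen Saver tab is used again.
$desktop = Get-Item -Path 'HKCU:\Control Panel\Desktop'
$screensaver = $desktop.GetValue('SCRNSAVE.EXE')
if ($null -eq $screensaver) {
    Write-Output 'No screensaver configured for the current user.'
} else {
    Write-Output ('Configured screensaver: {0}' -f $screensaver)
}
```

Display Properties has to be reopened after the entries are removed for the tabs to show again.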