Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.BlazeFind

Adware.BlazeFind

Updated:
February 13, 2007
Risk Impact:
High
File Names:
2_0_1browserhelper2.dll unstsa2.exe key2.txt installer2.exe omniscient.exe Omni
Systems Affected:
Windows

Behavior


Adware.BlazeFind installs itself as a Browser Helper Object and redirects search queries. It may restart explorer.exe and hook itself into different processes. It can display advertisements on the compromised computer.

Note: Definitions prior to April 20, 2005 may detect this threat as Adware.Blazefind.

Symptoms


Your Symantec program detects Adware.Blazefind.
Redirection of search queries in Internet Explorer.
Presence of the process "omniscient.exe".

Behavior


Adware.Blazefind must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version July 21, 2017 revision 020
  • Initial Daily Certified version March 22, 2004
  • Latest Daily Certified version July 22, 2017 revision 001
  • Initial Weekly Certified release date March 22, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Adware.Blazefind performs the following actions:
    1. Creates the following files:

      • %System%\2_0_1browserhelper2.dll
      • %System%\UnstSA2.exe
      • %System%\key2.txt
      • installer2.exe
      • omniscient.exe
      • Omniscienthook.dll
      • omniband.dll
      • wsaupdater.exe

        Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Registers itself as a Browser Helper Object

    3. May add the value:

      "Windows SA" = "%ProgranFiles%\WindowsSA\omniscient.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the adware runs every time Windows starts.

      Note: The file omniscient.exe is not always created.

    4. May modify the values:

      "Taskbar" = "[binary data]"
      "TaskbarWinXp" = "[binary data]"

      in the registry subkey:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

      so that the adware is loaded as taskbar every time the user logs onto Windows.

    5. May create some of the following files:

      • %Windir%\System32car.ico
      • %Windir%\System32casino.ico
      • %Windir%\System32creditcard.bmp
      • %Windir%\System32Go.ico
      • %Windir%\System32omniprivacy.khtml

        Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

    6. May create some of the following registry subkeys:

      HKEY_CLASSES_ROOT\BridgeX.Installer
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
      HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
      HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
      HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
      HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
      HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
      HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}

    7. May exhibit some of the following behaviour:

      • Restarts explorer.exe and hooks the .dll into all processes that inherit from IEFrame class.
      • Redirects search queries in Internet Explorer to www.blazefind.com
      • Adds "Main Links" menu to Internet Explorer browser that contain links to other Web sites.
      • Displays advertisements listed in the encrypted file %Windir%\System32\omniprivacy.khtml.



    Removal Tool
    Symantec Security Response has developed a removal tool for Adware.BlazeFind. Use this removal tool first, as it is the easiest way to remove this threat.

    The tool can be found here:
    http://securityresponse.symantec.com/avcenter/FxBlzFnd.exe

    The current version of the tool is 1.0.1 and will have a digital signature timestamp equivalent to 03/20/2005 10:17 PM.

    Notes:

      • The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

    It has been reported that a computer on which Adware.BlazeFind is installed may also have other security risks. Symantec recommends that the following steps be carried out:
    1. Apply the Adware.BlazeFind Removal Tool.
    2. Update the definitions by starting the Symantec program and running LiveUpdate.
    3. Run a full system scan to detect any other security risks on the computer.
    4. If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html.
    5. If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the threat report.

    Manual Removal
    The publisher of Adware.BlazeFind has instructions on how to uninstall their product using the Windows Add/Remove programs utility. Although it has not been confirmed by Security Response that this will work in all cases, this should be tried first.

    BlazeFind has uninstall instructions in sections seven and eight of the following Web page:
    http://blazefind.com/?section=help

    The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
    1. Update the definitions.
    2. Run a full system scan and delete all the files detected as Adware.BlazeFind.
    3. Delete the value that was added to the registry.
    For specific details on each of these steps, read the following instructions.

    1. Updating the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

    2. Scanning for and deleting the files
    1. Start your Symantec antivirus program, and then run a full system scan.
    2. If any files are detected as Adware.BlazeFind, click Delete.


      Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

    3. Deleting the value from the registry



    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit

      Then click OK. (The Registry Editor opens.)

    3. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the value:

      "Windows SA" = "%PROGRAMFILES%\WindowsSA\omniscient.exe"

    5. Navigate to the subkey:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

    6. In the right pane, delete the values:

      "Taskbar" = "[binary data]"
      "TaskbarWinXp" = "[binary data]"

      Note: By deleting the above values, custom created taskbars will also be removed.

    7. Navigate to and delete the following subkeys if present:

      HKEY_CLASSES_ROOT\BridgeX.Installer
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
      HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
      HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
      HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
      HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
      HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
      HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}