1. /
  2. Security Response/
  3. Adware.BlazeFind

Adware.BlazeFind - Removal

Updated:
February 13, 2007 11:37:03 AM
Type:
Adware
Risk Impact:
High
File Names:
2_0_1browserhelper2.dll unstsa2.exe key2.txt installer2.exe omniscient.exe Omni
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Removal Tool
Symantec Security Response has developed a removal tool for Adware.BlazeFind. Use this removal tool first, as it is the easiest way to remove this threat.

The tool can be found here:
http://securityresponse.symantec.com/avcenter/FxBlzFnd.exe

The current version of the tool is 1.0.1 and will have a digital signature timestamp equivalent to 03/20/2005 10:17 PM.

Notes:

    • The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

It has been reported that a computer on which Adware.BlazeFind is installed may also have other security risks. Symantec recommends that the following steps be carried out:
  1. Apply the Adware.BlazeFind Removal Tool.
  2. Update the definitions by starting the Symantec program and running LiveUpdate.
  3. Run a full system scan to detect any other security risks on the computer.
  4. If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html.
  5. If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the threat report.

Manual Removal
The publisher of Adware.BlazeFind has instructions on how to uninstall their product using the Windows Add/Remove programs utility. Although it has not been confirmed by Security Response that this will work in all cases, this should be tried first.

BlazeFind has uninstall instructions in sections seven and eight of the following Web page:
http://blazefind.com/?section=help

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.BlazeFind.
  3. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.BlazeFind, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Deleting the value from the registry


WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Windows SA" = "%PROGRAMFILES%\WindowsSA\omniscient.exe"

  5. Navigate to the subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

  6. In the right pane, delete the values:

    "Taskbar" = "[binary data]"
    "TaskbarWinXp" = "[binary data]"

    Note: By deleting the above values, custom created taskbars will also be removed.

  7. Navigate to and delete the following subkeys if present:

    HKEY_CLASSES_ROOT\BridgeX.Installer
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
    HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
    HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
    HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
    HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}


Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver