The goal of this project is to make virtual world a safer and better place without child pornography, major computer crime and RIAA.
Login As
You can log in if you are registered at one of these services:
Security Bulletins
Latest Malware Updates

Infostealer.Posteal

02/26/2015

Downloader.Busadom

02/26/2015

Trojan.Ladocosm

02/26/2015

SONAR.SuspDocRun

02/25/2015

SONAR.SuspHelpRun

02/25/2015
01/01/1970

Adware.BlazeFind

Type:  Adware
Discovered:  01.01.1970
Updated:  13.02.2007
Affected systems:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
AV Vendor:  Symantec

Description:


Adware.Blazefind performs the following actions:
  • Creates the following files:

    • %System%\2_0_1browserhelper2.dll
    • %System%\UnstSA2.exe
    • %System%\key2.txt
    • installer2.exe
    • omniscient.exe
    • Omniscienthook.dll
    • omniband.dll
    • wsaupdater.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  • Registers itself as a Browser Helper Object

  • May add the value:

    "Windows SA" = "%ProgranFiles%\WindowsSA\omniscient.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

    Note: The file omniscient.exe is not always created.

  • May modify the values:

    "Taskbar" = "[binary data]"
    "TaskbarWinXp" = "[binary data]"

    in the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

    so that the adware is loaded as taskbar every time the user logs onto Windows.

  • May create some of the following files:

    • %Windir%\System32car.ico
    • %Windir%\System32casino.ico
    • %Windir%\System32creditcard.bmp
    • %Windir%\System32Go.ico
    • %Windir%\System32omniprivacy.khtml

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  • May create some of the following registry subkeys:

    HKEY_CLASSES_ROOT\BridgeX.Installer
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
    HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
    HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
    HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
    HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}

  • May exhibit some of the following behaviour:

    • Restarts explorer.exe and hooks the .dll into all processes that inherit from IEFrame class.
    • Redirects search queries in Internet Explorer to www.blazefind.com
    • Adds "Main Links" menu to Internet Explorer browser that contain links to other Web sites.
    • Displays advertisements listed in the encrypted file %Windir%\System32\omniprivacy.khtml.


    Removal instructions from Symantec Security Response Team


    Removal Tool
    Naked Security has developed a removal tool for Adware.BlazeFind. Use this removal tool first, as it is the easiest way to remove this threat.

    The tool can be found here:
    http://securityresponse.symantec.com/avcenter/FxBlzFnd.exe

    The current version of the tool is 1.0.1 and will have a digital signature timestamp equivalent to 03/20/2005 10:17 PM.

    Notes:

      • The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

    It has been reported that a computer on which Adware.BlazeFind is installed may also have other security risks. Symantec recommends that the following steps be carried out:
  • Apply the Adware.BlazeFind Removal Tool.
  • Update the definitions by starting the Symantec program and running LiveUpdate.
  • Run a full system scan to detect any other security risks on the computer.
  • If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html.
  • If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the threat report.
    Manual Removal
    The publisher of Adware.BlazeFind has instructions on how to uninstall their product using the Windows Add/Remove programs utility. Although it has not been confirmed by Security Response that this will work in all cases, this should be tried first.

    BlazeFind has uninstall instructions in sections seven and eight of the following Web page:
    http://blazefind.com/?section=help

    The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  • Update the definitions.
  • Run a full system scan and delete all the files detected as Adware.BlazeFind.
  • Delete the value that was added to the registry.
    For specific details on each of these steps, read the following instructions.

    1. Updating the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

    2. Scanning for and deleting the files
  • Start your Symantec antivirus program, and then run a full system scan.
  • If any files are detected as Adware.BlazeFind, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
    3. Deleting the value from the registry

    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  • Click Start, and then click Run. (The Run dialog box appears.)
  • Type regedit

    Then click OK. (The Registry Editor opens.)

  • Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • In the right pane, delete the value:

    "Windows SA" = "%PROGRAMFILES%\WindowsSA\omniscient.exe"

  • Navigate to the subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

  • In the right pane, delete the values:

    "Taskbar" = "[binary data]"
    "TaskbarWinXp" = "[binary data]"

    Note: By deleting the above values, custom created taskbars will also be removed.

  • Navigate to and delete the following subkeys if present:

    HKEY_CLASSES_ROOT\BridgeX.Installer
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
    HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
    HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
    HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
    HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
    HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}


  • Security Advisories Database

    Remote Code Execution Vulnerability in Microsoft OpenType Font Driver

    A remote attacker can execute arbitrary code on the target system.

    07/21/2015

    SQL Injection Vulnerability in Piwigo

    SQL inection vulnerability has been discovered in Piwigo.

    02/05/2015

    Cross-site Scripting Vulnerability in DotNetNuke

    A cross-site scripting (XSS) vulnerability has been discovered in DotNetNuke.

    02/05/2015

    Cross-site Scripting Vulnerability in Hitachi Command Suite

    A cross-site scripting vulnerability was found in Hitachi Command Suite.

    02/02/2015

    Denial of service vulnerability in FreeBSD SCTP RE_CONFIG Chunk Handling

    An attacker can perform a denial of service attack.

    01/30/2015

    Denial of service vulnerability in Apache Traffic Server HTTP TRACE Max-Forwards

    An attacker can perform a denial of service attack.

    01/30/2015

    Denial of service vulnerability in MalwareBytes Anti-Exploit "mbae.sys"

    An attacker can perform a denial of service attack.

    01/30/2015

    Denial of service vulnerability in Linux Kernel splice

    An attacker can perform a denial of service attack.

    01/29/2015

    Denial of service vulnerability in Python Pillow Module PNG Text Chunks Decompression

    An attacker can perform a denial of service attack.

    01/20/2015