ADBreak

Overview

Summary

AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.

Excerpt from the license agreement: 'THE BROWSER ENHANCEMENT WILL REPLACE YOUR DEFAULT HOMEPAGE. THIS HOMEPAGE WILL APPEAR ON YOUR SYSTEM AS LONG AS YOU HAVE THE BROWSER ENHANCEMENT INSTALLED. INFORMATION CONSOLES MAY BE LAUNCHED FOR THE DURATION OF TIME YOU SPEND ONLINE. THESE CONSOLES MAY CONTINUE TO BE LAUNCHED AS LONG AS YOU HAVE THE BROWSER ENHANCEMENT INSTALLED ON YOUR MACHINE. THE DEFAULT SEARCH ENGINE CAN BE REPLACED BY A NEW STANDARD SEARCH ENGINE. BY DOWNLOADING THE SOFTWARE, YOU UNDERSTAND THAT THESE CHANGES CANNOT BE REVERSED WITHOUT RUNNING THE REMOVAL EXECUTABLE THAT CAN BE FOUND AT http://www.adbreak.com/pb/Remove.exe or click here. IF YOU TRY TO CHANGE THE ITEMS ABOVE MANUALLY, YOUR CHANGES WILL BE LOST WHEN YOU REBOOT OR TURN OFF YOUR COMPUTER.' -

Alias

Backdoor Program [Panda], Backdoor.WbeCheck.a [Kaspersky], Floid.dll, Floid.dr [McAfee], security risk or a "backdoor" program [F-Prot], Trojan.Win32.WbeCheck, Win32.WbeCheck [Computer Associates], Win32/PSW.WbeCheck.A trojan [Eset], Win32/WbeCheck!Trojan [Computer Associates],

Category

Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Password Capture: A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Variants

AdBreak.FHFMM ·

Reasons For Retention

Changes browser settings other than homepage, without user permission.

Origins

Group

AdBreak.com

Vendor

AdBreak.com

URL

http://www.adbreak.com/ (down as of April 4, 2004)

Date of Origin

Variants from April, 2002 to October, 2002

Detection and Removal

Manual Removal

There is no uninstall option, but AdBreak has madea remover available.

Before you can delete the program DLL, you must deregisterit. With some versions of the software this can be donewith regsvr32; open a DOS command prompt window (Start->Programs->Accessories)and enter the command:

cd "%WinDir%\System"
regsvr32 /u "%WinDir%\kvnab.dll
(Change the name of the DLL in this line for the differentvariants.)

For some of the earlier variants, if this fails withan error about there being no DllUnregisterServer entrypoint, try the command:

rundll32%WinDir%\kvnab.dll,PBUninstall
(Again, change the DLL name if necessary.)

Next, run 'regedit' and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runkey. Remove the 'CCB Enhancement' value. Open 'RunOnce'and remove the 'AdBreak' value if you have it. You canalso delete HKEY_CURRENT_USER\Software\AdBreak and 'OpenData'to clean up if you like.

Restart the computer and you should be able to deleteall the files listed in the table above.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove Autorun Reference:

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ccb enhancement, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\adbreak, delete it and reboot the machine immediately.

Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

Clean Registry:

Remove these registry items (if present) with RegEdit:

Remove Files:

Remove these files (if present) with Windows Explorer:

systemroot+\cbinst$.exesystemroot+\exrem.inisystemroot+\fhfmm.dllsystemroot+\fhfmm.exesystemroot+\fhfmm.txtsystemroot+\fhfmm1.tmpsystemroot+\fhfmm2.tmpsystemroot+\fhfmm3.tmpsystemroot+\hcwprn.exesystemroot+\kkcomp.dllsystemroot+\kkcomp.exesystemroot+\kkcomp.oldsystemroot+\kkcomp.tmpsystemroot+\kvnab$.exesystemroot+\kvnab.dllsystemroot+\kvnab.exesystemroot+\kvnab.inisystemroot+\kvnab.oldsystemroot+\kvnab.tmpsystemroot+\liqad.dllsystemroot+\liqad.exesystemroot+\liqad.inisystemroot+\liqad.oldsystemroot+\liqad.tmpsystemroot+\liqui.dllsystemroot+\liqui.exesystemroot+\liqui.txtsystemroot+\liqui1.tmpsystemroot+\liqui2.tmpsystemroot+\liqui3.tmpsystemroot+\ltosie.oldsystemroot+\odidbu.insystemroot+\odidbu.inisystemroot+\pbsysie.dllsystemroot+\plotpp.tmpsystemroot+\settn.dllsystemroot+\system\fhfmm.dllsystemroot+\system32\fhfmm.dllsystemroot+\wbecheck.exesystemroot+\wbecheck.oldsystemroot+\wbecheck.tmpsystemroot+\xabrk.dllsystemroot+\xadbrk.dllsystemroot+\xadbrk.exesystemroot+\xadbrk1.tmpsystemroot+\xadbrk2.tmpsystemroot+\xadbrk3.tmp

Restore Settings:

After following the instructions above, you will still need to restore your original settings and prevent this from happening again.

ABetterInternet.Aurora ABetterInternet.Ceres ABetterInternet.DrPMon ABrowser ACXInstall ADBreak ADE.demojoke ADHostCenter ADMDNews2.0 ADMHack