Parasite: AdBreak

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which hijacks your home page, search and error pages to point to AdBreak’s servers.

Variants

There are at many variants of AdBreak. They differ in the filenames used and sometimes the servers they connect to. Files you are likely to find in the Windows directory for each variant are:

Installer	Hijacker	BHO	Settings	Temp file	Backup	Other
AdBreak/wbeCheck
wbeInst$.exe	wbeCheck.exe	pbsysie.dll	exrem.ini	wbeCheck.tmp	wbeCheck.old
AdBreak/CB
cbinst$.exe	hcwprn.exe	settn.dll	odidbu.ini	plotpp.tmp	ltosie.old
AdBreak/kvnab
kvnab$.exe	kvnab.exe	kvnab.dll	kvnab.ini	kvnab.tmp	kvnab.old	kvnab.dll_
AdBreak/liqad
liqad$.exe	liqad.exe	liqad.dll	liqad.ini	liqad.tmp	liqad.old	liqad.dll_
AdBreak/kkcomp
kkcomp$.exe	kkcomp.exe	kkcomp.dll	kvnab.ini	kkcomp.tmp	kkcomp.old	kkcomp.dll_
AdBreak/xadbrk
xadbrk_.exe	xadbrk.exe	xadbrk.dll	xabrk.dll	xadbrk1.tmp	xadbrk2.tmp	xadbrk3.tmp
AdBreak/fhfmm
fhfmm-Uninstaller.exe	fhfmm.exe	fhfmm.dll	fhfmm.txt	fhfmm1.tmp	fhfmm2.tmp	fhfmm3.tmp
AdBreak/liqui
liqui-Uninstaller.exe	liqui.exe	liqui.dll	liqui.txt	liqui1.tmp	liqui2.tmp	liqui3.tmp

When running, these variants may connect to www.larint.com, adbreak.sylip.com, www.adbreak.com, and possibly other servers.

Also known as

Floid.dll, by McAfee (the reason for this name is unknown). Trojan.Win32.WbeCheck by F-Secure.

Distribution

Common sources of the software are currently unknown, but the manufacturers of AdBreak encourage software authors to piggy-back-install it, and webmasters to load it through ActiveX drive-by-downloads.

What it does

Advertising

Yes. Opens pop-up adverts whilst browsing with IE.

Privacy violation

Yes. Passes URLs of sites visited when adverts are shown.

Security issues

Yes. Can execute arbitrary unsigned code (as an update mechanism).

Stability problems

None known.

Removal

There is no uninstall option, but AdBreak have made a remover available (if you trust them). Spybot S&D, Ad-Aware and McAfee VirusScan can remove the earlier variants (CB, wbeCheck, kvnab).

Manual removal

Before you can delete the program DLL, you must deregister it. With some versions of the software this can be done with regsvr32; open a DOS command prompt window (Start->Programs->Accessories) and enter the command:

cd "%WinDir%\System"
regsvr32 /u "%WinDir%\kvnab.dll"

(Change the name of the DLL in this line for the different variants.)

For some of the earlier variants, if this fails with an error about there being no DllUnregisterServer entry point, try the command:

rundll32 %WinDir%\kvnab.dll,PBUninstall

(Again, change the DLL name if necessary.)

Next, run ‘regedit’ and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key. Remove the ‘CCB Enhancement’ value. Open ‘RunOnce’ and remove the ‘AdBreak’ value if you have it. You can also delete HKEY_CURRENT_USER\Software\AdBreak and ‘OpenData’ to clean up if you like.

Restart the computer and you should be able to delete all the files listed in the table above.