InterMute > Threat Research
AdBreak consists of a Browser Helper Object (BHO) which opens
pop-up advertising as you use Internet Explorer, and a task
run at startup which hijacks your home page, search and error
pages to point them at AdBreak's servers.
Variants
There are many variants of AdBreak. They differ in the
filenames used and sometimes in the servers they connect to.
Files you are likely to find in the Windows directory for
each variant are:
Variant          | Installer             | Hijacker     | BHO         | Settings   | Temp file    | Backup       | Other
AdBreak/wbeCheck | wbeInst$.exe          | wbeCheck.exe | pbsysie.dll | exrem.ini  | wbeCheck.tmp | wbeCheck.old |
AdBreak/CB       | cbinst$.exe           | hcwprn.exe   | settn.dll   | odidbu.ini | plotpp.tmp   | ltosie.old   |
AdBreak/kvnab    | kvnab$.exe            | kvnab.exe    | kvnab.dll   | kvnab.ini  | kvnab.tmp    | kvnab.old    | kvnab.dll_
AdBreak/liqad    | liqad$.exe            | liqad.exe    | liqad.dll   | liqad.ini  | liqad.tmp    | liqad.old    | liqad.dll_
AdBreak/kkcomp   | kkcomp$.exe           | kkcomp.exe   | kkcomp.dll  | kvnab.ini  | kkcomp.tmp   | kkcomp.old   | kkcomp.dll_
AdBreak/xadbrk   | xadbrk_.exe           | xadbrk.exe   | xadbrk.dll  | xabrk.dll  | xadbrk1.tmp  | xadbrk2.tmp  | xadbrk3.tmp
AdBreak/fhfmm    | fhfmm-Uninstaller.exe | fhfmm.exe    | fhfmm.dll   | fhfmm.txt  | fhfmm1.tmp   | fhfmm2.tmp   | fhfmm3.tmp
AdBreak/liqui    | liqui-Uninstaller.exe | liqui.exe    | liqui.dll   | liqui.txt  | liqui1.tmp   | liqui2.tmp   | liqui3.tmp
When running, these variants may connect to www.larint.com,
adbreak.sylip.com, www.adbreak.com, and possibly other servers.
Also known as
Floid.dll by McAfee (the reason for this name is unknown);
Trojan.Win32.WbeCheck by F-Secure.
Distribution
Common sources of the software are currently unknown, but
the manufacturers of AdBreak encourage software authors to
bundle it with their own installers (piggy-back installs),
and webmasters to load it through ActiveX drive-by downloads.
What it does
Advertising
Yes. Opens pop-up adverts whilst browsing with IE.
Privacy violation
Yes. Passes URLs of sites visited when adverts are shown.
Security issues
Yes. Can execute arbitrary unsigned code (as an update mechanism).
Stability problems
None known.
Manual removal
Close all Internet Explorer windows first: while the BHO DLL
is loaded into a browser process it cannot be deleted. Before
you can delete the program DLL, you must deregister it. With
some versions of the software this can be done with regsvr32;
open a command prompt window (Start->Programs->Accessories)
and enter the commands:
cd "%WinDir%\System"
regsvr32 /u "%WinDir%\kvnab.dll"
(Change the name of the DLL in the second line for the
different variants.)
For some of the earlier variants, if this fails with an error
about there being no DllUnregisterServer entry point, try
the command:
rundll32 %WinDir%\kvnab.dll,PBUninstall
(Again, change the DLL name if necessary.)
Next, run 'regedit' and open the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
key. Remove the 'CCB Enhancement' value. Open 'RunOnce' and
remove the 'AdBreak' value if you have it. You can also delete
HKEY_CURRENT_USER\Software\AdBreak and 'OpenData' to clean
up if you like.
Restart the computer and you should then be able to delete
all the files listed in the table above.
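As an added example (not InterMute's own tooling), the following Python script turns the indicators on this page into an offline triage check: it matches a file listing of the Windows directory against the variant table above, parses a regedit export for the 'CCB Enhancement' Run value, the 'AdBreak' RunOnce value and the HKEY_CURRENT_USER\Software\AdBreak and 'OpenData' keys named in the removal steps, and matches observed hostnames against the servers listed. The sample listing, registry export and host list are constructed for the demonstration; the full path assumed for 'OpenData' (HKEY_CURRENT_USER\Software\OpenData) is an assumption, since the page gives only the name. Because kvnab.ini appears in both the kvnab and kkcomp rows, the file check reports both variants when it is present.

```python
"""Offline triage for the AdBreak indicators described on this page.

Added example, not InterMute's own tooling.  Inputs are a file listing of
the Windows directory, a regedit 5.00 export and a list of observed
hostnames; the samples at the bottom are constructed for the demonstration.
"""
import re

# File names per variant, copied from the variant table.
VARIANT_FILES = {
    "wbeCheck": ["wbeInst$.exe", "wbeCheck.exe", "pbsysie.dll", "exrem.ini",
                 "wbeCheck.tmp", "wbeCheck.old"],
    "CB": ["cbinst$.exe", "hcwprn.exe", "settn.dll", "odidbu.ini",
           "plotpp.tmp", "ltosie.old"],
    "kvnab": ["kvnab$.exe", "kvnab.exe", "kvnab.dll", "kvnab.ini",
              "kvnab.tmp", "kvnab.old", "kvnab.dll_"],
    "liqad": ["liqad$.exe", "liqad.exe", "liqad.dll", "liqad.ini",
              "liqad.tmp", "liqad.old", "liqad.dll_"],
    "kkcomp": ["kkcomp$.exe", "kkcomp.exe", "kkcomp.dll", "kvnab.ini",
               "kkcomp.tmp", "kkcomp.old", "kkcomp.dll_"],
    "xadbrk": ["xadbrk_.exe", "xadbrk.exe", "xadbrk.dll", "xabrk.dll",
               "xadbrk1.tmp", "xadbrk2.tmp", "xadbrk3.tmp"],
    "fhfmm": ["fhfmm-Uninstaller.exe", "fhfmm.exe", "fhfmm.dll", "fhfmm.txt",
              "fhfmm1.tmp", "fhfmm2.tmp", "fhfmm3.tmp"],
    "liqui": ["liqui-Uninstaller.exe", "liqui.exe", "liqui.dll", "liqui.txt",
              "liqui1.tmp", "liqui2.tmp", "liqui3.tmp"],
}

# Registry indicators from the removal steps, lower-cased because the
# registry is case-insensitive.  The path for 'OpenData' is an assumption:
# the page names the key without giving its full path.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
STARTUP_VALUES = {(RUN_KEY, "ccb enhancement"), (RUN_KEY + "once", "adbreak")}
SETTINGS_KEYS = {r"hkey_current_user\software\adbreak",
                 r"hkey_current_user\software\opendata"}
SERVERS = {"www.larint.com", "adbreak.sylip.com", "www.adbreak.com"}

# A .reg value line: "name"=data (name may contain escaped quotes).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys


def match_files(listing):
    """Return {variant: [matching names]}; names compare case-insensitively."""
    seen = {name.lower() for name in listing}
    hits = {}
    for variant, names in VARIANT_FILES.items():
        found = [n for n in names if n.lower() in seen]
        if found:
            hits[variant] = found
    return hits


def match_registry(reg_text):
    """Return the startup values and settings keys from the page that exist."""
    keys = parse_reg(reg_text)
    hits = [f"{key}\\{name} = {keys[key][name]}"
            for key, name in sorted(STARTUP_VALUES) if name in keys.get(key, {})]
    hits += [f"{key} (settings key present)"
             for key in sorted(SETTINGS_KEYS) if key in keys]
    return hits


def match_hosts(hosts):
    """Return observed hostnames that are AdBreak servers (trailing dot ignored)."""
    return sorted({h.lower().rstrip(".") for h in hosts} & SERVERS)


# Constructed sample inputs: a partial %WinDir% listing, a registry export
# of the keys from the removal steps, and hostnames seen in proxy logs.
SAMPLE_LISTING = ["explorer.exe", "win.ini", "kvnab$.exe", "KVNAB.EXE",
                  "kvnab.dll", "kvnab.ini", "notepad.exe"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCB Enhancement"="C:\\WINDOWS\\kvnab.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\AdBreak]
"Installed"=dword:00000001
"""
SAMPLE_HOSTS = ["www.microsoft.com", "ADBREAK.SYLIP.COM", "www.larint.com."]

if __name__ == "__main__":
    print("files:", match_files(SAMPLE_LISTING))
    print("registry:", match_registry(SAMPLE_REG))
    print("hosts:", match_hosts(SAMPLE_HOSTS))
```

To run it against a real machine, feed match_files the output of `dir /b %WinDir%`, match_registry a file produced by `reg export` of the Run, RunOnce and HKCU\Software keys, and match_hosts the destination hostnames from the proxy or DNS log. A file-name hit on its own is weak evidence (the .ini and .tmp names are generic); the Run value together with a listed DLL in the Windows directory is the combination the removal steps rely on.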