Overview
Summary:
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Excerpt from the license agreement: 'THE BROWSER ENHANCEMENT WILL REPLACE YOUR DEFAULT HOMEPAGE. THIS HOMEPAGE WILL APPEAR ON YOUR SYSTEM AS LONG AS YOU HAVE THE BROWSER ENHANCEMENT INSTALLED. INFORMATION CONSOLES MAY BE LAUNCHED FOR THE DURATION OF TIME YOU SPEND ONLINE. THESE CONSOLES MAY CONTINUE TO BE LAUNCHED AS LONG AS YOU HAVE THE BROWSER ENHANCEMENT INSTALLED ON YOUR MACHINE. THE DEFAULT SEARCH ENGINE CAN BE REPLACED BY A NEW STANDARD SEARCH ENGINE. BY DOWNLOADING THE SOFTWARE, YOU UNDERSTAND THAT THESE CHANGES CANNOT BE REVERSED WITHOUT RUNNING THE REMOVAL EXECUTABLE THAT CAN BE FOUND AT http://www.adbreak.com/pb/Remove.exe or click here. IF YOU TRY TO CHANGE THE ITEMS ABOVE MANUALLY, YOUR CHANGES WILL BE LOST WHEN YOU REBOOT OR TURN OFF YOUR COMPUTER.' - source
Alias:
Category:
Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.
Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.
Error Page Hijacker:
Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Password Capture: A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.
Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.
Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Variants:
Similar Pests:
Origins
Group:
Vendor:
URL:
Date of Origin:
Distribution
Distribution:
Operation
Advertising:
Storage Required:
Browser Performance:
Risks
Privacy Issues:
Security Issues:
Detection and Removal
Automatic Removal:
PestPatrol detects this.
PestPatrol removes this.
Manual Removal:
There is no uninstall option, but AdBreak has made a remover available.
Before you can delete the program DLL, you must deregister it. With some versions of the software this can be done with regsvr32; open a DOS command prompt window (Start->Programs->Accessories) and enter the command:
cd "%WinDir%\System"
regsvr32 /u "%WinDir%\kvnab.dll
(Change the name of the DLL in this line for the different variants.)
For some of the earlier variants, if this fails with an error about there being no DllUnregisterServer entry point, try the command:
rundll32 %WinDir%\kvnab.dll,PBUninstall
(Again, change the DLL name if necessary.)
Next, run 'regedit' and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key. Remove the 'CCB Enhancement' value. Open 'RunOnce' and remove the 'AdBreak' value if you have it. You can also delete HKEY_CURRENT_USER\Software\AdBreak and 'OpenData' to clean up if you like.
Restart the computer and you should be able to delete all the files listed in the table above.
Kill these running processes with Task Manager:
Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ccb enhancement, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\adbreak, delete it and reboot the machine immediately.
Unregister these DLLs with Regsvr32, then reboot:
Remove these registry items (if present) with RegEdit:
Remove these files (if present) with Windows Explorer:
After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
Research
File Analyses:
- ADBreak: cbinst$.exe · kvnab.dll · pbsysie.dll · wbecheck.exe