Arrival Details
This adware may be downloaded by other malware/grayware/spyware from remote sites.
It may be downloaded from app stores/third party app stores.
Installation
This adware drops the following files:
- %Temp%\nseF.tmp\IEKill.dll
- %Temp%\nseF.tmp\KillProcDLL.dll
- %Temp%\nseF.tmp\UnProtectMode.dll
- %Temp%\nseF.tmp\DLLWebCount.dll
- %Temp%\nseF.tmp\SelfDelete.dll
- C:\DelUS.bat
- C:\Program Files\SRankingPopView\srankingp.exe (detected as ADW_KRADDARE.GA)
- C:\Program Files\SRankingPopView\sranking.dll (detected as ADW_KRADDARE.GA)
- C:\Program Files\SRankingPopView\srankingdc.exe (detected as ADW_KRADDARE.GA)
- C:\Program Files\SRankingPopView\uninstall.exe
(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)
It stays resident in memory by creating the following process(es):
Autostart Technique
This adware adds the following registry entries to enable its automatic execution at every system startup:
HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
SRankingPopView = %Program Files%\SRankingPopView\srankingp.exe
HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
SRankingPopViewupdate = %Program Files%\SRankingPopView\srankingdc.exe
It registers itself as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry entries:
HKLM\SOFTWARE\Classes\
CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32
ThreadingModel = Apartment
HKLM\SOFTWARE\Classes\
CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}
AppID = {889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}
HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}
NoExplorer = 1
HKLM\SOFTWARE\Classes\
Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib
Version = 1
HKCU\Software\Microsoft\
Windows\CurrentVersion\Explorer\
MountPoints2\{50acfe2a-c8f0-11df-9e33-000c296817cc}
BaseClass = Drive
HKCU\Software\Microsoft\
Windows\CurrentVersion\Explorer\
MountPoints2\{e2d01591-c92b-11df-94c2-806d6172696f}
BaseClass = Drive
HKLM\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}
Appname = srankingp.exe
HKLM\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}
AppPath = %Program Files%\SRankingPopView\
HKLM\SOFTWARE\Classes\
AppID\scattertap.DLL
AppID = {889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}
Information Theft
This adware gathers the following data:
- visited pages
- search engine queries
Stolen Information
This adware sends the gathered information via HTTP POST to the following URL:
- http://www.{BLOCKED}ck.co.kr/adver_partner/CallKeyword.php?addr={Host IP Address}&q={Site & Search Query}&uCode=popview
Step 1
Scan your computer with your Trend Micro product to delete files detected as ADW_KRADDARE.GA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Remove ADW_KRADDARE.GA by using its own Uninstall option
[ Learn More ]
[ back ]
To uninstall the grayware process
To uninstall the grayware program:
- Open Programs via Control Panel. To do this:
• For Windows 2000, click Start>Settings>Control Panel>Add/Remove Programs.
• For Windows XP and Server 2003, click Start>Settings>Control Panel>Add or Remove Programs. For the following Windows versions, make sure the Control Panel is set to Classic View (Vista) or View by Large icons/Small icons (Windows 7 and later).
• For Windows Vista, 7, and Server 2008, click Start>Control Panel>Programs and Features.
• For Windows 8, 8.1, and Server 2012, right-click on the lower left corner of the screen, click Control Panel>Programs and Features. - In the displayed list, choose the following program:
SRankingPopView - Click on Remove or Uninstall depending on the currently running Windows version.
- Follow the instructions on the dialog box that appears.
- Close the Programs window, and the Control Panel window.
Step 3
Terminate this process
[ Learn More ]
[ back ]
- For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Terminating the Grayware Process
To terminate the malware/grayware/spyware process:
- Open Windows Task Manager. To do this, press CTRL+SHIFT+ESC.
- View the list of all running programs. To do this:
• For Windows 2000, XP, Server 2003, Vista, 7, and Server 2008 users, click the Processes tab.
• For Windows 8, 8.1, and Server 2012 users, click the Details tab. - In the list of running programs, locate the process:
- Select the malware/grayware/spyware process, then press either the End Task or the End Process button, depending on the version of Windows you are using.
- To check if the malware/grayware/spyware process has been terminated, close Task Manager, and then open it again.
- Close Task Manager.
Step 4
Delete this registry value
[ Learn More ]
[ back ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
To delete the registry value this malware/grayware created:
- Open Registry Editor.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
» For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter. - In the left panel, double-click the following:
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run - In the right panel, locate and delete the entry:
SRankingPopView = - Again In the right panel, locate and delete the entry:
SRankingPopViewupdate = - Close Registry Editor.
Step 5
Delete this registry key
[ Learn More ]
[ back ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.
To delete the registry key this malware/grayware/spyware created:
- Restart your computer in Safe Mode. For instructions on how to do this, you may refer to this page. If the preceding step requires you to restart in safe mode, you may proceed to #2.
- Open Registry Editor. To do this:
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
» For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter. HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50acfe2a-c8f0-11df-9e33-000c296817cc}
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2d01591-c92b-11df-94c2-806d6172696f}
HKEY_Local_Machine\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\scattertap.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib
HKEY_Current_User\Software\sranking\dcdata
HKEY_Current_User\Software\sranking
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall
- Close Registry Editor.
Step 6
Search and delete this file
[ Learn More ]
[ back ]
There may be some files that are hidden. Please make sure you check the
Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
To manually delete a malware/grayware file from an affected system:
• For Windows 2000, Windows XP, and Windows Server 2003:
- Right-click Start then click Search....
- In the File name* input box, type the following:
%Temp%\nseF.tmp\IEKill.dll
%Temp%\nseF.tmp\KillProcDLL.dll
%Temp%\nseF.tmp\UnProtectMode.dll
%Temp%\nseF.tmp\DLLWebCount.dll
%Temp%\nseF.tmp\SelfDelete.dll
C:\DelUS.bat
C:\Program Files\SRankingPopView\srankingp.exe
C:\Program Files\SRankingPopView\sranking.dll
C:\Program Files\SRankingPopView\srankingdc.exe
C:\Program Files\SRankingPopView\uninstall.exe
- In the Look In drop-down list, select My Computer then press Enter.
- Once located, select the file then press SHIFT+DELETE to delete it.
*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).
• For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
- In the Search Computer/This PC input box, type:
%Temp%\nseF.tmp\IEKill.dll
%Temp%\nseF.tmp\KillProcDLL.dll
%Temp%\nseF.tmp\UnProtectMode.dll
%Temp%\nseF.tmp\DLLWebCount.dll
%Temp%\nseF.tmp\SelfDelete.dll
C:\DelUS.bat
C:\Program Files\SRankingPopView\srankingp.exe
C:\Program Files\SRankingPopView\sranking.dll
C:\Program Files\SRankingPopView\srankingdc.exe
C:\Program Files\SRankingPopView\uninstall.exe
- Once located, select the file then press SHIFT+DELETE to delete it.
*Note: Read the following Microsoft page if these steps do not work on Windows 7.
