Educause Security Discussion mailing list archives

Re: kraes.dll


From: "Laura A. Pokalsky" <lpokals () EMORY EDU>
Date: Thu, 22 Jul 2004 10:40:11 -0400

Beware, though, that you WILL find it in the registry under the key
HKEY_USERS\S-1-5-21-4279633407-28481931-2677731258-12871\Software\Microsoft\Search Assistant\ACMru\5603
if you've previously searched the hard drive for it.

Laura Pokalsky



Young, Beth A. wrote:

I would also run RegEdit and do a find on the file name.  If it is
coming back, it could also have a key in the registry.

Another program I like to run is SecCheck
(http://www.mynetwatchman.com/tools/sc)  I recommend the DOS version, it
will create a SecCheckLog.txt file with information on running
processes, running services, common registry keys, etc.  I have found it
invaluable in trying to find virus infections on remote machines.  The
user runs the program, sends me the text file and I can peruse it to
find the pesky virus processes and keys.

Beth

Beth Young, CISSP
MOREnet Security
1.800.509.6673
http://www.more.net





-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tom Gerstner
Sent: Thursday, July 22, 2004 8:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] kraes.dll

Have you tried running HijackThis? Look for a BHO with that setting.

Tom Gerstner

Rutgers University

Unit Computing Specialist

Office 1-732-932-2554

Cell-1-848-565-1163


-----Original Message-----
From: Nathan Hall [mailto:hallnk () ONEONTA EDU]
Sent: Thursday, July 22, 2004 7:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] kraes.dll

I believe this is a randomly named .dll. Try searching for its effects:
resetting the homepage to res://???.dll/index.html. Searching for this
info I found the following information which may be helpful:
http://www.pchell.com/support/onlythebest.shtml,
http://www.pchell.com/support/lookfor.shtml.


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edward Chase
Sent: Wednesday, July 21, 2004 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] kraes.dll

I'm looking for information on a file named:

c:\windows\kraes.dll

I've run across a machine that's got some internet weirdness going on.
It's been virus checked, it's been run through Ad-aware and Spybot.  It's
been Windows updated and it's been firewalled.  All have been done AFTER
the weirdness started.

The machine keeps wanting to set its homepage to
res://kraes.dll/index.html (followed by ? and some number which I
forget)

I did find the file above and manually deleted it, yet it somehow came
back.

The machine is Windows XP Home.

I can't find anything via Google.

Anybody heard of this?


--
Edward Chase
Providence College
Information Technology

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.




***************************************

Laura A. Pokalsky
Emory College Computing Support
Emory University
550 Asbury Circle, Candler Library 214
Atlanta, GA 30322
404/727-4754
lpokals () emory edu
