Educause Security Discussion mailing list archives
Re: kraes.dll
From: "Young, Beth A." <youngba () MORE NET>
Date: Thu, 22 Jul 2004 08:57:57 -0500
I would also run RegEdit and do a find on the file name. If it is coming back, it could also have a key in the registry. Another program I like to run is SecCheck (http://www.mynetwatchman.com/tools/sc) I recommend the DOS version, it will create a SecCheckLog.txt file with information on running processes, running services, common registry keys, etc. I have found it invaluable in trying to find virus infections on remote machines. The user runs the program, sends me the text file and I can peruse it to find the pesky virus processes and keys. Beth Beth Young, CISSP MOREnet Security 1.800.509.6673 http://www.more.net
-----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tom Gerstner Sent: Thursday, July 22, 2004 8:29 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] kraes.dll Have you tried running HijackThis? Look for a BHO with that setting. Tom Gerstner Rutgers University Unit Computing Specialist Office 1-732-932-2554 Cell-1-848-565-1163 -----Original Message----- From: Nathan Hall [mailto:hallnk () ONEONTA EDU] Sent: Thursday, July 22, 2004 7:57 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] kraes.dll I believe this is a randomly named .dll. Try searching for it's effects: resetting the homepage to res://???.dll/index.html. Searching for this info I found the following information which may be helpful: http://www.pchell.com/support/onlythebest.shtml, http://www.pchell.com/support/lookfor.shtml. -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Edward Chase Sent: Wednesday, July 21, 2004 3:33 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] kraes.dll I'm looking for information on a file named: c:\windows\kraes.dll I've run across a machine that's got some internet weirdness going on. It's been virused checked, it been run through Ad-adware and Spybot. It's been Windows updated and it's been firewalled. All have been done AFTER the weirdness started. The machine keeps wanting to set it's homepage to res://kraes.dll/index.html (followed by ? and some number which I forget) I did find the file above and manually deleted it, yet it somehow came back. The machine is Windows XP Home. I can't find anything via Google. Anybody heard of this? -- Edward Chase Providence College Information Technology ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- kraes.dll Edward Chase (Jul 21)
- <Possible follow-ups>
- Re: kraes.dll Clyde Hoadley (Jul 21)
- Re: kraes.dll Nathan Hall (Jul 22)
- Re: kraes.dll Tom Gerstner (Jul 22)
- Re: kraes.dll Young, Beth A. (Jul 22)
- Re: kraes.dll Laura A. Pokalsky (Jul 22)