File Kranhdc

oldjagman
04-07-2004, 12:46 PM
I was doing a routine check of startup and running systems as the machine was slowing down on boot up.

In the startup programs I found "kranhdc" with the command "rundll32 c:\windows\system32:kranhdc.dll,init 1".

Search finds the file loaded in c:\documents and settings\owner\local settings\temp but no trace in win system32.

There are 2 registry entries at HKLM\software\microsoft\windows\current version\run and ditto\runonce.

AV, spybot and adaware all run to no effect so it seems safe BUT a Google search returns no info on kranhdc and that strikes me as strange.

As it starts with a K I'm asking here in the vain hope that it's Kazaa/Klite related.

I run windows XP home.

Anyone got any ideas what this piece of dren is and, more to the point, what is the obvious I have overlooked?

firefox
04-07-2004, 02:26 PM
First off, it is not related to Kazaa Lite, and second, is your antivirus up to date? Try running an online scan at Housecall Trend Micro (http://housecall.trendmicro.com/) and see if it finds anything. It is strange that the file would start in the temp folder. I would suspect it is a browser hijack or maybe a virus. I would disable and rename the file and see what it does. More than likely on my computer I would get rid of it.

oldjagman
04-07-2004, 07:36 PM
Thanks FF.

Virus defs totally up to date. Both AVG and Norton.

Done online scan at symantec.

Tried to isolate file but it refuses all change as it's "being used".

Tried to delete file and registry entries in DOS safe mode but it all reloads on boot-up.

Tried a text search as well as a file search in case it is in a script that has wandered in.

I'm baffled and I don't want to go to the lengths of re-format at the moment.

What really frells me is I cannot find a trace of this file in any web search - tried Google, MSN, Windows Support and Symantec - all a great big zilch.

Still the system still works so I should be grateful. I just don't like having stuff I don't know about on here.

firefox
04-07-2004, 07:45 PM
Have you tried to run CWS Shredder (http://www.spywareinfo.com/~merijn/downloads.html), which is a browser hijack tool that does things like this? It may find something that you can remove. Also, what does HijackThis have to say?

oldjagman
04-09-2004, 02:12 AM
Thanks for the link FF. CWS got me no further BUT hijackthis got me a solution of sorts.

I ended up deleting Browser helper object and registry keys etc with H-this until I found I could delete the "kranhdc" reg entries AND not have them reload on restart.

I then went into safe mode command prompt and deleted the kranhdc file.

That was an hour ago and it hasn't returned.

Bit of a "sawn-off" shotgun approach but it's gone. If it was doing something useful it may show up in the future when something doesn't work properly (hopefully the wife's Ebay or Pogo accounts!).

Thanks for all the interest and tips.

PS all AV and other scanning software has been up to date throughout so they don't know or aren't bothered about it.

PPS I'd still like to know what the frell it was!

Chewie
04-09-2004, 07:46 AM
It could just be that the folks at Symantec, Spybot et al. have not come across it before, so you could drop them a line to alert them.
If the program is legit, it's unlikely to be that hard to get rid of... unless it's from QT or Real. :)
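
An added triage example, not part of the original thread: it parses Run/RunOnce command strings like the one quoted in the first post and flags rundll32 entries whose DLL path uses NTFS alternate data stream syntax (a second colon, as in `system32:kranhdc.dll`, names a stream attached to the directory itself, which a search of the folder's contents does not list) or sits under a Temp folder. The function names and the two entries marked "constructed" are assumptions made for the illustration.

```python
import re

# Matches a Run-key command that launches a DLL through rundll32.
RUNDLL = re.compile(r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)

def dll_target(command):
    """Return the DLL path a rundll32 command loads, or None if not rundll32."""
    m = RUNDLL.match(command)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        # Quoted path: take everything up to the closing quote.
        return rest[1:].split('"', 1)[0]
    # Unquoted path: the first comma separates the DLL from its entry point.
    return rest.split(",", 1)[0].strip()

def triage(command):
    """Return the reasons to look closer at one Run/RunOnce value."""
    path = dll_target(command)
    if path is None:
        return []
    flags = ["rundll32"]
    # Drop the drive letter; any colon left separates a file or directory
    # from an NTFS alternate data stream name (host:stream).
    rest = re.sub(r"^[A-Za-z]:", "", path)
    if ":" in rest:
        flags.append("ads")
    if "\\temp\\" in path.lower():
        flags.append("temp")
    return flags

SAMPLE = {
    # Command string as quoted in the first post of the thread.
    "kranhdc": r"rundll32 c:\windows\system32:kranhdc.dll,init 1",
    # Constructed entries for comparison (not from the thread).
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min',
    "ExampleTemp": r'"C:\WINDOWS\system32\rundll32.exe" '
                   r'"C:\Documents and Settings\owner\Local Settings\Temp\example.dll",init',
}

def report(entries):
    """Map each flagged value name to its flags; unflagged entries are omitted."""
    return {name: triage(cmd) for name, cmd in entries.items() if triage(cmd)}

if __name__ == "__main__":
    for name, flags in report(SAMPLE).items():
        print(name, flags)
```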