Hi everyone-
I have just come across a .dll in my startup list that has me baffled and a bit concerned as to just what it is. In the past, a Google search has always provided something on any file name I have ever checked, but this one returns zip.

The name is hurwenf.dll

In msconfig the startup item is listed simply as hurwenf, with the command being C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hurwenf.dll,uyesscc

In looking at its properties it only declares association to an unknown program.

I did a basic files/folders search for all instances of hurwenf, and again looking for the phrase uyesscc. All that was returned was the .dll itself, present in the Windows/system32 folder, and 2 referenced files found in an orphaned program folder belonging to a long-removed spyware detection/removal program, SpyHunter, which I had likely tried out and quickly removed. One file is a support log, which merely lists the item as being one of the items in normal startup. The other I'm unfortunately a bit vague on except for recalling it as an xml file, or having seen xml in the name. When I could find no valid reason for this dll to be in action, I turned it off in msconfig and rebooted to see if any of my programs had any problems without it. Only then did I think to go back and examine the "xml" file further, discovering it had now disappeared. Restoring startup status to the unknown dll and re-starting in hopes it would also re-initiate the mystery file did not work as I thought it might; the file has not returned, leaving only the support log. Obviously since it vanished into thin air it could not have been an xml, and I'm smacking my head on the desk for having failed to at least jot the full name down before making any changes; it didn't occur to me this file would go "poof" as it did.

Attempting decompile on a copy of the dll fails stating it was not built with VB 5 or 6, so I do not have a way to do this.

In opening the dll with Notepad, the one and only discernible reference I found reads:
hurwenf.dll DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer uyesscc

The one potential clue to its origin/nature that strikes me is maybe held in the disappearance of the mystery file; could this suggest that hurwenf.dll was a leftover of the SpyHunter program, rather than part of something SpyHunter tagged as an invader?

Any info or suggestions would be greatly appreciated; I won't rest easy until knowing just what the devil this thing is.

Thanks!
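A way to record identifying facts about a rundll32 startup entry like the one described above before disabling or deleting anything (an added example, not part of the original thread). It assumes PowerShell 4 or later and that the entry lives in one of the standard Run registry keys; entries placed in a Startup folder are not covered.

```powershell
# Added example: list Run-key entries launched through rundll32 and collect
# hash, timestamps, version info and signature status for each DLL.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Expected shape: [path\]rundll32[.exe] <dll path>,<export> [arguments]
        if ($command -notmatch 'rundll32(\.exe)?"?\s+"?(?<dll>[^",]+)"?\s*,\s*(?<export>\S+)') { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($Matches['dll'].Trim())
        $report = [ordered]@{
            Key = $key; Name = $name; Command = $command
            Dll = $dll; Export = $Matches['export']
        }
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $file = Get-Item -LiteralPath $dll -Force
            $sig  = Get-AuthenticodeSignature -LiteralPath $dll
            # The hash identifies the exact file when asking a vendor or
            # searching a scanning service, even if the file name is random.
            $report.SHA256      = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            $report.Created     = $file.CreationTime
            $report.Modified    = $file.LastWriteTime
            $report.Company     = $file.VersionInfo.CompanyName
            $report.Description = $file.VersionInfo.FileDescription
            $report.Signature   = $sig.Status
            $report.Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        } else {
            $report.Note = 'DLL not found on disk'
        }
        [pscustomobject]$report
    }
}
```

Piping the output to `Format-List` or `Export-Csv` keeps a record of the entry and the file's hash that survives later cleanup.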


Sounds suspicious, so run sfc /scannow as well as a full spyware/antivirus scan.

If they come back clean then the dll is most likely a leftover. Many AV programs leave DLLs for their resident shield in the Windows dir.

Thanks for the input jbennet- those steps have been taken. I "run a tight ship" when it comes to my PC; Dual firewalled with a business-class router, OS & AV always up to date, Windows Defender running too, no acceptance of Active X or Java without permission, so on & so forth. Sometimes it's a real pain, checking every new little thing before allowing to run or not, but I've also been incredibly pleased by the lack of instance where a breach has occurred. I've sent email to SpyHunter with query on the dll, and hopefully they can confirm it as part of a past program release.

Hate like h%## to act like an alarmist, but after the Google search and local data came up empty I decided it was time to go to PC DEFCON 2; equal levels to graceful acceptance of being found stupid or being damned thankful you went ahead and pushed the big red button. I had my first ever major hard drive crash last fall which appears to have simply been due to a mechanical failure but still in question, and the creation date of the dll dates back to the same time period, making it equally possible to be something unwittingly acquired during data recovery processes or like you said, a leftover from one of the numerous security-related programs I tested out at that time.

Many Thanks for the input!

..remove the startup entry, then delete it in safe mode.
