Apr 23rd, 2007

Very Suspicious DLL

Hi everyone-
I have just come across a .dll in my startup list that has me baffled and a bit concerned as to just what it is. In the past, a Google search has always provided something on any file name I have ever checked, but this one returns zip.

The name is hurwenf.dll

In msconfig the startup item is listed simply as hurwenf, with the command being C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hurwenf.dll,uyesscc

In looking at its properties it only declares association to an unknown program.

I did a basic files/folders search for all instances of hurwenf, and again looking for the phrase uyesscc. All that was returned was the .dll itself, present in the Windows/system32 folder, and 2 referenced files found in an orphaned program folder belonging to a long-removed spyware detection/removal program, SpyHunter, which I had likely tried out and quickly removed. One file is a support log, which merely lists the item as being one of the items in normal startup. The other I'm unfortunately a bit vague on except for recalling it as an xml file, or having seen xml in the name. When I could find no valid reason for this dll to be in action, I turned it off in msconfig and rebooted to see if any of my programs had any problems without it. Only then did I think to go back and examine the "xml" file further, discovering it had now disappeared. Restoring startup status to the unknown dll and re-starting in hopes it would also re-initiate the mystery file did not work as I thought it might; the file has not returned, leaving only the support log. Obviously since it vanished into thin air it could not have been an xml, and I'm smacking my head on the desk for having failed to have at least jotted the full name down before making any changes; it didn't occur to me this file would go "poof" as it did.

Attempting decompile on a copy of the dll fails stating it was not built with VB 5 or 6, so I do not have a way to do this.

In opening the dll with Notepad the one and only discernible reference I found reads:
hurwenf.dll DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer uyesscc

The one potential clue to its origin/nature that strikes me is maybe held in the disappearance of the mystery file; could this suggest that hurwenf.dll was a leftover of the SpyHunter program, rather than part of something SpyHunter tagged as an invader?

Any info or suggestions would be greatly appreciated; I won't rest easy until knowing just what the devil this thing is.

Thanks!
Posted by fatrcat
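
A read-only way to gather facts about a startup entry like the one described in the post above (added example, not part of the original thread): it finds Run-key values that launch a DLL through rundll32, splits out the DLL path and export name, and reports the file's hash, creation time, version-resource strings and Authenticode status. It assumes a current Windows PowerShell with `Get-FileHash` available and only looks at the two standard Run keys.

```powershell
# Added example: triage rundll32-launched startup entries. Nothing is modified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# rundll32 syntax: rundll32.exe <dll path>,<export name or #ordinal> [args]
$pattern  = 'rundll32(?:\.exe)?"?\s+"?(?<dll>[^,"]+)"?,\s*(?<export>\S+)'
$metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $metadata) { continue }              # provider-added fields
        if ("$($prop.Value)" -notmatch $pattern) { continue }   # not a rundll32 entry

        $dll = [Environment]::ExpandEnvironmentVariables($Matches['dll'].Trim())
        $report = [ordered]@{
            Key    = $key
            Entry  = $prop.Name
            Dll    = $dll
            Export = $Matches['export']
            Exists = Test-Path -LiteralPath $dll
        }
        if ($report.Exists) {
            $item = Get-Item -LiteralPath $dll -Force
            $sig  = Get-AuthenticodeSignature -LiteralPath $dll
            $report.SHA256      = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            $report.Created     = $item.CreationTime
            # Empty company/description fields are common in unidentified DLLs
            $report.Company     = $item.VersionInfo.CompanyName
            $report.Description = $item.VersionInfo.FileDescription
            $report.Signature   = $sig.Status
            $report.Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
        [pscustomobject]$report
    }
}
```

The SHA-256 value identifies the file independently of its name, which matters when, as here, a search on the file name returns nothing.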
Apr 23rd, 2007

Re: Very Suspicious DLL

Sounds suspicious, so run sfc /scannow as well as a full spyware/antivirus scan.

If they come back clean then the dll is most likely a leftover. Many AV programs leave DLLs for their resident shield in the Windows dir.
Last edited by jbennet; Apr 23rd, 2007 at 5:16 am.
Posted by jbennet (Moderator)
Apr 23rd, 2007

Re: Very Suspicious DLL

Thanks for the input jbennet- those steps have been taken. I "run a tight ship" when it comes to my PC; dual firewalled with a business-class router, OS & AV always up to date, Windows Defender running too, no acceptance of ActiveX or Java without permission, so on & so forth. Sometimes it's a real pain, checking every new little thing before allowing to run or not, but I've also been incredibly pleased by the lack of instances where a breach has occurred. I've sent email to SpyHunter with query on the dll, and hopefully they can confirm it as part of a past program release.

Hate like h%## to act like an alarmist, but after the Google search and local data came up empty I decided it was time to go to PC DEFCON 2; equal levels to graceful acceptance of being found stupid or being damned thankful you went ahead and pushed the big red button. I had my first ever major hard drive crash last fall which appears to have simply been due to a mechanical failure but still in question, and the creation date of the dll dates back to the same time period, making it equally possible to be something unwittingly acquired during data recovery processes or like you said, a leftover from one of the numerous security-related programs I tested out at that time.

Many Thanks for the input!
Posted by fatrcat
Apr 24th, 2007

Re: Very Suspicious DLL

..remove the startup entry, then delete it in safe mode.
Last edited by gerbil; Apr 24th, 2007 at 1:20 am.
Posted by gerbil
© 2011 DaniWeb® LLC