Shenan Stanley
xfile said: I accidentally noticed a file under the root directory C:\UNWISE.EXE
and also another suspicious install log file as follows:
------------------------------------------
Source: E:\player\SKIN.EXE | 02-01-2002 | 01:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll
-----------------------------------------------------------------------
Is it a worm?
I did some research, and it seems UNWISE.exe and skin.exe can be
legitimate execution files or worms.
I also checked, atl.dll under windows, and it says it's from MS, and
ActiveSkin.ini with the following information:
------------------------------------------------------
ActiveSkin control is registered to:
User Name: "George Emilov, Webmessenger, Inc."
------------------------------------------------------
I am using Norton Anti-Virus 2004 to scan the entire system now.
I ran Ad-Aware and found nothing strange.
Familiar?
http://www.activeskin-control.net-software-download.com/