Is it a worm - C:\UNWISE.EXE?


Shenan Stanley

xfile said:
I accidentally noticed a file under the root directory C:\UNWISE.EXE
and also another suspicious install log file as follows:

------------------------------------------

Source: E:\player\SKIN.EXE | 02-01-2002 | 01:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll

-----------------------------------------------------------------------

Is it a worm?

I did some research, and it seems UNWISE.exe and skin.exe can be
legitimate execution files or worms.


I also checked, atl.dll under windows, and it says it's from MS, and
ActiveSkin.ini with the following information:

------------------------------------------------------

ActiveSkin control is registered to:

User Name: "George Emilov, Webmessenger, Inc."

------------------------------------------------------

I am using Norton Anti-Virus 2004 to scan the entire system now.

I ran Ad-Aware and nothing strange.

Familiar?
http://www.activeskin-control.net-software-download.com/
 

xfile

Hi:

I accidentally noticed a file under the root directory C:\UNWISE.EXE and
also another suspicious install log file as follows:

------------------------------------------

Source: E:\player\SKIN.EXE | 02-01-2002 | 01:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll

-----------------------------------------------------------------------

Is it a worm?

I did some research, and it seems UNWISE.exe and skin.exe can be legitimate
execution files or worms.


I also checked, atl.dll under windows, and it says it's from MS, and
ActiveSkin.ini with the following information:

------------------------------------------------------

ActiveSkin control is registered to:

User Name: "George Emilov, Webmessenger, Inc."

------------------------------------------------------

I am using Norton Anti-Virus 2004 to scan the entire system now.

I ran Ad-Aware and nothing strange.

Thanks for your help.
 

Sharrie Wilson

unwise - unwise.exe - Process Information
Process File: unwise or unwise.exe
Process Name: PrintScreen

Description:
unwise.exe is a screen capture utility from Gadwin Systems, Inc. It provides
the user with features to capture and save the desktop as an image.


Author: Gadwin Systems, Inc.
Part Of: PrintScreen

System Process: No
Virus: No
Spyware: No
Background Process: No
Uses Network: No
Hardware Related: No
 

xfile

Hi:

Thanks to both of you; that information was also found on the net.
I did also find an alert from Symantec about worms with the same names, that's
why I am confused and paranoid.

Thanks for your kind reply and I am more comfortable now.

Thanks again.
 

xfile

Hi:

Thanks dude, I did scan for the computer security and am glad to know I am
fully protected :)

But the virus scan will take a longer time since I do have a large HDD here, and I
will run it later.

Thanks for your information :)
 
Rick "Nutcase" Rogers

Hi,

Unwise.exe is a file name commonly used by many software vendors as the
uninstaller for their program. It is usually found in the program folder
that houses the installation, it is unusual for it to be on the root
directory.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 

ug

A late update to an old thread...
Unwise.exe is a file name commonly used by many software vendors as the
uninstaller for their program. It is usually found in the program folder
that houses the installation, it is unusual for it to be on the root
directory.

Last week, I found a set of files just like these.
Judging by the date, I got them when I installed a player application
that came with a copy protected "CD" I accidentally bought.

I ran "unwise install.log" and it removed itself, along with some
other files mentioned in the log...

/ug
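
Added example (not part of any post in this thread): a small Python parser for the install log format quoted above. It lists what the installer copied, which system32 files it overwrote and which components it self-registered, so the log can be reviewed before the uninstaller is run against it. The field layout is inferred only from the log posted here, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Record tags exactly as they appear in the log quoted in this thread.
TAGS = ("Source", "File Copy", "File Overwrite", "RegDB Key", "RegDB Val",
        "RegDB Name", "RegDB Root", "Self-Register", "Shared DLL counter ignored")
TAG_RE = re.compile(r"\b(%s):" % "|".join(map(re.escape, TAGS)))
ROOT_EXE = re.compile(r"[A-Za-z]:\\[^\\]+\.exe", re.I)   # an .exe directly under a drive root

def parse_install_log(text):
    """Map each tag to its records (a record is a list of '|'-separated fields).
    Splits on tags, not newlines, so wrapped or run-together records are rejoined."""
    flat = " ".join(line.strip() for line in text.splitlines())
    parts = TAG_RE.split(flat)[1:]            # tag, body, tag, body, ...
    records = defaultdict(list)
    for tag, body in zip(parts[0::2], parts[1::2]):
        records[tag].append([f.strip() for f in body.split("|")])
    return records

def triage(records, system_dir="c:\\windows\\system32\\"):
    """Summarise what the installer changed so each item can be reviewed by hand."""
    def paths(tag):
        return [rec[0] for rec in records.get(tag, [])]
    return {
        "installer": paths("Source"),
        "new_files": paths("File Copy"),
        "system_overwrites": [p for p in paths("File Overwrite")
                              if p.lower().startswith(system_dir)],
        "self_registered": paths("Self-Register"),
        "root_executables": [p for p in paths("File Copy") if ROOT_EXE.fullmatch(p)],
    }

# Sample built from the log posted in the thread; some records are
# deliberately wrapped or run together, as a news client can leave them.
SAMPLE = r"""Source: E:\player\SKIN.EXE | 02-01-2002 | 01:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44
| 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 |
97e6a077 File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | |
166160 | 7eec9854 Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
"""

if __name__ == "__main__":
    for key, items in triage(parse_install_log(SAMPLE)).items():
        print(f"{key}: {items}")
```

The summary only shows where to look: the overwritten system DLLs and the self-registered control are the entries worth checking for a valid vendor signature and version before or after uninstalling.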
 
Joined
Sep 24, 2009
Messages
3
Reaction score
0
Snap !

I have seen exactly the same thing on my PC after inserting a SONY 'copy control' enabled CD.

Is E: your CD drive? And if so, had you inserted a SONY BMG CD into it?
 
