Rolex WORM please help!

Shawn

I have Windows XP and McAfee Antivirus 8 or 9. I keep getting a popup
saying Potential Worm Activity Detected. Email Subject: Gift someone you
love with a ROlex ! [morrow] . I stop the email and I get the same thing
again over and over.
HERE'S THE UPDATE, PLEASE HELP!
I cannot find anything in my registry, services, startup, that's reoccurring.
But I have found something here in my
local setting\temp directory. These files are reoccurring:
tsk.sys*****Which will not delete unless through safe mode
body.dat
mailz.dat
mcme.tmp
McVXXX<--- XXX replaces a bunch of different characters.
I know this worm is preventing me from starting my Outlook Express. I NEED
TO KNOW WHAT IS THIS WORM!!! McAfee is not detecting it, and spy remover is
not detecting it. Both are up-to-date.
 
David H. Lipman

From: "Shawn" <[email protected]>

| I have Windows XP and McAfee Antivirus 8 or 9. I keep getting a popup
| saying Potential Worm Activity Detected. Email Subject: Gift someone you
| love with a ROlex ! [morrow] . I stop the email and I get the same thing
| again over and over.
| HERE'S THE UPDATE, PLEASE HELP!
| I cannot find anything in my registry, services, startup, that's reoccurring.
| But I have found something here in my
| local setting\temp directory. These files are reoccurring:
| tsk.sys*****Which will not delete unless through safe mode
| body.dat
| mailz.dat
| mcme.tmp
| McVXXX<--- XXX replaces a bunch of different characters.
| I know this worm is preventing me from starting my Outlook Express. I NEED
| TO KNOW WHAT IS THIS WORM!!! McAfee is not detecting it, and spy remover is
| not detecting it. Both are up-to-date.
|


Please submit "tsk.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results from Virus Total.


1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Trend Sysclean Method 1
--------------------------------
Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt524.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------
The utility SYSCLEAN_FE in "Procedure F" at the following URL
http://www.ik-cs.com/got-a-virus.htm automates the download and execution process of the
Trend Sysclean Package.



2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode and shut down as many applications as possible
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
7) Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *
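
The following is an added example, not part of either post in the thread: a small Python triage script that records the name, size, modification time and SHA-256 of the recurring temp files named above before any cleanup, so the exact sample can be identified when results are reported. The function names `inventory` and `sha256_of` are hypothetical, and the pattern `mcv*` is an assumption standing in for the poster's "McVXXX".

```python
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# File names reported in the thread, lower-cased for case-insensitive matching.
# "mcv*" is an assumed wildcard for the poster's "McVXXX" description.
REPORTED_PATTERNS = ["tsk.sys", "body.dat", "mailz.dat", "mcme.tmp", "mcv*"]


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks; return None if it is locked or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        # A file held open by a running process (as tsk.sys is described
        # outside safe mode) may refuse to open; record it without a hash.
        return None
    return digest.hexdigest()


def inventory(temp_dir, patterns=REPORTED_PATTERNS):
    """Return one record per regular file in temp_dir matching a pattern."""
    records = []
    for entry in sorted(os.scandir(temp_dir), key=lambda e: e.name.lower()):
        if not entry.is_file(follow_symlinks=False):
            continue
        name = entry.name.lower()
        if not any(fnmatch.fnmatchcase(name, p) for p in patterns):
            continue
        info = entry.stat(follow_symlinks=False)
        modified = datetime.fromtimestamp(info.st_mtime, timezone.utc)
        records.append({
            "name": entry.name,
            "size": info.st_size,
            "modified_utc": modified.isoformat(timespec="seconds"),
            "sha256": sha256_of(entry.path),
        })
    return records


if __name__ == "__main__":
    # Defaults to the current user's temp directory.
    for record in inventory(tempfile.gettempdir()):
        print(record)
```

Running it before and after the safe-mode scans shows whether the files were recreated and whether their hashes changed between appearances.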