9 Replies Latest reply on Nov 11, 2010 5:04 AM by curVV

    W32/Rimecud!mem virus creating lots of pain

      Hello All

      I have this Virus Rimecud!mem virus in the system.each time MCa fee cleans it and this virus comed back after restart..i think this resides in the memory and creates this problem..i have tried SAFE MODE scan and this seems doesnt work..this virus gives lots of problem..

      black screen, repeated standby , no audio,  keyboard doesnt work..so many problems happens ..Please  help me here..i am a corporate user and dont want to go for formatting..any better solution available to kill this monster...

        • 1. Re: W32/Rimecud!mem virus creating lots of pain



          Chances are this isn't just one machine that's seeing the issue as w32/Rimecud is a worm and will attempt to spread over network shares and via USB sticks. Which version of VSE, DAT file and engine are you running?


          The following articles contain more information but please be aware we are seeing new variants of this all the time so it may be that you need to submit samples to us.





          It would also be a good idea to log a ticket with support via telephone if you need assistance with obtaining samples of infected files. Details on how to contact support are in the Gold Support Handbook.


          Kind regards,


          • 2. Re: W32/Rimecud!mem virus creating lots of pain

            Have been hit twice with W32/Rimecud!mem recently.


            Using VS Enterprise 8.7.0i

            Engine 5400.1158

            DAT 6064.0000

            4 Aug 2010


            Detects the virus, reports it removed, but DOES NOT remove it !

            Upon reboot the virus is still present.

            Only thing that removes it is Microsoft Malicious Software tool!!!!

            • 3. Re: W32/Rimecud!mem virus creating lots of pain

              i'm having the same infection for months on dozens of machines, although their security is daily updated (most recent dat&engine).


              disabling system restore, and running command line scan in safe mode does not help. The next day the users logon they get infected again. they have mapped drives in which an infected autorun.inf was placed, but even then the local VSE should detect it before executing it.


              when a user has the autorun.inf locked even the mcafee for netapp can't remove it.


              there is no way that I can track down the SOURCE machine from which the infection spreads, i can only notice that a machine is cleaned.


              our local mcafee certified partner has passed it, but there is still no definitive solution for this problem, except formatting a machine and denying network acces. but then mcafee is obsolete

              • 4. Re: W32/Rimecud!mem virus creating lots of pain

                Try the Microsoft® Windows® Malicious Software Removal Tool (KB890830)

                http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3 -75B8EB148356&displaylang=en

                It not only found it but removed it.

                • 5. Re: W32/Rimecud!mem virus creating lots of pain

                  thanks, i'll look into that and check it on a few infectect machines

                  • 6. Re: W32/Rimecud!mem virus creating lots of pain

                    mcafee created an extra.dat for me and it will be added to the future dat files.


                    i wanted to attach it, but the forum doesn't allow dat, zip or rar files



                    on 8/10/10 6:07:55 AM CDT
                    • 7. Re: W32/Rimecud!mem virus creating lots of pain

                      Rimcud seems to change its MD5 hash value all the time. McAfee extra dats won't help as they are created for that specific hash.

                      This worm is smarter than we think.


                      Its going to take behavioural based scanning to get rid of this one.

                      • 8. Re: W32/Rimecud!mem virus creating lots of pain

                        I also was experiencing the same problem. My problem got resolved with Anti-malware s/w.

                        Try malwarebytes from http://www.malwarebytes.org/ it works.



                        Message was edited by: shailendra_v on 10/31/10 11:23:16 PM CDT
                        • 9. Re: W32/Rimecud!mem virus creating lots of pain

                          I thought Malware bytes removed it but after the user logged on McAfee detected it again.


                          This is how I removed it:


                          First find the registry entry from where the virus is run:


                          Optional: So you don't have to search through a bunch of users' regsitry settings, you can run whoami (from windows support tools) on the user session where infection is known to occur:

                          C:\Program Files\Support Tools>whoami /USER /SID


                          Go to the registry key (where S-1-5-21-2029537294-2108322907-478368070-33085 is the user SID):


                          HKEY_USERS\S-1-5-21-2029537294-2108322907-478368070-33085\Software\Microsoft\Win dows NT\CurrentVersion\Winlogon


                          Find the string entry called Shell, it will have a value of something like this:

                          explorer.exe,C:\RECYCLER\S-1-5-21-5425960118-7136680355-150211887-2863\MsMxEng.e xe

                          Make a note of it and delete. (Delete the Shell key)


                          Rimecud attaches itself to the explorer.exe process, but McAfee also detected another process infected with it in my environment.


                          So, terminate all processes detected earlier by McAfee as infected with Rimecud!mem.


                          I had to do this on remote machines, so I used the commandline. You can also use Process Explorer (a cool sysinternals app you can found here)


                          Using the commandline, to get the PID of the process(es), type:

                          tasklist /s RemoteMachineNameOrIP /v | find /i "explorer"

                          To terminate the process(es), type (substitute 9999 with the PID you got from above command):

                          taskkill /s RemoteMachineNameOrIP /PID 9999 /f


                          Do this for all infected processes. (With Process Explorer, just right click and Kill Process)


                          Now MsMxEng.exe will automatically start up again. Get the PID of it and terminate. To do this watch the processes in process explorer and kill it as it starts up, or use the same tasklist, taskkill method above if you're remote. Like so:


                          tasklist /s RemoteMachineNameOrIP /v | find /i "msmxeng"


                          Use the PID obtained above and kill it like so:


                          taskkill /s RemoteMachineNameOrIP /PID 9999 /f


                          After it's been terminated, make sure it doesn't start up again, by watching the processes for a few seconds. Also make sure the reported infected files are also still not running.


                          Next, go to the location of MsMxEng.exe (C:\RECYCLER\S-1-5-21-5425960118-7136680355-150211887-2863\ in this example)


                          Delete it. (Delete the entire C:\RECYCLER\S-1-5-21-5425960118-7136680355-150211887-2863\ and its contents)


                          If you get an error when trying to delete it, it means MsMxEng.exe is still running. Kill it.


                          Go back to the registry entry and delete the Shell key once again (recreated when MxMxEng.exe started up again) for all other users (SIDs) as well.


                          Use McAfee or Malwarebytes or MS Malicious Software Removal Tool to do another scan to be sure and remove all remnants of the virus.


                          This worked for me... so far



                          I found that on some systems the Shell entry had multiple values:

                          C:\RECYCLER\S-1-5-21-0796310875-1152809144-000314393-2999\MsMxEng.exe,C:\RECYCLE R\S-1-5-21-6666706016-5642069538-232978687-8822\MsMxEng.exe,C:\RECYCLER\S-1-5-21 -4879822223-5116865435-498973743-3138\MsMxEng.exe,C:\RECYCLER\S-1-5-21-012596814 8-3494627164-193935815-9780\MsMxEng.exe,C:\RECYCLER\S-1-5-21-5293291855-46437886 50-304467024-8909\MsMxEng.exe,C:\RECYCLER\S-1-5-21-7634157096-3504788085-1150451 45-5462\MsMxEng.exe,explorer.exe,C:\RECYCLER\S-1-5-21-6593396547-4435296853-7908 49407-1078\MsMxEng.exe

                          You must delete ALL of these files/directories corresponding to the values!



                          Message was edited by: curVV on 11/11/10 5:04:57 AM CST