Chances are this isn't just one machine that's seeing the issue, as W32/Rimecud is a worm and will attempt to spread over network shares and via USB sticks. Which version of VSE, DAT file and engine are you running?
The following articles contain more information but please be aware we are seeing new variants of this all the time so it may be that you need to submit samples to us.
It would also be a good idea to log a ticket with support via telephone if you need assistance with obtaining samples of infected files. Details on how to contact support are in the Gold Support Handbook.
Have been hit twice with W32/Rimecud!mem recently.
Using VS Enterprise 8.7.0i
4 Aug 2010
Detects the virus, reports it removed, but DOES NOT remove it!
Upon reboot the virus is still present.
Only thing that removes it is Microsoft Malicious Software tool!!!!
I've been having the same infection for months on dozens of machines, although their security is updated daily (most recent DAT & engine).
Disabling System Restore and running a command-line scan in safe mode does not help. The next day, when the users log on, they get infected again. They have mapped drives on which an infected autorun.inf was placed, but even then the local VSE should detect it before it executes.
When a user has the autorun.inf locked, even the McAfee for NetApp can't remove it.
There is no way that I can track down the SOURCE machine from which the infection spreads; I can only notice that a machine is cleaned.
Our local McAfee certified partner has passed it on, but there is still no definitive solution for this problem, except formatting a machine and denying network access. But then McAfee is obsolete.
Try the Microsoft® Windows® Malicious Software Removal Tool (KB890830)
It not only found it but removed it.
Thanks, I'll look into that and check it on a few infected machines.
McAfee created an extra.dat for me, and it will be added to future DAT files.
I wanted to attach it, but the forum doesn't allow .dat, .zip or .rar files.
Rimecud seems to change its MD5 hash value all the time. McAfee extra DATs won't help, as they are created for that specific hash.
This worm is smarter than we think.
It's going to take behaviour-based scanning to get rid of this one.
I also was experiencing the same problem. My problem got resolved with anti-malware software.
Try malwarebytes from http://www.malwarebytes.org/ it works.
I thought Malwarebytes removed it, but after the user logged on McAfee detected it again.
This is how I removed it:
First find the registry entry from where the virus is run:
Optional: So you don't have to search through a bunch of users' registry settings, you can run whoami (from the Windows Support Tools) in the user session where the infection is known to occur:
C:\Program Files\Support Tools>whoami /USER /SID
Go to the registry key (where S-1-5-21-2029537294-2108322907-478368070-33085 is the user SID):
HKEY_USERS\S-1-5-21-2029537294-2108322907-478368070-33085\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Find the string entry called Shell; it will have a value something like this:
Make a note of it and delete. (Delete the Shell key)
Rimecud attaches itself to the explorer.exe process, but McAfee also detected another process infected with it in my environment.
So, terminate all processes detected earlier by McAfee as infected with Rimecud!mem.
I had to do this on remote machines, so I used the command line. You can also use Process Explorer (a cool Sysinternals app you can find here).
Using the commandline, to get the PID of the process(es), type:
tasklist /s RemoteMachineNameOrIP /v | find /i "explorer"
To terminate the process(es), type (substitute 9999 with the PID you got from above command):
taskkill /s RemoteMachineNameOrIP /PID 9999 /f
Do this for all infected processes. (With Process Explorer, just right click and Kill Process)
Now MsMxEng.exe will automatically start up again. Get the PID of it and terminate. To do this watch the processes in process explorer and kill it as it starts up, or use the same tasklist, taskkill method above if you're remote. Like so:
tasklist /s RemoteMachineNameOrIP /v | find /i "msmxeng"
Use the PID obtained above and kill it like so:
taskkill /s RemoteMachineNameOrIP /PID 9999 /f
After it's been terminated, make sure it doesn't start up again, by watching the processes for a few seconds. Also make sure the reported infected files are also still not running.
Next, go to the location of MsMxEng.exe (C:\RECYCLER\S-1-5-21-5425960118-7136680355-150211887-2863\ in this example)
Delete it. (Delete the entire C:\RECYCLER\S-1-5-21-5425960118-7136680355-150211887-2863\ and its contents)
If you get an error when trying to delete it, it means MsMxEng.exe is still running. Kill it.
Go back to the registry entry and delete the Shell key once again (it is recreated when MsMxEng.exe starts up again) for all other users (SIDs) as well.
Use McAfee or Malwarebytes or MS Malicious Software Removal Tool to do another scan to be sure and remove all remnants of the virus.
This worked for me... so far
I found that on some systems the Shell entry had multiple values:
C:\RECYCLER\S-1-5-21-0796310875-1152809144-000314393-2999\MsMxEng.exe,C:\RECYCLER\S-1-5-21-6666706016-5642069538-232978687-8822\MsMxEng.exe,C:\RECYCLER\S-1-5-21-4879822223-5116865435-498973743-3138\MsMxEng.exe,C:\RECYCLER\S-1-5-21-0125968148-3494627164-193935815-9780\MsMxEng.exe,C:\RECYCLER\S-1-5-21-5293291855-4643788650-304467024-8909\MsMxEng.exe,C:\RECYCLER\S-1-5-21-7634157096-3504788085-115045145-5462\MsMxEng.exe,explorer.exe,C:\RECYCLER\S-1-5-21-6593396547-4435296853-790849407-1078\MsMxEng.exe
You must delete ALL of these files/directories corresponding to the values!
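An audit script for the check the post above performs by hand: it reads the per-user Winlogon Shell value from every loaded hive under HKEY_USERS, splits the comma-separated list the poster describes, and flags every entry that is not explorer.exe, noting whether it points under a C:\RECYCLER\<SID> folder and whether the file is still on disk. This is an added example, not code from the thread or from McAfee; it only reports, it changes nothing, and it only sees hives that are currently loaded (users not logged on would need their ntuser.dat loaded with reg load first).

```powershell
# Added example (not from the thread): report-only audit of the per-user
# Winlogon "Shell" override described in the removal steps above.
# Run from an elevated PowerShell prompt on the machine being checked.
$winlogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    # *_Classes hives hold file associations only; they carry no Winlogon key.
    if ($hive.PSChildName -like '*_Classes') { continue }

    $key   = "Registry::$($hive.Name)\$winlogonSubKey"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    # No per-user Shell value means the machine-wide default applies: nothing to flag.
    if ([string]::IsNullOrWhiteSpace($shell)) { continue }

    # The thread shows the value as a comma-separated list; inspect each entry.
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $isExplorer = ($entry -ieq 'explorer.exe')
        $exists = $null
        if (-not $isExplorer) { $exists = Test-Path -LiteralPath $entry }
        [pscustomobject]@{
            UserSid    = $hive.PSChildName
            Entry      = $entry
            Suspicious = -not $isExplorer
            # A path under RECYCLER\<SID>\ matches the location reported in the thread.
            InRecycler = [bool]($entry -imatch '\\RECYCLER\\S-1-5-21-')
            FileExists = $exists
        }
    }
}

$results | Format-Table -AutoSize
$flagged = @($results | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} non-explorer.exe Shell entr{1} found; review before cleaning." -f `
        $flagged.Count, $(if ($flagged.Count -eq 1) { 'y' } else { 'ies' }))
}
```

Entries reported with FileExists = False but Suspicious = True are leftovers: the file is gone but the Shell value still points at it and should be removed as the post describes.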