
Cyberlink PowerDVD / Media Suite with RootKit

A few days ago, my Norton Internet Security 2012 crashed and popped up a link to download their Norton Power Eraser to fix the problem.

I followed the instructions and ran the rootkit scan. It turned out there is a file named RIKVM_38F51D56.SYS under C:\Windows\System32\drivers, and it infects the MBR. The file is invisible and can't be found at all. Only NPE can see it. I ran it a couple of times and it kept coming back. I was very puzzled and tried to do some research. I googled RIKVM and found only a very few records, but with different file names like RIKVM_xxxxxxxx.sys.

It seems that no one really knows what it is or where it came from. I also searched the registry for 38F51D56 and got some hits, all related to CyberLink. I then kept digging and found the source: it's from CyberLink Product under Services (kmsvc.exe). It creates some type of dynamic driver (RIKVM_xxxxxxxx.sys) in the MBR every time the computer reboots.

I guess my question is: it's obviously some type of rootkit from CyberLink, but I have no idea what it does. Right now I have the service turned off at startup and everything seems to be fine; PowerDVD is still working.

If I have to guess, this might be some type of security they run behind the user that relates to Blu-ray and/or collects users' data? Contacting CyberLink is no help; no response. Their KB is useless; I can't find anything about rikvm or kmsvc.exe.

Does anyone have any idea?

Reply to Nakecat
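
An added example (not part of any post in this thread): a read-only PowerShell sketch of the check the first post describes, searching the service registry for a token and showing what each matching service or driver entry points to and who signed it. The tokens `RIKVM`, `38F51D56` and `kmsvc` come from the post; the function name `Find-ServiceByToken` is hypothetical.

```powershell
# Added example, not from the thread. Read-only: lists service/driver registry
# entries whose key name or ImagePath contains a token, then checks the file.
function Find-ServiceByToken {
    param([Parameter(Mandatory)][string[]]$Token)

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'
                     16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'
                     3 = 'Manual'; 4 = 'Disabled' }

    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $text = "$($key.PSChildName) $($p.ImagePath)"
        if (-not ($Token | Where-Object { $text -like "*$_*" })) { continue }

        # Normalise the ImagePath forms used for drivers and services.
        $path = [Environment]::ExpandEnvironmentVariables("$($p.ImagePath)")
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
        elseif ($path -match '^(.+?\.(exe|sys))(\s|$)') { $path = $Matches[1] }
        if ($path -and -not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $path }

        [pscustomobject]@{
            Service   = $key.PSChildName
            Type      = $typeNames[[int]$p.Type]
            Start     = $startNames[[int]$p.Start]
            ImagePath = $p.ImagePath
            OnDisk    = $onDisk
            SigStatus = if ($sig) { $sig.Status } else { $null }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Find-ServiceByToken -Token 'RIKVM', '38F51D56', 'kmsvc' | Format-List
```

Run it from an elevated prompt. `OnDisk = False` on a driver entry means the registry references a file that is not visible at that path, which is the situation the post describes.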

It's not kmsvc.dll, it's kmsvc.exe, which is a service related to CyberLink but of unknown usage,
which creates a legacy dynamic driver *.sys in the MBR.

It's just very suspicious.

Reply to Nakecat

http://systemexplorer.net/db/kmsvc.exe.html

Sorry, they say it is safe here ^

Reply to Area51reopened

Yeah, thanks. I know it's probably safe and it's not a virus; I'm just wondering what exactly it does. It just seems like a rootkit and suspicious.

You wouldn't want some legit company to spy on you like Sony once did with their rootkit scandal. My question is more like: what does this Kmsvc.exe do? Is CyberLink trying to spy on us now with their embedded rootkit?

Reply to Nakecat

Service: CyberLink Product - 2011/10/06 17:39:06 (CLKMSVC10_9EC60124) - CyberLink - C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe

Is this it ^

It's not a virus or malware

Reply to Area51reopened

I have the same issue and would like to know why Norton Power Eraser identifies it as a problem but cannot stop it from reappearing, even after running Norton Power Eraser, which fixes it by removing it, but it reappears and the cycle goes on. Thanks for letting me know that it is a CyberLink Product. I would think that Norton and Cyberlink should let us know what the deal is. I think I'll write to both of them. What say you?


Message edited by jpgillum on 12-11-2011 at 07:47:39 AM
Reply to jpgillum

Thanks for sharing what you experienced and discovered regarding "rikvm..." Norton reported this "problem" to me as well. The amount of time and stress I would have expended has been hugely reduced because of y'all. It's very much appreciated.

Reply to sfgjm

I have found that the rikvm crimeware is on the CyberLink DVD update. Once I removed the CyberLink DVD update that I downloaded a few days ago, the rikvm crimeware was removed. It definitely came from CyberLink. DO NOT install their CyberLink DVD update!!

Reply to rosetrust

How did you go about removing the CyberLink DVD update? I'm having the same issue with the rikvm.

Reply to wouhoo

If you suspect malware or a rootkit, it is normally bound to come from rogueware or malware infectors disguised under familiar names. Never click or respond to a link that offers to fix computer problems or malware or spyware. If you think your system is infected, please download and use extras like SuperAntiSpyware or on-demand MBAM. Protect with an all-in-one security suite or mix-and-match products, and a realtime spyware guard or something suitable. Use the extras at a regular pace. To cap it all, surf safely. Install some damn good add-ons for Firefox and Chrome.

It is always a good idea to check a suspected file or URL on this excellent site:

https://www.virustotal.com/

Reply to SSri