Cyberlink PowerDVD / Media Suite with RootKit
Nakecat
November 16, 2011 6:33:50 PM
A few days ago, my Norton Internet Security 2012 crashed and popped up a link to download their Norton Power Eraser to fix the problem.
I followed the instructions and ran the scan with root kit. It turns out there is a file named RIKVM_38F51D56.SYS under C:\Windows\System32\drivers, and it infects the MBR. The file is invisible and can't be found at all. Only NPE can see it. I ran it a couple of times and it kept coming back. I was very puzzled and tried to do some research. I googled RIKVM and found only a very few records, but with different file names like RIKVM_xxxxxxxx.sys.
It seems that no one really knows what / where it came from. I also searched the registry for 38F51D56 and got some hits, all related to CyberLink. I then kept digging and found the source: it's from a CyberLink product, under Services (kmsvc.exe). It creates some type of dynamic driver (RIKVM_xxxxxxxx.sys) in the MBR every time the computer reboots.
I guess my question is: it's obviously some type of rootkit from CyberLink, but I have no idea what it does. Right now I have the service turned off at startup and everything seems to be fine; PowerDVD is still working.
If I have to guess, this might be some type of security they run behind the user that relates to Blu-ray and/or to collect users' data? Contacting CyberLink is no help, no response. Their KB is useless; I can't find anything about rikvm or kmsvc.exe.
Does anyone have any idea?
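An added example, not part of the original thread: a read-only PowerShell triage of what the first post describes. It lists service entries whose ImagePath matches the names given there (RIKVM_xxxxxxxx.sys, kmsvc.exe), whether the referenced file exists on disk, and who signed it. The eight-hex-digit suffix pattern and the helper name `Resolve-ImagePath` are assumptions.

```powershell
# Added example: read-only triage, nothing is modified. Run from an elevated prompt.
# Name patterns are taken from the post; the 8-hex-digit suffix is an assumption.
$patterns    = 'RIKVM_[0-9A-F]{8}\.sys', 'kmsvc\.exe'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {   # hypothetical helper name
    param([string]$ImagePath)
    # ImagePath may be quoted, carry arguments, or use \??\ and \SystemRoot\ prefixes.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -match '^"([^"]+)"') {
        $p = $Matches[1]
    } elseif ($p -match '^(.+?\.(sys|exe))(\s|$)') {
        $p = $Matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1) Registered services and drivers whose image path matches either pattern.
$results = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { continue }
    if (-not ($patterns | Where-Object { $svc.ImagePath -match $_ })) { continue }

    $file   = Resolve-ImagePath $svc.ImagePath
    $onDisk = Test-Path -LiteralPath $file
    $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $file } else { $null }

    [pscustomobject]@{
        Service   = $key.PSChildName
        Type      = $svc.Type    # 1 = kernel driver, 16/32 = Win32 service
        Start     = $svc.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        File      = $file
        OnDisk    = $onDisk
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$results | Format-List

# 2) Drivers the running system reports under a matching path.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $patterns[0] } |
    Select-Object Name, State, StartMode, PathName
```

A service entry with `OnDisk` false corresponds to the post's observation that the driver cannot be found in the drivers folder; `Signer` shows who published the binary that owns the entry.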
Nakecat
November 16, 2011 6:53:44 PM
Nakecat
November 16, 2011 8:37:34 PM
Yeah, thanks. I know it's probably safe and it's not a virus; I'm just wondering what exactly it does. It just seems like a rootkit and suspicious.
You wouldn't want some legit company to spy on you like Sony once did with their rootkit scandal. My question is more like, what does this Kmsvc.exe do? Is CyberLink trying to spy on us now with their embedded rootkit?
jpgillum
December 11, 2011 4:40:39 AM
Nakecat said:
A few days ago, my Norton Internet Security 2012 crashed and popped up a link to download their Norton Power Eraser to fix the problem.
I followed the instructions and ran the scan with root kit. It turns out there is a file named RIKVM_38F51D56.SYS under C:\Windows\System32\drivers, and it infects the MBR. The file is invisible and can't be found at all. Only NPE can see it. I ran it a couple of times and it kept coming back. I was very puzzled and tried to do some research. I googled RIKVM and found only a very few records, but with different file names like RIKVM_xxxxxxxx.sys.
It seems that no one really knows what / where it came from. I also searched the registry for 38F51D56 and got some hits, all related to CyberLink. I then kept digging and found the source: it's from a CyberLink product, under Services (kmsvc.exe). It creates some type of dynamic driver (RIKVM_xxxxxxxx.sys) in the MBR every time the computer reboots.
I guess my question is: it's obviously some type of rootkit from CyberLink, but I have no idea what it does. Right now I have the service turned off at startup and everything seems to be fine; PowerDVD is still working.
If I have to guess, this might be some type of security they run behind the user that relates to Blu-ray and/or to collect users' data? Contacting CyberLink is no help, no response. Their KB is useless; I can't find anything about rikvm or kmsvc.exe.
Does anyone have any idea?

I have the same issue and would like to know why Norton Power Eraser identifies it as a problem but cannot stop it from reappearing, even after running Norton Power Eraser, which fixes it by removing it, but it reappears and the cycle goes on. Thanks for letting me know that it is a CyberLink product. I would think that Norton and CyberLink should let us know what the deal is. I think I'll write to both of them. What say you?
sfgjm
January 28, 2012 2:38:55 PM
rosetrust
February 23, 2012 8:40:07 AM
wouhoo
May 4, 2012 7:47:22 AM
rosetrust said:
I have found that the rikvm crimeware is on the cyberlink dvd update. Once I removed the cyberlink dvd update that I downloaded a few days ago the rikvm crimeware was removed. It definitely came from cyberlink. DO NOT install their cyberlink dvd update!!

How did you go about removing the cyberlink dvd update? I'm having the same issue with the rikvm.
SSri
May 9, 2012 10:17:33 AM
If you suspect malware or a rootkit, it is normally bound to come from rogueware or malware infectors disguised under familiar names. Never click or respond to a link that offers to fix computer problems or malware or spyware. If you think your system is infected, please download and use extras like SuperAntiSpyware or on-demand MBAM. Protect with an all-in-one security suite or mix-and-match products, and a realtime spyware guard or something suitable. Use the extras at a regular pace. To cap it all, surf safely. Install some damn good add-ons for Firefox and Chrome.
It is always a good idea to check a suspected file or URL on this excellent site:
https://www.virustotal.com/
Anonymous
October 23, 2012 11:25:48 AM
rosetrust said:
I have found that the rikvm crimeware is on the cyberlink dvd update. Once I removed the cyberlink dvd update that I downloaded a few days ago the rikvm crimeware was removed. It definitely came from cyberlink. DO NOT install their cyberlink dvd update!!

Hello,
Can you tell me how to remove the cyberlink update?
Thanks a lot