Cyberlink PowerDVD / Media Suite with Rootkit

November 16, 2011 6:33:50 PM

A few days ago, my Norton Internet Security 2012 crashed and popped up a link to download their Norton Power Eraser to fix the problem.

I followed the instructions and ran the scan with rootkit; it turns out there is a file named RIKVM_38F51D56.SYS under C:\Windows\System32\drivers and it infects the MBR. The file is invisible and can't be found at all. Only NPE can see it. I ran it a couple of times and it kept coming back. I was very puzzled and tried to do some research. I googled RIKVM and found only a very few records, but with different file names like RIKVM_xxxxxxxx.sys.

It seems that no one really knows what / where it came from. I also searched the registry for 38F51D56 and I got some hits, all related to CyberLink. I then kept digging and found the source: it's from CyberLink Product under the Services (kmsvc.exe). It creates some type of dynamic driver (RIKVM_xxxxxxxx.sys) in MBR every time the computer reboots.

I guess my question is, it's obviously some type of rootkit from CyberLink, but I have no idea what it does. Right now I have the service turned off from startup and everything seems to be fine; PowerDVD is still working.

If I have to guess, this might be some type of security they run behind the use that relates to Blu-ray and / or to collect user's data? Contacting CyberLink is no help, no response. Their KB is useless; I can't find anything about rikvm or kmsvc.exe.

Anyone has any idea?
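
The registry trace described in the post above, as an added example that is not part of the original thread: it lists every entry under the Services key whose name, display name or image path matches the strings quoted in the post, then reports whether the referenced file is visible on disk and who signed it. The three search patterns are taken from the post; everything else is standard PowerShell and the standard Services registry layout.

```powershell
# Added example: map a driver name from a scanner report back to the service that registered it.
# Patterns are the strings quoted in the thread; replace them with what your scanner reported.
$patterns    = 'RIKVM_', 'kmsvc', '38F51D56'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props    = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image    = [string]$props.ImagePath
    $haystack = "$($_.PSChildName) $image $($props.DisplayName)"

    # Skip entries that mention none of the patterns.
    if (-not ($patterns | Where-Object { $haystack -like "*$_*" })) { return }

    # Normalise ImagePath: expand variables, drop NT prefixes, strip quotes and arguments.
    $path = [Environment]::ExpandEnvironmentVariables($image)
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -match '^"([^"]+)"')            { $path = $Matches[1] }
    elseif ($path -match '^(.+?\.(exe|sys))') { $path = $Matches[1] }
    # Driver entries are often relative to the Windows directory (system32\drivers\x.sys).
    if ($path -and $path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $exists = [bool]$path -and (Test-Path -LiteralPath $path)
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Service   = $_.PSChildName
        # Type bits 0x1 / 0x2 mark kernel and file-system drivers; other values are Win32 services.
        Type      = if ($props.Type -band 0x3) { 'Driver' } else { 'Win32 service' }
        Start     = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { 'n/a' }
        ImagePath = $path
        # False means the registry points at a file a normal lookup cannot find,
        # which is the situation the first post reports for the RIKVM_ driver.
        OnDisk    = $exists
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-List
```

Run it from a 64-bit PowerShell session so that System32 paths are not redirected; the output shows which service owns the driver entry and whether its binary carries a valid vendor signature.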
November 16, 2011 6:53:44 PM

It's not kmsvc.dll, it's kmsvc.exe, which is a service related to CyberLink but with unknown usage,
which creates a legacy dynamic driver *.sys in MBR.

It's just very suspicious.
November 16, 2011 8:37:34 PM

Yeah thanks, I know it's probably safe and it's not a virus, just wondering what exactly it does; it just seems like a rootkit and suspicious.

You wouldn't want some legit company to spy on you like Sony once did with their rootkit scandal. My question is more like, what does this Kmsvc.exe do? Is CyberLink trying to spy on us now with their embedded rootkit?

November 16, 2011 8:49:40 PM

Service: CyberLink Product - 2011/10/06 17:39:06 (CLKMSVC10_9EC60124) - CyberLink - C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe

Is this it ^

It's not a virus or malware
December 11, 2011 4:40:39 AM

I have the same issue and would like to know why Norton Power Eraser identifies it as a problem but cannot stop it from reappearing even after running Norton Power Eraser which fixes by removing it but it reappears and the cycle goes on. Thanks for letting me know that it is a CyberLink Product. I would think that Norton and Cyberlink should let us know what the deal is. I think I'll write to both of them. What say you?
January 28, 2012 2:38:55 PM

Thanks for sharing what you experienced and discovered regarding "rikvm..." Norton reported this "problem" to me as well. The amount of time and stress I would have expended has been hugely reduced because of y'all. It's very much appreciated.
February 23, 2012 8:40:07 AM

I have found that the rikvm crimeware is on the CyberLink DVD update. Once I removed the CyberLink DVD update that I downloaded a few days ago, the rikvm crimeware was removed. It definitely came from CyberLink. DO NOT install their CyberLink DVD update!!
May 4, 2012 7:47:22 AM

rosetrust said:
I have found that the rikvm crimeware is on the CyberLink DVD update. Once I removed the CyberLink DVD update that I downloaded a few days ago, the rikvm crimeware was removed. It definitely came from CyberLink. DO NOT install their CyberLink DVD update!!



How did you go about removing the CyberLink DVD update? I'm having the same issue with the rikvm.
May 9, 2012 10:17:33 AM

If you suspect malware or a rootkit, it is normally bound to come from rogue wares or malware infectors disguising themselves under familiar names. Never click or respond to a link that offers to fix computer problems or malware or spyware. If you think your system is infected, please download and use extras like SuperAntiSpyware or on-demand MBAM. Protect with an all-in-one security suite or mix-and-match products, and a realtime spyware guard or something suitable. Use the extras at a regular pace. To cap it all, surf safely. Install some damn good add-ons for Firefox and Chrome.

It is always a good idea to check a suspected file or URL on this excellent site:

https://www.virustotal.com/

Anonymous
October 23, 2012 11:25:48 AM

rosetrust said:
I have found that the rikvm crimeware is on the CyberLink DVD update. Once I removed the CyberLink DVD update that I downloaded a few days ago, the rikvm crimeware was removed. It definitely came from CyberLink. DO NOT install their CyberLink DVD update!!


Hello,
Can you tell me how to remove the cyberlink update?

Thanks a lot