rikvm_90970B6B.sys virus? rootkit?

Found "rikvm_90970B6B.sys" when running Norton Power Eraser. Is this a virus or a rootkit? It seems to be hiding and sometimes stopping access to one of my drives. NPE seems to remove it, but it keeps coming back; it is not found at all by NIS 2013 beta, or before that by NIS 2012. Please help, I need help to permanently remove it.

Thank you

Paul M. Steinberger

Windows 7 Ultimate X64

NIS 2013 Beta


Hi NUser

Having a problem posting the requested file; the system will not allow me to post this type of formatted file.

Thank you

PSteinberger

Can you please try renaming it to a text file and attaching it?

Hi NUser

Tried that, still not able to attach.

Thank you

Psteinberger

Please check your PM. I've sent you instructions on where to upload the file.

Thanks for the logs Paul.

Unfortunately, all the logs contain no information regarding the threat.

Can you please run a scan using NBRT on the machine? You can download NBRT from www.norton.com/nbrt

Please download and install NBRT Wizard from the above link and create a tool on a CD/DVD/USB

NBRT might ask for your product key so kindly keep it handy. Please run a scan using Norton Advanced Recovery Scan and let us know the results. You may also run a scan using Norton Power Eraser Recovery Scan after that.

In case you have any queries regarding the tool you may visit the NBRT tutorials at www.norton.com/nbrt2012

Hi NUser

Created the NBRT disc, booted the system with the NBRT disc and ran NPE and the Advanced scan. Neither one of the scans came up with the rikvm_90970B6B.sys file or any other problems. What next?

Paul,

Based on the filename, it looks like your system is getting infected with Happili virus which is often associated with ZeroAccess rootkit.

Can you please run the FixZeroAccess tool from http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99 to disable the rootkit?

Once FixZeroAccess completes, please run a scan using NPE.

It is not ZeroAccess. You would really know something was wrong with your system if it was ZeroAccess, although not what is causing it.

rikvm_[Random].sys appears to be the Cyberlink product(s) update; when Norton or the likes of NPE removes it, it gets recreated.

Quads

 

 

Hi NUser

Downloaded and ran the FixZeroAccess tool you requested; again it did not find any problems. Ran NPE with and without Rootkit. NPE with Rootkit found rikvm_90970B6B.sys. I checked to find the location and I did not find the file on the computer, even though NPE found it again. What next?

I know it's not ZeroAccess.

Do you have an HP/Compaq Cyberlink product, or a Cyberlink product on a system not from HP/Compaq?

Quads

Hi Quads

I do have Cyberlink products on my computer.

rikvm ...... is for the Cyberlink PowerDVD; it's listed under Services as "PowerLink Product".

You can

a) Remove the Cyberlink PowerDVD update, or

b) Disable the service listed as "PowerLink Product".

The file disappears, or should.

Quads
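To see for yourself what Quads means by a service entry that outlives the file, here is an added PowerShell triage script (not from this thread, Norton or Cyberlink). The `rikvm_` name pattern and the "PowerLink Product" display name are taken from the thread; the path normalisation rules are an assumption about how the SCM stores driver image paths.

```powershell
# Added example: read-only triage of the SCM entries behind rikvm_<random>.sys.
# Run in an elevated PowerShell on the affected machine.
function Get-RikvmServiceInfo {
    param(
        # Assumed pattern for the random suffix seen in the thread (rikvm_90970B6B.sys).
        [string]$PathPattern = 'rikvm_[0-9A-Fa-f]+\.sys',
        # Display name reported in the thread for the PowerDVD service.
        [string]$DisplayName = 'PowerLink Product'
    )

    # User-mode services and kernel drivers are both registered with the SCM; query both classes.
    $entries = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)

    foreach ($e in $entries) {
        # The SCM's PathName and the registry ImagePath can differ; check both.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($e.Name)"
        $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $candidates = @($e.PathName, $imagePath) | Where-Object { $_ }

        $pathHit = [bool]($candidates | Where-Object { $_ -match $PathPattern })
        $nameHit = $e.DisplayName -eq $DisplayName
        if (-not ($pathHit -or $nameHit)) { continue }

        # Normalise the first candidate to a filesystem path so Test-Path can check it
        # (assumed forms: quoted path with arguments, \??\ prefix, \SystemRoot\, bare system32\).
        $image = ($candidates | Select-Object -First 1) -replace '^"([^"]+)".*$', '$1'
        $image = $image -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($image -match '^system32\\') { $image = "$env:SystemRoot\$image" }

        $exists = [bool]($image -and (Test-Path -LiteralPath $image))
        $signer = if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            "$($sig.Status): $($sig.SignerCertificate.Subject)"
        } else { 'file not on disk (only the service entry remains)' }

        [pscustomobject]@{
            Name        = $e.Name
            DisplayName = $e.DisplayName
            State       = $e.State
            StartMode   = $e.StartMode
            ImagePath   = $image
            FileExists  = $exists
            Signer      = $signer
            RegistryKey = $key
        }
    }
}

Get-RikvmServiceInfo | Format-List
```

Option b) above corresponds to `sc.exe config <Name> start= disabled` using the Name this reports (sc.exe handles kernel drivers as well as services); re-run the function afterwards to confirm StartMode now reads Disabled.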

Hi Quads

I have never actually found the file rikvm ***.sys on my computer, but NPE keeps finding it.

You won't; it's run under a different service link.

Quads

So the physical file does not exist; then why is NPE finding it?

Because NPE does; it is rootkit-like, so NPE is correct. Did you not read the warning(s) about NPE?

I know what the service keys look like for this. If you want it to disappear, do a) or b) above.

Quads

As long as the file does not act like a true rootkit, I have no problem with it.

As far as I know it's not doing anything bad, judging from the tons of people using Cyberlink software.

Quads